Category Archives: security

Between the Chair and the Keyboard: Creating Security Culture

Every time someone picks up a mouse, they make a choice to either strengthen or lessen our security posture.

The security team can impact these choices through culture. For a long time, however, it was difficult to know what had to be present to create and manage security culture. The recent Cisco Security Outcomes Study finally shed some light on these factors.

Top success factors for creating a strong security culture

Provide a user-friendly experience

Culture is built one action at a time. Since the rise of BYOD and consumerization of IT, people in the workforce have a choice. They can use the organization’s technology, or they can go elsewhere. They can opt into the controls, or they can work around security. Actions become habits, habits become behavior, and behavior quickly spreads. The wrong bit of friction, at the wrong time, for the wrong person, can lead entire teams to turn elsewhere for IT services. Constrained users get creative, and creative people are a security concern.

Savvy security leaders are constantly on the hunt for ways to improve usability and user adoption. They partner with IT to ensure the workforce has access to the best available technology. Moreover, leaders work to ensure that security is well integrated, minimizing the steps and choices a person must take to complete their work. In part, I believe that accounts for proactive tech refresh (SS6) and well-integrated tech (AO1) being such contributing factors in security culture.

It is less about getting the latest and greatest, and more about using refreshes as an opportunity to simplify the user experience and, thereby, create the conditions for security culture.

Access the full Cisco 2021 Security Outcomes Study

Prevent incidents and adversaries

Preventing security incidents requires identifying what could go wrong, and early detection when things do go wrong. A typical organization may have 20 IT professionals for every security professional, and for every security professional there may be 1,000 employees. Enrolling IT and the broader workforce in detecting and reporting malware, phishing attempts, and other warning signs is crucial to preventing incidents. The data clearly confirms the correlation between response and culture (AO9).

Of course, such reporting must be high fidelity in order to not contribute to alert fatigue. The higher the number of alarms, the greater the percentage of false positives, the more likely a security analyst is to become desensitized and to ignore the alerts. It is accurate threat detection (AO8) which allows the security team to act on signals, which in a culture with security awareness, includes reports from the workforce.

Go beyond security awareness

Culture spans the gap between awareness and action. As expected, having security awareness training (BG4) corresponds with creating a security culture. It would be interesting to peel this back and see what form training takes. We’ve all seen poorly done training, the annual ritual of mindlessly clicking next on the presentations covering security and compliance. Some of the better training programs favor gamification and feature shorter lessons. We simply don’t have the data on how the respondents are organizing their training.

Training is the starting point. We’ve seen how hard it is to get people to act on awareness, from using seatbelts to stopping texting while driving, from stopping smoking to eating better. Cyber security is no different. Behavioral economics has spent decades teasing out the barriers to action, and the tactics for getting people there. Two of these tactics are tying behaviors to a person’s identity and making it a personal routine. Culture is the beliefs and the behaviors of people in our organizations.

Integrate security into projects

Culture is built one conversation at a time. Every interaction is an opportunity to communicate and reinforce secure behaviors. When security operations personnel work effectively and closely with the organization’s IT operations and development teams, this provides a cadence for having these conversations. Every plan, every change, every configuration, offers an opportunity to build and bundle security into the infrastructure. We see this in the data (AO3).

Moving up the stack, purchasing software and services provides another cadence for security conversations. Auditing an organization’s vendors strengthens the efficacy of controls along the supply chain. Audits also provide an object lesson that’s independent of the organization itself, and therefore psychologically feels safer to the employees seeing the faults in others. Managing vendor security (BG7) is a platform for regularly and consistently explaining the security standards to procurement and those with purchasing authority.

From the report: “You can’t just impose security on the organization; it must be built into the fabric of the infrastructure and organization itself to really make a difference. Good collaboration among technical teams is essential to that goal.”

Use metrics for feedback

Culture is built one measure at a time. Now every security tool has metrics and dashboards. Most every security program has metrics. Some have key performance indicators (KPIs) and key risk indicators (KRIs). But while these are useful in driving operational excellence and managing risk, such measures don’t easily translate into culture change. We need feedback on the efficacy of any given control. We need metrics that surface workarounds, work hacks, and security policy violations. These are signs that the workforce is struggling to meet our security objectives, and they enable the team to redesign the controls and adjust the process.

What are the right things to measure? Program performance metrics (AO2) which identify areas of friction.

Culture anti-patterns

Security culture is above the security poverty line. Security teams need the financial budget to successfully cover the fundamentals. They also need sufficient personnel. Teams focused on firefighting are not well-positioned for building relationships and developing the empathy needed for culture change. On a one-on-one basis, an over-worked and burned-out security analyst is the last person you want as an advocate. Don’t put a frustrated employee with a frustrated security professional and expect positive change. Security culture requires capacity, and we see this reflected in the data as a strong correlation with budget and staffing (SS2, SS3).

Do you want to kill the security culture? Don’t fund the program (SS2). Don’t hire enough people for security roles (SS3). Don’t train your people (SS4).

For a full listing of all security outcomes, please see Appendix B of the Security Outcomes Study.

Surprises in the data

You might expect excluding the executive team would be another way to kill culture. Surprisingly, security being important to execs (BG2) wasn’t correlated with security culture. That top-down approach, so often advocated for by security consultants and pundits alike, didn’t make the cut. If the choice is getting executives on board with security’s priorities, or getting security’s priorities aligned with the executives’ vision, take the latter approach. I was more surprised that the bottom-up approach also didn’t make the cut. I’ve run programs where culture was built one line of code at a time and one patch at a time. I had expected a stronger showing for vulnerability remediation deadlines (AO5) and secure development (AO6).

Additionally, consider the twin objectives of enabling the workforce while disabling the criminals. Security leaders need to understand the business and security’s role in it (BG1). We also must understand how threats move through the environment, in part by learning from prior incidents (AO11). That neither of these was correlated with culture likely speaks to this understanding coming from informal or ad hoc processes.


Creating and shaping a security culture requires a focus on usability, services, accurate alerting, awareness, and well-integrated change processes. Culture management needs time and attention, alongside staples like asset management or vulnerability management, in the overall security strategy. The Cisco Security Outcomes Study states “the strategy-culture correlation is worth calling out specifically. This is the only outcome in the ‘Enabling the Business’ category for which having a sound security strategy significantly increases the probability of success. That may seem odd, but consider that many a frustrated employee has asked something to the effect of ‘why do we have to go through all of this?’ in response to new security policies. A good strategy eases that frustration by getting everyone on the same page.”

Cisco fixed multiple flaws in Cisco SD-WAN products and Smart Software Manager Satellite Web UI

Cisco fixed multiple flaws in Cisco SD-WAN products that could allow an unauthenticated, remote attacker to execute attacks against its devices.

Cisco released security updates to address multiple flaws in Cisco SD-WAN products that could allow an unauthenticated, remote attacker to execute attacks against vulnerable devices.

These vulnerabilities impact devices running the following Cisco SD-WAN Software:

  • IOS XE SD-WAN Software
  • SD-WAN vBond Orchestrator Software
  • SD-WAN vEdge Cloud Routers
  • SD-WAN vEdge Routers
  • SD-WAN vManage Software
  • SD-WAN vSmart Controller Software

The first issue, tracked as CVE-2021-1300, is a Cisco SD-WAN buffer overflow vulnerability that could be exploited by an unauthenticated, remote attacker to trigger a buffer overflow condition.

“A vulnerability in Cisco SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition.” reads the security advisory. “A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges.”

The vulnerability stems from the incorrect handling of IP traffic. An attacker can trigger the flaw by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed. The flaw has been rated with a CVSS Base Score of 9.8.

The IT giant said that there are no workarounds that address this vulnerability.

The second flaw addressed by the company is a Cisco SD-WAN buffer overflow vulnerability tracked as CVE-2021-1301.

The flaw resides in the NETCONF subsystem; an authenticated, remote attacker could exploit the vulnerability to trigger a denial of service (DoS) condition on an affected device or system.

The vulnerability is caused by the insufficient input validation of user-supplied input that is read by the system during the establishment of an SSH connection.

“An attacker could exploit this vulnerability by submitting a crafted file to be read by the affected system. A successful exploit could allow the attacker to cause a buffer overflow that could result in a DoS condition on the affected device or system.” states the advisory.

The flaw has been rated with a CVSS Base Score of 6.5, and the company said that there are no workarounds that address this vulnerability.

Cisco also addressed critical Command Injection vulnerabilities in Smart Software Manager Satellite Web UI.

The flaws, tracked as CVE-2021-1138, CVE-2021-1140, and CVE-2021-1142, affect Cisco Smart Software Manager Satellite releases 5.1.0 and earlier and have been fixed with the release of versions 6.3.0 and later.

“Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.” reads the advisory.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of public announcements or threat actors exploiting the above issues in attacks in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

The post Cisco fixed multiple flaws in Cisco SD-WAN products and Smart Software Manager Satellite Web UI appeared first on Security Affairs.

The Bots That Stole Christmas


Who remembers heading out the night before ticket sales opened for your favorite band and camping out with all the other crazy fans who were in queue to buy the best seats when it opened the following morning? Or doing the same at a game store because a new game was coming out the next day and you needed to be the first to finish the campaign?! I do.

These scenarios are quickly becoming a thing of the past, as these environments are now mechanized and favor machines, not humans. Machines will not take over in the form of Skynet, but in the form of everyday automation, and this machine-scale world is already here today. This holiday season, I found myself in that exact position as I tried to get the new PlayStation 5 (PS5) via every single avenue I could. Each time, I was met with machines beating me to the punch. Online retail is no longer a human-scale offering, but rather an opportunity for bots and machines to outmaneuver and outperform the average buyer and help someone with often less-than-scrupulous morals make a quick buck on people’s fear of missing out (FOMO). In this blog, I want to share that experience and then show how this extends to what is coming for information security. It’s time to defend at machine-scale or die!

This whole scenario makes me think back to a quote from the Matrix:

“Throughout human history, we have been dependent on machines to survive. Fate, it seems, is not without a sense of irony.”

Get the new PS5 via an online retailer, wrap it, and have it ready for Christmas morning. Sounds easy enough. Christmas has passed and still no PS5 in sight. I’m a Distinguished Engineer, so it is not that I am new to technology; my failure here is simply that I was trying to shop in the traditional manner, which is to show up at a website at a certain time and transact with my browser until my order is complete. That’s the old way. The new way is to employ software automation on your behalf so that your shopping task can operate at machine-scale and not at human-scale. No matter how fast you might be able to get that item in your cart and get to checkout, odds are, you’re not faster than a series of bots doing the same thing en masse.

The first community to harness this unfair advantage is made up of the folks who don’t want the items for themselves, but instead want to use this scarcity to resell them on online auction sites for a profit. In the case of the PS5, the item in question retails at 499.99 USD. Meanwhile, scalpers now regularly sell them at 1100.00 USD on places like eBay. They have rightfully earned the name Grinch Bots. Many online retailers are aware of and actively trying to thwart this kind of activity, blocking tens of millions of bot attempts within the first 30 minutes of another batch being available for sale.

There’s a bot for that!

When mobile phones were coming of age, everyone would say “there’s an app for that!” These days, it is more likely that you will want to claim that “there’s a bot for that!” Yes, that is right, you can find services on the internet that will use bots to do your bidding, allowing you to operate at machine speed and machine-scale. There are even services out there that compare bot services to one another. So, the question becomes: To shop for high demand items on the Internet, will I need to employ bots?!

My experience says YES you will.

These shopping bot services are not illegal (yet). The US has legislation in the form of the 2016 BOTS Act which made it illegal to use software to scalp tickets and is now proposing a similar Stopping Grinch Bot Act that targets people who use bots to circumvent anti-bot protections from retailers.

And before you start thinking that this is just someone’s home project or a side-hustle, some of these bot groups have been known to make millions in profits over the course of a few weeks!

The machine-scale mega trend

The megatrend here is what we used to call “digitization,” but there’s a bit more to it than that. Retail, once a completely manual process, was then augmented by machines, and is now almost fully automated by machines, which brings with it huge advantages – both for the good guys and the bad guys. At what point are you automated enough to consider your business to be operating at machine-scale? The fact of the matter is that like online shopping, you can no longer defend your business at human-scale. I’m not talking about a future that is years out, I am talking about right now. You are facing an adversary that now has easy access to machine-speed, machine-scale perception, and machine-scale operations. Are you ready for this next level of threat actor?

A few questions you may want to consider when assessing your readiness:

  • What percentage of threat detection is automated versus manual?
  • For the automated detection, is the fidelity high enough to be safe to automate a response?
  • How much of your infrastructure can be automated safely?
    • How much is still too dangerous to automate and why?
  • What are your automation goals this year, in 3 years, and again in 5 years? Will you ever get to 70% automated? 80%?

Automating what was once manual is always considered to be progress – that is at least, when it works as designed.

As security professionals, we must also do our threat modeling to design systems that can operate in the face of a hostile environment, one that has an active and learning set of adversaries.

While I still don’t have a subscription to a bot service to buy a PS5, the game of cybersecurity is one that I consider more fun, more engaging, and one that I am subscribed to whether I like it or not.

FireEye releases an auditing tool to detect SolarWinds hackers’ activity

Cybersecurity firm FireEye has released a report that sheds the light on the SolarWinds attack and the way hackers breached its networks.

The experts explained how UNC2452 and other threat actors breached the infrastructure and moved laterally from on-premises networks to the Microsoft 365 cloud. The paper, titled Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452, also provides tips for organizations on how to proactively harden their environments.

FireEye also released a tool named Azure AD Investigator that could be used by organizations to discover if their organization has been breached by the SolarWinds hackers, tracked by the security firm as UNC2452.

This FireEye GitHub repository contains a PowerShell module that can be used to detect artifacts associated with the UNC2452’s intrusion and other threat actor activity.

“Some indicators are “high-fidelity” indicators of compromise, while other artifacts are so called “dual-use” artifacts.” states FireEye. “Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. Analysis and verification will be required for these.”

FireEye pointed out that the tool is read-only, which means that it does not make any changes to the Microsoft 365 environment.

The company warns that the tool cannot identify a compromise 100% of the time, and is not able to distinguish whether an artifact is the result of legitimate admin activity or threat actor activity.

Mandiant researchers explained that UNC2452 and other threat actors primarily used four techniques for lateral movements:

  1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
  2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
  3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
  4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
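The four techniques above each leave traces in the Azure AD audit log, and FireEye’s point about “dual-use” artifacts is that most of those traces also occur during legitimate administration. The following Python script is an added example (not FireEye’s Azure AD Investigator module, which is PowerShell, and not CISA’s Sparrow) that shows the shape of such a triage pass: it parses constructed, simplified audit-log records and maps the operations that correspond to techniques 2, 3 and 4 back to the technique number and its fidelity, so an analyst knows which hits need manual verification. The `activityDisplayName` strings are assumptions modelled on Azure AD audit-log operation names, and the `initiatedBy` field is flattened to a plain string for brevity; a real record nests it.

```python
"""Map Azure AD audit-log records to the UNC2452 lateral-movement techniques.
Added example, not FireEye's or CISA's tooling. All records below are
CONSTRUCTED and simplified; operation names are assumptions modelled on
Azure AD audit-log activityDisplayName values."""
import json

# operation name -> (technique number from the list above, fidelity).
# Every one of these is "dual-use": it is also how admins legitimately
# change federation, rotate app secrets, or grant roles, so each hit needs
# verification rather than an automatic incident declaration.
RULES = {
    "Set federation settings on domain": (2, "dual-use"),
    "Add service principal credentials": (4, "dual-use"),
    "Update application - Certificates and secrets management": (4, "dual-use"),
    "Add member to role": (3, "dual-use"),
}
# Role assignments only matter for technique 3 when the role is highly privileged.
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}

# Constructed JSON-lines sample; hosts, users and app names are placeholders.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"activityDateTime": "2020-12-10T03:14:07Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": "svc-sync@example.test",
     "targetResources": [{"displayName": "example.test"}]},
    {"activityDateTime": "2020-12-10T03:20:41Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-sync@example.test",
     "targetResources": [{"displayName": "Mail Connector App"}]},
    {"activityDateTime": "2020-12-10T09:02:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": "admin@example.test",
     "targetResources": [{"displayName": "Global Administrator"}]},
    {"activityDateTime": "2020-12-10T09:05:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": "admin@example.test",
     "targetResources": [{"displayName": "Helpdesk Administrator"}]},
    {"activityDateTime": "2020-12-10T10:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": "admin@example.test",
     "targetResources": [{"displayName": "jdoe"}]},
])


def parse_audit_log(text):
    """Parse JSON-lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Return one finding per record whose operation matches a technique rule."""
    findings = []
    for rec in records:
        op = rec.get("activityDisplayName", "")
        rule = RULES.get(op)
        if rule is None:
            continue
        technique, fidelity = rule
        targets = rec.get("targetResources") or [{}]
        target = targets[0].get("displayName", "")
        # A role grant is only interesting here if it lands in a privileged role.
        if op == "Add member to role" and target not in PRIVILEGED_ROLES:
            continue
        findings.append({
            "time": rec.get("activityDateTime"),
            "operation": op,
            "technique": technique,
            "fidelity": fidelity,
            "actor": rec.get("initiatedBy"),
            "target": target,
        })
    return findings


def summarize(findings):
    """Count findings per technique so coverage of the four techniques is visible."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(parse_audit_log(SAMPLE_AUDIT_LOG))
    for hit in hits:
        print(hit)
    print("per-technique counts:", summarize(hits))
```

Technique 1 (theft of the AD FS token-signing certificate) happens on the on-premises AD FS server rather than in Azure AD, which is why no audit-log rule covers it here; that detection belongs in the AD FS host’s event logs. The "Helpdesk Administrator" grant and the plain "Update user" record are deliberately included so the filter visibly drops routine operations.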

The Cybersecurity and Infrastructure Security Agency (CISA)’s Cloud Forensics team has also released a PowerShell-based tool, dubbed Sparrow, that helps administrators detect anomalies and potentially malicious activities in Azure/Microsoft 365 environments.

CrowdStrike experts also decided to create their own tool because they faced difficulties in using Azure’s administrative tools to enumerate privileges assigned to third-party resellers and partners in their Azure tenant.

“CrowdStrike launches CrowdStrike Reporting Tool for Azure (CRT), a free community tool that will help organizations quickly and easily review excessive permissions in their Azure AD environments, help determine configuration weaknesses, and provide advice to mitigate risk.” states the security firm.

“Throughout our analysis, we experienced first hand the difficulties customers face in managing Azure’s administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them. We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.”

The CrowdStrike Reporting Tool for Azure (CRT) tool could be used by administrators to analyze their Microsoft Azure environment and review the privileges assigned to third-party resellers and partners.


Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds APT)

The post FireEye releases an auditing tool to detect SolarWinds hackers’ activity appeared first on Security Affairs.

The SolarWinds Orion Breach, and What You Should Know

By Joe Marshall of Cisco Talos and Paul Smith of Cisco IoT

What is this?

On December 11th, 2020, the U.S. government and the company SolarWinds disclosed a breach into their SolarWinds Orion Platform network management software. This attack was conducted by a sophisticated and likely nation-state based attacker. SolarWinds Orion is a commonly used network management software stack used to manage complex switched and routed IT/OT architectures.

High profile customers of the Orion platform are numerous U.S. government agencies, and many private entities. The adversary was able to penetrate SolarWinds software development infrastructure, and bolt malware into a legitimate software update from SolarWinds for their Orion platform. In March of 2020, this malicious ‘patch’ was distributed, which then could provide backdoor access into the victim’s networks where the adversary could then exfiltrate data.

Due to the enormity of this attack, forensic and threat intelligence information is still rapidly changing. For Cisco Secure and IoT customers, our security coverage and updates can be found at the Cisco Talos blog post here. At the time of this posting, SolarWinds customer exposure is stated to be less than 18,000 of the 30,000 Orion platform customers.

What do you do about it?

Per an advisory published by the Cybersecurity & Infrastructure Security Agency, or CISA, potential victims should identify which victim category they fall into based on whether or not they installed the following binaries and contacted the command and control (C2) server: avsvmcloud[.]com

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

To determine a level of concern, CISA has also given these categories to help you understand risks and perform incident response as necessary.

  • Category 1: includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.
  • Category 2: includes those who have identified the presence of the malicious binary—with or without beaconing to avsvmcloud[.]com. Owners with infected appliances communicating with avsvmcloud[.]com but not with a secondary C2—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.
  • Category 3: includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020— not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.
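The CISA categories above are a decision procedure over three inputs: the installed Orion build, any beaconing to avsvmcloud[.]com, and any secondary C2 destination or unexplained cessation of beaconing before December 14, 2020. The following Python script is an added example (not CISA’s or Cisco’s own tooling) that encodes that procedure and runs it over a constructed host inventory and a constructed outbound DNS/proxy log. The version list is taken from the advisory; the host names, subdomains, the `secondary-c2.example` destination and the unaffected build number are placeholders, and the log is assumed to contain only destinations already outside each host’s normal baseline.

```python
"""Assign CISA victim categories for the SolarWinds Orion compromise.
Added example, not CISA's or Cisco's tooling. Hosts, log lines and
non-advisory version strings below are CONSTRUCTED placeholders."""
from datetime import datetime

# Orion builds the CISA advisory names as carrying the malicious binary.
AFFECTED_VERSIONS = {
    "2019.4.5200.9083": "Orion Platform 2019.4 HF5",
    "2020.2.100.12219": "Orion Platform 2020.2 RC1",
    "2020.2.5200.12394": "Orion Platform 2020.2 RC2",
    "2020.2.5300.12432": "Orion Platform 2020.2 / 2020.2 HF1",
}
STAGE1_DOMAIN = "avsvmcloud.com"
# Beaconing that stopped before this date, without defender action, is Category 3.
CUTOFF = datetime(2020, 12, 14)

# Constructed outbound log: "<UTC timestamp> <host> <destination domain>".
# Assumption: only destinations outside each host's baseline are present, and
# the log covers the whole monitoring window up to the moment of triage.
SAMPLE_LOG = """\
2020-11-20T02:11:09Z orion01 sub1.avsvmcloud.com
2020-12-15T02:13:44Z orion01 sub1.avsvmcloud.com
2020-11-21T04:00:12Z orion02 sub2.avsvmcloud.com
2020-12-01T04:02:55Z orion02 sub2.avsvmcloud.com
2020-11-22T05:30:00Z orion04 sub4.avsvmcloud.com
2020-11-23T05:31:10Z orion04 secondary-c2.example
"""

# Constructed inventory: host -> installed Orion version.
SAMPLE_INVENTORY = {
    "orion01": "2020.2.5300.12432",
    "orion02": "2019.4.5200.9083",
    "orion03": "2020.2.9999.00000",   # hypothetical build not on the affected list
    "orion04": "2020.2.100.12219",
}


def parse_log(text):
    """Group (timestamp, domain) pairs per host from the whitespace-separated log."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        events.setdefault(host, []).append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), domain.lower()))
    return events


def is_stage1(domain):
    """True for the advisory's first-stage C2 domain or any subdomain of it."""
    return domain == STAGE1_DOMAIN or domain.endswith("." + STAGE1_DOMAIN)


def classify(version, connections, defender_blocked=False):
    """Return (category, reason) following the CISA categories quoted above.

    defender_blocked records whether the cessation of beaconing was caused by
    the defenders themselves (e.g. a sinkhole or firewall rule), which the
    advisory excludes from the Category 3 "suddenly cease" rule."""
    if version not in AFFECTED_VERSIONS:
        return 1, "identified malicious binary not present; patch and resume per risk evaluation"
    stage1 = sorted(ts for ts, d in connections if is_stage1(d))
    secondary = sorted({d for _, d in connections if not is_stage1(d)})
    if secondary:
        return 3, "secondary C2 activity to " + ", ".join(secondary) + "; begin incident response"
    if stage1 and stage1[-1] < CUTOFF and not defender_blocked:
        return 3, "beaconing ceased before 2020-12-14 without defender action; begin incident response"
    if stage1:
        return 2, "beaconing to avsvmcloud.com only; confirm no secondary C2, then harden and reinstall"
    return 2, "malicious binary present, no beaconing observed; harden and reinstall"


def triage(inventory, log_text, blocked_hosts=frozenset()):
    """Classify every host in the inventory, using the log for its connections."""
    events = parse_log(log_text)
    return {host: classify(version, events.get(host, []), host in blocked_hosts)
            for host, version in inventory.items()}


if __name__ == "__main__":
    for host, (category, reason) in sorted(triage(SAMPLE_INVENTORY, SAMPLE_LOG).items()):
        print(f"{host}: Category {category} ({reason})")
```

In the sample, orion01 keeps beaconing past the cut-off and lands in Category 2, orion02 goes quiet on December 1 with no defender action and is therefore Category 3, and orion04 is Category 3 on the strength of its secondary destination. Passing `blocked_hosts={"orion02"}` records that defenders cut the beacon themselves and moves that host back to Category 2, which is the distinction the advisory draws.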

What does this mean?

The SolarWinds Orion compromise is an incredibly impactful attack across numerous industrial verticals, especially electric subsectors concerned with critical infrastructure. This will perhaps be regarded in the same category as NotPetya or CCleaner as another successful nation-state supply chain attack with vast ramifications. As this is a recently discovered attack, both in breadth and scope, we will be unpacking the damage done and discovering new forensic details for a considerable amount of time. Now is as good a time as any to consider your operating risks and the cyber threats to your business continuity.

As potentially damaging as the SolarWinds compromise could be, it could also be a catalyst for positive change for your enterprise. We would encourage you to think about your converged IT/OT architectures – what exposures and risks do you have not just from something like the SolarWinds compromise, but with any enterprise products that straddle both information and operational technology enterprises. Could you identify all the risks and exposures you have? From fundamental asset identification and network mappings and data flows, to unpatched vulnerabilities and process identification, there is a lot to consider.

It is also important to note that the attack on the SolarWinds Orion platform can absolutely cause an unwanted disruption in an operational network. Due to the pervasive nature of this platform, its tendrils can extend very far into the spine of an operational technology environment. From assigning IPs and port security, to Active Directory integrations, to patch management and network monitoring, SolarWinds Orion can run very deep into networks. This is largely undesirable for security reasons, but many enterprises may view it as a necessary evil to maintain a large and complex infrastructure.

Furthermore, due to the nature of how products like SolarWinds Orion manage the infrastructure, they require stored credentials and keys to be put in place to deliver that ease of use. This has long been the dilemma faced in IT/OT infrastructure: fewer people managing larger-scale networks using the convenience of ‘single pane of glass’ tools. These create security holes, and it is really up to the enterprise to weigh the risk vs. reward.


Long gone are the halcyon days of only external cyber risks to your enterprise. As organizations outsource all or parts of their IT and make heavier use of cloud services, their cybersecurity relies even more on that of their suppliers. We now live in an era of nation-state compromised supply chains that could impact your enterprise in profound ways. Given the considerable burden of managing your enterprise’s security, and now contending with nation-state supply chain attacks, it can likely feel overwhelming as a defender. Our suggestion: start at the basics and work forward. Ask yourselves what’s the worst day you could have and plan your risks accordingly.

Consider strategies like operating your industrial infrastructure in a zero trust model that can help mitigate damage done, not just against the SolarWinds compromise, but against ransomware or other malware attacks. Consider how well you know your networks, and if you know what there is to protect. Think about security monitoring and protections in your OT environments. Consider emergency response playbooks for cyber incident response. Consider safety concerns if an attack impacts your operations, or your regulatory compliance.

Ultimately, these are all difficult questions with complex answers, but the resilience and safety of your organization are worth the journey. Here is how Cisco can help:

Cisco Cyber Vision has been specifically developed for OT and IT teams to work together to ensure continuity, security, resilience and safety of your industrial operations. Cyber Vision has behavioral analysis and Snort® intrusion detection capabilities to detect malicious traffic. The latest Cyber Vision knowledge base includes Cisco Talos IDS signatures to detect SolarWinds attacks. If you have not done so already, we recommend you install it today by downloading it here.

Cisco Talos Incident Response (CTIR) provides a full suite of proactive and emergency services to help you prepare, respond and recover from a breach. CTIR enables 24-hour emergency response capabilities and direct access to Cisco Talos, the world’s largest threat intelligence and research group.

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools.

Cloud Mailbox Defense: End Users Share the Product Highlights Driving Their Success

This blog was written & authored by Rob Tappenden, Technical Marketing Engineering Leader at Cisco

Simplicity. This was the key fundamental principle of Cloud Mailbox Defense that we introduced in our earlier blogs. So how did the first customers and partners to try Cloud Mailbox Defense (CMD) think we did? “We have tested dozens of solutions. Cloud Mailbox Defense is the first solution that is ‘as easy as it claims to be’. There are no hidden architecture requirements, no additional configuration step and no misleading claims” said Anthony Gates, EVP/GM Rhino Networks.

In case you are not familiar with Cloud Mailbox Defense (I’d encourage you to read through some of my earlier blogs), this is our new supplementary security solution that allows you to take command of your Microsoft 365 mailboxes. It’s a cloud native solution focused on three core principles.

Cloud Mailbox Defense capabilities

Now simplicity may be the cornerstone of Cloud Mailbox Defense, but can a security product be too simple to be effective? After all, as more and more email moves to the cloud, some Gartner clients “report dissatisfaction with natively available capabilities” of their cloud email providers. That’s why it’s critical to blend this simplicity with 20 years of email security experience and the power of Cisco’s Talos threat intelligence, to give you a secure outcome you can see across all of your messages in your Microsoft 365 domain. To validate this, we have been running approximately three quarters of a million customer and partner emails through our solution per day to allow them to tell us whether we have realized our principles.

Their verdict?

Just like simplicity, once again we’ve delivered. According to Craig Ouzounian from Chevron Corporation, “You get a full picture, that east-west visibility that we don’t have today.” This comprehensive visibility is combined with the power of Cloud Mailbox Defense’s cloud native search and triage. Brian Kang from SecurView stated, “I don’t even bother to run a message trace in Microsoft, I just do it right here [in CMD].” CMD’s value isn’t only in its ability to provide additional security context, it also reduces administrative overhead. Harry Singh from VOX Network Solutions highlighted that, “The speed and ease of use, compared with the Microsoft one, is a huge improvement. If I go into the Microsoft Advanced Threat Protection search, it takes forever. I use PowerShell because the search is so slow, it’s work. I can’t just do it on the ATP side.”

Visibility. Simplicity. Integration. Delivered on Microsoft 365 email. We said it and we meant it. That’s the Cloud Mailbox Defense reality.

Naturally we’re thrilled about the feedback we’re receiving from our customers and partners, but rest assured we’re not done. Cloud email expectations and the threat landscape continue to evolve at a phenomenal pace. Cloud Mailbox Defense has an exciting roadmap ahead of it, leveraging the power of the SecureX platform and the whole Cisco Secure portfolio to be the premier Cloud Email Supplementary Security product of choice for your needs today and in the future.

Start your free 30-day trial of Cloud Mailbox Defense today and check out the At-A-Glance for more details about Cloud Mailbox Defense.

Desktops in the Data Center: Establishing ground rules for VDI

Since the earliest days of computing, we’ve endeavored to provide users with efficient, secure access to the critical applications which power the business.

From those early mainframe applications being accessed from hard-wired dumb terminals to the modern cloud-based application architectures of today, accessible to any user, from anywhere, on any device, we’ve witnessed the changing technology landscape deliver monumental gains in user productivity and flexibility.  With today’s workforce being increasingly remote, the delivery of secure, remote access to corporate IT resources and applications is more important than ever.

Although the remote access VPN has been dutifully providing secure, remote access for many years now, the advantages of centrally administering and securing the user desktop through Virtual Desktop Infrastructure (VDI) are driving rapid growth in adoption.  With options including hosting of the virtual desktop directly in the data center as VDI or in the public cloud as Desktop-as-a-Service (DaaS), organizations can quickly scale the environment to meet business demand in a rapidly changing world.

Allowing users to access a managed desktop instance from any personal laptop or mobile device, with direct access to their applications, provides cost efficiencies and great flexibility with lower bandwidth consumption... and it’s more secure, right? Well, not so fast!

Considering the Risks

Although it addresses some of the key challenges in enabling a remote workforce, VDI introduces a whole new set of considerations for IT security. After all, we’ve spent years keeping users OUT of the data center... and now, with VDI, the user desktop itself resides on a virtual machine hosted directly inside the data center or cloud, right inside the perimeter security that is there to protect the organization’s most critical asset: the data!

This raises some important questions around how we can secure these environments and address some of these new risks.

  • Who is connecting remotely to the virtual desktop?
  • Which applications are being accessed from the virtual desktops?
  • Can virtual desktops communicate with each other?
  • What else can the virtual desktop gain access to outside of traditional apps?
  • Can the virtual desktop in any way open a reverse tunnel or proxy out to the Internet?
  • What is the security posture of the remote user device?
  • If the remote device is infected by virus or malware, is there any possible way that might infect the virtual desktop?
  • If the virtual desktop itself is infected by a virus or malware, could an attacker access or infect other desktops, application servers, databases, etc.? Are you sure?

With VDI solutions today ranging from traditional on-premises solutions from Citrix and VMware to cloud offered services with Windows Virtual Desktop from Azure and Amazon Workspaces from AWS, there are differing approaches to the delivery of a common foundation for secure authentication, transport and endpoint control.  What is lacking however, is the ability to address some of the key fundamentals for a Zero Trust approach to user and application security across the multiple environments and vendors that make up most IT landscapes today.

How can Cisco Secure Workload (Tetration) help?

Cisco Secure Workload (Tetration) provides zero trust segmentation for VDI endpoints AND applications.  Founded on a least-privilege access model, this allows the administrator to centrally define and enforce a dynamic segmentation policy to each and every desktop instance and application workload.  Requiring no infrastructure changes and supporting any data center or cloud environment, this allows for a more flexible, scalable approach to address critical security concerns, today!

Establishing Control for Virtual Desktops

With Secure Workload, administrators can enforce a dynamic allow-list policy which allows users to access a defined set of applications and resources, while restricting any other connectivity. Virtual desktops are typically connected to a shared virtual network, leaving a wide-open attack surface for lateral movement or malware propagation, so this policy provides an immediate benefit by restricting desktop-to-desktop communication.

This flexible policy allows rules to be defined based on context, whether identifying a specific desktop group/pool, application workloads or vulnerable machines, providing simplicity in administration and the flexibility to adapt to a changing environment without further modification.

  • Do your VDI instances really need to communicate with one another?

With a single policy rule, Secure Workload can enforce a desktop isolation policy to restrict communication between desktop instances without impacting critical services and application access.  This simple step will immediately block malware propagation and restrict visibility and lateral movement between desktops.

Figure 1: Deny policy for virtual desktop isolation
Figure 2: Lateral communication between desktops blocked (inbound and outbound)
  • Want to permit only a specific user group access to your highly sensitive HR application?

Secure Workload will identify the desktop instances and application workloads by context, continuously refreshing the allow-list policy rules to permit this communication as users log in and out of their virtual desktops and as the application workloads evolve.

Figure 3: Context based application access control
  • Need full visibility of which applications are being accessed, how and when?

Tetration not only enforces the allow-list policy to protect your assets, but also records flow data from every communication, ensuring continuous near-real-time compliance monitoring of traffic to identify malicious or anomalous behaviors.

  • Need to meet segmentation requirements for regulatory compliance?

Natural language policy definition based on dynamic labels and annotations ensures traffic complies with regulatory policy constraints from one well-defined policy intent.

  • Require the ability to automatically quarantine vulnerable virtual desktops or application workloads to protect against exploit?

Tetration natively detects vulnerable software packages to apply automated policy controls which only apply until remediation.

All offered from SaaS, this can be achieved without any change to existing infrastructure, with distributed enforcement at scale from virtual desktops to application workloads for end to end protection.
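To make the allow-list model above concrete, here is an added example that is not Secure Workload’s own policy language or code. It models label-driven segmentation: workloads carry context labels (role, pool, logged-in user group, quarantine state), rules select on labels rather than addresses, the first matching rule wins, and anything unmatched is denied. Re-labelling a desktop on login, logout or quarantine changes its effective policy without editing a rule. The label names, rule names and the two-desktop scenario are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Workload:
    """A VDI desktop or application workload, identified by context labels (assumed label scheme)."""
    name: str
    labels: dict


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: dict                    # label selector: every key in it must match the source labels
    dst: dict                    # label selector for the destination
    ports: Optional[set] = None  # None = any port


def selector_matches(selector: dict, labels: dict) -> bool:
    # An empty selector matches every workload; a missing label never matches.
    return all(labels.get(key) == value for key, value in selector.items())


def evaluate(rules: list, src: Workload, dst: Workload, port: int) -> tuple:
    """First matching rule wins. No match means deny (allow-list semantics)."""
    for rule in rules:
        if (selector_matches(rule.src, src.labels)
                and selector_matches(rule.dst, dst.labels)
                and (rule.ports is None or port in rule.ports)):
            return rule.action, rule.name
    return "deny", "default-deny"


def build_policy() -> list:
    """Policy intent stated once, in terms of labels; it never mentions an IP address."""
    return [
        # Quarantine outranks everything: a workload flagged vulnerable loses all access
        # until the label is removed at remediation.
        Rule("quarantine-out", "deny", {"quarantined": "yes"}, {}),
        Rule("quarantine-in", "deny", {}, {"quarantined": "yes"}),
        # Desktop isolation: no desktop-to-desktop traffic on any port.
        Rule("desktop-isolation", "deny", {"role": "desktop"}, {"role": "desktop"}),
        # Only a desktop where an HR user is logged in may reach the HR app, and only over HTTPS.
        Rule("hr-app-access", "allow",
             {"role": "desktop", "user_group": "hr"}, {"app": "hr-portal"}, {443}),
        # Every desktop may reach shared infrastructure, but only on the listed ports.
        Rule("infra-dns", "allow", {"role": "desktop"}, {"app": "dns"}, {53}),
        Rule("infra-fileshare", "allow", {"role": "desktop"}, {"app": "fileshare"}, {445}),
    ]


def simulate() -> dict:
    """Constructed scenario: two desktops in one pool and three application workloads."""
    rules = build_policy()
    alice = Workload("vdi-alice", {"role": "desktop", "pool": "pool-a", "user_group": "hr"})
    bob = Workload("vdi-bob", {"role": "desktop", "pool": "pool-a", "user_group": "eng"})
    hr_app = Workload("hr-portal", {"role": "app", "app": "hr-portal"})
    dns = Workload("dns-01", {"role": "app", "app": "dns"})
    share = Workload("files-01", {"role": "app", "app": "fileshare"})

    decisions = {
        "alice->hr_app:443": evaluate(rules, alice, hr_app, 443)[0],
        "bob->hr_app:443": evaluate(rules, bob, hr_app, 443)[0],
        "alice->bob:445": evaluate(rules, alice, bob, 445)[0],
        "bob->share:445": evaluate(rules, bob, share, 445)[0],
        "bob->share:22": evaluate(rules, bob, share, 22)[0],
        "alice->dns:53": evaluate(rules, alice, dns, 53)[0],
    }

    # Context changes re-label the workloads; the rule list above is untouched.
    alice.labels.pop("user_group")             # Alice logs out of her desktop
    decisions["alice(logged out)->hr_app:443"] = evaluate(rules, alice, hr_app, 443)[0]

    bob.labels["quarantined"] = "yes"          # vulnerability scan flags Bob's desktop
    decisions["bob(quarantined)->share:445"] = evaluate(rules, bob, share, 445)[0]
    decisions["alice->bob(quarantined):445"] = evaluate(rules, alice, bob, 445)[0]

    del bob.labels["quarantined"]              # patched: quarantine label removed
    decisions["bob(remediated)->share:445"] = evaluate(rules, bob, share, 445)[0]
    return decisions


if __name__ == "__main__":
    for flow, verdict in simulate().items():
        print(f"{verdict:5}  {flow}")
```

The ordering matters: the quarantine and isolation denies sit above the allows so that a compromised or vulnerable desktop cannot inherit access from the broad infrastructure rules, and the implicit default deny at the end is what makes this an allow-list rather than a block-list.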

Ready to get started?  Find out more about Cisco Secure Workload

Out today: Defending against critical threats: A 12 month roundup

Inside, we take a retrospective look at cyber threats, and how they have evolved in the last 12 months. In something a little different to our previous reports, we’ve designed this in a magazine style format to include both interviews with security experts, and research driven features.

Our intention is to help inform strategic decision-making, as organizations prepare for threats they may encounter in the future. 

As a couple of callouts, we’ve included articles that address the ways cyber criminals sought to take advantage of the COVID-19 pandemic, be it through phishing campaigns, leveraging the great migration to remote work, or even going after health care organizations themselves.

Our interview with Esmond Kane, CISO for Steward Health Care, also shines a light on how COVID-19 impacted those on the security front line. 

In other topics, we’ve seen a large evolution in ransomware over the past year. Edmund Brumaghin, threat researcher for Cisco Talos, has pulled together some terrific research on Big Game Hunting attacks. This is when cyber criminals seek to maximize the impact of a ransomware deployment by targeting backup systems, domain controllers, and other business-critical servers during a “post-compromise” phase. 

Our cover feature is the topic of election security. Cisco Talos spent four years conducting hands-on research into this field, and within this publication we have an interview with Matt Olney, Director of Talos threat intelligence and interdiction (who led this research), to capture his thoughts post-election. 

As our team were pulling this magazine together, what really struck me was that the topics illustrate how cyber threats impact our lives on a human level: from threats against our democracy, to our healthcare, to the organizations we work within. 

I hope you enjoy the read.

Click to read ‘Defending against critical threats: A 12 month roundup’

For more on these threat topics, take a listen to the latest episode of the Security Stories podcast.

Ben Nahorney, (my co-editor for the magazine), and I are joined live by Edmund Brumaghin to learn more about big game hunting attacks. Plus, we have the full interview with Esmond Kane to hear more about his experiences leading security on the front line of healthcare.

Listen below, or on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from.


Rob Joyce is the new NSA Cyber Director

The U.S. National Security Agency has appointed Rob Joyce, who has long experience in US cybersecurity, as the agency’s new director of cybersecurity.

The National Security Agency (NSA) has appointed US cybersecurity official Rob Joyce as the new chief of the Cybersecurity Directorate. Joyce had served as the NSA’s top representative in the UK since 2018. He succeeds Anne Neuberger, who was recently appointed Deputy National Security Advisor for Cyber and Emerging Technology on the National Security Council (NSC). Neuberger had been the director of the directorate since its creation in 2019.

Joyce also served as senior advisor to the NSA director on cybersecurity strategy.

Joyce has previously held other roles at the NSA, including chief of Tailored Access Operations (TAO), now Computer Network Operations, which is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA).

Rob Joyce also served as deputy director of the Information Assurance Directorate (IAD).

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, NSA)

The post Rob Joyce is the new NSA Cyber Director appeared first on Security Affairs.

President Biden’s Peloton exercise equipment under scrutiny

President Joe Biden can’t bring his Peloton exercise equipment to the White House due to security reasons.

According to a Popular Mechanics report, President Joe Biden is going to move to the White House and likely he will have to give up his Peloton exercise equipment for security reasons.

Peloton exercise equipment’s popularity surged during the pandemic; it allows users to work out from home while interacting with each other within an online community.


Peloton devices are connected online and are equipped with a camera and microphone that give users an immersive experience and communications capabilities. On the other hand, these features pose a potential risk to the user in case of a hack, and President Joe Biden is a privileged target.

To secure the exercise equipment, Biden’s Peloton may have to be modified, removing the microphone, camera and networking equipment.

“If you really want that Peloton to be secure, you yank out the camera, you yank out the microphone, and you yank out the networking equipment … and you basically have a boring bike,” Max Kilger, Ph.D., director of the Data Analytics Program and Associate Professor in Practice at the University of Texas at San Antonio, told Popular Mechanics. “You lose the shiny object and the attractiveness.”

The case has a precedent: three years ago The Verge revealed that a person close to the company confirmed that Michelle Obama had a Peloton, but it was a modified model, without a camera or microphone.

Peloton runs a custom operating system built on top of Android and is equipped with networking hardware to join the user’s home WiFi network or a hard-wired connection such as Ethernet.

“That allows the bike to communicate with your Apple Watch or Fitbit, which are internet-of-things (IoT) devices that contain microphones. If a hacker found a way to infect Biden’s Peloton, then it’s theoretically possible they could hop from the bike to the watch and vice versa,” Kilger added.

Several hacking communities online focus on IoT devices, including the Peloton equipment. The risk is that someone could find a way to compromise the equipment with malware, then move laterally within the host network and compromise any other connected device.

The report pointed out that Secret Service can take precautions to secure the gym sessions of the President. They could set up the bike in a special gym area where it is not allowed to discuss classified topics. Another countermeasure is to use a hardwired connection for the President’s Peloton equipment that’s separate from the rest of the White House network.


Pierluigi Paganini

(SecurityAffairs – hacking, Peloton)

The post President Biden’s Peloton exercise equipment under scrutiny appeared first on Security Affairs.

Siemens fixed tens of flaws in Siemens Digital Industries Software products

Siemens has addressed tens of vulnerabilities in Siemens Digital Industries Software products that can allow arbitrary code execution.

Siemens has addressed 18 vulnerabilities affecting some products of Siemens Digital Industries Software which provides product lifecycle management (PLM) solutions.

The vulnerabilities affect Siemens JT2Go, a 3D viewing tool for JT data (an ISO-standardized 3D data format), and the Teamcenter Visualization solution. JT2Go is a 3D JT viewing tool that allows its customers to view JT, PDF, Solid Edge, PLM XML with available JT, VFZ, CGM, and TIF data. Teamcenter Visualization software provides a comprehensive family of visualization solutions to access documents, 2D drawings and 3D models in a single environment.

“JT2Go and Teamcenter Visualization are affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens has released updates for both affected products and recommends to update to the latest versions.” states the advisory published by the vendor.

The company recommends limiting the opening of untrusted files on systems where JT2Go or Teamcenter Visualization is installed to mitigate the risk of attacks exploiting these issues. It also suggests applying a defense-in-depth concept to reduce the probability that untrusted code is run on the system.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory related to these security flaws.

According to CISA, the addressed flaws include Type Confusion, Improper Restriction of XML External Entity Reference, Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Untrusted Pointer Dereference, and Out-of-bounds Read.

The following products are affected by the vulnerabilities addressed by Siemens:

  • JT2Go: All versions prior to v13.1.0
  • JT2Go: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991
  • Teamcenter Visualization: All versions prior to V13.1.0
  • Teamcenter Visualization: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991

Several vulnerabilities addressed by the vendor received a CVSS v3 base score of 7.8, including:

The flaws were reported by two researchers through Trend Micro’s Zero Day Initiative (ZDI) and the U.S. CISA.

Siemens also addressed six vulnerabilities in its Solid Edge solution, which provides software tools for 3D design, simulation and manufacturing. The flaws could lead to arbitrary code execution and information disclosure.

“Solid Edge is affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. Siemens has released an update for Solid Edge and recommends to update to the latest version.” reads the advisory.


Pierluigi Paganini

(SecurityAffairs – hacking, Siemens)

The post Siemens fixed tens of flaws in Siemens Digital Industries Software products appeared first on Security Affairs.

Election Security: A conversation with Matt Olney from Cisco Talos

Next week we will publish our third annual “Defending Against Critical Threats” report; a roundup of some of the most impactful cyber attacks from the past 12 months.

Included in the publication are articles about how cyber criminals sought to take advantage of the COVID-19 pandemic. We also cover Big Game Hunting attacks, whereby cyber criminals seek to monopolize a ransomware deployment in a ‘post compromise’ phase.

Of course, last year saw one of the most momentous general elections in United States history, and Cisco Talos have spent the last four and a half years conducting hands on research into election security. In the publication coming next week, we have an interview with the leader of that research, Matt Olney, to capture his thoughts post-election.

We didn’t have room for the interview in its entirety however, so whilst we’re dotting the i’s and crossing the t’s on the final report, we thought we would bring you some extracts from my conversation with Matt, as a bit of an aperitif of what’s to come next week:


Four and a half years ago you and the team decided to put a large amount of resource into researching and investigating election security. What triggered this decision?

The inciting event was the 2016 breach of the Democratic National Committee servers. The news first emerged in the Washington Post, and was quickly confirmed by the New York Times.

We started gathering information, and it soon became clear that this was a case of a foreign adversary orchestrating an attack on our elections. The decision part was easy: I wanted our team to be able to help fight against this.


At that point, did you know how much research you were going to undertake? How did you start your investigation?

I had a sense, yes. But at that point in 2016, I also didn’t know what I didn’t know.

To start things off, I called David Liebenberg, who is still on my team and now heads my strategic analysis team. I asked him, “Could you call all 50 secretaries of states and ask them how they handle security?”

The secretaries’ offices weren’t super enthusiastic about someone who cold called them out of the blue, wanting them to answer questions about the security of their system. But that’s what we did, and thanks to David’s efforts we got several breakthroughs.

For example, the Georgia Secretary of State’s office redirected us to an expert at Kennesaw State University, where they had a research organization into elections.

They were the first people to talk to us about the uniqueness of the economy that surrounds election security, and the relationship between vendors and the Secretary of State’s office and how conscious of mitigations they are.


What was the political context at the time, and what was the overall process for election security in 2016?

After the 2016 DNC breach, the Department of Homeland Security became the critical infrastructure touch point from the federal government for election security. But that wasn’t without pushback.

This was at a point when Barack Obama was still President. There were very strong counters, primarily from Republican states, against federal intrusion into state elections.

That was a very difficult time, because the United States is made up of counties, and the states themselves run the elections. The federal government had no real role in the administration of them. So there were a lot of challenges there.

At the time I remember thinking that this was crazy, and that there really should be more federal involvement in election security. But I came to acknowledge that it was going to be a very challenging ask in 2016 to have the federal government provide any real value (in terms of assistance into election security) before the elections that happened in November of that year.


Amongst those challenges, what was your next step? 

The Mississippi Secretary of State’s office invited us to come on site for a week to dig into how their systems are built, and learn what mitigations they have in place. We were also able to share our insights into adversary behavior, and how attackers might target election infrastructure.

We learned an incredible amount about how election administrators think about elections because of that experience.

We also had a really useful ally at the Cyber Threat Alliance, Neil Jenkins, who is the Head of Data Analysis and Intelligence. In 2016, he was the point person at the Department of Homeland Security for election security issues.

We sat down with him and had a conversation, and he was the first person to point out that the people behind running elections are absolutely outstanding. They think in terms of contingencies, because they know that they have one chance to run an election on one day. They therefore anticipate thousands of different scenarios, from everything down to the whole county being flooded.

I think that’s one of the things that’s hard for a lot of people to understand. When you run an election in a country with 328 million people in it, there’s inevitably going to be problems that come up. But those problems aren’t an indication of malicious behavior necessarily. And so how you handle the situation is what determines your success. That’s why election officials are so outstanding – because they have so many standards and procedures in place.

This became very apparent in our conversations in Mississippi. We were constantly asking, “What if this happens?” or “How do you control for this?” And every single time they had an answer, no matter what we threw at them. There was never a point where they said, “Oh, we never thought of that.”

I think about this a lot when I see all the election security conspiracy theories. When someone can think of something that would cause that system problems, they immediately assume that they’ve found some nefarious backdoor. But the system is built to handle things like this.

There’s a great example from Ohio. Ohio was the second state we visited and I remember sitting down with the election officials team, discussing how they handled disinformation campaigns.

They told us a story about how they were monitoring Twitter. They had a system with a whole bunch of keywords set up, and any time a keyword showed up they would get an alert. And they found a gentleman in Ohio who was going from precinct to precinct, voting at each of them. He then went onto Twitter and YouTube and videoed himself saying, “Look, I can vote multiple times and they’re letting me do it. This election is a sham.”

The team in Ohio reached out to this gentleman and said, “A couple things: One, the first time you cast your vote it was counted, but every subsequent time you cast your vote, you actually cast what’s called a provisional ballot, because you were at the wrong precinct. So before that ballot is counted, you’re going to be checked to see if you voted previously. Also, you’re kind of committing a felony here.”

From the outside, the story is that this guy voted 10 times, but that’s not how the system works. It’s built, as per federal law, from the Help America Vote Act, where provisional ballots help to assure Americans that, even if there’s a small hiccup in the process, that there’s a chance for their vote to be counted. And that vote will be validated and then counted.

It’s all part of the controls that the system has in place to protect the franchise of American voters. Yes, it’s a complicated system, and it’s different in every state, but there are controls at every point along the way.


What would you say is the greatest challenge that you came up against during the course of your research over the four and a half years?

There isn’t a huge amount of transparency about election security, for obvious reasons. But it’s also partly because, in the past, certain security researchers have taken a very antagonistic approach to talking about these issues.

There was one example which I can recall from a presentation at DEF CON. It was by a security researcher who shall remain nameless. The National Association of Secretaries of State came back after the presentation and said it didn’t fully represent the defensive state of elections.

The response of the researcher was to turn around and say, “Well, you’re just a bunch of ******* luddites.”

A few years later I sat in a meeting with the National Association of Secretaries of State, and the Director just so happened to be sitting next to me.

I said to her, “I’m here to learn about what makes your systems unique, and to share my expertise in this space. I’m here to be a partner, I’m not here to tell you what to do or to cause problems. I would never, for example, call you a luddite.”

She turned to me with a grin and said, “A ******* luddite.”

The insult, quite understandably, had stayed with her all this time.

Because of that type of behavior from others in our field, for every interaction we had with the Secretary of State’s offices, we had to get over that hurdle of, “We’re not here to be that person. That’s not the kind of experience we want you to have.”

I’m not overstretching this by saying that election security officials had a PTSD mentality with threat researchers. Those researchers weren’t looking for a partnership, they were looking for notoriety.

We were very clear that we wanted to be a partner in this process, because we understood that they are the people who specialise in elections. We specialise in nation state actors. Between the two of us, we could come out of the other side of this with a better outcome.


Don’t miss the full interview with Matt in next week’s publication of ‘Defending Against Critical Threats: A 12 month roundup’.

In the meantime, you can subscribe to the Security Stories podcast to hear more about the topics in the report in the next episode out on Tuesday.

And be sure to check out Talos’ election coverage at

Cisco says its RV routers will no longer receive updates

Cisco announced it will no longer release firmware updates to fix 74 vulnerabilities affecting its RV routers, which reached end-of-life (EOL).

Cisco will no longer release firmware updates to address 74 vulnerabilities affecting some of its RV routers that reached end-of-life (EOL).

The vendor will not release updates for RV110W, RV130, RV130W, and RV215W devices that reached EOL in 2017 and 2018, although Cisco provided paid support until December 1, 2020.

The list of flaws affecting the devices includes RCEs, DoS issues, command injection vulnerabilities and XSS bugs.

Cisco published a series of advisories for the affected devices. The advisory text reads:

“Cisco has not released and will not release software updates to address the vulnerabilities described in this advisory.” reads the advisory. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products:

End-of-Sale and End-of-Life Announcement for the Cisco Small Business RV Series Routers (selected models)

In order to exploit the flaws, an attacker needs valid credentials for the device.

The company is encouraging its customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.

Cisco is not aware of attacks exploiting the vulnerabilities described in the above advisories, and it noted that the flaws are not easily exploitable.

“The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.” concludes Cisco.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisco RV routers)

The post Cisco says its RV routers will no longer receive updates appeared first on Security Affairs.

Expert discovered a DoS vulnerability in F5 BIG-IP systems

A security researcher discovered a flaw in the F5 BIG-IP product that can be exploited to conduct denial-of-service (DoS) attacks.

The security expert Nikita Abramov from Positive Technologies discovered a DoS vulnerability, tracked as CVE-2020-27716, that affects certain versions of F5 BIG-IP Access Policy Manager (APM).

The F5 BIG-IP Access Policy Manager is a secure, flexible, high-performance access management proxy solution that delivers unified global access control for your users, devices, applications, and application programming interfaces (APIs).

The vulnerability resides in the Traffic Management Microkernel (TMM) component which processes all load-balanced traffic on BIG-IP devices.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts. (CVE-2020-27716)” reads the advisory published by F5. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

An attacker could trigger the flaw by simply sending a specially crafted HTTP request to the server hosting the BIG-IP configuration utility, and that would be enough to block access to the controller for a while (until it automatically restarts).

“Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example unconsciously neglected by developers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies.” Nikita Abramov, researcher at Positive Technologies, explains.

The flaw impacts versions 14.x and 15.x; the vendor has already released security updates that address it.

In June, F5 Networks addressed another flaw, tracked as CVE-2020-5902, which resides in undisclosed pages of the Traffic Management User Interface (TMUI) of the BIG-IP product.

The vulnerability could be exploited by attackers to gain access to the TMUI component to execute arbitrary system commands, disable services, execute arbitrary Java code, create or delete files, and potentially take over the BIG-IP device.

The CVE-2020-5902 vulnerability received a CVSS score of 10, which means that it is quite easy to exploit. The issue could be exploited by sending a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Immediately after the public disclosure of the flaw, several proof-of-concept (PoC) exploits were released, some of them very easy to use.

A few days after the disclosure of the vulnerability in the F5 Networks BIG-IP product threat actors started exploiting it in attacks in the wild. Threat actors exploited the CVE-2020-5902 flaw to obtain passwords, create web shells, and infect systems with various malware.


Pierluigi Paganini


Operation Spalax, an ongoing malware campaign targeting Colombian entities

Security experts from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian government institutions and private companies.

Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian entities exclusively.

The attacks aimed at government institutions and private companies, most of them in the energy and metallurgical sectors. The campaign has been active since at least 2020; the attackers leverage remote access trojans to spy on their victims.

The attacks share some similarities with other campaigns targeting Colombian entities, in particular a campaign detailed by QiAnXin in February 2019. The operations described by QiAnXin are attributed to an APT group active since at least April 2018.

Below are the similarities found by ESET:

  • We saw a malicious sample included in IoCs of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
  • Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the earlier campaign.
  • The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
  • Some of the C&C servers in Operation Spalax use and subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the earlier campaign.

However, experts found differences in the attachments used for phishing emails, the remote access trojans (RATs) used, and the operators’ C&C infrastructure.

The attacks start with phishing messages that lead to the download of RAR archives hosted on OneDrive or MediaFire containing a malicious executable.

“We’ve found a variety of packers used for these executables, but their purpose is always to have a remote access trojan running on the victimized computer, usually by decrypting the payload and injecting it into legitimate processes.” continues the report. “We have seen the attackers use three different RATs: Remcos, njRAT and AsyncRAT.”


The phishing messages used a wide range of topics as lures, such as notifications of driving infractions, of court hearings to attend, and of mandatory COVID-19 tests to take.

ESET also documented the use of heavily obfuscated AutoIt droppers; in this attack scenario the first-stage malware performs the injection and execution of the payload. The malware uses two shellcodes contained in the compiled AutoIt script: the first one decrypts the payload and the second injects it into some process.

The RATs used in Operation Spalax implement several capabilities to spy on targets, such as keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to download and execute other payloads.

ESET pointed out that the attackers leveraged a large C2 infrastructure: experts observed at least 24 different IP addresses in use in the second half of 2020 alone. The attackers probably compromised devices to use them as proxies for their C2 servers. The threat actors also used dynamic DNS services to manage a pool of 70 different domain names (and also register new ones on a regular basis) that are dynamically assigned to IP addresses.

“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year,” ESET concludes. “The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.”


Pierluigi Paganini


New Year, New Outcomes: How We Can Do Better in 2021

At Cisco, it has long been our belief that when it comes to security, simplified and integrated is better. I’ve written a number of blogs about this lately, and I know what some of you are thinking: “Multi-product platform solution touted by multi-product platform vendor…surprise, surprise!” And that’s okay. After years of ever-increasing complexity, you have every right to be a tough crowd.

First, let me tell you that we put our money where our mouth is; last year marked a major milestone for our business and the industry. In 2020, we unveiled the result of a huge investment with the launch of our integrated platform, Cisco SecureX. By integrating both Cisco and third-party technologies, SecureX fosters greater visibility, automation, and collaboration. It protects your network, cloud, users, and applications all from a single place, boosting simplicity and efficiency.

But you’d be right to remain skeptical. While all of these capabilities sound great, do they actually result in better security? Yes, they do, but I’m not asking you to take my word for it. In our recent, worldwide, double-blind survey, over 4,800 respondents delivered a resounding ‘yes.’

Up-to-date, well-integrated tech leads to better protection

In the Cisco 2021 Security Outcomes Study, we analyzed the use of 25 security best practices to determine which ones had the greatest impact on improving organizational defenses. We surveyed more than 4,800 IT, security, and privacy professionals across 25 different countries, and from various industries and organizational sizes.

The study found that the two best practices that contribute most to overall security program success are: 1) proactively refreshing technology before it becomes outdated, and 2) making sure technology is well integrated. As can be seen in the below figure, these practices increased the probability of an organization achieving security success by an average of 12.7% and 10.5%, respectively. While we had no influence over these findings, they certainly bode well for SecureX customers.

Practices most strongly correlated with overall security program success

Cisco SecureX is embedded into every Cisco security product. At its very core is integration – not simply bringing together Cisco technologies, but also enabling security teams to integrate a wide range of third-party solutions. Its intuitive interface allows users to view security insights and analytics from multiple products all in one place, and maintain context while navigating consoles. This empowers security professionals to make faster and more informed decisions.

As for the #1 best practice in our report, proactive tech refresh, the cloud-native Cisco SecureX platform makes it easy for customers to start with just the technology they need, and add on over time – with access to new products (or product trials) in a single click. In fact, it’s been shown that organizations can get the SecureX platform up-and-running and begin to experience benefits in as little as 15 minutes.

The 2021 Security Outcomes Study also analyzed how much various security best practices increased organizations’ chances of achieving roughly a dozen specific security outcomes – for example, creating a strong overall security culture within an organization, recruiting talented security personnel, or maintaining a cost-effective security program. As seen below, the two practices of proactive tech refresh and well-integrated technology had a positive impact on every single one of these desired outcomes.

All security practices correlated with each security program outcome

Effect of various security practices on desired outcomes

Accurate detection, accelerated response, and automation are also key

Other best practices that had a positive impact on achieving many commonly desired security outcomes include: accurate threat detection, conducting timely incident response, and using automation effectively. SecureX can play a key role in helping organizations embrace all of these best practices.

Accurate detection & timely response

The foundational technology on which we built Cisco SecureX is Extended Detection and Response (XDR). Roughly 11,000 customers are already improving threat detection, investigation, and remediation with SecureX threat response.

According to Stephen Reinhard, IT Director for Ralph Sellers Automotive, “I would highly recommend SecureX threat response. It unites the ability to identify and act on actionable intelligence from multiple security products. It also reduces time to resolution for our team.”

Cisco SecureX boasts powerful XDR capabilities that help organizations fine-tune detection and IR processes. And according to our survey, this can improve many crucial security efforts including minimizing unplanned work, running cost-effectively, and garnering confidence in the security program from both peers and executives.

Using automation effectively

Automation is another important benefit driving the success of SecureX customers. SecureX orchestration allows users to take advantage of pre-built or easily customizable workflows to automate routine security tasks. Customers are saving hundreds of hours, and are reducing attack response time by as much as 85 percent.

“The bad guys are now moving at the speed of the machine, so our automation principle is to move at that same speed,” said Jesse Beauman, M.S., Assistant Vice Chancellor for Enterprise Infrastructure at UNC Charlotte. “Cisco solutions allow us to do so.”

According to our study, in addition to keeping up with the bad guys, automation can also help security groups run cost-effectively and meet the overall demands of the business, among other benefits.

Cross-team collaboration brings additional wins

Our report shows that IT and security teams working together has a positive impact on building a strong security culture and recruiting skilled security professionals – both worthy goals.

We also broke our survey data down into several specific regions and verticals. In the healthcare industry specifically, IT and security working together increased an organization’s ability to avoid major incidents by an average of nearly 16%, and increased the ability to minimize unplanned, resource-draining work by an average of roughly 20%.

By enabling teams to visualize and interact with security, networking, and IT technologies together, SecureX fosters greater collaboration between SecOps, ITOps, and NetOps groups. Based on our survey results, this can greatly improve overall security.

How can SecureX help you?

While this is far from an exhaustive list of Cisco SecureX benefits, we hope it gives you an idea of what organizations can achieve with an integrated security platform versus a plethora of disparate products. If you want to know more about our survey: 1) explore the findings for yourself with an interactive chart (in case, you know, you don’t want to take my word for it), 2) access the full Cisco 2021 Security Outcomes Study, and 3) check out our report blog series.

The nice thing about the study is that the results can be applied in a customizable way. Whether you want to improve your overall security, or achieve more specific goals, you can use the data to inform your security strategy.

Happy New Year!

Join us on January 21 for our next Cisco Secure Insights Summit, Defining the Industry Standard for XDR, to hear about the many benefits of a platform approach to security.


Pinpoint Your SolarWinds Exposure with Cisco Endpoint Security Analytics

As various private organizations and high-value government bodies figure out the blast radius of the recent state-sponsored SolarWinds attack, with Cisco Endpoint Security Analytics (CESA) in your toolkit you could quickly assess your own exposure…like the CESA customer noted below.

CESA brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform to help address the endpoint visibility gap left behind by traditional EDR/EPP solutions and network security analytics platforms.

CESA Closing the Endpoint Visibility Gap

So how does CESA accomplish this for the SolarWinds breach?  Well, it’s actually in its wheelhouse.

CESA’s ability to associate what endpoint accessed what domain, as well as what software processes and protocols were used, enables immediate visibility to what endpoints are exposed—for both on-net and off-net endpoints—within minutes.  How do we know?  Our CESA users have told us.

Here’s an excerpt from a customer email we received:

“(IR analyst) brought up a great point today while digging out of this Solarwinds mess. We were able to connect local Windows processes to domains that were reported in the IOC lists.   
With this information we could quickly understand what our endpoint exposure was for all managed hosts from their NVM logs. It also gave us a view into other domains that might have been associated with this attack, but not yet publicly published.

We likely never would have seen this data and could not explain our exposure to this severe threat.  (AnyConnect) NVM logs in Splunk once again helped to save the day.”

If you want to get deep on this, below is a sample CESA Splunk query tuned for this scenario that the customer used to discover stage-2 C&C activities from SolarWinds that their malware solution missed.

CESA Splunk-query:

earliest=-365d index=anyconnect (avsvmcloud OR digitalcollege OR freescanonline OR deftsecurity OR thedoccloud OR virtualdataserver OR websitetheme OR panhardware OR highdatabase OR incomeupdate OR databasegalore) | fields *

Below is an actual sample result from this simple query showing details of an endpoint exposed:

pr=”6″ sa=”″ sp=”59422″ da=”″ dp=”443″ fst=”Sat May 16 19:38:31 2020″ fet=”Sat May 16 19:38:32 2020″ udid=”3AECA…<redacted>…2504C3A66″ liuid=”<REDACTED>\<redacted>” liuida=”<REDACTED>” liuidp=”<redacted>” liuat=”32770″ pa=”NT AUTHORITY\SYSTEM” paa=”NT AUTHORITY” pap=”SYSTEM” puat=”2″ pn=”SolarWinds.BusinessLayerHost.exe” ph=”A650DE5170E4A1D6EB1DADE89BDE7215A30CD4C005BEC9C3241865B40220B9D0″ ppa=”NT AUTHORITY\SYSTEM” ppuat=”2″ ppn=”services.exe” pph=”9090E0E24E14709FB09B23B98572E0E61C810189E2DE8F7156021BC81C3B1BB6″ ibc=”445″ obc=”570″ ds=”<redacted>.com” dh=”” iid=”246″ mnl=””” mhl=”””
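As an added example (not the customer's query or Cisco's code), here is the same check the Splunk query performs, done offline in Python over NVM-style key="value" flow records: each raw event is tokenized the way Splunk segments it, matched against the indicator keywords from the query above, and the matching events are reduced to the endpoint (udid), user, process, process hash and destination, then summarized per endpoint. The sample records are constructed; the first one reuses the process name and hash from the record shown above, while udid, user, IP and host values are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Domain keywords copied from the CESA Splunk query on this page. A bare Splunk
# term matches any token of the raw event, so we segment the event the same way.
IOC_KEYWORDS = (
    "avsvmcloud", "digitalcollege", "freescanonline", "deftsecurity",
    "thedoccloud", "virtualdataserver", "websitetheme", "panhardware",
    "highdatabase", "incomeupdate", "databasegalore",
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # one key="value" pair of an NVM record
TOKEN_RE = re.compile(r"[a-z0-9]+")        # Splunk-like segmentation of the raw event

# Constructed NVM-style records (not real logs). Record 1 reuses the process name
# and hash from the page's sample; udid, users, IPs and host names are made up.
SAMPLE_RECORDS = [
    'pr="6" sa="10.0.0.12" sp="59422" da="203.0.113.10" dp="443" '
    'udid="CONSTRUCTED-UDID-0001" liuid="CORP\\jdoe" pa="NT AUTHORITY\\SYSTEM" '
    'pn="SolarWinds.BusinessLayerHost.exe" '
    'ph="A650DE5170E4A1D6EB1DADE89BDE7215A30CD4C005BEC9C3241865B40220B9D0" '
    'ppn="services.exe" ds="constructed-host.avsvmcloud.com" ibc="445" obc="570"',
    # benign browser traffic: must not match
    'pr="6" sa="10.0.0.13" sp="51000" da="203.0.113.20" dp="443" '
    'udid="CONSTRUCTED-UDID-0002" liuid="CORP\\asmith" pa="CORP\\asmith" '
    'pn="chrome.exe" ph="CONSTRUCTEDHASH0002" ppn="explorer.exe" '
    'ds="update.example.com" ibc="1200" obc="800"',
    # a second endpoint reaching a different indicator domain
    'pr="6" sa="10.0.0.14" sp="52222" da="203.0.113.30" dp="443" '
    'udid="CONSTRUCTED-UDID-0003" liuid="CORP\\svc-orion" pa="NT AUTHORITY\\SYSTEM" '
    'pn="SolarWinds.BusinessLayerHost.exe" ph="CONSTRUCTEDHASH0003" '
    'ppn="services.exe" ds="constructed-node.deftsecurity.com" ibc="300" obc="640"',
]


@dataclass(frozen=True)
class Exposure:
    udid: str          # endpoint identifier
    user: str          # logged-in user (liuid)
    process: str       # process that opened the flow (pn)
    process_hash: str  # SHA-256 of that process (ph)
    destination: str   # destination host name (ds), or address if no name logged
    keyword: str       # which query term matched


def iocs_in_event(raw: str) -> List[str]:
    """Keywords that occur as whole tokens anywhere in the raw event."""
    tokens = set(TOKEN_RE.findall(raw.lower()))
    return [kw for kw in IOC_KEYWORDS if kw in tokens]


def parse_record(raw: str) -> Dict[str, str]:
    """Split an NVM record into its key="value" fields."""
    return dict(KV_RE.findall(raw))


def find_exposures(records) -> List[Exposure]:
    """The 'which endpoint, user and process reached an indicator' view."""
    exposures = []
    for raw in records:
        hits = iocs_in_event(raw)
        if not hits:
            continue
        f = parse_record(raw)
        exposures.append(Exposure(
            udid=f.get("udid", ""), user=f.get("liuid", ""),
            process=f.get("pn", ""), process_hash=f.get("ph", ""),
            destination=f.get("ds") or f.get("da", ""),
            keyword=hits[0],
        ))
    return exposures


def summarize_by_endpoint(exposures) -> Dict[str, List[str]]:
    """Per endpoint, the sorted list of matched destinations."""
    by_udid = defaultdict(set)
    for e in exposures:
        by_udid[e.udid].add(e.destination)
    return {udid: sorted(dests) for udid, dests in by_udid.items()}


if __name__ == "__main__":
    for e in find_exposures(SAMPLE_RECORDS):
        print(f"{e.udid} {e.user} {e.process} ({e.process_hash[:12]}...) "
              f"-> {e.destination} [{e.keyword}]")
```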

CESA dashboard example: Monitoring endpoint traffic going across split VPN tunnels


CESA closes the endpoint visibility gap for events like this one with SolarWinds.  But there are many other bad things that happen in this endpoint gap.  CESA addresses endpoint security visibility use cases such as:

  • Unapproved applications and SaaS visibility
  • Endpoint security evasion
  • Attribution of user to device to application to traffic and destination
  • Zero-trust monitoring
  • Data loss detection
  • Day-zero malware and threat hunting
  • Asset inventory

In addition to the many benefits that CESA provides to close the endpoint visibility gap, Cisco Secure offers a platform approach with Cisco SecureX, a cloud-native, built-in platform experience.   With the Cisco Secure platform approach, you will be able to provide greater visibility, faster response and more efficient security operations.  Explore our integrated approach to find out how you can identify and contain 70% more malicious intent and risk exposure with 85% less dwell time.

Learn more about how CESA can protect your network and its endpoints.

Cisco addresses a High-severity flaw in CMX Software

Cisco addressed tens of high-severity flaws, including some flaws in the AnyConnect Secure Mobility Client and in its small business routers.

This week Cisco released security updates to address 67 high-severity vulnerabilities, including issues affecting Cisco’s AnyConnect Secure Mobility Client and small business routers (i.e. Cisco RV110W, RV130, RV130W, and RV215W). One of the flaws fixed by the tech giant, tracked as CVE-2021-1144, is a high-severity vulnerability that affects Cisco Connected Mobile Experiences (CMX), which is a smart Wi-Fi solution that uses the Cisco wireless infrastructure to provide location services and location analytics for consumers’ mobile devices. CMX supports your organization’s Wi-Fi and mobile engagement and allows them to directly deliver content to smartphones and tablets that are personalized to visitors’ preferences and pertinent to their real-time indoor locations.

The vulnerability, which received a CVSS score of 8.8 out of 10, could be exploited by a remote authenticated attacker to change the password of any user account on affected systems.

“A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” reads the advisory published by Cisco.

“The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”

The flaw affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2.

The vendor addressed the flaw with the release of software version 10.6.3; it also informed customers that there are no workarounds that address this issue.

Cisco also addressed a DLL Injection flaw, tracked as CVE-2021-1237, in Cisco AnyConnect Secure Mobility Client for Windows.

The flaw received a CVSS score of 7.8; attackers could exploit it to conduct a dynamic-link library (DLL) injection attack.

“A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.” reads the advisory.

“The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.”

Cisco also fixed a series of flaws in the management interface of the Small Business RV110W, RV130, RV130W, and RV215W Routers that could lead to remote command execution and denial-of-service attacks.


Pierluigi Paganini


CISA warns of recent successful cyberattacks against cloud service accounts

The US CISA revealed several recent successful cyberattacks against various organizations’ cloud services.

The Cybersecurity and Infrastructure Security Agency (CISA) announced that several recent successful cyberattacks hit various organizations’ cloud services.

According to the agency, the attackers conducted phishing campaigns and exploited the victims’ poor cyber hygiene practices in the configuration of their cloud services.

CISA has published a report that includes information collected exclusively from several CISA incident response engagements; this data is particularly valuable because it details the tactics, techniques, and procedures used by the threat actors and the indicators of compromise (IOCs). Data in the Analysis Report is not explicitly tied to the supply chain attack on the SolarWinds Orion Platform software.

“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” reads the report published by CISA.

The US agency revealed that threat actors bypassed multi-factor authentication (MFA) protocols to compromise cloud service accounts.

Attackers may have used browser cookies to defeat MFA with a “pass-the-cookie” attack (MITRE ATT&CK T1550.004).

Government experts confirmed that the threat actors initially attempted brute force logins on some accounts without success.

In at least one case, the attackers modified or set up email forwarding rules to redirect emails to an account under their control.

Threat actors also modified existing rules to search users’ email messages (subject and body) for keywords that could allow them to identify messages containing sensitive data (e.g., financial information) and forward them to their accounts.

“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” continues CISA.
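An added example, not from the CISA report, of how a defender would audit mailbox rules for the two abuses described above: rules that forward mail matching sensitive keywords to an external address, and rules that hide security warnings by moving them to the RSS Feeds or RSS Subscriptions folder. The rule records are constructed, and the field names follow the Exchange Online Get-InboxRule property names as an assumption about the export format; the internal domain and the external address are placeholders.

```python
from dataclasses import dataclass, field
from typing import List

# Assumption: the organization's own mail domain(s); everything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Folders attackers used (per the CISA report) or commonly use to hide mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email"}
# Keywords that make a forwarding rule look like data theft ...
SENSITIVE_WORDS = {"invoice", "wire", "transfer", "payment", "bank", "password"}
# ... and keywords that make a hiding rule look like warning suppression.
WARNING_WORDS = {"phishing", "suspicious", "security", "alert", "hacked", "compromised"}

# Constructed inbox rules (not real data); field names follow Get-InboxRule properties.
SAMPLE_RULES = [
    {"Identity": "alice\\Invoices", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "wire transfer"],
     "ForwardTo": ["constructed-attacker@example.net"],
     "MoveToFolder": None, "DeleteMessage": False},
    {"Identity": "alice\\Hide warnings", "Enabled": True,
     "SubjectOrBodyContainsWords": ["phishing", "suspicious login", "security alert"],
     "ForwardTo": [], "MoveToFolder": "RSS Feeds", "DeleteMessage": False},
    {"Identity": "bob\\Newsletter", "Enabled": True,
     "SubjectOrBodyContainsWords": ["newsletter"],
     "ForwardTo": [], "MoveToFolder": "Archive", "DeleteMessage": False},
]


@dataclass
class Finding:
    rule: str
    reasons: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule) -> Finding:
    """Collect the reasons one rule deserves analyst attention (empty list = fine)."""
    reasons = []
    words = {w.lower()
             for phrase in (rule.get("SubjectOrBodyContainsWords") or [])
             for w in phrase.split()}

    external = [a for a in (rule.get("ForwardTo") or []) if is_external(a)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
        if words & SENSITIVE_WORDS:
            reasons.append("forwarding condition keys on financial/credential keywords")

    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS or rule.get("DeleteMessage"):
        reasons.append("hides matching mail (moved to %r or deleted)" % rule.get("MoveToFolder"))
        if words & WARNING_WORDS:
            reasons.append("hidden messages match security-warning keywords")

    return Finding(rule["Identity"], reasons)


def audit_rules(rules) -> List[Finding]:
    """Findings for every enabled rule that triggered at least one reason."""
    findings = (audit_rule(r) for r in rules if r.get("Enabled", True))
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding.rule)
        for reason in finding.reasons:
            print("  -", reason)
```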

The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.

Last week, Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.

CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.

CISA added that it is investigating incidents in which threat actors abused Security Assertion Markup Language (SAML) tokens.


Pierluigi Paganini


Cisco Secure Workload Immediate Actions in Response to “SUNBURST” Trojan and Backdoor


The SUNBURST trojan and backdoor, as dubbed by FireEye researchers, which recently compromised multiple U.S. Government systems, highlights the complexity and connectedness of the modern enterprise IT environment as a security weakness. Recent reporting makes clear that the adversary took advantage of software complexity to deliver a highly refined attack affecting thousands of organizations. Even with many top-tier security controls in place, the attack was able to go unobserved for months.

This blog is not here to tell you that you can deploy one product, declare the job done, and never worry about this class of threats again. It will never be that easy. Creating an enterprise software architecture that has defense-in-depth baked in through multiple layers of fortification, including lateral movement control and least privilege, on the other hand, is a proven, repeatable, realistic, and implementable strategy.

In these attacks, there is always a chain of events, and the goal is to try to cut at least one of those links to protect your organization. Apply least privilege and zero trust segmentation controls to break as many links as possible in your application environment. The trick is to do this without bringing any services down, requiring infrastructure changes, or frustrating application owners.

We will define actionable zero trust segmentation controls that can be applied by Cisco Secure Workload with immediate effect to protect your enterprise from the “SUNBURST” trojan and backdoor. We will also present advice on zero trust segmentation and least privilege models to help protect you on an ongoing basis, as applying restrictions only to SolarWinds machines and their communication is not enough. If already exploited, the adversary has now moved laterally and the problem then becomes not only what SolarWinds can or cannot talk to, but how all application workloads communicate.

In your own environment, run a thought experiment and compute the possible ‘hops’ from a management or monitoring tool like SolarWinds Orion, to a monitored workload, to your most critical data. Chances are, without proper lateral movement control, the number will be uncomfortably low. Use Cisco Secure Workload to raise it.

Cisco Secure Workload Recommendations

In line with Cisco Talos recommendations, all organizations that use the SolarWinds Orion IT monitoring and management software are urged to follow the guidance from DHS and CISA along with the related guidance from SolarWinds to further secure these environments.

As highlighted above, initial steps involve:

  1. Identification of compromised/affected assets
  2. Applying primary mitigations including restricting network traffic to least privilege

Cisco Secure Workload can directly support both initial steps to assist in the identification of compromised assets and the application of network restrictions to control network traffic through central automation of distributed firewalls at the workload level.  This flexible approach means a consistent firewall policy can be quickly applied to control inbound and outbound traffic at each workload without the need to re-architect the network or modify IP addressing and is compatible with any on-premises infrastructure or public cloud provider.

Identification of Compromised Assets

Cisco Secure Workload can identify compromised assets via three methods:

  1. Presence of installed package
  2. Presence of running process (either name or hash)
  3. Presence of loaded libraries (DLLs)

As the operator, you may choose to identify assets based on one or more indicators. Cisco Secure Workload will dynamically compute a list of all assets that meet the defined criteria. The list is kept up to date and refreshed every 60 seconds to account for changes in your environment.

Fig 1 – identifying workloads with affected SolarWinds processes based on published process hash signatures

Fig 2 – identifying workloads with affected SolarWinds processes based on published DLL hash signatures

Fig 3 – Identifying workloads with affected SolarWinds package installed, regardless of whether it is running in memory or not

Least Privilege Network Restriction

Once compromised assets have been collated, network traffic can be restricted based on a least privilege model. As the operator, you decide how much privilege to grant. In the current situation, it may be advisable to grant zero privileges to all identified Orion Platform assets. In the future, as patched versions of Orion are deployed, privileges may be slightly increased, but only to cover the exact communications Orion requires for operation, and nothing more.

Fig 4 – A Cisco Secure Workload policy includes a dynamic set of source and destinations, defined here by workloads that have been detected to have SolarWinds software and an action, which in this case is to restrict any network traffic.

Fig 5 – More surgical restrictions on trust can be applied, such as removing access to the internet, users, or critical assets.

Fig 6 – The most secure state is when zero trust policies are enacted that define the expected and allowed communication patterns of an application and block all else. Communication patterns can either be ingested as published by the vendor or discovered via machine learning analysis on historical network traffic performed by Cisco Secure Workload if not available.

In the past, we were lucky to be able to conceptualize and wrangle with the complexity of our systems, but those days are gone. The complexity of modern infrastructures, and the blind spots that creates, provides opportunity for adversaries to deliver silent and sophisticated threats. For enterprises, the need for more – more agility, more features, more integrations, more value – has left us with an interwoven web of systems that are highly connected to each other, to the point that the attack surface of any one application becomes the attack surface of all, unless we are segmenting.

The above steps will help protect your organization from the SUNBURST trojan and backdoor, but don’t stop there. The most consistent guideline and hardening measure published by government agencies and independent research bodies, reiterated after almost any attack, whether ransomware or supply-chain related, to help mitigate the threat, restrict the attacker, and limit propagation, is to apply zero trust segmentation controls. In addition to the many benefits of implementing zero trust segmentation controls, Cisco Secure offers Cisco SecureX, a cloud-native, built-in platform experience. With the Cisco Secure platform approach, you will be able to provide greater visibility, faster response and more efficient security operations. The time to act is now.

Get started with Cisco Secure Workload

Cisco Secure Endpoint Named an Endpoint Security Top Player

The Radicati Group has named Cisco a Top Player in the Endpoint Security – Market Quadrant 2020. Radicati recognizes endpoint security top players as “current market leaders with products that offer both breadth and depth of functionality, as well as possess a solid vision for the future. Top Players shape the market with their technology and strategic vision.” We believe our leadership position in this report is validation of our robust, comprehensive and integrated approach and execution towards being our customers’ trusted endpoint security provider.

Cisco is a top player in the Radicati Market Quadrant for 2020 Endpoint Security

Cisco Secure Endpoint (formerly AMP for Endpoints) stands out from the competition for many reasons, and it all starts with our world-class threat intelligence organization, Talos. Talos constantly analyzes threat data and creates protections that Secure Endpoint uses to automatically protect organizations against known, unknown and emerging threats.

“That ability to push information automatically into Talos and then update the system automatically, saves us an enormous amount of time.”– Technical Director, read full review

We offer multifaceted prevention techniques as part of our Endpoint Platform Protection (EPP) capabilities, including machine learning, behavioral analysis, heuristics, sandboxing, and more, to prevent threats from entering the endpoint. We also offer unified user access and endpoint protection, allowing you to enforce multi-factor authentication and block the access of infected endpoints to sensitive information.

“It has decreased time to detection by 95%. A lot of the time, prior to having AMP…we weren’t aware of any type of malicious activity until it had an impact on the organization.” – Systems Architect, read full review

But we know that you can’t stop threats that you can’t see. So, Cisco Secure Endpoint goes beyond prevention by providing advanced Endpoint Detection and Response (EDR) capabilities to give you deep visibility into telemetry and potentially malicious file activity across your endpoint environment. This enables you to detect malicious activity fast and eliminate it before damage can be done.

“We had a 97% reduction in time to remediation, because it’s almost instantaneous. In the 18 months that we’ve had AMP, there has not been malicious activity on an endpoint that we weren’t able to resolve immediately.” – Systems Architect, read full review

Finally, we help you save time by enabling automation using our integrated architecture. Built into Cisco Secure Endpoint, the Cisco SecureX platform delivers threat response with automatic threat context enrichment and unified threat response capabilities across the entire security ecosystem, including Endpoints, Network, Email, DNS, and more, to provide thorough network edge to endpoint visibility. Cisco Secure Endpoint works together with the rest of our integrated security portfolio so you can see more, detect faster and automatically block and respond to advanced threats.

“This solution interfaces with Talos Intelligence, Threat Grid, Threat Response, and SecureX. All of these things are integrating together, and a lot of stuff is now starting to happen automatically. So, I went from about 100 or so odd alerts a week to around five because everything is now happening on its own.” – Security Officer, read full review

Cisco Secure Endpoint has gained incredible momentum, including the introduction of our built-in SecureX platform, advanced EDR capabilities like live queries, cloud secure malware analytics, and human-driven threat hunting, continued enhancements to our prevention engines, and enhanced integration with third-party tools and our own growing security portfolio.

No other vendor can deliver both the strength of EPP and EDR and the breadth of integrated XDR capabilities from the edge to the endpoint that Cisco offers. We’re committed to continuing our momentum and helping our customers grow their businesses by protecting their environments from today’s threats.


Download Radicati’s 2020 Magic Quadrant for Endpoint Security.


Security incident forces firm to consider its MSP options

This is the second in a series of three articles sponsored by Ricoh looking at how real companies facing transformation evaluated their MSP options. The variety of services MSPs provide can range from the monitoring of IT networks to being responsible for all repairs, updates, and patches, as well as providing new software, hardware, infrastructure,…

The post Security incident forces firm to consider its MSP options first appeared on IT World Canada.

Minimize Risk and Impact with a Security Platform Approach

Much has been written about the Sunburst attack, a supply chain attack using the SolarWinds Orion application. Many organizations are still diligently working to understand their potential exposure from this devastating attack. And many are starting to think about how they can get to a future state where the risk of these types of attacks is minimized. So how do you get your organization to address problems like this, and make preparations to handle these types of attacks more effectively in the future?

Piecemeal Security Paradigm

Despite an increase in security investments, most organizations are experiencing longer threat dwell times within their security ecosystem — 280 days on average [1]. Why is that? A core challenge is that organizations often find themselves dealing with incompatible point solutions, delivering patchwork coverage for their environment and undermining any efforts to build effective cyber risk management. The telemetry data logged by each security tool is often analyzed in isolation — often lacking the fidelity to detect more subtle and hidden attacks. Then, the alerts generated are decided upon in isolation — often concluding too little malicious intent or risk exposure for teams to act quickly, or at all, given limited resources. When teams act within this piecemeal security paradigm, too often response happens one control point at a time without efficient coordination – wasting time and often failing to complete the defense against the breach.

Shatter the Piecemeal Security Paradigm

Cisco believes a platform approach will help build fortified defenses to deal with the ever more devastating threat landscape. Cisco SecureX is a cloud-native, built-in platform experience that gives your security infrastructure – Cisco and 3rd party solutions – a makeover from a series of disjointed solutions into a fully integrated defense that will liberate you from being stuck in the piecemeal security paradigm.

Our platform approach with SecureX will deliver the broadest Extended Detection and Response (XDR) capabilities to intelligently detect and confidently respond. And unlike others offering XDR solutions, SecureX offers turnkey interoperability with your infrastructure, including 3rd party security tools. From initial access to impact, and the mitigations for execution, lateral movement, or exfiltration in between, Cisco can connect many layers of machine learning-enhanced analytics across multiple data sources to accurately identify malicious intent and risk exposure. Then, Cisco pinpoints the root cause by simplifying investigation with visual forensics and connecting playbook-driven automation across the most control points to reduce threat dwell time. This is how you shatter the piecemeal paradigm to become more effective in defending against attacks such as Sunburst.

Critical Building Blocks

SecureX is built into the Cisco Secure portfolio, so if you have Cisco Secure products, you are entitled to it. Let’s talk about some core control points that are critical to helping implement a strong defense.

  • Cisco Secure Cloud Analytics: delivers critical network detection and response capabilities. One of its key capabilities is that it will help you quickly discover SolarWinds Orion servers in your network. Once you have patched the servers, you will need to assess whether any malicious or suspicious activity has already taken place in your network. Secure Cloud Analytics is capable of detecting a range of suspicious activities that are commonly seen in an advanced cyberattack to steal data, such as C&C connections, lateral movement, and data exfiltration. Once you have searched for and identified potentially compromised servers and reviewed the detections that alert on malicious network behaviors that might be associated with the attack, you can go ahead and define a set of actions that will further protect your organization and also allow for an automated response.
  • Cisco Secure Endpoint: Gain visibility into endpoints to locate Sunburst-infected hosts. Our endpoint detection and response capabilities deliver insight through the “SolarWinds Supply Chain Attack” event notice, which informs you of the attack and provides retrospective detection alerts based on ongoing threat intelligence and hunting efforts. Customers that are using SecureX threat hunting will of course be notified where IOCs indicate the presence of the Sunburst backdoor. Additionally, you can assess exposure to Sunburst using Cisco Endpoint Security Analytics (CESA). Finding out which endpoint accessed which domain, as well as which software processes and protocols were used, gives immediate visibility into which endpoints are exposed—for both on-net and off-net endpoints—within minutes.
  • Cisco Umbrella: a cloud-delivered security service that converges multiple functions in the cloud and blocks users from connecting to the malicious command & control domains, IPs, and URLs associated with this attack, whether users are on or off the corporate network. On December 18, 2020, Cisco Umbrella released an update to the threat reports providing visibility into threats you may have been exposed to over a given period of time and whether they were blocked or allowed. This specific update enables all customers to review the last 12 months of Umbrella DNS events for traffic that may indicate the presence of the SolarWinds Orion / Sunburst backdoor. The Umbrella team also provided instructions on how customers can use these new capabilities to quickly assess their environment.
  • Cisco Secure Workload: assists in the identification of compromised assets and the application of network restrictions to control network traffic through central automation of distributed firewalls at the workload level. This flexible approach means a consistent firewall policy can be quickly applied to control inbound and outbound traffic at each workload without the need to re-architect the network or modify IP addressing and is compatible with any on-premises infrastructure or public cloud provider.  It can identify compromised assets via three methods: (1) presence of installed package; (2) presence of running process (either name or hash); and (3) presence of loaded libraries (DLLs). Once compromised assets have been collated, network traffic can be restricted based on the least privilege model. In the current situation, it may be advised to provide zero privileges to all identified Orion Platform assets. In the future, as patched versions of Orion are deployed, privileges may be slightly increased, but only to cover the exact communications Orion requires for operation, and nothing more.
  • Cisco Talos Incident Response: provides a full suite of proactive and emergency services to help you respond and recover from attacks.  With this service, you will have access to the world’s largest threat intelligence and research group. Talos Incident Response is currently engaged and supporting many customers concerning Sunburst.

Simplify Incident Response

Despite good intentions, security investments without a platform approach too often lead to a piecemeal security paradigm that will not effectively defend against attacks such as Sunburst. True, control points such as Network Detection and Response, Endpoint Security, Firewall, etc., are important, but being able to effectively implement extended detection and control across these control points is critical.

With the Cisco Secure platform approach, you will be able to quickly pinpoint the root cause of an attack such as Sunburst by simplifying investigation with visual forensics and connecting playbook-driven automation across multiple control points to reduce threat dwell time. Explore our integrated approach to find out how you can identify and contain 70% more malicious intent and risk exposure with 85% less dwell time.

[1] Source: Ponemon Institute research featured in IBM’s Cost of a Data Breach Report 2020

Network Security and Containers – Same, but Different


Network and security teams seem to have had a love-hate relationship with each other since the early days of IT. Having worked extensively and built expertise with both for the past few decades, we often notice how each has similar goals: both seek to provide connectivity and bring value to the business. At the same time, there are also certainly notable differences. Network teams tend to focus on building architectures that scale and provide universal connectivity, while security teams tend to focus more on limiting that connectivity to prevent unwanted access.

Often, these teams work together — sometimes on the same hardware — where network teams will configure connectivity (BGP/OSPF/STP/VLANs/VxLANs/etc.) while security teams configure access controls (ACLs/Dot1x/Snooping/etc.). Other times, we find that Security defines rules and hands them off to Networking to implement. Many times, in larger organizations, we find InfoSec also in the mix, defining somewhat abstract policy, handing that down to Security to render into rulesets that then either get implemented in routers, switches, and firewalls directly, or else again handed off to Networking to implement in those devices. These days Cloud teams play an increasingly large part in those roles, as well.

All-in-all, each team contributes important pieces to the larger puzzle albeit speaking slightly different languages, so to speak. What’s key to organizational success is for these teams to come together, find and communicate using a common language and framework, and work to decrease the complexity surrounding security controls while increasing the level of security provided, which altogether minimizes risk and adds value to the business.

As container-based development continues to rapidly expand, both the roles of who provides security and where those security enforcement points live are quickly changing, as well.

The challenge

For the past few years, organizations have begun to significantly enhance their security postures, moving from only enforcing security at the perimeter in a North-to-South fashion to enforcement throughout their internal Data Centers and Clouds alike in an East-to-West fashion. Granular control at the workload level is typically referred to as microsegmentation. This move toward distributed enforcement points has great advantages, but also presents unique new challenges, such as where those enforcement points will be located, and how rulesets will be created, updated, and deprecated when necessary, all with precise accuracy and at the same speed that the business, and thus its developers, move at.

At the same time, orchestration systems running container pods, such as Kubernetes (K8S), perpetuate that shift toward new security constructs using methods such as the CNI, or Container Networking Interface. CNI provides exactly what it sounds like: an interface through which networking can be provided to a Kubernetes cluster. A plugin, if you will. There are many CNI plugins for K8S: some are pure software overlays like Flannel (leveraging VxLAN) and Calico (leveraging BGP), while others tie the worker nodes running the containers directly into the hardware switches they are connected to, shifting the responsibility for connectivity back into dedicated hardware.

Regardless of which CNI is utilized, instantiation of networking constructs shifts from the traditional CLI on a switch to a sort of structured text-code, in the form of YAML or JSON, which is sent to the Kubernetes cluster via its API server.

Now we have the groundwork laid to where we begin to see how things may start to get interesting.

Scale and precision are key

As we can see, we are talking about having a firewall in between every single workload and ensuring that such firewalls are always up to date with the latest rules.

Say we have a relatively small operation with only 500 workloads, some of which have been migrated into containers with more planned migrations every day.

This means that in the traditional environment we would need 500 firewalls to deploy and maintain, minus the workloads migrated to containers, which need a way to enforce the necessary rules as well. Now, imagine that a new Active Directory server has just been added to the forest and holds the role of serving LDAP. This means that a slew of new rules must be added to nearly every single firewall, allowing the workload protected by it to talk to the new AD server via a range of ports – TCP 389, 686, 88, etc. If the workload is Windows-based it likely needs to have MS-RPC open – so that means 49152-65535; whereas if it is not a Windows box, it most certainly should not have those opened.

Quickly noticeable is how physical firewalls become untenable at this scale in the traditional environments, and even how dedicated virtual firewalls still present the complex challenge of requiring centralized policy with distributed enforcement. Neither does much to aid in our need to secure East-to-West traffic within the Kubernetes cluster, between containers. However, one might accurately surmise that any solution business leaders are likely to consider must be able to handle all scenarios equally from a policy creation and management perspective.

It seems apparent that this centralized policy must be hierarchical in nature, defined using natural human language such as “dev cannot talk to prod” rather than the archaic and unmanageable method of IP/CIDR addressing like “deny ip”, and yet the system must still translate that natural language into machine-understandable CIDR addressing.

The only way this works at any scale is to distribute those rules into every single workload running in every environment, leveraging the native and powerful built-in firewall co-located with each. For containers, this means the firewalls running on the worker nodes must secure traffic between containers (pods) within the node, as well as between nodes.

Business speed and agility

Back to our developers.

Businesses must move at the speed of market change, which can be dizzying at times. They must be able to code, check-in that code to an SCM like Git, have it pulled and automatically built, tested and, if passed, pushed into production. If everything works properly, we’re talking between five minutes and a few hours depending on complexity.

Whether five minutes or five hours, I have personally never witnessed a corporate environment where a ticket could be submitted to have security policies updated to reflect the new code requirements, and even hope to have it completed within a single day, forgetting for a moment about input accuracy and possible remediation for incorrect rule entry. It is usually between a two-day and a two-week process.

This is absolutely unacceptable given the rapid development process we just described, not to mention the dissonance experienced between disaggregated people and systems. This method is rife with problems and is the reason security is so difficult, cumbersome, and error prone within most organizations. As we shift to a more remote workforce, the problem becomes even further compounded as relevant parties cannot so easily congregate into “war rooms” to collaborate through the decision-making process.

The simple fact is that policy must accompany code and be implemented directly by the build process itself, and this has never been truer than with container-based development.

Simplicity of automating policy

With Cisco Secure Workload (Tetration), automating policy is easier than you might imagine.

Think with me for a moment about how developers are working today when deploying applications on Kubernetes. They will create a deployment.yml file, in which they are required to input, at a minimum, the L4 port on which the containers can be reached. The developers have become familiar with networking and security policy to provision connectivity for their applications, but they may not be fully aware of how their application fits into the wider scope of an organization’s security posture and risk tolerance.

This is illustrated below with a simple example of deploying a frontend load balancer and a simple webapp that’s reachable on port 80 and will have some connections to both a production database (PROD_DB) and a dev database (DEV_DB). The sample policy for this deployment can be seen below in this `deploy-dev.yml` file:

Now think of the minimal effort it would take to code an additional small YAML file specified as kind:NetworkPolicy, and have it automatically deployed by our CI/CD pipeline at build time to our Secure Workload policy engine, which is integrated with the Kubernetes cluster and exchanges the label information we use to specify source or destination traffic, even specifying the only LDAP user that can reach the frontend app. A sample policy for the above deployment can be seen below in this `policy-dev.yml` file:

As we can see, the level of difficulty for our development teams is quite minimal, essentially in line with the existing toolsets they are familiar with, yet it yields immense value for our organizations because the policy will be automatically combined with, and checked against, all existing security and compliance policy as defined by the security and networking teams.
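As an added illustration (not the post’s own `deploy-dev.yml` or `policy-dev.yml`, and not Secure Workload’s policy format), here is the same intent expressed as a native Kubernetes NetworkPolicy for the webapp: ingress only from the frontend on port 80, egress only to the two databases and cluster DNS, everything else denied. The pod labels, the `dev` namespace and the database port are assumptions.

```yaml
# Added example: a native Kubernetes NetworkPolicy for the webapp described above.
# Not the original post's deploy-dev.yml / policy-dev.yml and not Secure Workload's
# policy format; namespace, pod labels and the database port are assumed.
# Enforcement needs a CNI that implements NetworkPolicy (e.g. Calico);
# Flannel on its own does not enforce it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webapp-dev
  namespace: dev                      # assumed namespace of the dev deployment
spec:
  podSelector:
    matchLabels:
      app: webapp                     # assumed label on the webapp pods
  policyTypes:
  - Ingress
  - Egress                            # listing Egress turns unlisted egress into deny
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend               # only the frontend load balancer may reach port 80
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - podSelector:
        matchExpressions:
        - key: app
          operator: In
          values: [prod-db, dev-db]   # PROD_DB and DEV_DB pods (assumed labels)
    ports:
    - protocol: TCP
      port: 5432                      # assumed database port
  - to:                               # cluster DNS, so service names still resolve
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
```

A native NetworkPolicy cannot express the LDAP-user restriction the post mentions; that is a Secure Workload capability layered on top of the label exchange, not something the Kubernetes object itself carries.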

Key takeaways

Enabling developers with the ability to include policy co-located with the software code it’s meant to protect, and automating the deployment of that policy with the same CI/CD pipelines that deploy their code provides businesses with speed, agility, versioning, policy ubiquity in every environment, and ultimately gives them a strong strategic competitive advantage over legacy methods.

If you’re now interested, this is just the beginning of what can be achieved with Cisco Secure Workload. For more information, and to learn many additional benefits of Cisco Secure Workload, please visit:

Learn more about Cisco Secure Workload


#CiscoChat Live: Recapture Your Time and Get More Out of Secure Remote Working

How do you feel when you hear phrases like, “the pandemic”, “remote working”, “the new (or next) normal”? Fatigued?

You are not alone.

Most of us are experiencing online fatigue as a result of working from home for months now. Worse, we’re physically and mentally fatigued by the shift to the “always on” mode of remote working. It doesn’t take much if you think about it. Just ask yourself, “How many more hours do I find myself working on a daily basis now that I’m working from home?”, all while keeping your remote employees and your company data secure at the same time. There is a better way. Simplify, simplify, simplify.

Join us for a #CiscoChat Live on how to get time back and start unlocking the opportunity ahead while you and your employees continue to work remotely. Especially as the transition to a hybrid work environment begins, we’ll discuss how you do this while ensuring a simple and secure experience. Learn from experts from both Cisco Security and our customers as they talk about the future of secure remote work, including the major trends, 10 key takeaways and how Cisco can help you on this journey – so you can get back some time and some much-needed peace of mind.


Recapture Your Time and Get More Out of Secure Remote Working
Thursday, January 14 at 3:00 p.m. ET, 12:00 p.m. PT

Philipp Neidlein, IT Product Manager Voice & Data Network, Festo
Collin John, Global Security Manager, Alvarez & Marsal
Ben Munroe, Director of Product Marketing, Cisco
Jolene Tam, Product Marketing Manager, Cisco SecureX

Hazel Burton, Product Marketing Manager, Cybersecurity Thought Leadership 

Join our live broadcast on these channels: homepage 
Cisco YouTube 
Cisco Secure Facebook 
Cisco Secure Twitter 
Cisco Secure LinkedIn
Cisco Designed Twitter 

Using the social media channels above, you will have the opportunity to ask questions about how remote working is changing and its challenges, participate in a few polls, and learn the role security can play in helping simplify a secure experience. Set your clocks and mark your calendars for January 14th at 12:00 p.m. PT so you get some time and much-needed peace of mind back into your work life.

Security Outcomes Report: Top Findings from Around the World

The Security Outcomes Study has been out for a few weeks now and I’ve had time to sit back and read it over with coffee in hand. The report empirically measures what factors drive the best security outcomes. The part that really caught me from the outset was the fact that this was based on a survey wherein the respondents didn’t in fact know that it was for Cisco. I think this is a point that absolutely must be highlighted right from the beginning. It was interesting to look at how the respondents set themselves apart from each other when a geographic lens was focused on the collected data.

To be quite clear, there were many similarities between the different regions around the world. Whether in APJC, EMEAR or the Americas, the data showed that there is in fact a significant push towards technology refresh in every region. The study shows a significant improvement in security when organizations have a proactive approach to refreshing their IT and security technology. This makes sense: rather than continuing to operate on systems and software that may be deprecated, the study shows that by creating refresh projects, organizations could mitigate a significant number of security issues that had been lingering for a multitude of reasons. This helped organizations to alleviate some of their accumulated security debt.

To explore how organizations in different countries and regions are successfully achieving each security outcome, visit

Now as we break out into different regions, we see that the priorities tend to diverge. When we look at the data collected from APJC we see that some of the focal points (the squares in the matrix with the darkest shades of blue) such as building executive confidence on threat detection so as to secure more budget are a challenge. This is the top-rated point for the survey from respondents in Asia for this report.

APJC, Asia and Japan, Security Outcomes Report

The data from EMEAR, however, shows an increased focus on proactive tech refresh for the goal of meeting compliance regulations. Here too, as in APJC, cost effectiveness is important. Timely incident response also registers high on the ranking for managing the top security risks facing organizations. The top listed data point for EMEAR is hands down working to meet compliance regulations, at 11.2%.

EMEAR, Europe, Middle East, Africa, Security Outcomes Report

Now as we shift our discussion to the Americas, we see that the priorities shift. In contrast to the APJC and EMEAR regions, for the Americas threat detection and security budgeting don’t register in the data. Two items leap off the page as priorities in the Americas. First is a focus on running a cost-effective shop with well-integrated technology. The second point, which ranks highest overall, is the need to retain security talent to help manage the well-integrated technology deployments.

Americas, North America, South America, Security Outcomes Report

This survey was a bit of an eye opener for me personally, as I did not expect that a proactive technology refresh program would be as much of a focus for organizations as it is. However, it does make sense. To help manage the accrual of security debt, a tech refresh program will go a long way toward alleviating the issues left behind when risk management has not been able to close them out.

This was really rather amazing reading for a survey driven study and my hat is off to the team who drove this project and the incredible insights that it provides, not only from a sheer statistical point of view but also from the perspective of a regional break out.

Introducing: Cisco’s Innovated Transparency Report

As our customers’ businesses evolve in complexity and scale, we are hyperaware of our responsibility as a data steward to protect the privacy and trusted relationships that drive our business forward.

For many years, Cisco has published* the number of demands for customer data that we receive from law enforcement and governments around the world. In an age of growing geopolitical tensions, evolving threat landscapes, and increasing demands for corporate transparency, tech companies must stay focused on the steps they are taking to ensure customer privacy is recognized as a human right and a business imperative. A human focus is at the heart of every aspect of Cisco innovation, and we continuously work to make this apparent to our customers.

We listen to our customers’ security and privacy concerns as a guide to help shape our company and practices, all with a goal of being a trusted partner at every step. In response, we have refreshed our Transparency Report to answer our customers’ top questions about government data demands. Our leading additions are outlined below.

Global Map

The interactive map display gives geographic granularity into the very limited number of demands we receive from around the world. It illustrates the total disclosures of customer data by country and notes why some demands did not result in disclosure. One of the key metrics included in each country breakdown is the number of demands Cisco rejects during the given timeframe. We firmly hold law enforcement and governments accountable to our commitments to protect customer data, and this often includes rejecting requests that don’t meet our standards. Additionally, often Cisco does not have the data law enforcement is looking for, as illustrated by the no data disclosed metric.

Law Enforcement Guidelines

For the first time, we are publishing law enforcement guidelines to inform our customers and law enforcement agencies about the ways we protect customer data. It outlines the legal burden required of law enforcement agencies and governments when demanding customer data, and the laws to which these demands are subject. Cisco recognizes and appreciates government efforts to thwart bad actors and deter criminal activity. Nonetheless, we remain committed to ensuring that access to our solutions and services are protected from unlawful intrusion.

Frequently Asked Questions

At Cisco, we are constantly working on clear and simple communication to our customers, especially when it comes to important topics, like the ways in which we are protecting your data. We’ve added a Frequently Asked Questions (FAQ) section to guide customers through this crucial discussion. In this section, we reiterate that Cisco never allows backdoors or gives governments or law enforcement agencies direct access to content or non-content data without following appropriate legal process.

Our commitment to customers is to be open and transparent, particularly as it relates to issues that could potentially impact their business. As such, Our Principled Approach continues to guide every decision we make regarding government demands for customer data. It details the commitments we have made to protect customer privacy, minimize disclosure, and ensure we uphold and respect human rights.

To learn more about Cisco’s commitment to Transparency and Accountability, please visit our Trust Center or view our Global Data Demand Infographic. Questions about our Transparency Report or Our Principled Approach? Email:

*Transparency report data is published twice yearly, covering a reporting period of either January-to-June or July-to-December. Cisco publishes this data six months after the end of a given reporting period, in compliance with legal restrictions on the timing of such reports.

IoT Unravelled Part 3: Security

In part 1 of this series, I posited that the IoT landscape is an absolute mess but Home Assistant (HA) does an admirable job of tying it all together. In part 2, I covered IP addresses and the importance of a decent network to run all this stuff on, followed by Zigbee and the role of low power, low bandwidth devices. I also looked at custom firmware and soldering and why, to my mind, that was a path I didn't need to go down at this time.

Now for the big challenge - security. As with the rest of the IoT landscape, there's a lot of scope for improvement here and also just like the other IoT posts, it gets very complex for normal people very quickly. But there are also some quick wins, especially in the realm of "using your common sense". Let's dive into it.

The "s" in IoT is for Security

Ok, so the joke is a stupid oldie, but a hard truth lies within it: there have been some shocking instances of security lapses in IoT devices. I've been directly involved in the discovery or disclosure of a heap of these and indeed, security is the thing I most commonly write about. Let me break this down into logical parts, use real world examples of where things have gone wrong, and cover it in two different ways:

  1. Risks that impact IoT devices themselves
  2. Risks that impact data collected by IoT devices

Let's take that first point. What immediately came to mind was the Nissan Leaf vulnerability someone in my workshop found almost 5 years ago now. Here we had a situation where an attacker could easily control moving parts within a car from a remote location. Fortunately, that didn't include driving functions, but it did include the ability to remotely manage the climate control and, as you can see in the video embedded in that post, I warmed things up for my mate Scott Helme from the other side of the world whilst he sat there on a cold, damp, English night.

Same again with the TicTocTrack kids tracking watches which allowed a stranger on the other side of the world to talk to my 6 year old daughter. The thing with both the car and the watch hacks though is that the vulnerability was at the API layer, not the device itself and this is where we spear off into another 2 directions:

  1. Risks that impact IoT devices due to vulnerabilities in web APIs
  2. Risks that impact IoT devices due to vulnerabilities in the device itself

I've given 2 examples of the first point, so here are 2 examples of the second, beginning with LIFX light bulbs. The vulnerability Context Security discovered meant exposing the Wi-Fi credentials of the network the device was attached to, which is significant because it demonstrates that IoT vulnerabilities can put other devices on the network at risk as well. Another example also from Context Security was the vulnerability in CloudPets talking (and listening) teddy bears that amounted to no auth on the Bluetooth allowing an attacker to take control of the toy. (Incidentally, Lixil Satis toilets had a similar vulnerability due to hardcoded PINs on all "devices".)

Back to the bit about risks impacting data collected by IoT devices and back again to CloudPets, Context Security's piece aligned with my own story about kids' CloudPets messages being left exposed to the internet. I can't blame this on the teddy bears themselves, rather the fact that the MongoDB holding all the collected data was left publicly facing without a password. Same again with VTech who collected a bunch of data via children's tablets (IMHO, an IoT device as they're first and foremost a toy) then left it open to very simple vulnerabilities. Are these examples actually risks in IoT? Or are they just the same old risks we've always had with data stored on the internet? It's both, here's why:

Let's use smart vibrators as an example (yes, they're a real thing), in particular the WeVibe situation:

At the August Def Con conference in Las Vegas, two New Zealand hackers demonstrated that the We-Vibe 4 Plus vibrator was sending information — including device temperature and vibration intensity — back to its manufacturer, Standard Innovation.

If this data was compromised, it could potentially expose a huge amount of very personal information about their owners, information that never existed in digital form before the advent of IoT. Whilst the underlying risk that exposes the data may well be a classic lack of auth CloudPets style, there'd be no data to expose were it not for adding internet to devices that never had it before. Adult toys have been around forever and a day, they're not new, but recording their usage and storing it on the cloud is a whole different story.

So, what's to be done about it? Let's go through the options:

Firmware Patching

I'll start with the devices themselves and pose a question to you: can you remember the last time you patched the firmware in your light globes? Yeah, me either, because most of mine are probably like yours: the simplest electrical devices in the house. Some of them, however, are more like the LIFX example from before in that they have little microprocessors and are Wi-Fi (or Zigbee) enabled. And, just like the LIFX devices, they're going to need patching occasionally. They're complex little units doing amazing things and they run software written by humans which inevitably means that sooner or later, one of us (software developers) is going to screw something up that'll require patching.

IoT firmware should be self-healing. This is super important because your average person simply isn't going to manually patch their light bulbs. Or talking teddy bear. Or vibrator. Can you imagine - with any of those 3 examples - your non-tech friends consciously thinking about firmware updates? How often would you think about firmware updates? How often would I? To test that last question, I fired up a bunch of IoT device apps to see which ones are auto-updating (so I don't have to think about patching) versus requiring a manual update (in which case, I should have been thinking about patching). I started with the Philips Hue app which was both auto-updating and at the latest firmware version:

Ok, that's good, not something I need to think about then. Let's try Nanoleaf which are the LED light panels both kids have on their walls:

Ok, so they're up to date, but will they stay up to date? By themselves? I honestly don't know because it's not clear if, to use my earlier term again, they're self-healing. Same with the Shellys I've become so dependent on:

And just to perfectly illustrate the problem, I snapped that screen cap the day before posting this part of the series. Just over a day later, it's a different story and I only knew there was an update pending because I fired up the app and looked at the device:

I checked just one of the couple of dozen connected lights running in the Tuya app:

This looks good, but it wasn't the default state! I had to manually enable automatic updates and I had to do it on a per-device basis. People just aren't going to do this themselves.

The next thing I checked was my Thermomix and the firmware situation is directly accessible via the device itself:

I'm not sure whether this auto-updates itself or not (it's still fairly new in the house), but with a big TFT screen and the ability to prompt the user whilst in front of the device, I'd be ok if it required human interaction.

Finally, I checked my TP-Link smart plugs via the Kasa app:

Uh... is that good? Bad? Does it need an update? Turns out you can't tell by looking at the device itself, you need to jump back out to the main menu, go down to settings, into firmware update then you see everything pending for all devices:

I don't know how to auto-update these nor do I have any desire to continue returning to the app and checking what's pending. I hit the update button and assumed all would be fine... (it wasn't, but I'll come back to that shortly)

Here's what I'm getting at with all this and I'll hark back to the title of part 1: it's a mess. There's no consistency across manufacturers or devices either in terms of defaulting to auto-updates or even where to find updates. And before anyone starts jumping up and down suggesting that devices shouldn't auto-update because you should carefully test any patches before rolling out to production and ensuring you have a robust rollback strategy, these are consumer devices made for people like my mum and dad! It needs to be easy. It's not.

When Patching Goes Wrong

Now that I've finished talking about how patching should be autonomous, let's talk about the problems with that starting with an issue I raised in this tweet from yesterday:

What appears to have happened is that in order to address "security vulnerabilities on the plug", TP-Link issued a firmware update that killed the HA integration. More specifically, they closed off the port that allowed HA to talk directly to the smart plug which broke the integration, but didn't break the native Kasa app. As at the time of writing, the fix is to raise a support ticket with TP-Link, send them your MAC address then they'll respond with a firmware downgrade you can use to restore the device to its previous state. Ugh. (Sidenote: regarding this particular issue, it looks like work has been done to make HA play nice with the newer version of the firmware.)

Let's start by looking at this from a philosophical standpoint:

Clearly it was never TP-Link's intention for people to use their plugs in the fashion HA presently is and I'll talk more about why HA does this in the next section of this post. But rightly or wrongly, the risk you take when using devices in a fashion they weren't designed for is that the manufacturer may break that functionality at some time. One way of dealing with that is to simply block the devices from receiving any updates:

But what if that device was the LIFX light bulb from earlier on and the patch was designed to fix a serious security vulnerability? Now you've introduced another risk because you're not taking patches and you have to trade that off against the risk you run when you do take patches! As @GerryD says further down that thread, it's a calculated risk and ultimately, you're trading one problem off against another one.

Speaking of trading problems, another approach is just to flash the devices with custom firmware like Tasmota:

Tasmota is designed for precisely this sort of use case and I have a high degree of confidence that they wouldn't break functionality in the same way as TP-Link did. However, I also have a high degree of confidence that Tasmota is software, all software has bugs (open source or not), and you still need a patching mechanism. To my point about @GerryD's tweet earlier, firewalling off devices still remains a problem even when running open source custom firmware.

So, what's the right approach? For your average consumer (and remember, that's probably 99%+ of people buying TP-Link smart plugs), automatically updating firmware is key. For the rest of us, we need to recognise that we take on risks when using IoT devices in ways they weren't designed for. In a perfect world, companies would approach this in the same way Shelly has:

Paulus is the founder of HA and I've had a few chats with him during my IoT journey. This tweet is exemplary behaviour by Shelly and if I'm honest, my opinion of them raised a few bars after reading this. In that perfect world, TP-Link wouldn't necessarily need to go as far as devoting resources to building HA integrations (although that would be nice!), but they would make a commitment to ensure their devices are "open" and accessible to other platforms in a documented, supported fashion that won't be broken by future patches. Perhaps that's just a matter of time and as demand grows, who knows, we might even see HA on the TP-Link box alongside the tech behemoths.

This whole discussion about devices updating their firmware raised another philosophical debate which I want to delve into now, and that's the one about how self-contained the IoT ecosystem should be within the LAN versus having cloud dependencies.

Cloud Versus Local Only Access

In part 1 of the series I quoted from the HA website about how the project "puts local control and privacy first". What this means in practical terms is that HA can operate in a self-contained fashion within the local network. For example, before the aforementioned TP-Link firmware update, HA could reach out from its home in my server cabinet directly to the smart plug in Ari's room and communicate with it over port 9999. It would still work if there was no internet connectivity (local control) and TP-Link were none the wiser that I'd just toggled a switch (privacy first). There's also the added upside of the resiliency this brings with it should an IoT manufacturer have an outage on their cloud:

That resiliency extends beyond just a cloud outage too; what if Tuya shuts down the service? Still want to be able to turn your lights on? There's a lot to be said about local control. That said, there's also a lot to be said about cloud integration and a perfect example of that is weather stations. I'm looking around at devices (the Davis Vantage Pro2 is the frontrunner at present, but I'm open to suggestions), and that then raises the question: which ones have an integration with HA? But also (and based on the TP-Link experience above), which ones have an integration that won't break in the future? A weather station is a sizable outlay compared to a smart plug and I don't want to go into it with an expectation of it working a certain way and then one day having that broken.

One approach is that rather than trying to integrate directly between the weather station and HA, you find a weather station that can integrate with Weather Underground (which Davis can do with WeatherLink Live) then use the Weather Underground integration. Now you're dependent on the cloud, but you've also dramatically widened your scope of compatible devices (WU integration is very common) and done so in a way that's a lot less hacky than custom integrations connecting to non-standard services. I don't have a problem with this, and I think that being too religious about "thou shalt not have any cloud dependencies" robs you of a lot of choices.

That said, from a simple security and privacy perspective (and often a performance perspective too), I always prioritise local communication. For example, each Shelly device in the house has cloud integration disabled:

That doesn't stop me controlling the device remotely because I can use HA's Nabu Casa to do that, but it does stop me being dependent on yet another IoT vendor to remotely manage my home. It also grants me more privacy as the devices aren't perpetually polling someone else's cloud... almost. For some reason, the Shelly on my garage door is making a DNS request once every second!

That data is from my Pi-hole and the Shelly is configured precisely per the earlier image. I've even pulled the JSON from the /settings API on the Shelly (you can hit that path on the IP of any Shelly on the network and retrieve all the config data), diffed it with other Shellys not displaying this behaviour and I still can't work out why it's so chatty. The point I'm making here is that devices can do a lot of communicating back to the mothership and where possible, this should be disabled.
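Polling like that is easier to spot mechanically than by scrolling the Pi-hole dashboard. Here's an added example (mine, not code from this post or from the Pi-hole project) that parses the dnsmasq-format query lines Pi-hole writes, works out a per-client, per-name query rate and flags anything hammering a name at roughly a query per second. The log lines are constructed, the host names and IPs are made up, and the 0.5 queries-per-second threshold is an assumption you'd tune for your own network.

```python
import re
from datetime import datetime

# dnsmasq/Pi-hole query lines look like:
#   Dec  3 10:15:00 dnsmasq[612]: query[A] api.iot-vendor.example from 192.168.1.50
# Other lines (forwarded/reply/cached) are ignored by this parser.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(lines):
    """Yield (timestamp, qtype, name, client) for every query line in the log."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            # syslog timestamps carry no year; fine for rate calculation within one capture
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["qtype"], m["name"], m["client"]


def query_rates(lines):
    """Return {(client, name): {"count", "first", "last", "qps"}}.

    qps is count / (seconds between first and last query + 1), so n queries
    inside a single second count as n qps instead of dividing by zero.
    """
    stats = {}
    for ts, _qtype, name, client in parse_queries(lines):
        s = stats.setdefault((client, name), {"count": 0, "first": ts, "last": ts})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        window = (s["last"] - s["first"]).total_seconds() + 1
        s["qps"] = s["count"] / window
    return stats


def chatty_clients(lines, threshold_qps=0.5, min_queries=5):
    """(client, name) pairs querying at or above threshold_qps, busiest first."""
    hits = [
        {"client": c, "name": n, "count": s["count"], "qps": s["qps"]}
        for (c, n), s in query_rates(lines).items()
        if s["qps"] >= threshold_qps and s["count"] >= min_queries
    ]
    return sorted(hits, key=lambda h: h["qps"], reverse=True)


# Constructed sample: one device polling a vendor host every second for ten seconds,
# a phone doing three lookups over a minute, plus non-query lines that must be skipped.
SAMPLE_LOG = [
    f"Dec  3 10:15:{s:02d} dnsmasq[612]: query[A] api.iot-vendor.example from 192.168.1.50"
    for s in range(10)
] + [
    "Dec  3 10:15:00 dnsmasq[612]: forwarded api.iot-vendor.example to 1.1.1.1",
    "Dec  3 10:15:00 dnsmasq[612]: reply api.iot-vendor.example is 203.0.113.10",
    "Dec  3 10:15:03 dnsmasq[612]: query[AAAA] push.phone-vendor.example from 192.168.1.20",
    "Dec  3 10:15:33 dnsmasq[612]: query[A] push.phone-vendor.example from 192.168.1.20",
    "Dec  3 10:16:03 dnsmasq[612]: query[A] push.phone-vendor.example from 192.168.1.20",
]

if __name__ == "__main__":
    for hit in chatty_clients(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['name']}: {hit['count']} queries, {hit['qps']:.2f} qps")
```

To use it on real data, read `pihole.log` and hand its lines to `chatty_clients`; the year-less syslog timestamps are fine within a single capture but will produce nonsense across a year boundary, so split captures there.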
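The settings-diffing exercise is also worth automating across every Shelly on the network. This added example (mine, not Shelly's code or anything from this post) flattens each device's settings JSON into dotted paths, reports where a device differs from a baseline, and lists any device that still has cloud enabled. The `fetch_settings` helper hits the `/settings` path mentioned above; the sample settings documents are constructed and their key names (`cloud.enabled`, `mqtt.enable`, `sntp.server`, `coiot`) are assumptions loosely modelled on the Gen1 API, so check them against your own device's output before trusting the audit.

```python
import json
import urllib.request


def fetch_settings(ip, timeout=5):
    """Fetch /settings from a Shelly at the given IP (Gen1 devices expose it over plain HTTP)."""
    with urllib.request.urlopen(f"http://{ip}/settings", timeout=timeout) as resp:
        return json.load(resp)


def flatten(obj, prefix=""):
    """Turn nested dicts/lists into {"a.b.0.c": value} so two configs compare key by key."""
    flat = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            flat.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            flat.update(flatten(v, f"{prefix}{i}."))
    else:
        flat[prefix[:-1]] = obj
    return flat


def diff_settings(baseline, other, ignore_prefixes=("device.",)):
    """Sorted (path, baseline_value, other_value) triples where the two configs differ.

    Per-device identity fields (the assumed "device." subtree: hostname etc.) are
    ignored by default so only behavioural differences surface.
    """
    a, b = flatten(baseline), flatten(other)
    diffs = []
    for path in sorted(set(a) | set(b)):
        if path.startswith(ignore_prefixes):
            continue
        va, vb = a.get(path, "<missing>"), b.get(path, "<missing>")
        if va != vb:
            diffs.append((path, va, vb))
    return diffs


def cloud_enabled(settings_by_ip):
    """IPs of devices whose cloud.enabled flag is true (assumed key name)."""
    return sorted(ip for ip, s in settings_by_ip.items() if s.get("cloud", {}).get("enabled"))


# Constructed sample settings; keys are assumptions loosely modelled on the Gen1 Shelly /settings JSON
SAMPLE_SETTINGS = {
    "192.168.1.50": {
        "device": {"hostname": "shelly-garage"},
        "cloud": {"enabled": False, "connected": False},
        "mqtt": {"enable": True, "server": "192.168.1.10:1883"},
        "sntp": {"server": "ntp.example"},
        "coiot": {"enabled": True, "peer": "mcast"},
    },
    "192.168.1.51": {
        "device": {"hostname": "shelly-fireplace"},
        "cloud": {"enabled": False, "connected": False},
        "mqtt": {"enable": True, "server": "192.168.1.10:1883"},
        "sntp": {"server": "192.168.1.10"},
        "coiot": {"enabled": True, "peer": "mcast"},
    },
    "192.168.1.52": {
        "device": {"hostname": "shelly-kitchen"},
        "cloud": {"enabled": True, "connected": True},
        "mqtt": {"enable": False, "server": ""},
        "sntp": {"server": "192.168.1.10"},
        "coiot": {"enabled": True, "peer": "mcast"},
    },
}

if __name__ == "__main__":
    print("cloud still enabled on:", cloud_enabled(SAMPLE_SETTINGS))
    baseline = SAMPLE_SETTINGS["192.168.1.51"]
    for ip, settings in SAMPLE_SETTINGS.items():
        for path, a, b in diff_settings(baseline, settings):
            print(f"{ip} {path}: baseline={a!r} device={b!r}")
```

Against real devices, replace `SAMPLE_SETTINGS` with `{ip: fetch_settings(ip) for ip in ips}`; the point is to make the one outlier's configuration stand out rather than reading a dozen JSON blobs by hand.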


If we recognise this whole thing is a mess and that at least as of today, we don't have a good strategy for keeping things patched, what should we do? One popular approach is to isolate the network the IoT things are on from the network the non-IoT things are on. This mindset is akin to putting all the potentially bad eggs in the one basket and the good eggs (such as your PC) in another basket.

The requirement for doing this is to have networking gear in the home that supports it. In part 2 I talked about the importance of good networking gear and indeed I've written many pieces before about Ubiquiti, both their AmpliFi consumer line and UniFi prosumer line, the latter having run in my house for the last 4 years. Running UniFi, I can easily create multiple Wi-Fi networks:

And yes, I name my SSIDs "HTTP403" 😊

As we then look at which clients have connected to which SSIDs, we can see them spread across the primary (HTTP403) and IoT (HTTP403 IoT) networks:

I've also got a heap of access points across my house so different devices are connected to different APs depending on where they're located and what signal strength they have. I've chosen to place all my highly trusted devices such as my iPhone, iPad and PCs on the primary network and all the IoT things on the IoT network. I've also placed the Ubiquiti cameras (including their doorbell) on the primary network figuring they're all essentially part of the UniFi ecosystem anyway.

But this is just segmentation by SSID; every device is on the same subnet and the same logical VLAN and there's not presently any segmentation of clients such that the Shelly controlling the lights on my fireplace can't see my iPhone. Ubiquiti has a good writeup of how to do this and in the first version of my UniFi network, that's precisely how things were configured. (Also check out how to configure interVLAN routing.) But there were problems...

The main problem is that you end up with all sorts of scenarios where a particular IoT device needs to see the app that controls it but because the very purpose of the VLAN is to lock the IoT things away, things would fail. So, you end up tracking down devices, ports and protocols and creating ever more complex firewall rules between networks. Troubleshooting was painful; every time I had an IoT device not behaving as expected, I'd look suspiciously at the firewall rules between the VLANs. I ended up constantly debugging network traffic and searching across endless threads just like this one trying to work out why Sonos wasn't playing nice across VLANs.

When I set up version 2 of my UniFi network (complete tweet thread here), I kept the IoT SSID but never bothered with the VLAN. It made it easy for all the existing devices to jump onto the new network (I used the same password from the v1 network) and it gives me the option to segment traffic later on. It also gives me the option to easily put it all on a different subnet later on, for example if I genuinely get to the point of IPv4 exhaustion on the subnet. (Sidenote: even this can be painful as the native apps for many IoT devices want to join them to the same SSID the phone running the app is on so I found myself continually joining my iPhone to the IoT SSID before pairing... then forgetting I'd done that and later wondering why my phone was on the IoT network! It's painful.)

Getting back to network compatibility, whilst Ubiquiti's UniFi range will happily support this approach, AmpliFi won't. To the best of my knowledge, most consumer-focused network products won't and why would they? Can you imagine your parents VLAN'ing their IoT things? It's painful enough for me! We need to think differently.

Zero Trust

Let's just take a slice out of the Wikipedia definition:

The main concept behind zero trust is that networked devices, such as laptops, should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified.

It's become a bit of a buzzword of late but the principle is important: instead of assuming everything on the network is safe because you only put good things on the network, assume instead that everything is bad and that each client must protect itself from other clients. It's akin to moving away from the old thinking that all the bad stuff was outside the network perimeter and all the good stuff was inside. That logic started eroding as soon as we had floppy disks, went quickly downhill with USB sticks and is all but gone in the era of cloud. We've been heading in this direction with enterprise security for years, now we also need to adopt that same thinking in the home.

A good example of the importance of this brings me back to the TP-Link plugs I mentioned earlier. Remember, the one with the security flaw which was patched and then broke the HA integration? Just last month, Which? did a review on smart plugs and found the following:

A critical flaw we found in testing meant that an attacker could seize total control of the plug, and of the power going to the connected device. The vulnerability is the result of weak encryption used by TP-Link. The attacker would have to be on your wi-fi network to do the hack.

The whole premise of an attacker already being on your network is precisely why zero trust is important. Somewhat ironically though, I suspect that whilst on the one hand the TP-Link situation is viewed as a vulnerability, the ability to connect directly to it on the local network is probably what made the HA integration feasible in the first place! In other words, one person's vulnerability is another person's integration 😎

When we put this into the context of your average consumer, it means that stuff just needs to work out of the box. The Windows machine should be resilient to a connected IoT vacuum cleaner gone bad. The personal NAS shouldn't be wide open to a connected sous vide turned rogue. Consumers can't configure this stuff nor should they, rather we need to do a better job as an industry of making IoT devices resilient to each other.

I appreciate this isn't concise "do this and you'll be fine" advice, but it's where we need to head in the future, and I'd be remiss not to push that view here. Let's look at one more related topic - TLS.

Transport Layer Security

Our view of SSL or HTTPS or TLS (and all those terms get used a bit interchangeably), has really changed over the years. Once upon a time, it was the sole domain of banks and e-commerce sites and it meant you were "secure" (Chrome literally used to use that word). The good guys had it, the bad guys didn't. In fact, most websites didn't have it but these days, it's quite the opposite; most websites do serve their traffic securely regardless of the type of business they are. The growth has been driven by the free and easy availability of certificates, largely due to the emergence of Let's Encrypt in 2016.

As it relates to IoT, let's look at it in 2 different ways:

  1. Devices talking to hosted services over HTTPS
  2. Devices hosting services that could support HTTPS

The first point is a bit of a no brainer because all the certificate management is done centrally by, say, Amazon for their Echo devices. Every time one of the kids asks Alexa a question, a TLS connection is established to Amazon's services and they get the benefit of confidentiality, integrity and authenticity.

The second point is trickier because we're talking about a whole bunch of devices in the house running web servers and talking HTTP. For example, my UniFi network centres around their Dream Machine Pro device and Scott has written in the past about how to set up HTTPS on the UDM. He's also done the same thing with his Pi-hole. HA has a Let's Encrypt add-on. Increasingly, we're seeing IoT things support HTTPS which is great, and it goes a step further in taking us towards that zero trust principle, but it's not all that simple...

Every Shelly I have in the house has its own little web server and I connect to it locally via IP address... over HTTP. An adversary sitting at the network routing level (i.e. on one of my switches) would be able to observe the traffic (no confidentiality), modify it (no integrity) or redirect it (no authenticity). Beyond a cursory Google search that returned no results, I haven't even begun to think about the logistics of installing a cert on a Shelly let alone the dozen other Shelly devices I have in the house.

Out of curiosity, I asked this question earlier today and got a response from Paulus just before publishing this blog post:

Reading through the responses to my original question, the resounding feedback was that when it comes to IoT communicating inside home networks, people weren't too concerned about a lack of transport layer encryption. I can understand that conclusion insofar as the LAN is a much lower risk part of the whole IoT ecosystem. I'd like everything to be sent over a secure transport layer (perhaps per Paulus' IKEA suggestion), and certainly any devices acting as clients communicating with external servers should be doing this already, but inevitably, there will be gaps.

There are, however, some very practical, very common-sense things we can do right now to improve the security posture of our IoT things so let's finish up by talking about those.

Common-Sense Security

Security goes well beyond just digital controls, indeed there are many ways we can influence our IoT security posture simply by adjusting the way we think about the devices. I want to break this down into 3, common-sense approaches:

1. You cannot lose what you do not have: This is an old adage often used in a digital privacy context and it's never been truer than with IoT. Headlines such as Stranger hacks into baby monitor, tells child, 'I love you' are a near daily occurrence and there's a sure way to ensure a hacker doesn't end up watching and talking to your child: don't put a camera with a mic and speaker in their bedroom! Right about now, a small subset of my readership is getting ready to leave angry comments about "victim blaming" and I'll ask them to start with a blog post from almost 5 years ago titled Suggesting you shouldn’t digitise your sexual exploits isn’t “victim blaming”, it’s common-sense. The point in all these cases isn't to say someone is "wrong" for using a connected baby monitor or making kinky home movies, rather that doing so increases the chances of an otherwise private event being seen by others. Do your own assessment on whether you're willing to take that risk or not.

As it relates to my own approach to IoT, all cameras I have point at places that are publicly observable. (The only exceptions are inside my garage and my boatshed, both places where nothing happens I wouldn't be comfortable with the public seeing.) My worst-case scenario if my cameras are pwned isn't the exposure of my kids to strangers or an intimate moment with my partner, it's only publicly observable activity.

Using features such as Ubiquiti's privacy zones on their Protect cameras also helps:

Those black boxes are recorded onto all video the camera captures and shield both the master bedroom and the pool from view should someone obtain the video. If an adversary gained full control to the UniFi Protect server then yes, they could remove the privacy zones, but that would only apply to future videos and only until I cottoned on to something being wrong.

2. Be selective with what you connect: This whole journey began with me trying to automate my garage door, which I eventually did. But I actually have 2 garage doors with one leading to what could more appropriately be called a carport (a covered area inside the property boundary) and the other then leading inside the house. It looks like this:

I've divided this into risk zones and the reason the upper area is low risk is that it's easily accessible. There's a wall around the house behind those green palms, but it can be jumped. That door is internet connected and it allows me to remotely open it so couriers can drop off packages or I can easily ride my bike back inside the property boundary (I just ask Siri on my watch to open it up). The higher risk zone contains things like bikes, wakeboards and life vests (not to mention my beer fridge!). I've not connected that door as it presents a greater risk and provides less upside if connected than the external door, thus it is harder to justify being IoT enabled.

The point here is that I'm effectively doing my own little risk assessment on each IoT device, and you can too. What upside does it bring you? What downside does it present? How likely is that to happen? And finally, what's the impact if it does? Easy 🙂

3. Choose who to trust: I'll give you a real-world example here, starting with this tweet:

The back story to this was that I'd just installed Ubiquiti's AmpliFi ALIEN unit at this friend's house and in doing so, set up a brand new network with new SSID and subsequently set about migrating all the connected things to the new one. Everything came over just fine... except the doorbell. I have absolutely no idea who made that doorbell; it seemed to be a cheap Chinese model with very little documentation and no clear way to join a new network. I was stumped and the doorbell was kinda crap anyway thus the tweet above.

Now, if I had to choose between trusting that old doorbell with the ones suggested in that thread (namely Ring, Nest and Ubiquiti), it's an easy decision. These companies invest serious dollars in their security things in just the same way Amazon does with their Echo devices. Why mention Echo? Because people often ask if I trust them given I have one in each kid's room. Now that's a binary question with a non-binary response because trust is not as simple as "completely" or "not at all", it's much more nuanced. What I know about each of the multi-billion dollar tech companies mentioned here is that they have huge budgets for this stuff and are the most likely not just to get it right in the first place, but to deal with it responsibly if they get it wrong.

But a caveat: Nissan is also a huge company with massive budgets and they made an absolute mess of the security around their car. It doesn't surprise me that CloudPets and TicTocTrack made the mistakes they did because they're precisely the sorts of small organisations shipping cheap products that I expect to get this wrong, but clearly organisation size alone is not a measure of security posture.


There will be those who respond to this blog post with responses along the lines of "well, you really don't need any of these things connected anyway, why take the risk?" There's an easy answer: because it improves my life. In the final part of this series I'm going to do video walkthroughs of a whole bunch of different ways in which I benefit from my connected environment, showing how each connected thing operates. I like my IoT devices and in order to reap the benefits they provide, I'm willing to wear some risk.

Coming back to a recurring theme from this series, the security situation as it relates to normal everyday people using IoT devices isn't great and I've given plenty of examples of why that's the case. I also don't believe the approaches taken by enthusiasts solve the problem in any meaningful way, namely custom firmware, blocking device updates and creating VLANs. It's fiddly, time consuming, fraught with problems and most importantly, completely out of reach for the huge majority of people using IoT devices. We need to do better as an industry; better self-healing devices, better zero trust networks and better interoperability.

Finally, and per the last couple of blogs in the series, Scott and I will be talking live about all things IoT (and definitely drilling much deeper into the security piece given the way both of us make a living), later this week via this scheduled broadcast 👇

Inside the Cit0Day Breach Collection

It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data. The hard bit for me is figuring out whether it's pwn-worthy enough to justify loading it into Have I Been Pwned (HIBP) or if it's just more noise that ultimately doesn't really help people make informed decisions about their security posture. More on that shortly, let's start with what's in there and we're looking at a zip file named "" that's 13GB when compressed:


A couple of folders down are two more folders named "Cit0day []" and "Cit0day Prem []"


And then this is where it gets interesting: The first folder has 14,669 .rar files in it whilst the second has a further 8,949 .rar files giving a grand total of 23,618 files. This is where the "more than 23,000 hacked databases" headlines come from as this is how many files are in the archive. Because it's relevant to the story and especially relevant to people who find their data in this breach via an HIBP search, I'm going to list the two sets of files in their entirety via the following Gists:

  1. Cit0day []
  2. Cit0day Prem []

Let's drill deeper now and take a look inside one of these files and I'm going to pick " {1.515.111} [HASH+NOHASH] (Arts)_special_for_XSS.IS.rar" simply because it's one of the larger ones. Here's the contents:


Taking that first and largest file from the archive, there are over 1.5M lines comprised of email address and MD5 hash pairs. I'm going to highlight one particular row that used a Mailinator address simply because Mailinator accounts are public email addresses where there is no expectation whatsoever of privacy. Here it is:

When looking at the "Results.txt" file, that email address appears with a cracked password:

The "NotFound.txt" file consists of email address and MD5 hash pairs and for each hash I randomly Googled, no plain text result was found so this appears to be hashes that weren't cracked. The "Rejected.txt" file contained malformed email addresses and "Result(HEX).txt" had a small number of email address and password hex pairs. This same pattern appeared over and over again across the other archives and it gives us a pretty good idea of what the data was intended for: credential stuffing.

I extracted all the files, ran my usual email address extraction tool over it (effectively just a regex that can quickly enumerate through a large number of files), and found a total of 226,883,414 unique addresses. A substantial number, although not even in the top 10 largest breaches already in HIBP.

But is it legit? I mean can we trust that both the email addresses and passwords from these alleged breaches represent actual accounts on those services? Let's take the example above which allegedly came from, a guitar forum. Over to the password reset and drop in the Mailinator address from before:


Apparently, an email has been sent to that address which indicates it does indeed exist on the site:


And sure enough, in that public Mailinator inbox is the password reset email for a user by the name of "trawis":


Consequently, there is a very high likelihood this data is legit. I haven't notified Chordie as they're one of more than 23k sites listed so clearly disclosure in the traditional sense isn't going to work, at least not where I privately contact the company. But each time I checked, the pattern repeated itself; has an account on


Or over on, also had an account:


In that example, the data was found in a file called " {54.629} [NOHASH].txt" and true to its name, it appears from the forgotten password email that they were never even hashed in the first place. Same again for on


I'm conscious I'm showing actual email addresses and either passwords or reset tokens in the images above, but again, these are very clearly test accounts with no expectation of privacy. I'm showing these for impact; this is a serious set of data that includes actual breaches that are almost certainly unknown by the site operators.

Many of the sites indicated in this collection of data are now defunct. For example, as of the time of writing, simply returns "Forbidden". Back in May, it was a service for blokes to meet Czech women according to Or take which is returning HTTP500 today, but in Jan last year was a (self-proclaimed) global leader in digital education.

At least one other site in the collection was previously (publicly) known to have been breached and in this particular case, was already in HIBP. For example, " {287.560} [HASH+NOHASH] (Adult)_special_for_XSS.IS.rar" is already in HIBP as a sensitive breach. I'm sure there are probably others too so inevitably this isn't 100% new data, let's see if we can put a number on that:

I was curious as to how much of this data had been seen in other breaches before and if there was an obvious trend. For example, is this largely just data from, say, the Collection #1 credential stuffing list I loaded early last year? I took a slice of addresses from the 226M I'd extracted and started running them against HIBP. Here's what I found after checking over 74k addresses:


Only 55% of the addresses in the sample set had been seen before (after loading the complete data set into HIBP, that number rose to 65%). There were a bunch of addresses in the Collection #1 incident and also in the 2,844 breach collection I added in Feb 2018, but clearly based on the red "null" results there were also many new addresses. In other words, there were a substantial number of people who, prior to loading this data, would get no hits when searching HIBP but had previously been in a breach.

Then there were the passwords. Eyeballing them, they're all the sorts of terrible passwords you'd expect most people to use. Passwords like "Ashtro1969", "Odette1978" and, perhaps unsurprisingly given the file I was looking at, "ilovechordie". Whilst many of the passwords I tested were terrible enough to have previously appeared in other data breaches and flowed through to Pwned Passwords, these three didn't exist there at all. In fact, over 40M of them didn't exist at all.

The passwords, however, do also pose a bit of a conundrum when parsing them out of thousands of separate files. Whilst many existed as credential pairs in the "Results.txt" files of the respective archives, others existed in files such as " {1.928} decrypted.txt" (they're almost certainly cracked hashes rather than "decrypted" ciphers) and " {2.166} [NOHASH].txt", the latter possibly indicating that passwords were never hashed to begin with. So, thousands of files, different naming formats and whilst mostly consistent in terms of structure, inevitably there are some parsing issues in there. For example, this "password":

3px;"><a href="docs/!INDEX.html"><b>Ãëàâíàÿ</b></a></div><div style="padding-left: 10px; padding-top: 3px; padding-bottom: 3px;"><a href="docs/ondfi5.html" style="">Î êîìïàíèè</a><br/></div><div style="padding-left: 10px; padding-top: 3px; padding-bottom: 3px;"><a href="docs/8qjisp.html" style="">Óñëóãè</a><br/></div><div style="padding-left: 10px; padding-top: 3px; padding-bottom: 3px;"><a href="

This would be an epic password if someone did in fact use it, but it's almost certainly an upstream parsing error. Or take this password:


Yes, I can envisage someone using it on a website (perhaps one related to cooking), but no, I don't believe it would have been used 6,349 times which is the number of occurrences that were found within the breach corpus. Interestingly, they were all sourced from " {134.303} [HASH] (Business and Industry).txt" and as best I can make out, is a Thai fashion site. But neither of these data quality issues matter - here's why:

When these passwords flow through into Pwned Passwords, they ultimately exist as hashes to be downloaded or queried using k-anonymity. Nobody is going to use the first password with all the HTML in it so it has no real world impact. Someone might feasibly try to use the second password and a service using HIBP's Pwned Passwords might then reject it due to its prevalence. I'm ok with that because it's not a good password! But what about hash collisions? What if someone else tries to use a password where the SHA-1 hash is equal to the SHA-1 hash of the junk data? It'd return a hit in HIBP which would effectively be a false positive, but whether there's a small amount of junk data in there or not (and it's a very small amount - well under 1%), the same issue prevails. Plus, considering that SHA-1 hashes occupy a total character space of 16^40, you can easily do the maths on how extremely unlikely this is (and the impact is still very low if it does).
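To make the k-anonymity model above concrete, here is an added example (not code from the original post or from HIBP) of what a client does with a Pwned Passwords range query: hash the password with SHA-1, send only the first five hex characters, and compare the remaining 35 locally against the suffixes that come back. The public API shape (https://api.pwnedpasswords.com/range/{prefix}, lines of SUFFIX:COUNT) is real; the bucket contents and counts in the demo are constructed so the code runs offline, and the live fetch function is included only for reference.

```python
import hashlib
import urllib.request


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: the first 5 hex chars are sent, the other 35 never leave the client."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def fetch_range_live(prefix: str) -> str:
    """Real lookup over the network; not used by the offline demo below."""
    with urllib.request.urlopen(range_url(prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict:
    """Each response line is 'SUFFIX:COUNT' (35 hex chars, colon, decimal prevalence)."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """Prevalence of the password in the corpus, or 0 if its suffix is not in the bucket."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API: one bucket holding the suffix of "ilovechordie"
# (a password quoted above) plus two made-up neighbours. All counts are invented.
_DEMO_PREFIX, _DEMO_SUFFIX = split_for_range_query("ilovechordie")
_DEMO_BUCKETS = {
    _DEMO_PREFIX: "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:17",
        f"{_DEMO_SUFFIX}:3",
        "FEDCBA9876543210FEDCBA9876543210FED:1",
    ])
}


def fake_fetch_range(prefix: str) -> str:
    # The real service answers every prefix with several hundred suffixes; this
    # stub simply returns an empty bucket for any prefix it does not know.
    return _DEMO_BUCKETS.get(prefix, "")


if __name__ == "__main__":
    for pw in ("ilovechordie", "correct-horse-battery-staple-2020"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
```

The server only ever learns a 5-character prefix shared by hundreds of unrelated hashes, which is why the junk-data and collision concerns discussed above amount to the occasional false positive rather than a disclosure of the password being checked.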

Given the number of individual breaches, the legitimacy of the data plus the vast number of previously unseen email addresses and passwords, I've loaded it all into HIBP. The lot - both emails and passwords (note: these go in as separate archives and never as pairs, read more about Pwned Passwords here). As with other breaches without a single clear origin, this means that people may find themselves pwned and not know which service leaked their data. It also means they may find their password breached and not know which service leaked it. But it also doesn't matter - here's why:

The goal of HIBP has always been to change behaviours, namely to move people from using those one or two or three weak passwords all over the place and get themselves into a proper password manager like 1Password and create strong, unique passwords everywhere (full disclosure: I'm on their board of advisors). If you've done that already and then find yourself in the Cit0day data then it's a non-event for two reasons:

  1. Being in one of the 23k breaches isolates your risk to that breach alone; because you've not reused the password anywhere else, exposure in that one place doesn't put you at risk anywhere else.
  2. Passwords randomly generated from a password manager are almost certainly not going to be cracked; even when stored weakly (for example, as an unsalted MD5 hash), your ~40 character random string isn't being cracked. If, on the other hand, the site stored it in plain text, see point 1.
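The Results.txt / NotFound.txt / Rejected.txt split described earlier in the post, and point 2 above about random passwords surviving even unsalted MD5, both come down to the same mechanic, so here is one added example (constructed for this page, not the author's tooling or the Cit0day data) that emulates it. It parses "email:secret" lines, treats a 32-hex-character second field as an MD5 hash and anything else as a [NOHASH] plaintext, "cracks" the hashes with a dictionary lookup, and counts unique addresses with the same sort of regex pass mentioned above. Addresses, hashes and the wordlist are all made up.

```python
import hashlib
import re

# Everything in this block is constructed for the example; none of it comes from the Cit0day archives.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

RANDOM_40 = "xK7pQ2vL9mZ4rT8wB3nH6jF1sD5gA0yC2eU4iO7q"  # 40 chars, the kind a password manager emits


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


SAMPLE_LINES = [
    "alice@example.com:" + md5_hex("Ashtro1969"),   # [HASH] style line
    "bob@example.com:" + md5_hex("ilovechordie"),
    "carol@example.com:" + md5_hex(RANDOM_40),      # random password, still only unsalted MD5
    "dave@example.com:Odette1978",                  # [NOHASH] style line, stored in the clear
    "not-an-address:deadbeef",                      # malformed, belongs in Rejected.txt
    "ALICE@example.com:" + md5_hex("Ashtro1969"),   # same person, different case
]

# Tiny stand-in for an attacker's wordlist or previously cracked corpus.
WORDLIST = ["123456", "password", "Ashtro1969", "Odette1978", "ilovechordie"]


def split_archive(lines, wordlist):
    """Emulate the per-site split seen in the archives: Results.txt (cracked or plaintext
    pairs), NotFound.txt (hashes with no match) and Rejected.txt (junk lines)."""
    # Unsalted MD5 turns cracking into a dictionary lookup: hash each candidate exactly once.
    lookup = {md5_hex(w): w for w in wordlist}
    results, notfound, rejected = [], [], []
    for line in lines:
        # Split on the first colon only; passwords may legitimately contain ':'.
        email, sep, secret = line.partition(":")
        if not sep or not EMAIL_RE.match(email):
            rejected.append(line)
            continue
        if MD5_RE.match(secret):
            plain = lookup.get(secret.lower())
            (results if plain else notfound).append((email, plain or secret.lower()))
        else:
            results.append((email, secret))  # NOHASH: nothing to crack
    return {"results": results, "notfound": notfound, "rejected": rejected}


def count_unique_emails(lines):
    """The 'email address extraction' pass: regex out addresses, dedupe case-insensitively."""
    seen = set()
    for line in lines:
        match = EMAIL_RE.match(line.partition(":")[0])
        if match:
            seen.add(match.group(0).lower())
    return len(seen)


if __name__ == "__main__":
    out = split_archive(SAMPLE_LINES, WORDLIST)
    for name in ("results", "notfound", "rejected"):
        print(name, out[name])
    print("unique addresses:", count_unique_emails(SAMPLE_LINES))
```

Note where each record lands: the two weak passwords fall straight out of the lookup table, the plaintext line needs no work at all, and the 40-character random string ends up in NotFound.txt because no wordlist will ever contain it; the hash is weak, but the password is not.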

And if you don't already have a password manager? Then you need to get one and promptly change the password on every important account anyway!

But there is a gap that goes beyond the risks associated with exposed passwords alone, and that's the personal impact of other exposed data. If, for example, you filled a bunch of other personal information into Chordie then it would be reasonable to assume that's now in the possession of other parties and you would quite rightly want to know about that. This is where we really need the sites indicated in those two Gists above to come forth and I suggest the following: If they're on the list, test a sample set of their own subscribers' email addresses on HIBP. If you're worried about submitting someone else's personal info to my service, grab some Mailinator addresses and check those. If they come back with hits against the Cit0day breach then that's a very strong indication of breach.

In closing, there are now 226M more breached accounts in HIBP and a further 41M passwords (just over 40M new ones from this incident and just under 1M from other incidents since the last release). Just to emphasise why it was important to get this data set into HIBP, the Pwned Passwords k-anonymity API has been hit 815M times in the last month:


Feeding these passwords into the corpus of known breached ones has an immediate and tangible impact on account takeovers which is good for online services, good for individuals and good for the web as a whole.

A last word on this: please don't contact me and ask for details on the breach your address was in or the password used, I operate this as a free service in my available time and don't have the capacity to reply to even a tiny fraction of the 226M people in this incident. Get a password manager, use strong and unique passwords, that is all.

Trend Micro HouseCall for Home Networks: Giving You a Free Hand in Home Network Security

Remember when only desktop computers in our homes had connections to the internet? Thanks to the latest developments in smart device technology, almost everything now can be connected— security cameras, smart TVs, gaming consoles, and network storage, to name just a few. While a home network provides lots of benefits, it can also expose us to safety and privacy risks.

But checking for those risks need not be costly. How about a network security checker available for free? Yes, you read that right. Trend Micro’s free HouseCall for Home Networks (HCHN) scans the connected devices in your home network and flags those that pose security risks, and in doing so gives you a sense of what real network security entails. We have a solution for that also.

Want to know more?

Trend Micro HCHN uses intelligent network scanning technology to scan the devices connected to your home network for vulnerabilities. These range from low-risk findings, such as a Wi-Fi name (SSID) that identifies your router’s make or model and so tells an attacker which exploits to try, to high-risk ones: SSL POODLE (a padding-oracle flaw in SSL 3.0 that lets a man-in-the-middle decrypt session data), Shellshock (a Bash flaw that enables remote code execution), Heartbleed (an OpenSSL memory-disclosure bug that leaks keys and passwords from server memory) and the SMBv1 flaw (MS17-010) exploited by the WannaCry ransomware worm. These and other vulnerabilities can be detected with the help of this handy tool.

In addition, HCHN checks devices for open ports that are commonly targeted by attackers and malware. Examples include ports 21 and 20, used by the File Transfer Protocol (FTP): port 21 carries the control channel (commands and credentials) and port 20 the data channel in active mode, and FTP sends both in the clear. Another is port 23, Telnet, which also transmits everything in clear text, so an attacker on the path can listen in, capture credentials or inject commands and end up with remote command execution on the device.

Moreover, HCHN gives you a report about the status of your home network and its connected devices and offers helpful advice for keeping your network and devices secure.

Lastly, HCHN notifies you when:

  • a new device joins the network;
  • your device connects to a new network;
  • a new vulnerability is found in the network.


Ready to install?

HCHN is easy to use and available for Windows (7, 8 and 10), macOS (10.12 or later), Android (5.0 or later) and iOS (8.0 or later). On a computer you only need an Intel Pentium or compatible processor, 256MB of RAM (512MB recommended) and at least 50MB of free disk space, and you’re set.

  • Download and install the application from the Web, Google Play Store or Apple App Store.
  • During install, accept the Privacy and Personal Data Collection Disclosure Agreement which indicates the necessary information gathered in order to check for and identify vulnerabilities in devices connected to your home network and you’re good to go.
  • Once installed, inspect your home network’s security risk exposure by clicking (applies to Windows and MacOS) or tapping (applies to Android and iOS) Scan Now. You’re then presented with the result.


Are my home network and connected devices safe?

Here are a few scans we did, from a Windows PC and then from Android and iOS devices.

When the scan is complete on a Windows computer it shows two tabs: Home Network and Devices.

The first tab indicates a snapshot of your home network, identifying the devices at risk.

Figure 1. HouseCall for Home Networks – Home Network

The second tab indicates a list of the devices scanned and the details of any device risks found.

Figure 2. HouseCall for Home Networks – Device List

On the Android device, once the scan has finished, the screen will reveal any security risks detected. You can view the issue to see more details of the security risk in your home network. You can then slide to the next panel and check to verify all the connected devices on your network.

Figure 3. HCHN – At Risk Devices

Similarly, upon completing the network scan from an iOS device, the app will display the risk that needs your attention. Just as with the Android device, you can move to the next panel to review the list of connected devices that were identified by Trend Micro HCHN.

Figure 4. HCHN – Needs Attention

A Few Reminders and Recommendations …

  • Use HCHN regularly to check the posture of your home network security, since new vulnerabilities and network risks may appear in the device after a time due to lack of firmware updates or a failure by the manufacturer to address a newfound risk.
  • Ensure that the devices (including mobile devices such as phones or tablets) are on and connected to the network when a scan is performed.
  • Some security products installed on the device initiating the network scan might detect the scan as suspicious and show a warning message or block user access. This doesn’t mean that HCHN is a malicious application. Add HCHN to your security product’s exception list, so it’s allowed to examine your network and connected devices for security risks.
  • The HCHN app does not automatically block dangerous network traffic or suspicious devices from connecting to your network. For that, and more home network security features, you should increase your home’s network protection with Trend Micro Home Network Security. To that we now turn.

What Home Network Security Provides

While a free network scan helps to determine the underlying dangers in your home network, to fully protect not only your home network but your family, you should consider Trend Micro Home Network Security (HNS) as a permanent enhancement to your network. It can shield your home against a wide variety of threats, including network intrusions, risky remote connections, phishing, ransomware, harmful websites and dangerous downloads. Additional features include the following:

  • New Device Approval gives you control over the devices that are allowed access to your home network.
  • Remote Access Protection limits malicious individuals from using remote desktop programs to connect to your devices at home.
  • Voice Control lets you issue voice commands to Alexa or Google Home to perform specific functions on HNS such as conducting a scan, obtaining your home network’s security status, pausing internet usage, disabling internet access for a user, and so on.
  • Parental Controls’ flexible and intuitive feature set, comprised of Filtering, Inappropriate App Used, Time Limits and Connection Alerts, can help any parent to provide a safe and secure internet experience for their kids. Combined with Trend Micro Guardian, parents can extend these protections to any network their children connect to, Wi-Fi or cellular.

Download the HNS App on your Android or iOS device to give it a spin. Note that the HNS App, when used by itself, performs the same functions as the HCHN app on those devices.

If you like what you see, pair the HNS App to a Home Network Security Station to get the full range of protections. (Note too that once you do, the HCHN App will be disabled on all your devices and network and replaced by Home Network Security.)

Figure 5. Home Network Security (HNS) App

Figure 6. HNS App Paired with the Home Network Security Station

Final Words

Home networks come with security risks. As the tech-savvy member of your household, you need to be aware of those risks. Using Trend Micro HouseCall for Home Networks (HCHN), you’ll be able to know which devices are connected to your home Wi-Fi network and whether these devices bear security risks that can be exploited by hackers and malicious software. Moreover, you’ll be provided with suggestions, in case your devices are found vulnerable.

However, just knowing the security risks is only half the battle in protecting your home network. You’ll need a more robust system that can automatically block suspicious and malicious traffic and do more, such as protecting your child’s online safety. Trend Micro Home Network Security (HNS) can address your home network’s security, even as it monitors your home network, prevents intrusions, blocks hacking attempts and web threats, and protects your family’s privacy, while keeping the internet safe for your kids.

Download Trend Micro Housecall for Home Networks from the Web, Google Play Store or Apple App Store to give it a try.

Go to Trend Micro Home Network Security to get more details on the solution, or to buy.


This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals are passing the time during the COVID-19 pandemic with online poker games, where the prizes include stolen data. Also, read about how VirusTotal now supports Trend Micro ELF Hash (aka telfhash).


Read on:

Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles

Cybercriminals have put their own spin on passing time during the COVID-19 lockdown with online rap battles, poker tournaments, poem contests, and in-person sport tournaments. The twist is that the prize for winning these competitions is sometimes stolen data and tools to make cybercrime easier, according to new research from Trend Micro.

Becoming an Advocate for Gender Diversity: Five Steps that Could Shape Your Journey

Sanjay Mehta, senior vice president at Trend Micro, was recently named a new board member at Girls In Tech—a noted non-profit and Trend Micro partner working tirelessly to enhance the engagement, education, and empowerment of women in technology. In this blog, Sanjay shares five steps that you can use to become an ally for diversity in the workplace.

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

In this month’s Patch Tuesday update, Microsoft pushed out fixes for 87 security vulnerabilities – 11 of them critical – and one of those is potentially wormable. There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

VirusTotal Now Supports Trend Micro ELF Hash

To help IoT and Linux malware researchers investigate attacks containing Executable and Linkable Format (ELF) files, Trend Micro created telfhash, an open-source clustering algorithm that helps cluster Linux IoT malware samples. VirusTotal has always been a valuable tool for threat research and now, with telfhash, users of the VirusTotal Intelligence platform can pivot from one ELF file to others.

New Emotet Attacks Use Fake Windows Update Lures

File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button. According to the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.

Metasploit Shellcodes Attack Exposed Docker APIs

Trend Micro recently observed an interesting payload deployment using the Metasploit Framework (MSF) against exposed Docker APIs. The attack involves the deployment of Metasploit’s shellcode as a payload, and researchers said this is the first attack they’ve seen using MSF against Docker. It also uses a small, vulnerability-free base image in order for the attack to proceed in a fast and stealthy manner.

Barnes & Noble Warns Customers It Has Been Hacked, Customer Data May Have Been Accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday, October 10th.

ContentProvider Path Traversal Flaw on ESC App Reveals Info

Trend Micro researchers found ContentProvider path traversal vulnerabilities in three apps on the Google Play store, one of which had more than 5 million installs. The three applications include a keyboard customization app, a shopping app from a popular department store, and the app for the European Society of Cardiology (ESC). Fortunately, the keyboard and department store apps have both been patched by developers. However, as of writing this blog, the ESC app is still active.

Carnival Corp. Ransomware Attack Affects Three Cruise Lines

Hackers accessed personal information of guests, employees and crew of three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed. Carnival Cruise Line, Holland America Line and Seabourn were the brands affected by the attack, which Carnival said they’re still investigating in an update on the situation this week.

Docker Content Trust: What It Is and How It Secures Container Images

Docker Content Trust allows users to deploy images to a cluster or swarm confidently and verify that they are the images you expect them to be. In this blog from Trend Micro, learn how Docker Content Trust works, how to enable it, steps that can be taken to automate trust validation in the continuous integration and continuous deployment (CI/CD) pipeline and limitations of the system.

Twitter Hackers Posed as IT Workers to Trick Employees, NY Probe Finds

A simple phone scam was the key first step in the Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say. The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said.

What is a DDoS Attack? Everything You Need to Know About Distributed Denial-of-Service Attacks and How to Protect Against Them

A distributed denial-of-service (DDoS) attack sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. DDoS attacks are one of the crudest forms of cyberattacks, but they’re also one of the most powerful and can be difficult to stop.

Cyberattack on London Council Still Having ‘Significant Impact’

Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services. Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.


Surprised by the new Emotet attack? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Cyber Security Awareness: A Critical Checklist

October 2020 marks the 17th year of National CyberSecurity Awareness Month, where users and organizations are encouraged to double their efforts to be aware of cybersecurity issues in all their digital dealings—and to take concrete steps to increase their privacy and security as necessary. The Cybersecurity & Infrastructure Security Agency (CISA), in conjunction with the National Cyber Security Alliance (NCSA) has announced a four-week security strategy under the theme “Do Your Part. #BeCyberSmart”. (You can use the NCSAM hashtag #BeCyberSmart during October to promote your involvement in raising cybersecurity awareness.) Their schedule includes the following:



  • Week of October 5 (Week 1): If You Connect It, Protect It
  • Week of October 12 (Week 2): Securing Devices at Home and Work
  • Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
  • Week of October 26 (Week 4): The Future of Connected Devices

Here in Trend Micro’s Consumer Division, we’d like to do our part by providing a breakdown of the security issues you should be aware of as you think about cybersecurity—and to give you some tips about what you can do to protect yourself and your family while working, learning, or gaming at home. To help, we’ve also taken a look back at articles we’ve written recently to address each category of threat—and to provide some quick links to access our library of relevant blogs all in a single place.

The range of threats

As you think about potential threats during Cybersecurity Awareness Month and beyond, keep in mind our basic breakdown of where and how threats arise, which we outlined at the beginning of the year in our Everyday Cyber Threat Landscape blog. An updated summary is given here:

Home network threats: Our homes are increasingly powered by online technologies. Over two-thirds (69%) of US households now own at least one smart home device: everything from voice assistant-powered smart speakers to home security systems and connected baby monitors. But gaps in protection can expose them to hackers. There were an estimated 105m smart home attacks in the first half of 2019 alone. With home routers particularly at risk, it’s a concern that 83% are vulnerable to attack. In the first half of 2020, Trend Micro detected over 10.6 billion suspicious connection attempts on home routers’ unavailable ports—an issue made more worrisome by recent lab-based evidence that home routers are riddled with insecurities, as the Fraunhofer Home Router Security Report 2020 shows. This means you need to take steps to mitigate your router’s weaknesses, while deploying a home network security solution to address other network insecurities and to further secure your smart devices.


Endpoint threats: These are attacks aimed squarely at you the user, usually via the email channel. Trend Micro detected and blocked more than 26 billion email threats in the first half of 2019, nearly 91% of the total number of cyber-threats. These included phishing attacks designed to trick you into clicking on a malicious link to steal your personal data and log-ins or begin a ransomware download. Or they could be designed to con you into handing over your personal details, by taking you to legit-looking but spoofed sites. Endpoint threats sometimes include social media phishing messages or even legitimate websites that have been booby-trapped with malware. All this means that installing endpoint security on your PCs and Macs is critical to your safety.


Mobile security threats: Hackers are also targeting our smartphones and tablets with greater sophistication. Malware is often unwittingly downloaded by users, since it’s hidden in normal-looking mobile apps, like the Agent Smith adware that infected over 25 million Android handsets globally in 2019. Users are also extra-exposed to social media attacks and those leveraging unsecured public Wi-Fi when using their devices. Once again, the end goal for the hackers is to make money: either by stealing your personal data and log-ins; flooding your screen with adverts; downloading ransomware; or forcing your device to contact expensive premium rate phone numbers that they own. The conclusion? Installing a mobile security solution, as well as a personal VPN, on your Android or iOS device should be part of your everyday security defense.

Identity data breaches are everywhere: The raw materials needed to unlock your online accounts and help scammers commit identity theft and fraud are stored by the organizations you interact with online. Unfortunately, these companies continued to be targeted by data thieves in 2019. As of November 2019, there were over 1,200 recorded breaches in the US, exposing more than 163 million customer records. Even worse, hackers are now stealing card data directly from the websites you shop with, as it is entered, via “digital skimming” malware. Another increasingly popular method uses automated tools that try tens of thousands of previously breached log-ins to see if any of them work on your accounts (credential stuffing). From November 2017 through the end of March 2019, over 55 billion such attacks were detected. Add the classic phishing attack, where email hoaxes are designed to get you to unwittingly hand over your data, and your identity can be severely compromised. In this category, using both a password manager and an identity security monitoring solution is critical for keeping your identity data safe as you access your online accounts.

How Trend Micro can help

Trend Micro fully understands these multiple sources for modern threats, so it offers a comprehensive range of security products to protect all aspects of your digital life—from your smart home network to your PCs and Macs, and from your mobile devices to your online accounts. We also know you need security for your email and your social networks, or simply when browsing the web itself.

Trend Micro Home Network Security: Provides protection against network intrusions, router hacks, web threats, dangerous file downloads and identity theft for every device connected to the home network.

Trend Micro Premium Security Suite: Our new premium offering provides all of the products listed below for up to 10 devices, plus Premium Services by our highly trained pros. It includes 24×7 technical support, virus and spyware removal, a PC security health check, and remote diagnosis and repair. As always, however, each solution below can be purchased separately, as suits your needs.

  • Trend Micro Security: Protects your PCs and Macs against web threats, phishing, social network threats, data theft, online banking threats, digital skimmers, ransomware and other malware. Also guards against over-sharing on social media.
  • Trend Micro Mobile Security: Protects against malicious app downloads, ransomware, dangerous websites, and unsafe Wi-Fi networks.
  • Trend Micro Password Manager: Provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign in to.
  • Trend Micro WiFi Protection: Protects you on unsecured public WiFi by providing a virtual private network (VPN) that encrypts your traffic and ensures protection against man-in-the-middle (MITM) attacks.
  • Trend Micro ID Security (Android, iOS): Monitors underground cybercrime sites to securely check if your personal information is being traded by hackers on the Dark Web and sends you immediate alerts if so, so you can take steps to address the problem.

The post Cyber Security Awareness: A Critical Checklist appeared first on .

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more of our time online since the crisis hit. Whether it’s ordering food for delivery, livestreaming concerts, holding virtual parties, or engaging in a little retail therapy, the digital interactions of many Americans are on the rise. This means we’re also sharing more of our personal and financial information online, with each other and the organizations we interact with. Unfortunately, as ever, there are bad guys around every digital corner looking for a piece of the action.

The bottom line is that personally identifiable information (PII) is the currency of internet crime. And cyber-criminals will do whatever they can to get their hands on it. When they commit identity theft with this data, it can be a messy business, potentially taking months for banks and businesses to investigate before you get your money and credit rating back. At a time of extreme financial hardship, this is the last thing anyone needs.

It therefore pays to be careful about how you use your data and how you protect it. Even more: it’s time to get proactive and monitor it—to try and spot early on if it has been stolen. Here’s what you need to know to protect your identity data.

How identity theft works

First, some data on the scope of the problem. In the second quarter of 2020 alone 349,641 identity theft reports were filed with the FTC. To put that in perspective, it’s over half of the number for the whole of 2019 (650,572), when consumers reported losing more than $1.9 billion to fraud. What’s driving this huge industry? A cybercrime economy estimated to be worth as much as $1.5 trillion annually.

Specialized online marketplaces and private forums provide a user-friendly way for cyber-criminals and fraudsters to easily buy and sell stolen identity data. Many are on the so-called dark web, which is hidden from search engines and requires a specialized anonymizing browser like Tor to access. However, plenty of this criminal activity also happens in plain sight, on social media sites and messaging platforms. This underground industry is an unstoppable force: as avenues are closed down by law enforcement or criminal in-fighting, other ones appear.

At-risk personal data could be anything from email and account log-ins to medical info, SSNs, card and bank details, insurance details and much more. It all has a value on the cybercrime underground and the price fraudsters are prepared to pay will depend on supply and demand, just like in the ‘real’ world.

There are various ways for attackers to get your data. The main ones are:

  • Phishing: usually aimed at stealing your log-ins or tricking you into downloading keylogging or other info-stealing malware. Phishing mainly happens via email but could also occur via web, text, or phone. Around $667m was lost in imposter scams last year, according to the FTC.
  • Malicious mobile apps disguised as legitimate software.
  • Eavesdropping on social media: If you overshare even innocuous personal data (pet names, birth dates, etc.,) it could be used by fraudsters to access your accounts.
  • Public Wi-Fi eavesdropping: If you’re using it, the bad guys may be too.
  • Dumpster diving and shoulder surfing: Sometimes the old ways are still popular.
  • Stealing devices or finding lost/misplaced devices in public places.
  • Attacking the organizations you interact with: Unfortunately this is out of your control somewhat, but it’s no less serious. There were 1,473 reported corporate breaches in 2019, up 17% year-on-year.
  • Harvesting card details covertly from the sites you shop with. Incidents involving this kind of “web skimming” increased 26% in March as more users flocked to e-commerce sites during lockdown.


The COVID-19 challenge

As if this weren’t enough, consumers are especially exposed to risk during the current pandemic. Hackers are using the COVID-19 threat as a lure to infect your PC or steal identity data via the phishing tactics described above. They often impersonate trustworthy institutions/officials and emails may claim to include new information on outbreaks, or vaccines. Clicking through or divulging your personal info will land you in trouble. Other fraud attempts will try to sell counterfeit or non-existent medical or other products to help combat infection, harvesting your card details in the process. In March, Interpol seized 34,000 counterfeit COVID goods like surgical masks and $14m worth of potentially dangerous pharmaceuticals.

Phone-based attacks are also on the rise, especially those impersonating government officials. The aim here is to steal your identity data and apply for government emergency stimulus funds in your name. Of the 349,641 identity theft reports filed with the FTC in Q2 2020, 77,684 were specific to government documents or benefits fraud.

What do cybercriminals do with my identity data?

Once your PII is stolen, it’s typically sold on the dark web to those who use it for malicious purposes. It could be used to:

  • Crack open other accounts that share the same log-ins (via credential stuffing). There were 30 billion such attempts in 2018.
  • Log-in to your online bank accounts to drain it of funds.
  • Open bank accounts/credit lines in your name (this can affect your credit rating).
  • Order phones in your name or port your SIM to a new device (this impacts 7,000 Verizon customers per month).
  • Purchase expensive items in your name, such as a new watch or television, for criminal resale. This is often done by hijacking your online accounts with e-tailers. E-commerce fraud is said to be worth around $12 billion per year.
  • File fraudulent tax returns to collect refunds on your behalf.
  • Claim medical care using your insurance details.
  • Potentially crack work accounts to attack your employer.

How do I protect my identity online?

The good news among all this bad is that if you remain skeptical about what you see online, are cautious about what you share, and follow some other simple rules, you’ll stand a greater chance of keeping your PII under lock and key. Best practices include:

  • Using strong, long and unique passwords for all accounts, managed with a password manager.
  • Enable two-factor authentication (2FA) if possible on all accounts.
  • Don’t overshare on social media.
  • Freeze credit immediately if you suspect data has been misused.
  • Remember that if something looks too good to be true online it usually is.
  • Don’t use public Wi-Fi when out-and-about, especially not for sensitive log-ins, without a VPN.
  • Change your password immediately if a provider tells you your data may have been breached.
  • Only visit/enter payment details into HTTPS sites.
  • Don’t click on links or open attachments in unsolicited emails.
  • Only download apps from official app stores.
  • Invest in AV from a reputable vendor for all your desktop and mobile devices.
  • Ensure all operating systems and applications are on the latest version (i.e., patch frequently).
  • Keep an eye on your bank account/credit card for any unusual spending activity.
  • Consider investing in a service to monitor the dark web for your personal data.

How Trend Micro can help

Trend Micro offers solutions that can help to protect your digital identity.

Trend Micro ID Security is the best way to get proactive about data protection. It works 24/7 to monitor dark web sites for your PII and will sound the alarm immediately if it finds any sign your accounts or personal data have been stolen. It features

  • Dark Web Personal Data Manager to scour underground sites and alert if it finds personal info like bank account numbers, driver’s license numbers, SSNs and passport information.
  • Credit Card Checker will do the same as the above but for your credit card information.
  • Email Checker will alert you if any email accounts have been compromised and end up for sale on the dark web, allowing you to immediately change the password.
  • Password Checker will tell you if any passwords you’re using have appeared for sale on the dark web, enabling you to improve password security.

Trend Micro Password Manager enables you to manage all your website and app log-ins from one secure location. Because Password Manager remembers and recalls your credentials on-demand, you can create long, strong and unique passwords for each account. As you’re not sharing easy-to-remember passwords across multiple accounts, you’ll be protected from popular credential stuffing and similar attacks.

Finally, Trend Micro WiFi Protection will protect you if you’re out and about connecting to WiFi hotspots. It automatically detects when a WiFi connection isn’t secure and enables a VPN—making your connection safer and helping keep your identity data private.

In short, it’s time to take an active part in protecting your personal identity data—as if your digital life depended on it. In large part, it does.


The post Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis appeared first on .

Lockscreen and Authentication Improvements in Android 11

[Cross-posted from the Android Developers Blog]

As phones become faster and smarter, they play increasingly important roles in our lives, functioning as our extended memory, our connection to the world at large, and often the primary interface for communication with friends, family, and wider communities. It is only natural that as part of this evolution, we’ve come to entrust our phones with our most private information, and in many ways treat them as extensions of our digital and physical identities.

This trust is paramount to the Android Security team. The team focuses on ensuring that Android devices respect the privacy and sensitivity of user data. A fundamental aspect of this work centers around the lockscreen, which acts as the proverbial front door to our devices. After all, the lockscreen ensures that only the intended user(s) of a device can access their private data.

This blog post outlines recent improvements around how users interact with the lockscreen on Android devices and more generally with authentication. In particular, we focus on two categories of authentication that present both immense potential as well as potentially immense risk if not designed well: biometrics and environmental modalities.

The tiered authentication model

Before getting into the details of lockscreen and authentication improvements, we first want to establish some context to help relate these improvements to each other. A good way to envision these changes is to fit them into the framework of the tiered authentication model, a conceptual classification of all the different authentication modalities on Android, how they relate to each other, and how they are constrained based on this classification.

The model itself is fairly simple, classifying authentication modalities into three buckets of decreasing levels of security and commensurately increasing constraints. The primary tier is the least constrained in the sense that users only need to re-enter a primary modality under certain situations (for example, after each boot or every 72 hours) in order to use its capability. The secondary and tertiary tiers are more constrained because they cannot be set up and used without having a primary modality enrolled first and they have more constraints further restricting their capabilities.

  1. Primary Tier - Knowledge Factor: The first tier consists of modalities that rely on knowledge factors, or something the user knows, for example, a PIN, pattern, or password. Good high-entropy knowledge factors, such as complex passwords that are hard to guess, offer the highest potential guarantee of identity.

    Knowledge factors are especially useful on Android because devices offer hardware-backed brute-force protection with exponential backoff, meaning Android devices prevent attackers from repeatedly guessing a PIN, pattern, or password by imposing hardware-backed timeouts after every 5 incorrect attempts. Knowledge factors also confer additional benefits to all users that use them, such as File Based Encryption (FBE) and encrypted device backup.

  2. Secondary Tier - Biometrics: The second tier consists primarily of biometrics, or something the user is. Face or fingerprint based authentications are examples of secondary authentication modalities. Biometrics offer a more convenient but potentially less secure way of confirming your identity with a device.

We will delve into Android biometrics in the next section.

  3. The Tertiary Tier - Environmental: The last tier includes modalities that rely on something the user has. This could be a physical token, as with Smart Lock’s Trusted Devices, where a phone can be unlocked when paired with a safelisted Bluetooth device, or something inherent to the physical environment around the device, as with Smart Lock’s Trusted Places, where a phone can be unlocked when it is taken to a safelisted location.

    Improvements to tertiary authentication

    While both Trusted Places and Trusted Devices (and tertiary modalities in general) offer convenient ways to get access to the contents of your device, the fundamental issue they share is that they are ultimately a poor proxy for user identity. For example, an attacker could unlock a misplaced phone that uses Trusted Places simply by driving it past the user's home, or, with a moderate amount of effort, by spoofing a GPS signal using off-the-shelf software-defined radios and some mild scripting. Similarly with Trusted Devices, access to a safelisted Bluetooth device also gives access to all data on the user’s phone.

    Because of this, a major improvement has been made to the environmental tier in Android 10. The Tertiary tier was switched from an active unlock mechanism into an extending unlock mechanism instead. In this new mode, a tertiary tier modality can no longer unlock a locked device. Instead, if the device is first unlocked using either a primary or secondary modality, it can continue to keep it in the unlocked state for a maximum of four hours.
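The rules above (primary re-entry after boot or 72 hours, biometrics usable only after a primary unlock and only within a fallback window, tertiary modalities that extend but never create an unlocked state, and backoff after every fifth wrong guess) fit in a small state machine. The following Kotlin model is an added illustration, not Android framework code and not from the original post. The biometric fallback window and the 30-second base lockout are assumed parameters, since the post's per-class table is not reproduced here; the 72-hour, four-hour and five-attempt figures come from the text.

```kotlin
import kotlin.time.Duration
import kotlin.time.Duration.Companion.hours
import kotlin.time.Duration.Companion.minutes
import kotlin.time.Duration.Companion.seconds

// Added model of the tiered authentication policy. Assumes a primary credential
// is already enrolled (the post: secondary/tertiary cannot exist without one).
class LockscreenModel(
    private val biometricTimeout: Duration,           // assumed per-class fallback window
    private val primaryTimeout: Duration = 72.hours,  // from the post
    private val tertiaryWindow: Duration = 4.hours,   // from the post (Android 10+)
    private val baseLockout: Duration = 30.seconds,   // assumed base for exponential backoff
) {
    private var biometricEnrolled = false
    private var lastPrimary: Duration? = null   // null after boot: primary required first
    private var lastStrong: Duration? = null    // last primary or secondary unlock
    private var failures = 0
    private var lockedOutUntil = Duration.ZERO
    var unlocked = false
        private set

    fun enrollBiometric() { biometricEnrolled = true }

    fun boot() { lastPrimary = null; lastStrong = null; unlocked = false }

    /** Knowledge factor. After every 5th wrong guess the lockout doubles; the post
     *  describes this as hardware-backed, here it is a software stand-in. */
    fun enterPrimary(correct: Boolean, now: Duration): Boolean {
        if (now < lockedOutUntil) return false
        if (!correct) {
            failures++
            if (failures % 5 == 0) lockedOutUntil = now + baseLockout * (1 shl (failures / 5 - 1))
            return false
        }
        failures = 0
        lastPrimary = now; lastStrong = now; unlocked = true
        return true
    }

    /** Biometric: only after a primary unlock since boot, and only inside both the
     *  class window and the 72-hour primary window. */
    fun presentBiometric(matched: Boolean, now: Duration): Boolean {
        val p = lastPrimary ?: return false
        if (!biometricEnrolled || !matched) return false
        if (now - p > minOf(biometricTimeout, primaryTimeout)) return false
        lastStrong = now; unlocked = true
        return true
    }

    /** Trusted device/place presented to a LOCKED device: since Android 10 this
     *  never unlocks, whatever the environment says. */
    fun trustedEnvironmentUnlock(): Boolean = false

    /** Screen timeout while unlocked: a tertiary modality may keep the device
     *  unlocked, but only within four hours of the last primary/secondary unlock. */
    fun screenTimeout(trustedEnvironment: Boolean, now: Duration) {
        val s = lastStrong
        val extend = trustedEnvironment && s != null && now - s <= tertiaryWindow
        if (!extend) unlocked = false
    }
}

fun main() {
    val m = LockscreenModel(biometricTimeout = 24.hours)   // 24 h is an assumed class value
    m.enrollBiometric()
    m.boot()
    check(!m.presentBiometric(matched = true, now = 1.minutes))  // primary first after boot
    check(m.enterPrimary(correct = true, now = 2.minutes))
    m.screenTimeout(trustedEnvironment = true, now = 3.hours)    // within 4 h: stays unlocked
    check(m.unlocked)
    m.screenTimeout(trustedEnvironment = true, now = 5.hours)    // window elapsed: locks
    check(!m.unlocked)
    check(!m.trustedEnvironmentUnlock())                         // tertiary cannot unlock
    check(m.presentBiometric(matched = true, now = 5.hours))     // biometric still inside window
    check(!m.presentBiometric(matched = true, now = 30.hours))   // class window elapsed: fall back
    repeat(5) { m.enterPrimary(correct = false, now = 30.hours) }
    check(!m.enterPrimary(correct = true, now = 30.hours + 10.seconds))  // locked out for 30 s
    check(m.enterPrimary(correct = true, now = 30.hours + 1.minutes))
    println("tiered model behaves as described")
}
```

The point the model makes explicit is the Android 10 change: `trustedEnvironmentUnlock()` is unconditionally false, and the environment only enters the decision in `screenTimeout()`, bounded by the last strong unlock.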

A closer look at Android biometrics

Biometric implementations come with a wide variety of security characteristics, so we rely on the following two key factors to determine the security of a particular implementation:

  1. Architectural security: The resilience of a biometric pipeline against kernel or platform compromise. A pipeline is considered secure if kernel and platform compromises don’t grant the ability to either read raw biometric data, or inject synthetic data into the pipeline to influence an authentication decision.
  2. Spoofability: Is measured using the Spoof Acceptance Rate (SAR). SAR is a metric first introduced in Android P, and is intended to measure how resilient a biometric is against a dedicated attacker. Read more about SAR and its measurement in Measuring Biometric Unlock Security.

We use these two factors to classify biometrics into one of three different classes in decreasing order of security:

  • Class 3 (formerly Strong)
  • Class 2 (formerly Weak)
  • Class 1 (formerly Convenience)

Each class comes with an associated set of constraints that aim to balance their ease of use with the level of security they offer.

These constraints reflect the length of time before a biometric falls back to primary authentication, and the allowed application integration. For example, a Class 3 biometric enjoys the longest timeouts and offers all integration options for apps, while a Class 1 biometric has the shortest timeouts and no options for app integration. You can see a summary of the details in the table below, or the full details in the Android Compatibility Definition Document (CDD).

1 App integration means exposing an API to apps (e.g., via integration with BiometricPrompt/BiometricManager, androidx.biometric, or FIDO2 APIs)

2 Keystore integration means integrating Keystore, e.g., to release app auth-bound keys

Benefits and caveats

Biometrics provide convenience to users while maintaining a high level of security. Because users need to set up a primary authentication modality in order to use biometrics, it helps boost the lockscreen adoption (we see an average of 20% higher lockscreen adoption on devices that offer biometrics versus those that do not). This allows more users to benefit from the security features that the lockscreen provides: gates unauthorized access to sensitive user data and also confers other advantages of a primary authentication modality to these users, such as encrypted backups. Finally, biometrics also help reduce shoulder surfing attacks in which an attacker tries to reproduce a PIN, pattern, or password after observing a user entering the credential.

However, it is important that users understand the trade-offs involved with the use of biometrics. Primary among these is that no biometric system is foolproof. This is true not just on Android, but across all operating systems, form-factors, and technologies. For example, a face biometric implementation might be fooled by family members who resemble the user or a 3D mask of the user. A fingerprint biometric implementation could potentially be bypassed by a spoof made from latent fingerprints of the user. Although anti-spoofing or Presentation Attack Detection (PAD) technologies have been actively developed to mitigate such spoofing attacks, they are mitigations, not preventions.

One effort that Android has made to mitigate the potential risk of using biometrics is the lockdown mode introduced in Android P. Android users can use this feature to temporarily disable biometrics, together with Smart Lock (for example, Trusted Places and Trusted Devices) as well as notifications on the lock screen, when they feel the need to do so.

To use the lockdown mode, users first need to set up a primary authentication modality and then enable it in settings. The exact setting where the lockdown mode can be enabled varies by device models, and on a Google Pixel 4 device it is under Settings > Display > Lock screen > Show lockdown option. Once enabled, users can trigger the lockdown mode by holding the power button and then clicking the Lockdown icon on the power menu. A device in lockdown mode will return to the non-lockdown state after a primary authentication modality (such as a PIN, pattern, or password) is used to unlock the device.

BiometricPrompt - New APIs

In order for developers to benefit from the security guarantee provided by Android biometrics and to easily integrate biometric authentication into their apps to better protect sensitive user data, we introduced the BiometricPrompt APIs in Android P.

There are several benefits of using the BiometricPrompt APIs. Most importantly, these APIs allow app developers to target biometrics in a modality-agnostic way across different Android devices (that is, BiometricPrompt can be used as a single integration point for various biometric modalities supported on devices), while controlling the security guarantees that the authentication needs to provide (such as requiring Class 3 or Class 2 biometrics, with device credential as a fallback). In this way, it helps protect app data with a second layer of defenses (in addition to the lockscreen) and in turn respects the sensitivity of user data. Furthermore, BiometricPrompt provides a persistent UI with customization options for certain information (for example, title and description), offering a consistent user experience across biometric modalities and across Android devices.

As shown in the following architecture diagram, apps can integrate with biometrics on Android devices through either the framework API or the support library (that is, androidx.biometric for backward compatibility). One thing to note is that FingerprintManager is deprecated because developers are encouraged to migrate to BiometricPrompt for modality-agnostic authentications.

Improvements to BiometricPrompt

Android 10 introduced the BiometricManager class that developers can use to query the availability of biometric authentication and included fingerprint and face authentication integration for BiometricPrompt.

In Android 11, we introduce new features such as the BiometricManager.Authenticators interface which allows developers to specify the authentication types accepted by their apps, as well as additional support for auth-per-use keys within the BiometricPrompt class.
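The pieces named in the last two paragraphs (a BiometricManager availability check, the Authenticators constants, and an auth-per-use key released through a CryptoObject) fit together as follows. This is an added example, not code from the post or from the Android project; it assumes androidx.biometric 1.1+ on the classpath, an app targeting API 30 (setUserAuthenticationParameters and KeyProperties.AUTH_BIOMETRIC_STRONG are API 30), and "vault-auth-per-use" is an assumed key alias.

```kotlin
import android.os.Bundle
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Added example: Class 3 (BIOMETRIC_STRONG) gated access to an app secret.
class VaultActivity : FragmentActivity() {
    private val keyAlias = "vault-auth-per-use"   // assumed alias

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // 1. Ask BiometricManager whether a Class 3 biometric is available and enrolled.
        //    For a plain login prompt that may fall back to PIN/pattern/password, check
        //    BIOMETRIC_STRONG or BiometricManager.Authenticators.DEVICE_CREDENTIAL instead.
        when (BiometricManager.from(this).canAuthenticate(BIOMETRIC_STRONG)) {
            BiometricManager.BIOMETRIC_SUCCESS -> unlockVault()
            BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED -> { /* send the user to enrolment */ }
            else -> { /* no Class 3 biometric on this device: use an app-level credential */ }
        }
    }

    // 2. Auth-per-use key (Android 11): timeout 0 means every use of the key needs a
    //    fresh Class 3 authentication, and Keystore, not app logic, enforces that.
    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(keyAlias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            keyAlias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)
            .setInvalidatedByBiometricEnrollment(true)   // a newly enrolled finger/face cannot use it
            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }

    // 3. One prompt, modality-agnostic: the framework picks fingerprint or face, the app
    //    only states the required strength. Because the key is bound to
    //    AUTH_BIOMETRIC_STRONG, DEVICE_CREDENTIAL is deliberately not allowed here.
    private fun unlockVault() {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Only the cipher handed back in the result is authorised, and only for
                // this one operation; a fresh Cipher would throw UserNotAuthenticatedException.
                val authorised = result.cryptoObject?.cipher ?: return
                val sealed = authorised.doFinal("vault secret".toByteArray())
                val iv = authorised.iv   // persist iv + sealed; decrypting later needs a new prompt
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                // e.g. BiometricPrompt.ERROR_LOCKOUT after repeated failed attempts
            }
        }
        val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(this), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock vault")
            .setSubtitle("Class 3 biometric required")
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")   // required whenever DEVICE_CREDENTIAL is not allowed
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

The security property worth noticing is that step 2 does not trust the app's own callback: even if an attacker could call `onAuthenticationSucceeded` directly, a cipher that Keystore has not authorised cannot complete `doFinal`, so the Class 3 requirement is enforced below the framework rather than in the UI layer.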

More details can be found in the Android 11 preview and Android Biometrics documentation. Read more about BiometricPrompt API usage in our blog post Using BiometricPrompt with CryptoObject: How and Why and our codelab Login with Biometrics on Android.

Announcing new reward amounts for abuse risk researchers

It has been two years since we officially expanded the scope of Google’s Vulnerability Reward Program (VRP) to include the identification of product abuse risks.

Thanks to your work, we have identified more than 750 previously unknown product abuse risks, preventing abuse in Google products and protecting our users. Collaboration to address abuse is important, and we are committed to supporting research on this growing challenge. To take it one step further, and as of today, we are announcing increased reward amounts for reports focusing on potential attacks in the product abuse space.

The nature of product abuse is constantly changing. Why? The technology (product and protection) is changing, the actors are changing, and the field is growing. Within this dynamic environment, we are particularly interested in research that protects users' privacy, ensures the integrity of our technologies, as well as prevents financial fraud or other harms at scale.

Research in the product abuse space helps us deliver trusted and safe experiences to our users. Martin Vigo's research on Google Meet's dial-in feature is one great example of a 31337 report that allowed us to better protect users against bad actors. His research provided insight on how an attacker could attempt to find Meet phone numbers and PINs, which enabled us to launch further protections to ensure that Meet would provide a secure technology connecting us while we're apart.

New Reward Amounts for Abuse Risks

What’s new? Based on the great submissions that we received in the past as well as feedback from our Bug Hunters, we increased the highest reward by 166% from $5,000 to $13,337. Research with medium to high impact and probability will now be eligible for payment up to $5,000.

What did not change? Identification of new product abuse risks remains the primary goal of the program. Reports that qualify for a reward are those that will result in changes to the product code, as opposed to removal of individual pieces of abusive content. The final reward amount for a given abuse risk report also remains at the discretion of the reward panel. When evaluating the impact of an abuse risk, the panels look at both the severity of the issue as well as the number of impacted users.

What's next? We plan to expand the scope of Vulnerability Research Grants to support research preventing abuse risks. Stay tuned for more information!

Starting today the new rewards take effect. Any reports that were submitted before September 1, 2020 will be rewarded based on the previous rewards table.

We look forward to working closely together with the researcher community to prevent abuse of Google products and ensure user safety.

Happy bug hunting!

What Security Means to Elders

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure. [1]

Findings from Pew Research Center show that internet usage by elders has risen from 14% in 2000 to 67% in 2017. As these numbers continue to rise, we wanted to find out what was important to them—particularly as more and more of their lives go online.

While many of us take shopping, surfing, and banking online for granted, they mark a dramatic shift for elders. They’ve gone from the days when banking meant banker’s hours and paper passbook to around-the-clock banking and a mobile app. And even if they use the internet sparingly, banking, finances, and commerce have gone digital. Their information is out there, and it needs to be protected.

The good news is, elders are motivated.

What’s on the minds of elders when it comes to their security?

Most broadly, this sentiment captures it well: Technology may be new to me, but I still want to be informed and involved. For example, elders told us that they absolutely want to know if something is broken—and if so, how to fix it as easily as possible. In all, they’re motivated to get smart on the topic of security, get educated on how to tackle risks, and gain confidence that they go about their time on the internet safely. Areas of interest they had were:

Identity protection: This covers a few things—one, it’s monitoring your identity to spot any initial suspicious activity on your personal and financial accounts before it becomes an even larger problem; and two, it’s support and tools for recovery in the event your identity is stolen by a crook. (For more on identity theft, check out this blog.)

Social Security monitoring: Government benefits are very much on the mind of elders, particularly as numerous agencies increasingly direct people to use online services to manage and claim those benefits. Of course, hackers and crooks have noticed. In the U.S., for example, the Social Security Administration identified nearly 63,000 likely fraudulent online benefit applications in fiscal 2018, according to the agency’s Office of the Inspector General, up from just 89 in fiscal 2015.

Scam prevention: An article from Protect Seniors Online cites some useful insights from the National Cyber Security Alliance and the Better Business Bureau. According to them, there are five top scams in the U.S. that tend to prey on older adults.

  • Tech support scams are run by people, sometimes over the phone, who pretend to be from a reputable company, ask for access to your computer over the internet, install malware, and then claim there’s a problem. After that, they’ll claim to “help” you by removing that malware—for an exorbitant fee.
  • Ransomware scams, where a crook will block access to your computer until you pay a sum of money. This is like the tech support scam, yet without the pretense of support—it’s straight-up ransom.
  • Tax scams that attempt to steal funds by instructing people to make payments to a scammer’s account. In the U.S., note that the IRS will not call to demand payment or appeal an amount you owe.
  • False debt collectors are out there too, acting in many ways like tax scammers. These will often come by way of email, where the hacker will hope that you’ll click the phony link or open a malicious attachment.
  • Sweepstakes and charity scams that play on your emotions, where you’re asked to pay to receive a prize or make a donation with your credit card (thereby giving crooks the keys to your account).

Where can professionals get started?

With that, we’ve put together several resources related to these topics. Drop by our site and check them out. We hope you’ll find some basic information and knowledge of behaviors that can keep you safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

[1] Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.


The post What Security Means to Elders appeared first on McAfee Blogs.

Pixel 4a is the first device to go through ioXt at launch

Trust is very important when it comes to the relationship between a user and their smartphone. While phone functionality and design can enhance the user experience, security is fundamental and foundational to our relationship with our phones. There are multiple ways to build trust around the security capabilities that a device provides, and we continue to invest in verifiable ways to do just that.

Pixel 4a ioXt certification

Today we are happy to announce that the Pixel 4/4 XL and the newly launched Pixel 4a are the first Android smartphones to go through ioXt certification against the Android Profile.

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones.

The core focus of ioXt is “to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.” This is accomplished by assessing devices against a baseline set of requirements and relying on publicly available evidence. The goal of ioXt’s approach is to enable users, enterprises, regulators, and other stakeholders to understand the security in connected products to drive better awareness towards how these products are protecting the security and privacy of users.

ioXt’s baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization.

We believe that using a widely known industry consortium standard for Pixel certification provides increased trust in the security claims we make to our users. NCC Group has published an audit report that can be downloaded here. The report documents the evaluation of Pixel 4/4 XL and Pixel 4a against the ioXt Android Profile.

Security by Default is one of the most important criteria used in the ioXt Android profile. Security by Default rates devices by cumulatively scoring the risk for all preloads on a particular device. For this particular measurement, we worked with a team of university experts from the University of Cambridge, University of Strathclyde, and Johannes Kepler University in Linz to create a formula that considers the risk of platform signed apps, pregranted permissions on preloaded apps, and apps communicating using cleartext traffic.

Screenshot of the presentation of the Android Device Security Database at the Android Security Symposium 2020

In partnership with those teams, Google created Uraniborg, an open source tool that collects necessary attributes from the device and runs it through this formula to come up with a raw score. NCC Group leveraged Uraniborg to conduct the assessment for the ioXt Security by Default category.

As part of our ongoing certification efforts, we look forward to submitting future Pixel smartphones through the ioXt standard, and we encourage the Android device ecosystem to participate in similar transparency efforts for their devices.

Acknowledgements: This post leveraged contributions from Sudhi Herle, Billy Lau and Sam Schumacher

What Security Means to Families


One truth of parenting is this: we do a lot of learning on the job. And that often goes double when it comes to parenting and the internet.

That’s understandable. Whereas we can often look to our own families and how we were raised for parenting guidance, today’s always-on mobile internet, with tablets and smartphones almost always within arm’s reach, wasn’t part of our experience growing up. This is plenty new for nearly all of us. We’re learning on the job as it were, which is one of the many reasons why we reached out to parents around the globe to find out what their concerns and challenges are—particularly around family safety and security in this new mobile world of ours.

Just as we want to know our children are safe as they walk to school or play with friends, we want them to be just as safe when they’re online, particularly when we’re not around to look over their shoulder. Yet where we likely have good answers for keeping our kids safe around the house and the neighborhood, answers about internet safety are sometimes harder to come by.

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure. 1

What concerns and questions do parents have about the internet?

The short answer is that parents are looking for guidance and support. They’re focused on the safety of their children, and they want advice on how to parent when it comes to online privacy, safety, and screen time. Within that, they brought up several specific concerns:

Help my kids not feel anxious about growing up in an online world.

There’s plenty wrapped up in this statement. For one, it refers to the potential anxiety that revolves around social networks and the pressures that can come with using social media—how to act, what’s okay to post and what’s not, friending, following, unfriending, unfollowing, and so on—not to mention the notion of FOMO, or “fear of missing out,” and anxiety that arises from feelings of not being included in someone else’s fun.

Keep my kids safe from bullying, or bullying others.

Parents are right to be concerned. Cyberbullying happens. In a UNICEF study spanning 30 countries, one child in three said they had been the victim of cyberbullying. On the flip side, a 2016 study of more than 5,000 students in the U.S. by the Cyberbullying Research Center reported that 11.5% of students between 12 and 17 indicated that they had engaged in cyberbullying in their lifetime.

Feel like I can leave my child alone with a device without encountering inappropriate content.

If we think of the internet as a city, it’s the biggest one there is. For all its libraries, playgrounds, movie theatres, and shopping centers, there are dark alleys and derelict lots as well. Not to mention places that are simply age appropriate for some and not for others. Just as we give our children freer rein to explore their world on their own as they get older, the same holds true for the internet. There are some things we don’t want them to see and do.

Balance the amount of screen time my children get each day.

Screen time is a mix of many things—from schoolwork and videos to games and social media. It has its benefits and its drawbacks, depending on what children are doing and how often they’re doing it. The issue often comes down to what is “too much” screen time, particularly as it relates to the bigger picture of physical activity, face-to-face time with the family, hanging out with friends, and getting a proper bedtime without the dim light of a screen throwing off their sleep rhythms.

Where can parents get started?

Beyond our job of providing online security for devices, our focus at McAfee is on protecting people. Ultimately, that’s the job we aim to do—to help you and your family be safer. Beyond creating software for staying safe, we also put together blogs and resources that help people get sharp on the security topics that matter to them. For parents, check out this page, which puts forward some good guidance and advice that can help. We hope that you’ll find even more ways to keep yourself and your family safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.



  1. Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.


The post What Security Means to Families appeared first on McAfee Blogs.

Introducing PhishingKitTracker

If you are a security researcher, or even just passionate about how attackers implement phishing, you will find yourself looking for phishing kits. A phishing kit is not a phishing builder, but a real implementation (actually a re-implementation) of a third-party website, built to lure the victim. Initially attackers use a phishing builder to “clone” the original website, but after that they introduce, into the freshly regenerated site, interesting add-ons such as: evasion techniques (to evade phishing detectors), targeting elements (to target specific victims), fast redirectors (to follow the attack chain into the original website, or to a relay that tries to infect you) and sometimes exploit kits, to try to exploit your browser before letting you go.

There are places where you can buy phishing kits (for example, BleepingComputer wrote a great article on that), but if you want to get them for free in order to study the attack schema and kit composition, you won’t find free collections. So I decided to share my PhishingKit Tracker, updated automatically by my backend engine every day, for study and research purposes.

You can find it in the PhishingKitTracker GitHub repo.


This repository holds a collection of phishing kits used by criminals to steal user information. Almost every file in the raw folder is malicious, so I strongly recommend that you neither open these files nor misuse the code to prank your friends. Playing with these kits may lead to irreversible consequences which may affect anything from personal data to passwords and banking information.

I am not responsible for any damage caused by the malware inside my repository and your negligence in general.

NB: Large File Storage Ahead

PhishingKitTracker is stored in Git Large File Storage (git-lfs) due to the large amount of data tracked. You should install git-lfs before cloning this repository.

RAW Data

The raw folder tracks the phishing kits in their original format; no manipulation is applied to that data. A backend script goes over harvested malicious websites (harvested from common sources) and checks whether phishing kits are present. In the positive case (a phishing kit is found) the resulting file is downloaded and immediately added to that folder. This folder is tracked with Git Large File Storage since many files are bigger than 100MB. The “RAW Data” is quite unexplored territory; you will very probably find many interesting topics in it. Please remember to cite this work if you find something here; it would be very much appreciated.


The stats folder maintains two up-to-date files:

  1. files_name holds the frequency of the file names found associated with kits. In other words, every phishing kit is saved on the phishing host under a name, and files_name keeps track of every file name and its frequency. If you are wondering why I am not tracking hashes: phishing kits are big compressed archives, so it would make no sense at this stage since they always differ from each other (but check the src folder for additional information).
  2. sites holds the frequency of the hosting domain names, in other words where the phishing kit was found. No duplicates are tracked, meaning that each frequency entry and file name is unique. So, for example, if you see a count like 3 next to an entry, it means that three different phishing kits have been found there over time.

Both of these files are generated by simple bash scripts like the following (note the sort before uniq -c: uniq only collapses adjacent duplicates, and the second field of a sorted file list is not itself sorted):

  • ls raw/ | cut -d'_' -f1 | sort | uniq -c | sort -bgr > stats/sites.txt
  • ls raw/ | cut -d'_' -f2 | sort | uniq -c | sort -bgr > stats/files_name.txt

These scripts run on every commit, keeping the files in line with the raw folder.

On the other hand, a file called similarity.csv is provided with a considerable delay, due to the vast amount of time needed to generate it. That file provides the similarity between the tracked phishing kits. It’s a simple CSV file, so you can import it into your favorite spreadsheet and make graphs and statistics, or manipulate it in the way you prefer.


The similarity structure is as follows: FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax where:

  • FileA is the phishing kit under consideration in that analysis.
  • FileB is the phishing kit compared against FileA.
  • SimilarityAVG is the average similarity, computed by running the similarity check on every (interesting) file in the archive FileA against every (interesting) file in the archive to be compared, FileB.
  • SimilarityMin is the lowest similarity value found between FileA and FileB.
  • SimilarityMax is the highest similarity value found between FileA and FileB.

If you want to generate similarity.csv on your own, I provide a simple and dirty script in the src folder. So far it has several limitations (for example it only processes ZIP files). Please make pull requests to improve and extend it; each contribution would be very helpful.


Please check these variables and change them as you wish.

EXTENSION_FOR_ANALYSIS = ['.html','.js','.vbs','.xls','.xlsm','.doc','.docm', '.ps1']
OUTPUT_FILE = 'similarity.csv'
RAW_FOLDER = '/tmp/raw/'
TEMP_FOLDER = '/tmp/tt'

Once you’ve changed them you can run the script and take a long rest. It will walk through RAW_FOLDER, grab the .zip files and try to compute code similarity between them. At the very end it will save the results into OUTPUT_FILE. From there you can import the file into your favorite spreadsheet processor and work with the code similarity.

So far the Python script is only able to compare zip-tracked phishing kits; support for other compressed formats is still a work in progress.
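The src script itself is not reproduced in the post, so here is an added, self-contained example (my code, not the PhishingKitTracker project’s script) that produces a similarity.csv with exactly the FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax layout described above, from every .zip in a raw folder. Two assumptions: the similarity metric is difflib’s ratio (the post does not say which metric its script uses), and the two kit archives are constructed inline for the demo rather than taken from the real raw folder. One defensive choice worth copying: interesting members are read straight from the archive into memory instead of being extracted, so nothing from a hostile kit is written to disk.

```python
# Added example: generate similarity.csv in the layout the post describes.
# Not the project's own src script; difflib ratio is an assumed metric.
import csv
import difflib
import itertools
import os
import tempfile
import zipfile

EXTENSION_FOR_ANALYSIS = ['.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1']


def interesting_members(kit_path):
    """Return {member_name: bytes} for archive members with an extension of interest.
    Members are read into memory, not extracted: nothing from the archive touches disk."""
    found = {}
    with zipfile.ZipFile(kit_path, 'r') as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if any(info.filename.lower().endswith(ext) for ext in EXTENSION_FOR_ANALYSIS):
                found[info.filename] = zf.read(info)
    return found


def file_similarity(a, b):
    """Similarity in [0, 1] of two byte strings (difflib ratio; assumed metric)."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def compare_kits(kit_a, kit_b):
    """Compare every interesting file of kit_a with every interesting file of kit_b.
    Returns (SimilarityAVG, SimilarityMin, SimilarityMax) as the post defines them."""
    files_a = interesting_members(kit_a)
    files_b = interesting_members(kit_b)
    scores = [file_similarity(ca, cb) for ca in files_a.values() for cb in files_b.values()]
    if not scores:
        return (0.0, 0.0, 0.0)  # one of the kits has nothing comparable
    return (sum(scores) / len(scores), min(scores), max(scores))


def build_similarity_csv(raw_folder, output_file):
    """Pairwise comparison of every .zip in raw_folder, written as similarity.csv.
    Returns the rows so callers can inspect them without re-reading the file."""
    kits = sorted(f for f in os.listdir(raw_folder) if f.lower().endswith('.zip'))
    rows = []
    for name_a, name_b in itertools.combinations(kits, 2):
        avg, lo, hi = compare_kits(os.path.join(raw_folder, name_a),
                                   os.path.join(raw_folder, name_b))
        rows.append((name_a, name_b, avg, lo, hi))
    with open(output_file, 'w', newline='') as fh:
        writer = csv.writer(fh)
        writer.writerow(['FileA', 'FileB', 'SimilarityAVG', 'SimilarityMin', 'SimilarityMax'])
        writer.writerows(rows)
    return rows


def make_demo_kits(folder):
    """Constructed sample kits (not real phishing kits): both carry an identical
    login page; their scripts share no characters, so they score 0 against each other."""
    kits = {
        'site-a_kit.zip': {'login.html': b'<form action=post.php>', 'a.js': b'qqqq',
                           'logo.png': b'\x89PNG'},   # .png is not an analysed extension
        'site-b_kit.zip': {'login.html': b'<form action=post.php>', 'b.js': b'zzzz'},
    }
    for name, members in kits.items():
        with zipfile.ZipFile(os.path.join(folder, name), 'w') as zf:
            for member, data in members.items():
                zf.writestr(member, data)
    return sorted(kits)


def demo():
    """Build the two constructed kits in a temp dir and return the CSV rows."""
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_kits(tmp)
        return build_similarity_csv(tmp, os.path.join(tmp, 'similarity.csv'))


if __name__ == '__main__':
    for row in demo():
        print(','.join(str(col) for col in row))
```

For the constructed pair the four file comparisons score 1.0 (identical login page) and 0.0 three times, so the row reads site-a_kit.zip,site-b_kit.zip,0.25,0.0,1.0. On the real raw folder the same code only needs RAW_FOLDER and OUTPUT_FILE pointed at the post’s paths; the pairwise loop is the part to parallelize if it gets slow.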

NB: The Python script is in a super early stage of development. Please help to improve it.

How to contribute

Introduce a walking script for different compression formats. In other words, if you want to contribute you can write a new section like the following one, but for different compression extensions such as .tar.gz, .tar, .rar, .7z and so on.

import os
from zipfile import ZipFile

# EXTENSION_FOR_ANALYSIS and TEMP_FOLDER are the configuration variables shown above.

# Extracts Zip files based on EXTENSION_FOR_ANALYSIS. It returns the entire file
# path for future works
def extractZipAndReturnsIntereistingFiles(file_to_extract):
    interesting_files = []
    n_interesting_files = []   # members that matched but failed to extract
    try:
        with ZipFile(file_to_extract, 'r') as zipObj:
            listOfFileNames = zipObj.namelist()
            for fileName in listOfFileNames:
                for ext in EXTENSION_FOR_ANALYSIS:
                    if fileName.endswith(ext):
                        try:
                            zipObj.extract(fileName, TEMP_FOLDER)
                            interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
                        except Exception as e:
                            n_interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
    except Exception as e:
        # unreadable or corrupt archive: return whatever was extracted so far
        return interesting_files
    return interesting_files
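As an added example of the kind of contribution this section asks for (my code, not the project’s), here is the same walker for .tar and .tar.gz kits. It keeps the contract of the zip function (a list of extracted paths for members matching EXTENSION_FOR_ANALYSIS) and additionally returns the members it skipped. The sample archive is constructed inline and includes one member named ../escape.html: zipfile.extract strips such path components for you, but tarfile only does so from Python 3.12’s extraction filters onward, so the function resolves every destination against the temp folder before extracting and refuses anything that would land outside it, as well as anything that is not a regular file.

```python
# Added example: tar/tar.gz walker for the PhishingKitTracker similarity script.
# Not the project's code. Constructed sample archive, not a real phishing kit.
import io
import os
import tarfile
import tempfile

EXTENSION_FOR_ANALYSIS = ['.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1']
TEMP_FOLDER = '/tmp/tt'   # same default as the post; the demo overrides it


def is_within(base, target):
    """True when target resolves inside base (blocks ../ and absolute member names)."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def extractTarAndReturnsInterestingFiles(file_to_extract, temp_folder=TEMP_FOLDER):
    """Extract members matching EXTENSION_FOR_ANALYSIS from a .tar/.tar.gz kit.
    Returns (extracted_paths, skipped_member_names)."""
    interesting_files = []
    skipped = []   # traversal attempts, non-regular files, extraction failures
    # Use the 'data' extraction filter where the interpreter has it (3.12+ and
    # backports); on older versions our is_within() check is the only guard.
    extract_kwargs = {'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}
    try:
        with tarfile.open(file_to_extract, 'r:*') as tar:   # r:* autodetects gz/bz2/xz/plain
            for member in tar.getmembers():
                if not member.isfile():
                    skipped.append(member.name)   # symlinks, devices, dirs: never extracted
                    continue
                if not any(member.name.endswith(ext) for ext in EXTENSION_FOR_ANALYSIS):
                    continue
                dest = os.path.join(temp_folder, member.name)
                if not is_within(temp_folder, dest):
                    skipped.append(member.name)   # would escape temp_folder
                    continue
                try:
                    tar.extract(member, temp_folder, **extract_kwargs)
                    interesting_files.append(dest)
                except Exception:
                    skipped.append(member.name)
    except Exception:
        # unreadable or corrupt archive: return whatever was extracted so far
        return interesting_files, skipped
    return interesting_files, skipped


def make_demo_tar(folder):
    """Constructed sample kit (not a real phishing kit) with one traversal member."""
    path = os.path.join(folder, 'site-c_kit.tar.gz')
    members = {
        'kit/login.html': b'<form action=post.php>',
        'kit/a.js': b'var x = 1;',
        'kit/logo.png': b'\x89PNG',        # ignored: not an analysed extension
        '../escape.html': b'outside',      # must be refused, never written
    }
    with tarfile.open(path, 'w:gz') as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def demo():
    """Extract the constructed kit into a scratch folder; return relative paths and skips."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = make_demo_tar(tmp)
        out = os.path.join(tmp, 'tt')
        os.makedirs(out)
        files, skipped = extractTarAndReturnsInterestingFiles(kit, out)
        return [os.path.relpath(f, out) for f in files], skipped


if __name__ == '__main__':
    print(demo())
```

Running the demo gives (['kit/login.html', 'kit/a.js'], ['../escape.html']): the two analysable files are extracted, the image is ignored and the traversal member is reported rather than written. A .rar or .7z walker would follow the same shape with a different library, and should keep the same is_within() check.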

Another way to contribute is to make the comparison loop smarter and quicker. You might decide to parallelize the task by forking and spawning more processes, or by changing the way I use multi-threading in this quick and dirty statistics script. In conclusion, every working pull request is welcome.

Cite the Phishing Kit

@misc{ MR,
       author = "Marco Ramilli",
       title = "Phishing Kits Tracker",
       year = "2020",
       url = "",
       note = "[Online; July 2020]"
}

Secure IT: Shop Safe Online

Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Universal Resource Locator (URL) are you really connecting to? Is it really your banking website or new online shopping website that you are trying for the first time? How can you tell?

It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:

  1. Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.

  2. Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.

  3. Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with this site in your browser that is verified before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate? Look up in your browser title bar.

  4. Create strong passwords for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send a code to your smartphone to type into a login screen to verify you are who you say you are.

  5. Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.

We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.

To recap:

  • Visit and use sites you know and trust
  • Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
  • Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
  • Look for anything that is not familiar to your known experience with the site.
  • If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
  • Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
  • If a site offers a second factor to authenticate you, use it.
  • Check all your payment card statements regularly to look for rogue purchases.
  • Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.

Safe shopping!

The post Secure IT: Shop Safe Online appeared first on Connected.

Be a Conscientious Risk Manager

Whether you are a CIO or CISO in the Federal, State or Local, Education, or Commercial Business areas, you are all faced with the same challenge, whether you accept it or not. In the security risk management world, if the malicious actor wants into your network, they will figure out a way to get in. You of course still need to build a comprehensive risk governance and management plan, but that plan must be built on the premise of how you will respond when the breach occurs.

Having spent 38 years in Information Security, the one constant that I see, is that the individuals who make it their business to steal or disrupt your data, are better funded, better trained, and have unlimited hours to execute their trade. What we hope to achieve is being a half-step behind them at worst case. There is no way to stay in step, and a step ahead is out of the question.

So what does this really mean to the conscientious risk manager? Create a strategy whereby you frequently identify the threat, and measure the risk against that threat in your as-built infrastructure. Test frequently, outside and inside, using the same tools and techniques the malicious actors use. Test user security awareness, as we know it only takes one click on a phishing email’s malicious link to potentially bring down an entire enterprise. Measure, document, prioritize, and build a risk roadmap strategy to keep risk mitigation focused on the most critical exploitable areas.

Three Top Security Imperatives
Keep in mind that your top three security imperatives are: reducing your threat exposure, enhancing your response and recovery times, and increasing security visibility. What does security visibility mean? Implementing the people, process, and technology in key security areas that give you a fighting chance to detect and react to malicious and advanced persistent threats.

Let’s talk people, process, and technology. We all know users are the weakest link in any security chain. Not because they have sinister intent, although sometimes they do, but primarily because in today’s high-powered technical, mobile, and social world, it is commonplace for a lapse in judgment to occur. We live in a rapid-fire, high-availability, high-output world, and mistakes can and will be made. So make it less commonplace: train and educate often, and monitor closely for when that lapse in judgment occurs.

Process: Again our high-powered technical, mobile, and social world often demands we run at warp speed.  Who has time to document? Well — make the time.  Good documentation to include process, policies and standards, as well as a documented and managed configuration control process, will help keep you more secure. Every process, policy and standard document has to have an assigned owner, has to have a designated review date, and has to have an oversight or governance process. All roles and responsibilities need to be included in the documentation, and the expected outcome needs to be defined. Make the time to prepare and socialize your critical information security program documentation.

Technology: Many risk owners fall prey to purchasing every piece of security technology available, at what I like to call the security “choke points”, end-point, network, edge, gateway, etc. This is just what everyone does. However, why not use the process we discussed above — measure, document, prioritize, and build a risk roadmap strategy — as your guideline for what you purchase and deploy for technology. Ask yourself — what is so wrong with selecting and implementing a product, only after you validate how it will help you manage your documented security risk? Of course the answer to that is — nothing.

Focus on Seamless Collaboration
You have documented your risk, you have prioritized your risk roadmap, and as a result you know the very specific technology, or set of technologies, you need to implement first. Most importantly, your technology selections should focus on products that collaborate in a seamless way. In other words, your end-point, edge, network, gateway, sandbox, etc., security technologies all talk to each other. We call this approach to complete security visibility across the whole landscape, Unified Security Stack. And, don’t forget that all technology must have a people and process component as well.

Good information security risk management and risk governance does not come by accident.  It takes planning and execution. In the end, although you may not keep the bad guy out, you will be better prepared for when.

The post Be a Conscientious Risk Manager appeared first on Connected.

Protecting Critical Infrastructure from Cyber Threats

The basic infrastructure that supports our daily lives is deeply dependent on the Internet, and, therefore, continually exposed to the risk of new threats and cyber attacks. As security breaches grow in frequency and sophistication every day, it’s crucial to build resiliency and then take steps to protect critical infrastructure to remain safe and secure online.

It’s important to identify current and future strategies to protect your infrastructure and manage your risk. Cyber security is one of the biggest challenges organizations face today. Regardless of size or industry, every organization must ask themselves, is my security strategy up to date? If your organization is looking to stay on the front line of cyber security, it’s imperative to know how an end-to-end risk management strategy can help you properly secure your infrastructure.

Our security experts have an abundance of experience, and several areas of expertise we can put to work for you. We are committed to keeping your organization safe and secure, and can help design, deploy, and support solutions to address your critical risks and defend your critical infrastructure. For more information, contact one of our security experts today!

The post Protecting Critical Infrastructure from Cyber Threats appeared first on Connected.

Protecting Critical Infrastructure

In this blog, the focus is on protecting critical infrastructure—the essential systems that support our daily lives such as the electric grid, financial institutions, and transportation. Unfortunately, attacks on critical infrastructure have become a concern worldwide. A devastating attack isn’t just a theoretical possibility anymore. As we’ve recently seen with Equifax, and other security breaches in healthcare and other industries, the growing threat of serious attacks on critical infrastructure is real. These days, hackers have become much more formidable, and we will undoubtedly see more of these attacks in the future. It’s no longer a matter of if there will be another attack, but when.

Protecting your infrastructure requires constant vigilance and attention to evolving cyber attacks. Risk is inherent in everything we do, so trying to stay ahead of the cyber security curve is key. Our team of security experts can help you build a security strategy to detect, protect, and react to the complete threat lifecycle. The threats we all need to manage today evolve quickly, and we can help you minimize your risk and maximize your defenses to improve your cyber resiliency.

The post Protecting Critical Infrastructure appeared first on Connected.

The Internet Wants YOU: Consider a Career in Cyber Security.

With the continuous state of change in the global threat landscape, organizations face cyber attacks and security breaches that are growing in frequency and sophistication every day. But now, consider this: according to a study by the Center for Cyber Safety and Education, there will be a shortage of 1.8 million information security workers by 2022. This gap should be of great concern to organizations.

Skilled people make the difference in protecting sensitive data, so it’s more critical than ever that organizations begin to attract and retain the cybersecurity talent needed to defend against the evolving threat landscape. At Connection, we help inspire individuals coming out of universities to engage in co-op or intern-related opportunities, and I strongly encourage other organizations to see what they can do to help young people today who are really interested in building their skills in this area.

The figures don’t lie. The demand for cyber security will only continue to grow. Through local collaborative efforts between employers, training providers, and community leaders, we can ensure individuals have the opportunity to build on their tech knowledge and participate in a secure, thriving economy.

The post The Internet Wants YOU: Consider a Career in Cyber Security. appeared first on Connected.

Cyber Security Careers Are in High Demand

It’s impossible to overstate the importance of security in today’s digital world. Cyber attacks are growing in frequency and sophistication every day, and a key risk to our economy and security is the lack of professionals to protect our growing networks. According to a study by the Center for Cyber Safety and Education, by 2022 there will be a shortage of 1.8 million information security workers. So, it’s critical that we begin now to prepare our students—and any others who are interested in making a career move—to fill these gaps. Many colleges and universities have developed information assurance programs that help technical, security-minded students achieve a great foundation in this industry. We also challenge corporations to offer intern and co-op opportunities for students in these degree programs, so they can see what security looks like in practical, business-world applications.

Connection is committed to promoting cyber security and online safety.  Cyber security is a viable and rewarding profession and we encourage people from all backgrounds to see information security as an essential career path.


The post Cyber Security Careers Are in High Demand appeared first on Connected.

What To Do If Your Credit Card Is Declined On An Overseas Trip

Earlier this week I was in Istanbul, Turkey, and visited the famous Grand Bazaar. This is a Turkish-style shopping mall; a collection of 4,000 shops that sell all forms of jewelry, gold, clothing, designer bags, spices, leather goods, and lots of “genuine fake” counterfeit stuff, just like I wrote about [...]