Category Archives: security

Popular free Android VPN apps on Play Store contain malware

By Waqas

If you want to ensure optimal privacy while surfing the web, a VPN (virtual private network) is the only reliable option. In this regard, a majority of web and smartphone users rely upon free VPN services, which according to the latest research is a risky step. In 2017, researchers identified that 38% of Android VPN apps on […]

This is a post from Read the original post: Popular free Android VPN apps on Play Store contain malware

The danger of stolen data: credential stuffing attacks


When we talk about cyberattacks, for companies, there is one word that normally comes to mind: malware, every computer’s nightmare, that can infect their systems and take with it not just the company’s most sensitive information, but also that of their users, clients, providers, employees, and so on.

However, malware isn’t always a cybercriminal’s tool of choice; in fact, in 2017 it started to give way to other kinds of attack, which are having similar levels of success at achieving the same goal: breaking through their victims’ corporate cybersecurity.

What is credential stuffing?

A credential stuffing attack is a kind of cyberattack in which the perpetrator takes login details gathered from a data breach and replays them in bulk against another platform until a username and password combination is accepted, gaining access to the corresponding user account.

To carry out an attack of this kind, the cybercriminal must first obtain, steal, or buy a database of user accounts with their login names and passwords. The next step is to try to log in to the targeted platform using these details. Since there is no guarantee that a given pair will be valid there, the strategy is to launch a large number of automated login attempts until some of them match. What’s more, the attempts are distributed across specialized botnets so that they appear to the platform to be legitimate traffic. If a login succeeds, the credential stuffing attack has been a success.

The victims: Dunkin Donuts, Yahoo…

These cyberattacks are affecting an increasing number of companies. The latest victim was Dunkin Donuts. In November, the company detected the theft of credentials and their subsequent use in an attack on the users of DD Perks, its loyalty and rewards program. The credentials stemmed from a data breach, although Dunkin Donuts stated that this breach didn’t happen on their system, rather on the system of a supplier, which gave access to third parties. Specifically, the user information came from a previous leak, and so the cybercriminals used this information both to access DD Perks accounts and to log in to other platforms that used the same credentials.

But there is, unfortunately, one incident that takes the crown for credential stuffing attacks: in 2016, around 500 million Yahoo accounts were seriously compromised by the prior leaking of a vast amount of information after another data breach. In this case, the breach had one more outcome: when Yahoo went public with the incident, many users received emails from people claiming to belong to the company, which contained a link to resolve the breach. These emails, however, were a phishing attempt by another group of cybercriminals.

Success rate and how to avoid them

When it comes to evaluating the potential damage of credential stuffing, it is important to get some perspective. According to a Shape Security study carried out in 2018, their success rate is usually, at best, 1%, a figure that may make this attack seem insignificant.


However, we must bear in mind the fact that these cyberattacks usually use databases that can contain credentials of several million users. This means their success rate, though modest in relative terms, is large enough in absolute terms for the affected company’s reputation to be seriously damaged by the exposure of its corporate cybersecurity.

Companies must therefore take appropriate steps to avoid both data breaches and possible credential stuffing attacks.

1.- Two-factor authentication. Two-factor authentication (2FA) is one of the most commonly used methods for companies and platforms that want to ensure a secure login for their users. However, as we have already seen, two-factor authentication is not infallible, since it can be bypassed by getting users to enter their details, including the second factor, on fake portals.

2.- Cybersecurity solutions. A company’s security cannot rely 100% on users correctly managing their passwords, especially since the attack very often comes first: i.e., data breaches are often a consequence of poor corporate cybersecurity management, rather than as a result of poor password management by users. This is where Panda Adaptive Defense comes in: it has a data protection module, Panda Data Control, that is able to monitor data in all its states, including when it is at rest, helping the solution to know at all times what processes are being run and what data is being used.

3.- Employee awareness. Companies must also instill in their employees a series of prevention measures, as employees are often the easiest point of entry for cybercrime. They must remain alert, never give out their credentials via email (to avoid phishing, tech support scams or BEC scams) and, if they come across any problems, report the incident to the company’s head of IT.
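The pattern described in the definition above (many stolen username/password pairs replayed by automated clients) and the defensive measures in the three points both point to something a company can check for on its own login logs. The following is an added example, not code from the Panda Security post: it runs over a handful of constructed authentication log lines (the log format and the IP addresses are assumptions) and flags sources whose attempts look like stuffing rather than a user fumbling their own password. It also lists the successful logins inside a flagged burst, the roughly 1% of hits the text mentions, since those are the accounts that need a forced reset or a step up to 2FA.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Stuffing replays (username, password) pairs from a breach dump, so the
signal is many DISTINCT usernames tried in a short window with a high
failure rate. A legitimate user retrying a forgotten password has the
opposite shape: one username, a few failures, then success.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format and addresses are assumptions.
SAMPLE_LOG = """\
2019-01-22T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2019-01-22T10:00:03Z ip=198.51.100.7 user=alice result=FAIL
2019-01-22T10:00:09Z ip=198.51.100.7 user=alice result=OK
2019-01-22T10:00:01Z ip=203.0.113.5 user=bob result=FAIL
2019-01-22T10:00:01Z ip=203.0.113.5 user=carol result=FAIL
2019-01-22T10:00:02Z ip=203.0.113.5 user=dave result=FAIL
2019-01-22T10:00:02Z ip=203.0.113.5 user=erin result=FAIL
2019-01-22T10:00:03Z ip=203.0.113.5 user=frank result=OK
2019-01-22T10:00:03Z ip=203.0.113.5 user=grace result=FAIL
2019-01-22T10:00:04Z ip=203.0.113.5 user=heidi result=FAIL
2019-01-22T10:00:04Z ip=203.0.113.5 user=ivan result=FAIL
2019-01-22T10:00:05Z ip=203.0.113.5 user=judy result=FAIL
2019-01-22T10:00:05Z ip=203.0.113.5 user=mallory result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the sample format into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def scan_window(events, window, min_users, min_fail_ratio):
    """Slide a time window over sorted events and return the window with
    the most distinct usernames that crosses both thresholds, or None."""
    worst = None
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        span = events[start:end + 1]
        users = {e["user"] for e in span}
        fails = sum(1 for e in span if not e["ok"])
        ratio = fails / len(span)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            if worst is None or len(users) > worst["distinct_users"]:
                worst = {
                    "distinct_users": len(users),
                    "attempts": len(span),
                    "fail_ratio": round(ratio, 2),
                    # Successes inside a stuffing burst are the ~1% hits:
                    # these accounts need a forced reset / step-up auth.
                    "hits": sorted(e["user"] for e in span if e["ok"]),
                }
    return worst


def detect_per_source(events, window=timedelta(seconds=60),
                      min_users=5, min_fail_ratio=0.8):
    """Per-IP view: catches a single host spraying a breach dump."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        stats = scan_window(evs, window, min_users, min_fail_ratio)
        if stats:
            flagged[ip] = stats
    return flagged


def detect_global(events, window=timedelta(seconds=60),
                  min_users=10, min_fail_ratio=0.8):
    """Site-wide view: a botnet spreading attempts over many IPs stays
    under per-IP thresholds, but the aggregate failure burst still shows."""
    return scan_window(events, window, min_users, min_fail_ratio)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source:", detect_per_source(evs))
    print("site-wide:", detect_global(evs))
```

The per-source view is the precise one: here it flags only 203.0.113.5 and leaves alice's three retries alone. The site-wide view trades precision for coverage of distributed botnets, so its window also sweeps in legitimate logins that happened during the burst; treat its output as a trigger for rate limiting or step-up authentication across the board rather than as a list of compromised accounts.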

The post The danger of stolen data: credential stuffing attacks appeared first on Panda Security Mediacenter.

Protecting Critical Infrastructure and Roadways: How Smart Cities Create New Risks

Advanced technology has changed countless facets of everyday life, from internal enterprise processes to consumer pursuits and beyond. Even the design, management and support for large and small cities has shifted thanks to innovative smart city systems.

While advanced components to support utilities, critical infrastructure, traffic and more can bring numerous benefits, these solutions also open both urban and rural areas to new risks and cyber threats.

We’re taking a closer look at city infrastructure and roadways, including energy and water utilities and highway transportation systems, the changes being made in these areas and how new technologies must be balanced with proper risk assessment.

Upgrading water and energy infrastructure

There’s simply no doubt that access to water and energy resources is among the most important elements for residents. In many areas, city managers and officials are looking to upgrade their existing systems – some of which are decidedly legacy, and have been in place for decades – with updated, intelligent technology.

As Trend Micro pointed out, such systems are able to run in the background, helping to manage and maintain water and energy infrastructures with little human interaction. This, in turn, boosts efficiency and, in theory, helps reduce the chances of long-term outages that result from inclement weather or other critical infrastructure issues.

At the same time, though, upgrading water and energy systems with smart technologies could, as Trend Micro researchers noted, “come at a cost.” Putting intelligent platforms in place where there previously were none could create significant risks that must be considered and mitigated ahead of time.

“Using Shodan and other tools, Trend Micro researchers looked into the possible weaknesses of exposed industrial control systems (ICS) across the energy and water industries,” researchers explained. “The results give a glimpse of security gaps found in ICS and human machine interfaces (HMIs) … that could lead to bigger problems due to the interdependent nature of critical infrastructure sectors and, more importantly, the natural dependence of people on these infrastructures.”

In many instances, the security risks that could potentially impact water utilities overlap with those that threaten access to energy resources:


Unsurprisingly, a leading concern here is the possibility of cyberattacks that could prevent access to these resources, or create situations of extended downtime. A long-term power outage or inability to access running water could have severe consequences for small and large cities alike, creating panic and potential public health impacts among residents. The ways in which attackers might achieve a successful intrusion and cyberattack differ, and are delved into more deeply below, but the potential for this risk is clear across utility sectors.

Exposed devices

As Trend Micro explained in its report, “Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries,” researchers discovered that several devices – including human machine interfaces, remote desktop protocol (RDP) services, virtual network computing (VNC) systems and other components – are currently exposed on the internet. These exposed devices provide an ideal point of attack for cybercriminals looking to support an intrusion.

Researchers found different levels of exposure and different reasons behind this issue, including improper setup of remote access functions, unsecured access provided to a third party, and/or incorrectly configured network settings. These security issues make it possible for attackers to access exposed devices and leverage them to steal sensitive personally identifiable customer information; to gain entry to the network and subsequently support sabotage or fraudulent processes; and to run illegal operations using the network, including DDoS attacks, botnets, cryptocurrency mining and other malicious activity.

Once an exposed device has been identified, the potential for misuse by attackers leading to other security issues and attacks is nearly limitless. Worse still, this issue impacts all different types of energy and utility plants, including those for oil and gas, solar energy, hydroelectric plants, water treatment, and other industrial facilities.

Example of a real-world threat scenario

Within the report, Trend Micro researchers look into several potential real-world threat scenarios that could take place thanks to exposed human machine interfaces and other devices within the industrial sector.

“One of the greatest concerns for organizations in this sector is the possible effect of direct cyberattacks on their operations, thereby leading to a disruption of supply to and from the plant,” Trend Micro researchers explained. “This is especially true for water facilities that either purify water for distribution or use water in their operations.”

A water treatment plant, for instance, could be attacked via exposed human machine interface controls through public methods. Controls that are not properly secured and therefore exposed over the internet could provide the ideal opening for an attack that interrupts operations and prevents the plant from supplying drinking water.

Attacks on highway infrastructure

As Trend Micro researchers noted in the report, “Cyberattacks Against Intelligent Transportation Systems: Assessing Future Threats to ITS,” intelligent transportation systems create similar risks to smart infrastructure.

Successful attacks on transportation systems can have numerous malicious consequences, including vehicular accidents; traffic jams that impact service delivery, the movement of freight and daily commutes; and additional ripple effects that create financial loss for businesses, individual people or cities.

The intelligent systems that could be impacted here include autonomous vehicles, as well as connected vehicles equipped with LAN or Wi-Fi connections. Roadway reporting systems encompassing elements like lane cameras, roadway weather stations and other platforms fall under this risk umbrella, as do traffic flow controls like traffic signals, message signs and toll collection systems.

The potential risk of attack here differs depending on the scenario, but as Trend Micro pointed out in its report, several real-world attacks have already taken place. In one instance, an individual hijacked a dynamic traffic sign and changed its message to “Drive Crazy Y’all” as a prank. Surprisingly, this attack was made possible through default login credentials that were easy to guess.

In a more damaging example, San Francisco’s Municipal Transportation agency was attacked in 2016 by ransomware that shut down internal and commuter systems. Fare payment machines were made inaccessible, displaying “OUT OF SERVICE” messages across screens and preventing riders from paying for fares. In response, the transportation agency had to allow free rides on its light rail until the issue was resolved.

As this scenario shows, an attack on transportation infrastructure can be considerably impactful, and have significant financial repercussions. Other instances might affect emergency services, or other crucial transportation-dependent needs.

These issues highlight the critical responsibility on the part of utility providers and organizations involved with transportation management. These groups must be sure they are aware of these potential threats and are working proactively to mitigate them.

To find out more and to read about other potential and actual attack scenarios involving critical infrastructures, check out Trend Micro’s reports, “Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries,” and “Cyberattacks Against Intelligent Transportation Systems.”

The post Protecting Critical Infrastructure and Roadways: How Smart Cities Create New Risks appeared first on .

More Than Half of PC Applications Installed Worldwide Are Out-of-Date

Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report: The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%). The report, which uses anonymized and aggregated data from 163 million devices across the globe, also found that Windows 10 is now installed on 40% of all PCs globally, which is fast approaching the 43% share held by Windows 7. However, 15% of all Windows 7 users and 9% of all Windows 10 users worldwide are running older and no longer supported versions of their product, for example, the Windows 7 Release to Manufacturing version from 2009 or the Windows 10 Spring Creators Update from early 2017.

Read more of this story at Slashdot.

Security Affairs: 0patch releases unofficial security patches for 3 Windows flaws yet to be fixed

Researchers from 0patch, a community of experts that aims at addressing software flaws, released unofficial patches for three Windows vulnerabilities that Microsoft has yet to fix.

The list of vulnerabilities addressed by 0patch includes a denial-of-service (DoS) bug, a file read issue, and a code execution flaw.

“While we’re busy ironing out the wrinkles before 0patch finally exits its adolescence (i.e., Beta) and becomes a fully responsible adult able to pay for its own rent, we did find some time to produce… not one, … not two, … but three 0day micropatches in the past few days.” reads the blog post published by 0patch.

“That’s right, at this very moment you can get three 0days on your Windows computer micropatched for free!”

One of the patches addresses a flaw publicly disclosed last month by the researcher known as SandboxEscaper; the vulnerability could be exploited by an attacker with low privileges to elevate them on the vulnerable system. The expert shared PoC exploit code (deletebug.exe) that deletes critical system files, an operation that normally requires admin-level privileges.

Security experts noticed that the flaw only affects Windows 10 and recent versions of Windows Server editions because older versions of the Microsoft operating systems don’t implement the Microsoft Data Sharing service.

This vulnerability could be exploited to overwrite important system files and cause a DoS condition.

0patch also released a patch for another flaw disclosed last month by SandboxEscaper: an arbitrary file read vulnerability that could be exploited by a low-privileged user or a malicious program to read the contents of any file on a Windows system.

The Windows zero-day flaw affects the “MsiAdvertiseProduct” function, which generates an advertise script or advertises a product to the computer. The MsiAdvertiseProduct function enables the installer to write to a script the registry and shortcut information used to assign or publish a product. The script can be written to be consistent with a specified platform by using MsiAdvertiseProductEx.

According to SandboxEscaper, the lack of proper validation could allow an attacker to force the installer service into making a copy of any file with SYSTEM privileges and then read its contents.

The third flaw addressed by 0patch was disclosed by the expert John Page via ZDI.

The security expert discovered a zero-day vulnerability in the processing of VCard files that could be exploited by a remote attacker, under certain conditions, to compromise a Windows PC.

An attacker can create a specially crafted VCard file whose contact website URL field points to a local executable file. This second file can be sent within a zipped archive as an email attachment or delivered via drive-by-download attacks.

When the victim clicks that website URL, the Windows operating system executes the malicious file without displaying any warning. John Page also published proof-of-concept exploit code for the vulnerability.
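The flaw described above hinges on a vCard URL property that names a local executable instead of a web address, which is something a mail gateway or endpoint tool can screen for before the file reaches a user. The following is an added defensive check, not code from the Security Affairs post, from John Page’s PoC, or from 0patch: it unfolds .vcf lines, pulls every URL property regardless of its parameters, and reports any value that is a local or UNC path, a non-web scheme, or a web link that ends in an executable extension. The sample cards, names, hosts and paths are constructed.

```python
"""Screen vCard (.vcf) files for URL properties that do not point at a web
address (added defensive check; the sample data below is constructed)."""
from urllib.parse import urlparse

SAFE_SCHEMES = {"http", "https"}
EXECUTABLE_EXTS = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif",
                   ".js", ".vbs", ".ps1", ".msi", ".lnk")

# Constructed samples: names, hosts and paths are placeholders.
BENIGN_VCF = """\
BEGIN:VCARD
VERSION:3.0
FN:Example Person
URL;TYPE=WORK:https://www.example.com/team/person
END:VCARD
"""

# The URL value is folded over two lines, as vCard writers may do.
SUSPICIOUS_VCF = """\
BEGIN:VCARD
VERSION:3.0
FN:Totally Legit Contact
URL:C:\\Users\\Public\\Downloads\\
 contact-card.exe
URL;TYPE=HOME:file:///C:/ProgramData/update.js
END:VCARD
"""


def unfold(text):
    """Undo vCard line folding: a line beginning with a space or tab
    continues the previous property line (RFC 6350, section 3.2)."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def url_properties(text):
    """Yield the value of every URL property, ignoring parameters
    such as ';TYPE=WORK' that sit between the name and the colon."""
    for line in unfold(text):
        name, sep, value = line.partition(":")
        if sep and name.split(";", 1)[0].strip().upper() == "URL":
            yield value.strip()


def classify_url(value):
    """Return a reason string when the URL is not a plain web link, else None."""
    if value.startswith(("\\\\", "//")):
        return "UNC/network share path"
    parsed = urlparse(value)
    scheme = parsed.scheme.lower()
    # 'C:\...' parses as a one-letter scheme, i.e. a Windows drive-letter path.
    if len(scheme) == 1 and scheme.isalpha():
        return "drive-letter path"
    if scheme == "":
        return "relative/local path"
    if scheme not in SAFE_SCHEMES:
        return f"non-web scheme '{scheme}'"
    if parsed.path.lower().endswith(EXECUTABLE_EXTS):
        return "web link to executable"
    return None


def screen_vcard(text):
    """Return [(url, reason)] for every URL property worth quarantining."""
    findings = []
    for url in url_properties(text):
        reason = classify_url(url)
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for label, card in (("benign", BENIGN_VCF), ("suspicious", SUSPICIOUS_VCF)):
        print(label, screen_vcard(card))
```

Unfolding matters here: a folded URL line would otherwise be seen as two harmless fragments, so the parser joins continuation lines before it looks at any value. Anything the check returns is a reason to hold the attachment for review rather than deliver it.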

Further details on the patches released by 0patch experts, including their codes are available here:

Pierluigi Paganini

(SecurityAffairs – security patches, Microsoft)

The post 0patch releases unofficial security patches for 3 Windows flaws yet to be fixed appeared first on Security Affairs.


SN 698: Which Mobile VPN Client?

  • Which is the right VPN client for Android, and which should you avoid at all costs?
  • A very worrisome WiFi bug affecting billions of devices
  • Hack a Tesla Model 3 at Pwn2Own
  • Russia's ongoing, failing and flailing efforts to control the Internet
  • The return of the Anubis Android banking malware
  • Google's changing policy for phone and SMS App access
  • Tim Cook's note in TIME Magazine
  • News of a nice Facebook Ad auditing page
  • Another Cisco default password nightmare in widely used lower-end devices

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site:, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


Apple’s Security Expert Joined the ACLU To Tackle ‘Authoritarian Fever’

An anonymous reader quotes a report from Motherboard: Apple security expert Jon Callas, who helped build protection for billions of computers and smartphones against criminal hackers and government surveillance, is now taking on government and corporate spying in the policy realm. Jon Callas is an elder statesman in the world of computer security and cryptography. He's been a vanguard in developing security for mobile communications and email as chief technology officer and co-founder of PGP Corporation -- which created Pretty Good Privacy, the first widely available commercial encryption software -- and serving the same roles at Silent Circle and Blackphone, touted as the world's most secure Android phone. As a security architect and analyst for Apple computers -- he served three stints with the tech giant in 1995-1997, 2009-2011, and 2016-2018 -- he has played an integral role in helping to develop and assess security for the Mac and iOS operating systems and various components before their release to the public. His last stretch there as manager of a Red Team (red teams hack systems to expose and fix their vulnerabilities) began just after the FBI tried to force the tech giant to undermine security it had spent years developing for its phones to break into an iPhone belonging to one of the San Bernardino shooters. But after realizing there's a limit to the privacy and surveillance issues technology companies can address, Callas decided to tackle the issues from the policy side, accepting a two-year position as senior technology fellow for the American Civil Liberties Union. Callas spoke to Motherboard about government backdoors, the need for tech expertise in policymaking, and what he considers the biggest challenge for the security industry.

Read more of this story at Slashdot.

Security Affairs: Adobe fixed XSS flaws in Experience Manager that can result in information Disclosure

Adobe released security updates to address multiple XSS vulnerabilities in the Experience Manager and Experience Manager Forms that can lead to information disclosure.

Adobe released security updates for the Experience Manager and Experience Manager Forms to address flaws that can lead to information disclosure.

The Experience Manager is affected by a stored cross-site scripting (XSS) issue and a reflected XSS issue.

The former is rated ‘important’ severity, the latter ‘moderate’; both can result in the exposure of sensitive data.

“Adobe has released security updates for Adobe Experience Manager. These updates resolve one reflected cross-site scripting vulnerability rated Moderate, and one stored cross-site scripting vulnerability rated Important that could result in sensitive information disclosure.” reads the security advisory published by Adobe.

The good news is that Adobe is not aware of threat actors attempting to exploit these vulnerabilities in the wild. Even so, the tech giant is urging administrators to install the updates within 30 days.

Adobe also addressed a stored XSS vulnerability in the Experience Manager Forms; the bug was discovered by the security researcher Adam Willard.

“Adobe has released security updates for Adobe Experience Manager Forms. These updates resolve a stored cross-site scripting vulnerability rated Important that could result in sensitive information disclosure.” reads the security advisory.

The company addressed other issues in its products in January; its Patch Tuesday security updates for January 2019 fixed two flaws rated as “important” in the Connect and Digital Editions products.

The first Adobe security updates for 2019 addressed two critical vulnerabilities in the Acrobat and Reader products.

Pierluigi Paganini

(SecurityAffairs – Adobe, XSS)

The post Adobe fixed XSS flaws in Experience Manager that can result in information Disclosure appeared first on Security Affairs.


DarkHydrus Phishery tool spreading malware using Google Drive

By Waqas

DarkHydrus is back in action with a new variant of RogueRobin malware to target Middle Eastern Politicians by abusing Google Drive. The primary focus of cybercriminals nowadays is to use the infrastructure of genuine services in their attacks in order to prevent detection from security tools. The same strategy has been adopted by DarkHydrus group […]

This is a post from Read the original post: DarkHydrus Phishery tool spreading malware using Google Drive

Wiltshire Payments Security Specialist Selected Again For Top Industry Body In Brazil.

A leading UK payments and cyber security company has been selected for the second year running by the PCI Security Standards Council (PCI SSC) to shape the payments industry in Brazil.

Wiltshire based Foregenix, which opened its São Paulo office in early 2018, is one of 20 companies to be selected by the PCI SSC Brazil Regional Engagement Board.

The board, introduced as a pilot initiative in 2018, brings together some of Brazil’s leading companies from all sectors in the payments space – including vendors, merchants, processors, banks and industry associations. PayPal and Worldpay are amongst the new international board members to join this year.

In 2019, board members will continue to represent the perspectives of PCI SSC Participating Organizations and the payment card industry in Brazil, providing feedback and guidance to the PCI SSC on standards and programs development and adoption in the region. The group will meet regularly throughout the year to discuss payment data security issues, trends and market changes in the region.

Key priorities will include working with the PCI SSC to develop content and resources for the Brazilian payment card industry; encouraging increased involvement from Brazilian companies in the PCI SSC as Participating Organizations; fostering greater payment security awareness and understanding through PCI Training; and shaping the agenda for the 2019 PCI Latin America Forum, taking place in São Paulo on 15 August 2019.

‘The Brazil Regional Engagement Board is an important way for us to engage and learn from the industry leaders in the region. The REB provides insights into the needs and challenges in the region and collaboration on solutions to foster adoption of PCI Security Standards and improve payment security,’ said PCI SSC Executive Director Lance J. Johnson. ‘We are excited to be able to continue this effort in 2019 with a newly expanded board that will provide more broad representation of payment card industry stakeholders in Brazil.’

Guilherme Scheibe, Managing Consultant, Foregenix Latam comments: ‘It’s a real honour to be selected once again to help contribute to the development of payments security in Brazil. We’re looking forward to collaborating with so many distinguished members, offering our recent experience in payments security in Brazil and across the globe, to help Brazilian companies trade more securely.’

‘With cybercrime on the rise in Brazil, it is an important time for the industry here to be even more engaged in the work we are doing at the PCI Security Standards Council to help businesses detect, mitigate and prevent cyber attacks and breaches,’ said PCI SSC Associate Regional Director for Brazil Carlos Caetano. ‘We are especially pleased to be adding more companies to the board. Their knowledgeable members will bring different perspectives to the table that will benefit payment security in Brazil and globally.’

The post Wiltshire Payments Security Specialist Selected Again For Top Industry Body In Brazil. appeared first on IT Security Guru.

BEC Will Reach Two Levels Deeper


In our predictions report for 2019, “Mapping the Future: Dealing with Pervasive and Persistent Threats,” we foresaw an increase in the rate of BEC (business email compromise) attacks: “Business email compromise will go two levels down in the org chart.” From the report:



“Business email compromise (BEC) remains a very potent and lucrative means of funneling money from companies. We believe that as a result of the focus on C-level officers as targets of fraud in news articles about BEC, cybercriminals will attack employees further down the company hierarchy. For instance, cybercriminals will target the CxO’s secretary or executive assistant, or a high-ranking director or manager in the finance department.”

The risk may be even greater than that, however.

2014 was a peak year for huge data breaches. Yahoo, Starwood, and Facebook each lost hundreds of millions of user identities. This vast trove of identity information gives whoever holds it the means to aggregate and model the organizational structure of most major US corporations: it is a massive set of identity records in a common format, and that common format makes big data analytics easy to apply.

From the Yahoo and Starwood data, an adversary has a census of Internet users who travel. The travel profile indicates which users have corporate accounts, and which corporations they work for. From Facebook, the adversary can determine social relationships among employees of a particular company. With a professional LinkedIn subscription, these data points can be supplemented with detailed organizational structure, reporting relationships, and career paths. LinkedIn has suffered no breach, as far as we know; the information it holds is available to every premium subscriber.

To date, most business email compromise (BEC) attacks have mimicked a CEO asking a CFO to draft a check or approve an invoice. With the more detailed information from the 2014 hacks, the next generation of BEC can mimic a manager from a remote office requesting privileged access for an employee from an administrator in an IT service center. So an IT technician or administrator might receive an email like this:

Hi Ted,

Joseph Needham in my group has replaced Floyd Farkle, who left abruptly for a better job across town. Because Floyd was our local admin, I can’t update any permissions for my team. Can you grant Joseph (employee number 123456) the same set of permissions Floyd had? I sent in a ticket but things haven’t been moving as quickly as they should, and the quarter end is looming. Thanks for your attention to this matter.

Chuck Itall

In this case, Floyd is a real local admin, and he hasn’t actually left the business; he is simply unreachable, perhaps on vacation (as his Facebook posts suggest), and his account has been compromised too. Joseph is a real employee in Chuck’s group. Chuck Itall is a real manager whose account was compromised silently; he is on a business trip and out of contact for the next day or so. Ted is an actual employee in central IT administration.

Ted has to choose if he is going to grant the emergency request and wait for the ticket to come through, or ignore the request and incur the wrath of the remote manager Chuck. Suppose you were Ted. Would you grant the permissions or not?

As these hostile threat actors become more proficient at analyzing and updating their trove of identity data, they will continuously improve the accuracy of their databases. Through more targeted spear-phishing campaigns, they will deepen and confirm their models of target organizations. This has already happened in specific industries. Between 2010 and 2014, threat actors targeted LinkedIn profiles carrying the honorific “Esq.,” leading to numerous hacks of law firms. In those cases, spam and phishing gave the threat actors relatively easy access, putting critical confidential information on mergers and acquisitions, and pre-patent intellectual property, at risk. The larger-scale hacks of 2014 opened a broader range of targets to threat actors.

Organizations can take steps to reduce their attack surface. First, make sure that the individuals who can grant elevated permissions know what to do when they receive an unexpected request. Build a reliable, out-of-band system to verify such requests, one that does not rely on anything in the email itself. Consider how users might ask for elevated permissions, and deploy processes with adequate audit logging for real-time alerting and later analysis.
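What a verification step behind that email might look like, as an added example (not code from the original post): every claim in the message is checked against a system of record instead of the email itself, and the request is held until each check passes. The HR directory, ticket queue, employee numbers and callback flag below are constructed for illustration.

```python
"""Out-of-band verification of an emailed privilege-grant request.

Added example, not from the original post. Every data source here is
constructed: a toy HR directory, a toy ticket queue and the request Ted
received in the email above. Nothing stated in the email is trusted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed HR directory (stand-in for the HRIS / identity provider):
# employee number -> record. Queried directly, never taken from the email.
HR: Dict[str, dict] = {
    "123456": {"name": "Joseph Needham", "manager": "Chuck Itall", "status": "active",
               "role": "engineer"},
    "111111": {"name": "Floyd Farkle", "manager": "Chuck Itall", "status": "active",
               "role": "local_admin"},
    "222222": {"name": "Chuck Itall", "manager": "Dana Vance", "status": "active",
               "role": "manager"},
}

# Constructed ticket queue: ticket id -> who filed it and for whom.
TICKETS: Dict[str, dict] = {}


@dataclass
class GrantRequest:
    from_name: str                        # display name in the From: header (untrusted)
    grantee_no: str                       # employee number quoted in the email (untrusted)
    replaces_name: str                    # whose permissions the email wants cloned
    ticket_id: Optional[str]              # ticket the email claims was filed
    confirmed_by_callback: bool = False   # voice confirmation on the requester's directory number


@dataclass
class Verdict:
    approve: bool
    reasons: List[str] = field(default_factory=list)


def _by_name(hr: Dict[str, dict], name: str) -> Optional[dict]:
    return next((r for r in hr.values() if r["name"] == name), None)


def verify(req: GrantRequest, hr: Dict[str, dict] = HR,
           tickets: Dict[str, dict] = TICKETS) -> Verdict:
    """Check every claim in the email against the systems of record."""
    reasons: List[str] = []
    grantee = hr.get(req.grantee_no)
    requester = _by_name(hr, req.from_name)
    replaced = _by_name(hr, req.replaces_name)

    if grantee is None:
        reasons.append("grantee employee number not in HR")
    if requester is None:
        reasons.append("requester not in HR")
    elif grantee is not None and grantee["manager"] != requester["name"]:
        reasons.append("requester is not the grantee's manager of record")

    if replaced is None:
        reasons.append("replaced employee not in HR")
    elif replaced["status"] != "terminated":
        # The email's story ("left abruptly") contradicts the system of record.
        reasons.append(f"{req.replaces_name} is still active in HR")
    elif replaced["role"] != "local_admin":
        reasons.append(f"{req.replaces_name} held no admin role; nothing to clone")

    ticket = tickets.get(req.ticket_id) if req.ticket_id else None
    if ticket is None:
        reasons.append("no matching ticket; an email alone is not a request")
    elif (ticket["requester"], ticket["grantee_no"]) != (req.from_name, req.grantee_no):
        reasons.append("ticket does not match the email's requester and grantee")

    if not req.confirmed_by_callback:
        reasons.append("no callback confirmation from the requester")

    return Verdict(approve=not reasons, reasons=reasons)


def email_from_the_post() -> Verdict:
    """The request exactly as Ted received it: no ticket, Floyd still active."""
    return verify(GrantRequest("Chuck Itall", "123456", "Floyd Farkle", ticket_id=None))


def legitimate_case() -> Verdict:
    """The same request once Floyd has really left, a ticket exists and Chuck was called back."""
    hr = {k: dict(v) for k, v in HR.items()}
    hr["111111"]["status"] = "terminated"
    tickets = {"INC-4711": {"requester": "Chuck Itall", "grantee_no": "123456"}}
    req = GrantRequest("Chuck Itall", "123456", "Floyd Farkle", ticket_id="INC-4711",
                       confirmed_by_callback=True)
    return verify(req, hr, tickets)


if __name__ == "__main__":
    for label, v in (("as emailed", email_from_the_post()), ("verified", legitimate_case())):
        print(label, "->", "APPROVE" if v.approve else "HOLD", v.reasons)
```

Run as written, the email Ted received is held for three reasons (Floyd is still active, there is no ticket, nobody called Chuck back); the same request approves only once all three facts check out. Each reason is a log line worth alerting on, since a request that fails the HR check is the BEC signal the post describes.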

To view the entire report, see

Let me know what you think! Either comment below, or contact me @WilliamMalikTM .


Plexal Bolsters Global Cybersecurity Hub With Two International Partnerships.

Innovation centre Plexal, which delivers LORCA, the government-backed cybersecurity programme, today announces partnerships with the Global Cyber Alliance, City of New York, and the New York Economic Development Corporation. The partnerships are designed to help cybersecurity companies scale internationally while also expanding Plexal’s role as a major global cybersecurity cluster.

Plexal is announcing that the Global Cyber Alliance (GCA) has become a supporting partner, meaning that Plexal members and members of the LORCA cohort will benefit from access to the alliance’s global partners (of which there are over 200), such as Bank of America, IBM, KPMG, Microsoft and Sony. As well as mentoring and networking opportunities, the GCA will bring a wealth of cybersecurity expertise from government and the private sector to share with cyber innovators in Plexal’s network to help them shape their products into viable solutions that solve real-world challenges.

Plexal is also announcing its partnership with the City of New York Mayor’s Office of the Chief Technology Officer and the New York Economic Development Corporation. This will see Plexal be the UK lead for the NYCx Cybersecurity Moonshot Challenge, with a focus on creating better cybersecurity solutions for SMEs. Plexal will both ensure UK innovators are well represented as challenge participants and also act as the primary UK landing pad for challenge winners. Plexal will provide consultation, demo opportunities and a base for winners to develop in the UK through free coworking space and support at Plexal’s hub at Here East, London. The partnership will establish strong connections between cyber innovators based in NYC and the UK, enabling sharing of knowledge and resources that is vital to solving cybersecurity challenges on a global scale.

Global cooperation at LORCA
These partnerships build on the launch of the London Office for Rapid Cybersecurity Advancement (LORCA) in June 2018, hosted and delivered by Plexal with £13.5m of funding from the Department for Digital, Culture, Media & Sport (DCMS). As the UK’s dedicated space for industry-led cybersecurity innovation, LORCA supports the most promising cybersecurity innovators in scaling and growing solutions to meet the most pressing industry challenges. In terms of its international remit, LORCA’s Industry Advisory Board includes representation from Cyber Spark (the Israeli cyber hub) and the National University of Singapore, among others. LORCA also works closely with the Department for International Trade and the Foreign and Commonwealth Office to connect LORCA members to international networks through delegations and trade missions.

Andrew Roughan, Managing Director of LORCA, says: “Sharing knowledge and being open to cooperation between global cyber innovators and industry is more important than ever. We’re looking forward to deepening our links with new global partners and acting as the UK landing pad and connector. These important partnerships with the New York Development Corporation and the Global Cyber Alliance will mean the emerging cyber stars we support can have even greater direct access to new markets and the networks they need to succeed.”

Andy Bates, GCA Executive Director for UK and EMEA, Global Cyber Alliance, says: “Innovation and entrepreneurship are key to shoring up cyber defences. GCA is pleased to partner with Plexal and LORCA and participate in their program to work with scaleups working on cybersecurity challenges.”

James Patchett, President and CEO at the New York City Economic Development Corporation, says: “Cybersecurity is one of our world’s greatest threats, and we need to be ambitious about protecting ourselves. That’s why we’re making New York City a hotbed for cyber innovation, to protect every New Yorker and every business – all while creating good-paying jobs. We’re proud to help launch this important challenge, which will benefit New York City and create game-changing technology for the world to share.”

The post Plexal Bolsters Global Cybersecurity Hub With Two International Partnerships. appeared first on IT Security Guru.

SolutionsPT To Host Cryptomining Webinar For OT Professionals.

Industrial IT software provider SolutionsPT will host a free webinar exploring the evolving cyber security threat posed by Cryptomining infections and how they can be prevented, on Thursday, February 21st.

Designed for Operational Technology (OT) professionals, the Introduction to Cryptomining webinar will examine the specific threat Cryptomining poses to OT environments and discuss the solutions that will enable organisations to guard against it.

Cryptomining malware infects Industrial Control Systems (ICS) and lets attackers use an infected machine’s resources to mine digital currency. The webinar will explore how, if left unchecked, such infections can disrupt OT environments, causing hardware failure, massively increasing energy consumption and preventing systems from carrying out mission-critical tasks.

Unlike other malware attacks, Cryptomining attacks can also be extremely difficult to detect, even after a system has become infected, making them especially dangerous.

Chris Whitehead, Managed Platform Product Manager at SolutionsPT, said: “There has been a significant increase in the number of cyber security attacks against Industrial Control Systems in recent years, with Cryptomining attacks emerging as the top malware threat of 2018. It’s vital that OT professionals are aware of the dangers they pose and our webinar will provide them with a great amount of usable information to take away.

“Our experts will also use the webinar to discuss various solutions to the problems posed by Cryptomining, from increasing the visibility of their industrial networks to ensuring they have both pre-emptive and reactive solutions in place.”

The 30-minute webinar begins at 11am. Attendance is free but attendees must register in advance here:

The post SolutionsPT To Host Cryptomining Webinar For OT Professionals. appeared first on IT Security Guru.

Omron addressed multiple flaws in its CX-Supervisor product

The electronics firm Omron released a security update to address flaws in its CX-Supervisor product that can be exploited for denial-of-service (DoS) attacks and remote code execution.

CX-Supervisor allows users to rapidly create human-machine interfaces (HMIs) for supervisory control and data acquisition (SCADA) systems thanks to a large number of predefined functions and libraries. The software is widely adopted in multiple industries, mainly in the energy sector.

The vulnerabilities were reported through Trend Micro’s Zero Day Initiative (ZDI) by security expert Esteban Ruiz of Source Incite. One of them, tracked as CVE-2018-19027, received a “high” severity rating.

The CVE-2018-19027 flaw affects the CX-One products, the flaw was reported to the vendor on 2018-07-02 while it was publicly disclosed on 2019-01-14.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-One CX-Protocol. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reported the advisory published by ZDI.

“The specific flaw exists within the handling of PSW files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process.”


The ICS-CERT published an advisory that includes details for all the vulnerabilities discovered by the expert. The addressed issues include a use-after-free, lack of proper validation of user-supplied input, and type confusion bugs that can be exploited by attackers to execute arbitrary code on vulnerable systems.

The “IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77” issue could allow an attacker to inject commands that delete files and/or the contents of a file on the system by using a specially crafted project file. Exploitation of this bug, tracked as CVE-2018-19013, can cause a DoS condition; the issue received a CVSS v3 base score of 5.0.

The vulnerabilities have been addressed with the release of version of CX-Supervisor.
The ICS-CERT also suggests upgrading development projects, saving them in the new format, and then rebuilding them in the latest format.

Pierluigi Paganini

(SecurityAffairs – CX-Supervisor, ICS)

The post Omron addressed multiple flaws in its CX-Supervisor product appeared first on Security Affairs.

Unpatched Cisco critical flaw CVE-2018-15439 exposes small Business Networks to hack

Unpatched critical flaw CVE-2018-15439 could be exploited by a remote, unauthenticated attacker to gain full control over the device.

Cisco Small Business Switch software is affected by a critical and unpatched vulnerability (CVE-2018-15439) that could be exploited by a remote, unauthenticated attacker to gain full control over the device.

Cisco Small Business Switch SOHO devices are used to manage small local area networks; they are widely deployed in cloud-based, managed and unmanaged “flavors.”


The flaw has received a critical CVSS base score of 9.8. It is tied to the default configuration of the devices, which includes a default, privileged user account.

This account is created for the initial login and cannot be deleted from the Cisco Small Business Switch devices.

“A vulnerability in the Cisco Small Business Switches software could allow an unauthenticated, remote attacker to bypass the user authentication mechanism of an affected device.” reads the security advisory published by Cisco.

“The vulnerability exists because under specific circumstances, the affected software enables a privileged user account without notifying administrators of the system. An attacker could exploit this vulnerability by using this account to log in to an affected device and execute commands with full admin rights.”

The advisory also includes a workaround: disable this account by adding at least one user account with access privilege level 15 to the device configuration.
Users can “configure an account by using admin as user ID, setting the access privilege to level 15, and defining the password by replacing <strong_password> with a complex password chosen by the user,” the advisory explains.

“However, if all user-configured privilege level 15 accounts are removed from the device configuration, an affected software release re-enables the default privileged user account without notifying administrators of the system.” continues the advisory.

“Under these circumstances, an attacker can use this account to log in to an affected device and execute commands with full admin rights.”
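One way to turn the workaround and its caveat into a repeatable check, added here as an example rather than anything from Cisco’s advisory: audit a saved running-config for user-configured privilege-15 accounts, and re-run the audit whenever an account is removed, because deleting the last one silently re-enables the default account. The config excerpts and the “username … privilege N” line format below are constructed for illustration; confirm the format against your own switch’s output before relying on the parser.

```python
"""Audit a Small Business switch running-config for the CVE-2018-15439 workaround.

Added example, not from Cisco's advisory. The config text and the
'username NAME ... privilege N' line format are constructed assumptions;
check them against a real running-config before trusting the parser.
"""
import re
from typing import List, Tuple

# Constructed: a device that still relies on the undeletable default account.
CONFIG_WITHOUT_WORKAROUND = """\
hostname sw-branch-01
username ops password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 7
snmp-server community public ro
"""

# Constructed: the same device after the advisory's workaround was applied.
CONFIG_WITH_WORKAROUND = """\
hostname sw-branch-01
username admin password encrypted e99a18c428cb38d5f260853678922e03 privilege 15
username ops password encrypted 5f4dcc3b5aa765d61d8327deb882cf99 privilege 7
"""

USERNAME_RE = re.compile(r"^\s*username\s+(?P<name>\S+)(?P<rest>.*)$", re.IGNORECASE)
PRIV_RE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b", re.IGNORECASE)


def level15_users(config: str) -> List[str]:
    """Names of user-configured accounts whose privilege level is 15."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)      # 'no username ...' lines do not match
        if not m:
            continue
        p = PRIV_RE.search(m.group("rest"))
        if p and int(p.group("level")) == 15:
            users.append(m.group("name"))
    return users


def workaround_in_place(config: str) -> Tuple[bool, str]:
    """True when at least one privilege-15 account keeps the default account disabled."""
    users = level15_users(config)
    if not users:
        return False, "no privilege-15 account: the default privileged account is enabled"
    return True, "privilege-15 accounts: " + ", ".join(users)


def remove_user(config: str, name: str) -> str:
    """Simulate deleting an account, to show how the workaround can silently lapse."""
    kept = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if m and m.group("name") == name:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_WITHOUT_WORKAROUND),
                       ("after", CONFIG_WITH_WORKAROUND),
                       ("after, admin deleted", remove_user(CONFIG_WITH_WORKAROUND, "admin"))):
        ok, detail = workaround_in_place(cfg)
        print(f"{label:22s} {'OK' if ok else 'EXPOSED'}: {detail}")
```

The third run is the point of the exercise: a config that passed the audit fails again as soon as the only level-15 account is removed, which is exactly the condition under which the advisory says the default account comes back without any notification.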

Experts pointed out that a successful exploit could allow a remote attacker to compromise the entire network.

The vulnerability affects Cisco Small Business 200 Series Smart Switches, 250 Series Smart Switches, 300 Series Managed Switches, 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, 500 Series Stackable Managed Switches and 550X Series Stackable Managed Switches.

The Cisco 220 Series and 200E Series Smart Switches aren’t affected, and neither are devices running Cisco IOS Software, Cisco IOS XE Software or Cisco NX-OS Software, according to the networking giant.

At the time of writing there is no patch for the vulnerability, though Cisco is expected to release one.

The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attack exploiting this vulnerability.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business Switch, CVE-2018-15439)

The post Unpatched Cisco critical flaw CVE-2018-15439 exposes small Business Networks to hack appeared first on Security Affairs.

Bug Bounties Aren’t Silver Bullet for Better Security

Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.

Read more of this story at Slashdot.

Popular WordPress Plugin WPML Hacked By Angry Former Employee

A very popular WordPress plugin was hacked over the weekend after a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. From a report: In a follow-up mass email, the plugin's developers blamed the hack on a former employee, who also defaced their website. The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages. According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn't need to advertise itself with a free version on the official plugins repository. But on Saturday, ET timezone, the plugin faced its first major security incident since its launch in 2007. The attacker, which the WPML team claims is a former employee, sent out a mass email to all the plugin's customers.

Read more of this story at Slashdot.

Malicious apps deploy Anubis banking trojan using motion detection

By Waqas

Google has left no stone unturned in preventing malware and banking trojans from invading the applications uploaded to its official Play Store. Despite its anti-malware protection, shady applications still make it onto the platform. In fact, malware developers have become so advanced in their skills and tactics that they are now using motion detection technology […]

Read the original post: Malicious apps deploy Anubis banking trojan using motion detection

6 Reasons We Need to Boost Cybersecurity Focus in 2019

Paying attention to cybersecurity is more important than ever in 2019. But, some companies are still unwilling to devote the necessary resources to securing their infrastructures against cyberattacks, and naive individuals think they’re immune to the tactics of cybercriminals, too.

For people who still need some convincing that cybersecurity is an essential point of focus, here are six reasons.

1. The Average Cost of a Cyberattack Exceeds $1 Million

It’s no surprise that cyberattacks are costly, but some people will likely be shocked at the size of the expenses that can result. According to a recent report from Radware, the average total cost of an attack exceeds $1 million. Additionally, victims report issues not directly related to financial losses, such as decreases in productivity or negative customer experiences.

Based on the above statistic, enterprises should conclude that although it costs money to invest in cybersecurity strategies, the expenses could be more substantial if organizations choose not to put enough of their resources toward experts and tools that minimize threats.

2. The U.S. Government Says It’s Time to Come Up With a Better Plan

The U.S. government, as well as the authorities from other nations, continually struggle to safeguard against digital attacks from rivals. The challenges are so immense that government bodies and officials warn that the United States needs an improved way to stop adversaries.

A State Department report warned that the country is increasingly dependent on networked information systems, and foes from other nations have learned to exploit that dependence and use it to disrupt the lives of Americans.

Most people who live in the U.S. can at least imagine the consequences of a severe cyber attack that affected the country’s ability to proceed with normal operations. Since government authorities researched the possibility and asserted there’s no time to waste in coming up with an improved approach to cybersecurity, that’s all the more reason to take action this year.

3. The Methods of Attack Are Diversifying

A decade or so ago, people typically felt sufficiently secure online by installing anti-virus software on their computers. That’s still a worthy precaution to take, but it’s no longer adequate for preventing all or even most of the attacks a hacker might try.

According to a 2014 report, cybercriminals orchestrated 75 percent of attacks through publicly known software vulnerabilities. But, they also try to gain people’s credentials through phishing attacks, lock down their systems with ransomware or infiltrate poorly secured connected devices to name but a few possibilities.

People have a growing number of ways to use technology and rely on connected devices, but that also means the likelihood goes up for potentially unfamiliar kinds of attacks. Focusing on cybersecurity this year requires, in part, understanding the most recent and common types of threats and protecting networks against them.

4. Recent Breaches Victimized Millions

Equifax and Starwood/Marriott dealt with breaches that compromised the data of well over 100 million victims. The earlier revelation about the financial costs of cyber attacks is damning in itself, but it’s crucial for brands — and consumers themselves — to recognize that data breaches can be unintentional or malicious, but in any case, they could affect millions of people.

Then, affected companies have to engage in damage control in an attempt to restore lost trust. Even when those entities put forth the effort, they may still find that customers behave differently following breaches.

More specifically, an April 2018 study examined the connection between consumer trust and spending, with respondents giving businesses a trust score. The survey revealed that 15 percent of low-trust customers reduced how much they spent with a company, compared with only 4 percent of high-trust customers.

5. It Takes Months to Identify and Contain Breaches

If a person or business has a significant water leak in a well-used area, the problem is usually easy to spot and fix. But, it’s typically not so straightforward with cyber-related issues.

Research from 2018 published by IBM found that, on average, it takes 197 days to identify a breach and 69 days to contain it. Those timeframes give hackers plenty of time to do damage that may prove irreparable. Then, once headlines indicate how long a breach remained unnoticed, the reputational damage could be severely harmful, too.

Making cybersecurity a focal point this year could minimize the time spent looking for areas of concern within a network, especially if using artificial intelligence-based strategies that learn normal conditions and give warnings about deviations.

6. Cybercrime Is Extremely Profitable

Some criminals alter their methods once it becomes apparent that their current wrongdoings are no longer profitable. But that probably won’t happen for a while where online crime is concerned. Research from a criminology expert published in April 2018 highlighted that worldwide revenues from cybercrime are at least $1.5 trillion annually.

The investigation talked about how cybercrime represents an interconnected web of profit possibilities with blurred lines between legal and illegal activities. If people don’t fight back against online criminals at both personal and organizational levels, hackers will have more opportunities than ever to continue making income while others suffer.

Failing to Focus on Cybercrime This Year Could Cause an Assortment of Issues

This list highlights some of the most prominent reasons why it’s essential to make cybersecurity a priority in 2019. Hackers get progressively more skilled at carrying out attacks, and they can cause significant catastrophes on unprotected or poorly defended

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – 2019 Cybersecurity predictions, cyberattacks)

The post 6 Reasons We Need to Boost Cybersecurity Focus in 2019 appeared first on Security Affairs.

Security Affairs 2019-01-19 05:57:28

A bug in the Microsoft partner portal exposed support requests to all partners; fortunately, no customer data was exposed.

The Register reported, in an exclusive, that the Microsoft partner portal ‘exposed every support request filed worldwide.’ Tickets submitted from all over the world were visible to all Microsoft support partners due to the glitch.

“At the moment in the Microsoft Partner Portal you can see every ticket title for every support request worldwide!” Stuart Crane of IT biz Everon told The Register.


“Another Microsoft small biz specialist contacted us to say ‘Logged on to my Microsoft Partner portal to check status of a ticket I have open with them only to see lots of tickets which are not ours’,” reported The Register.

According to another Microsoft partner quoted by The Register, the bug exposed the case number and title of the tickets, but not their content. This means the problem is unlikely to cause Microsoft big problems with data protection laws or watchdogs.

Microsoft quickly addressed the flaw and downplayed the issue explaining that only a limited number of features in the Partner Centre portal were affected.

“We’ve addressed an issue that impacted a small subset of functions on our Partner Centre portal and we’re working to restore normal operation,” said a spokesperson for Microsoft.

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)

The post appeared first on Security Affairs.

Firmware Vulnerability In Popular Wi-Fi Chipset Affects Laptops, Smartphones, Routers, Gaming Devices

Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few. "I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device. Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreadX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on.

Read more of this story at Slashdot.
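A toy model of the hazard the report describes, added here as an example; it is not code from the Marvell firmware, from ThreadX, or from the researcher’s write-up. The allocator layout is an assumption chosen to make the mechanism visible: a 4-byte next-free link stored at the head of each block, a 32-byte payload, and some “other firmware state” placed directly after the pool. In a pool built this way the free list runs through the blocks themselves, so a frame copy that overruns one block rewrites the next block’s link, and the allocator later hands out whatever address the attacker wrote there. The two “checked” switches show the independent fixes: bounding the copy to the block size, and refusing to follow a link that does not point at a block header.

```python
"""Simulation of a fixed-size block-pool overflow corrupting in-band free-list metadata.

Added example; a toy model, not ThreadX or Marvell code. Offsets into a
bytearray stand in for pointers so the whole thing runs offline.
"""
import struct
from typing import Optional, Tuple

HDR = 4                      # in-band metadata per block: next-free offset (4-byte LE)
BLOCK = 32                   # payload bytes per block
NBLOCKS = 4
STRIDE = HDR + BLOCK
POOL_BYTES = NBLOCKS * STRIDE
OTHER_BYTES = 32             # "other firmware state" that sits right after the pool
NULL = 0xFFFFFFFF            # end-of-free-list marker


class BlockPool:
    """Fixed-size block pool with the free list threaded through the blocks (assumed layout)."""

    def __init__(self, checked_alloc: bool):
        self.mem = bytearray(POOL_BYTES + OTHER_BYTES)
        self.checked_alloc = checked_alloc
        for i in range(NBLOCKS):                      # link block i -> block i+1
            nxt = (i + 1) * STRIDE if i + 1 < NBLOCKS else NULL
            struct.pack_into("<I", self.mem, i * STRIDE, nxt)
        self.free_head = 0

    def _is_block_header(self, off: int) -> bool:
        return off == NULL or (off < POOL_BYTES and off % STRIDE == 0)

    def allocate(self) -> Optional[int]:
        """Pop the free list; return the payload offset of the block, or None."""
        if self.free_head == NULL:
            return None
        blk = self.free_head
        (nxt,) = struct.unpack_from("<I", self.mem, blk)   # link read from the block itself
        if self.checked_alloc and not self._is_block_header(nxt):
            return None                                    # hardened: never follow a corrupted link
        self.free_head = nxt
        return blk + HDR

    def copy_frame(self, payload_off: int, frame: bytes, checked_len: bool) -> None:
        """Copy a received frame into a block. The unchecked path trusts the frame length."""
        n = min(len(frame), BLOCK) if checked_len else len(frame)
        assert payload_off + n <= len(self.mem), "simulation keeps writes inside the model"
        self.mem[payload_off:payload_off + n] = frame[:n]


def scenario(checked_alloc: bool, checked_len: bool) -> Tuple[Optional[int], bytes]:
    """Oversized frame into block 0, then two allocations and a write through the result.

    Returns the last payload offset handed out (None if refused) and the
    'other state' region afterwards, so corruption outside the pool is visible.
    """
    pool = BlockPool(checked_alloc)
    target = POOL_BYTES + 8                              # attacker-chosen: inside the other state
    a = pool.allocate()                                  # block 0 payload (offset 4)
    frame = b"A" * BLOCK + struct.pack("<I", target)     # BLOCK + 4 bytes: 4 too many
    pool.copy_frame(a, frame, checked_len)               # overrun lands on block 1's link
    pool.allocate()                                      # block 1; free list now points at target
    c = pool.allocate()                                  # vulnerable path: target + HDR handed out
    if c is not None:
        pool.copy_frame(c, b"A" * 4, checked_len=True)   # write-what-where through the bogus block
    return c, bytes(pool.mem[POOL_BYTES:POOL_BYTES + OTHER_BYTES])


if __name__ == "__main__":
    for alloc_ok, len_ok in ((False, False), (True, False), (False, True)):
        off, other = scenario(alloc_ok, len_ok)
        print(f"checked_alloc={alloc_ok!s:5} checked_len={len_ok!s:5} "
              f"-> offset {off}, other state {other.hex()}")
```

With neither check the third allocation returns an offset past the end of the pool and the follow-up copy lands in the “other state”; with either check in place the write never leaves the pool, which is why a fix for a bug of this class usually wants both the length bound at the copy site and the link validation in the allocator.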

Twitter bug exposed private tweets of Android users to public for years

By Carolina

A security bug in Twitter exposed private tweets of users to the public. The flaw only affected Android users of the Twitter app while iPhone users were not affected. According to Twitter, private tweets of users from November 3, 2014, to January 14, 2019, were exposed. Although the company did not say how many people were affected […]

Read the original post: Twitter bug exposed private tweets of Android users to public for years

This Week in Security News: Risky Radio Remotes and Cybercrime

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about Trend Micro’s new research on radio frequency technology and the risks of radio remote controllers. Also, understand why there is a rise in physical crime in the cybercrime underground.

Read on:

Exclusive: Hackers Take Control Of Giant Construction Cranes

Trend Micro Research discovered that the lack of implemented security in radio frequency technology could lead to production sabotage, system control, and unauthorized access to industrial machines. 

New Magecart Attack Delivered Through Compromised Advertising Supply Chain

Trend Micro found a malicious skimming code loaded on e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites. 

Tesla is Entering the Model 3 Into Pwn2Own, One of the World’s Toughest Hacking Contests

Trend Micro is partnering with Tesla to include a Model 3 sedan in Pwn2Own Vancouver this year, the first time a car has been included in the annual high-profile hacking contest.

Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics

Trend Micro found two malicious apps, that were disguised as useful tools, on Google Play that drop wide-reaching banking malware.

As the Government Shutdown Drags On, Security Risks Intensify

Cybersecurity risks grow during the US government shutdown as organizations within the Department of Homeland Security—including the new Cybersecurity and Infrastructure Security Agency —are operating with skeleton crews.

Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers: Security Analysis and Recommendations

Radio frequency technology is being used to control various industrial machines. However, the lack of implemented security could lead to production sabotage, system control, and unauthorized access.

Hackers Breach and Steal Data from South Korea’s Defense Ministry

Hackers have breached 30 computers in the South Korean government agency that oversees weapons and munitions acquisitions, stealing documents from at least ten of those computers.

The Rise of Physical Crime in the Cybercrime Underground

While underground forums have long been the purview of digital crimes, recent developments have shown signs of increasing synergy and interaction between traditional criminals and cybercrime actors. 

Firms fined $1M for SingHealth Data Security Breach

SingHealth and Singapore’s public healthcare sector IT agency IHIS have been slapped with S$250,000 and S$750,000 financial penalties, respectively, for the July 2018 cybersecurity attack that breached the country’s personal data protection act.

Are you surprised that there is a rise in threat actors who delve into both traditional crime and cybercrime? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Risky Radio Remotes and Cybercrime appeared first on .

How to use emerging technology in the fight against cybercrime


The digital transformation brings with it a litany of advantages and opportunities for all kinds of organizations, from an increase in productivity and efficiency, to larger markets in which to operate.

But these advantages and the breaking down of barriers for the sake of increased globalization go hand in hand with some drawbacks, one of which is the incredible increase in the number of cyberattacks carried out. We need look no further than last year, when there were almost double the number of cybersecurity incidents in companies compared to the previous year. What’s more, there were around 159,000 data breaches driven by ransomware or new attack methods. And the economic consequences of these incidents are staggering: the global cost of cybercrime is expected to exceed $2 trillion by 2019.

It is clear that in order to tackle figures like these, it is necessary to invest in qualified professionals. However, with the increase in the scale and sophistication of attacks, the development of cybersecurity professionals has been outstripped by the growth and the sophistication of cyberthreats.

In this context, it is clear that there is a lack of cybersecurity professionals; in fact, 22% of organizations report that their cybersecurity teams are not large enough to take on everything that is required of them. The Information System Security Certification Consortium, or (ISC)2, estimates there to be a skills gap of just under 3 million professionals.

Download the whitepaper

Addressing the shortage with technology

The boom of the Internet of things (IoT) means that there are ever more data points to track and more points of entry into systems. The use of machine learning and artificial intelligence (AI) can help address this problem, and at the same time mitigate the skills gap. These technologies can gather and analyze data, trace threats, search for vulnerabilities, respond to breaches, and thus reduce the IT team’s workload. At Panda Security, we make this technology a reality with our Threat Hunting and Investigation service, which allows the automatic classification of 99.98% of threats, leaving just 0.02% of them to analysts. This way we can focus on the really dangerous attacks.

Some of the advantages that technology can bring to our organizations are:

Prevention. With AI, systems can be developed to search for security flaws and deploy solutions in real time.

Detection. AI can help cybersecurity analysts to detect and analyze high-risk incidents, and to investigate threats.

Response. Machine learning and artificial intelligence can segregate networks to isolate assets or to redirect attackers away from vulnerabilities or valuable data.

Choosing the right cybersecurity solution for my company: what does it need to have?

Panda Security leverages a combination of solutions and services for their customers to provide visibility of all endpoint activity, control of all running processes, and to reduce the attack surface. This includes device management and control features, EDR and EPP solutions, 100% Classification and Threat Hunting services, all the data gathered by its Collective Intelligence for more than 28 years, and external IOAs and IOCs, all perfectly synchronized. These advantages are grouped together on the security platform, Panda Adaptive Defense.

The Cybersecurity Tech Accord – the key accord in the interest of defending equitable, global cybersecurity of which Panda Security has been a member since last year – has prepared a whitepaper, “Addressing the Cybersecurity Skills Gap through Cooperation, Education and Emerging Technologies”. In it, you can discover what challenges the skills gap presents, what initiatives have been proposed to resolve it, and more details on how emerging technology can put a stop to this problem.

Download the whitepaper

The post How to use emerging technology in the fight against cybercrime appeared first on Panda Security Mediacenter.

Oracle critical patch advisory addresses 284 flaws, 33 critical

Oracle has released its first critical patch advisory for 2019; it addresses a total of 284 vulnerabilities, 33 of which are rated “critical”.

Let’s take a closer look at some of the vulnerabilities fixed by this patch advisory.

The advisory fixed the CVE-2016-1000031 flaw, a remote code execution (RCE) bug in Apache Commons FileUpload disclosed in November last year. The Commons FileUpload library is the default file upload mechanism in Struts 2; CVE-2016-1000031 was discovered two years ago by experts at Tenable.

The bug affected the OCA’s Diameter Signalling Router component and its Communications Services Gatekeeper. The flaw also affected the Financial Services Analytical Applications Infrastructure, the Fusion Middleware MapViewer, and four three Oracle Retail components.

A vulnerability in Apache Log4j tracked as CVE-2017-5645 impacted Oracle’s Converged Application Server – Service Controller, the OCA Online Mediation Controller Service Broker, the WebRTC Session Controller, the FLEXCUBE component in Oracle Financial Services Applications, the GoldenGate application adapters and SOA Suite in Fusion Middleware, and also a Sun tape library component.

The CVE-2017-5645 flaw resides in the Codehaus versions of Groovy and affected OCA Unified Inventory Management.

The critical patch advisory for 2019 also fixed the CVE-2018-11776 vulnerability in the OCA’s Communications Policy Management component; this issue was exploited in 2018 by threat actors to mine cryptocurrency.

Oracle also addressed an arbitrary file upload flaw (CVE-2018-9206) in the OCA’s Services Gatekeeper that also impacted Primavera P6 in the Construction and Engineering Suite, and Siebel CRM.

Another bug fixed by Big Red affected the Oracle E-Business Suite’s Performance Management component and is tracked as CVE-2019-2453:

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Performance Management.” reads the description provided by

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Performance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Performance Management accessible data.”

Oracle also addressed CVE-2016-4000, a flaw in Jython that provided a vector for arbitrary code execution; Jython is used by the Oracle Enterprise Manager platform, Banking Platform, and Utilities Network Management System.

The list is very long; it also includes patches for a DoS in the Apache Derby tool used in the WebLogic server (CVE-2015-1832) and an RCE bug in the Spring framework used by Oracle Tuxedo and the Sun Tape Library ACSLS component.

People interested in the full list could visit the following address:

Pierluigi Paganini

(SecurityAffairs – hacking, critical patch advisory)

The post Oracle critical patch advisory addresses 284 flaws, 33 critical appeared first on Security Affairs.

It’s oh so quiet: get ready for stealthy malware in 2019

It’s unlikely we’ll ever look back fondly on a time when ransomware would announce itself noisily. But at least victims knew they were under attack. Now, the signs are that malware is adopting sneaky tactics to avoid detection.

Fileless malware looks set to be a significant security threat in 2019, and that could be bad news for anyone using traditional antivirus tools. In the past, most infections involved installing malicious software on a target’s hard disk. But in doing so, it left a signature that alerted security software to its presence. Fileless malware, on the other hand, exists only in memory. It leaves none of the traces that traditional infections do, making it much harder to identify, stop, and remove.

That’s leading to a potential gap in security defences that attackers seem to be exploiting in growing numbers. SentinelOne tracked a 94 per cent rise in fileless attacks during the first half of last year. Research from the Ponemon Institute and Barkly found fileless attacks accounted for 35 per cent of all attacks during 2018.

Under the radar

Now, most leading security software companies like Symantec, Trend Micro and McAfee Labs recognise this type of undetected malware. It was also the subject of a recent webinar by Malwarebytes. Its senior product marketing manager Helge Husemann namechecked SamSam, Sorebrect, Emotet and TrickBot as some of the biggest fileless malware types from 2018.

Emotet is the biggest example of this type of “under the radar” malware. It’s been around since 2014 and it acts as a downloader for other malware. It uses leaked NSA exploits and it comes with a built-in spam module that allows it to spread to other systems. The attack often starts as an email that pretends to come from a government service, like the tax office.

Husemann said Emotet’s primary focus has been English-speaking, Western countries. Many of its targets were in the US, while the UK had more Emotet infections than any other European country in 2018. Last October, Emotet was used to spread ransomware to the North Carolina Water Authority.

Malwarebytes categorises the SamSam ransomware as semi-fileless. Husemann said attackers usually install it manually through patch scripts once they have already broken into a victim’s network. The city of Atlanta, which suffered a major outbreak of SamSam in March 2018, has spent around $2.6 million on recovery.

A common attack vector for fileless malware is via PowerShell, which is a legitimate Windows scripting tool but is also popular with cybercriminals. “It provides an opportunity for the attacker to hide the malware and make system modifications if they need to. We will definitely see the usage of PowerShell happening much more,” Husemann said.  

Watching for weak points

Another way to get an infection is by visiting a compromised website. The site’s code then exploits a vulnerability, such as an unpatched browser or an insecure Flash plugin, on the user’s computer.

Rebooting a system will usually get rid of a fileless infection – but you would need to know you’re infected in the first place. What’s more, rebooting creates challenges for digital forensics investigations because of how fileless malware operates in-memory. Once the infected system is turned off, it leaves no evidence behind.

With thousands of new malware variants coming out every day, it won’t be enough to rely only on signature-based security tools to spot threats. “Malware may be hiding in the one place you’re not checking, which is process memory. After years of loud and obvious ransomware we are entering the stage of quiet information stealers,” Husemann said.  

An effective endpoint solution should consist of three components, Husemann said. First is the ability to prevent a cyberattack through multiple protection layers including web protection, application hardening and behaviour, exploit mitigation, and payload analysis. The second component is the ability to detect threats, using advanced techniques. The third element concerns response: being able to remediate an incident in the fastest possible time, to minimise disruption to business and reduce the impact on end users.

BH Consulting is independent so we don’t have ties to any one product vendor. No matter which security tool you use, it’s clear that the software we used to call “antivirus” still has an important role in protecting organisations’ valuable data.

The post It’s oh so quiet: get ready for stealthy malware in 2019 appeared first on BH Consulting.

New ransomware steals PayPal data with phishing link in ransom note

By Uzair Amir

Ransomware is a reality and threat actors are using it quite avidly and frequently nowadays in order to make easy money. According to the new findings of MalwareHunterTeam, there is in-development ransomware that can encrypt your files, steal credit card information and steal PayPal credentials using the phishing page. The ransomware is not extraordinary in its […]

This is a post from Read the original post: New ransomware steals PayPal data with phishing link in ransom note

NanoCore Trojan Malware Cannot be Killed By Users

Most people are now familiar with how destructive and damaging computer viruses such as a Trojan can be. Many are

NanoCore Trojan Malware Cannot be Killed By Users on Latest Hacking News.

At Least Five LiDAR Challenges for Vehicles

Sensors Online has a nice summary of the current product management view for LiDAR manufacturers. They spell out these five concerns: size, cost, reliability, range, and eye safety. Conspicuously missing from the list (pun not intended) is integrity of the data. Reliability in the above list refers only to environmental risks (“replace the moving parts with … Continue reading At Least Five LiDAR Challenges for Vehicles

773 million records with emails & plain text passwords leaked online

By Waqas

It’s a whopping 87GB data – Find out if you are affected by the massive data breach. Security researcher and founder of Have I Been Pwned, Troy Hunt, has revealed that around 773 million ‘unique’ email IDs and 22 million ‘unique’ passwords were available on MEGA cloud service. Later on, the same data was found posted […]

This is a post from Read the original post: 773 million records with emails & plain text passwords leaked online

Drupal fixes 2 critical code execution flaws in Drupal 7, 8.5 and 8.6

Drupal released security updates for Drupal 7, 8.5 and 8.6 that address two “critical” security vulnerabilities that could be exploited for arbitrary code execution.

The first vulnerability could be exploited by a remote attacker to execute arbitrary PHP code. The flaw resides in the phar stream wrapper implemented in PHP and is related to the way it handles untrusted phar:// URIs.

“A remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI.” reads the security advisory.

“Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.”

The development team marked .phar as a potentially dangerous extension; this means that .phar files uploaded to a website running on the popular CMS will be automatically converted to .txt to prevent malicious execution. Note that the replacement stream wrapper is not compatible with PHP versions lower than 5.3.3.

The development team has disabled the phar:// wrapper for Drupal 7 sites running a version of PHP earlier than 5.3.3.

“Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.” continues the advisory.

The second flaw affects the PEAR Archive_Tar, a third-party library that handles .tar files in PHP. An attacker could use a specially crafted .tar file to delete arbitrary files on the system and possibly even execute remote code.

“Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.” reads the security advisory.

The developers of Archive_Tar have patched the flaw, and the updated library has been shipped in the core of the CMS.

Drupal 8.6.6, 8.5.9 and 7.62 patch both flaws; experts highlighted that Drupal 8 versions prior to 8.5.x will no longer receive security updates because they have reached end of life.

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

The post Drupal fixes 2 critical code execution flaws in Drupal 7, 8.5 and 8.6 appeared first on Security Affairs.

Watch as hackers take over a construction crane

By Waqas

Trend Micro Researchers Prove How Easy it is for Hackers to Hack a Construction Crane and Cause Destruction. Hacking a crane at a construction site might seem to you like an impossible act from cybercriminals. It just appears so unbelievable. After all, what would they get by hacking a crane? However, researchers at Trend Micro, a […]

This is a post from Read the original post: Watch as hackers take over a construction crane

The 773 Million Record “Collection #1” Data Breach


Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper.

Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that's a sizeable amount more than a 32-bit integer can hold.)

In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don't always neatly format their data dumps into an easily consumable fashion. (I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives.)

The unique email addresses totalled 772,904,991. This is the headline you're seeing as this is the volume of data that has now been loaded into Have I Been Pwned (HIBP). It's after as much clean-up as I could reasonably do and per the previous paragraph, the source data was presented in a variety of different formats and levels of "cleanliness". This number makes it the single largest breach ever to be loaded into HIBP.

There are 21,222,975 unique passwords. As with the email addresses, this was after implementing a bunch of rules to do as much clean-up as I could including stripping out passwords that were still in hashed form, ignoring strings that contained control characters and those that were obviously fragments of SQL statements. Regardless of best efforts, the end result is not perfect nor does it need to be. It'll be 99.x% perfect though and that x% has very little bearing on the practical use of this data. And yes, they're all now in Pwned Passwords, more on that soon.

That's the numbers, let's move onto where the data has actually come from.

Data Origins

Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised, complete with the following image:


As you can see at the top left of the image, the root folder is called "Collection #1" hence the name I've given this breach. The expanded folders and file listing give you a bit of a sense of the nature of the data (I'll come back to the word "combo" later), and as you can see, it's (allegedly) from many different sources. The post on the forum referenced "a collection of 2000+ dehashed databases and Combos stored by topic" and provided a directory listing of 2,890 of the files which I've reproduced here. This gives you a sense of the origins of the data but again, I need to stress "allegedly". I've written before about what's involved in verifying data breaches and it's often a non-trivial exercise. Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all.

However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches (at least the ones that I've personally seen and verified), but per the quoted sentence above, the data contains "dehashed" passwords which have been cracked and converted back to plain text. (There's an entirely different technical discussion about what makes a good hashing algorithm and why the likes of salted SHA1 is as good as useless.) In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see.

So that's where the data has come from, let me talk about how to assess your own personal exposure.

Checking Email Addresses and Passwords in HIBP

There'll be a significant number of people that'll land here after receiving a notification from HIBP; about 2.2M people presently use the free notification service and 768k of them are in this breach. Many others, over the years to come, will check their address on the site and land on this blog post when clicking in the breach description for more information. These people all know they were in Collection #1 and if they've read this far, hopefully they have a sense of what it is and why they're in there. If you've come here via another channel, checking your email address on HIBP is as simple as going to the site, entering it, then looking at the results (scrolling further down lists the specific data breaches the address was found in):


But what many people will want to know is what password was exposed. HIBP never stores passwords next to email addresses and there are many very good reasons for this. That link explains it in more detail but in short, it poses too big a risk for individuals, too big a risk for me personally and frankly, can't be done without taking the sorts of shortcuts that nobody should be taking with passwords in the first place! But there is another way and that's by using Pwned Passwords.

This is a password search feature I built into HIBP about 18 months ago. The original intention of it was to provide a data set to people building systems so that they could refer to a list of known breached passwords in order to stop people from using them again (or at least advise them of the risk). This provided a means of implementing guidance from government and industry bodies alike, but it also provided individuals with a repository they could check their own passwords against. If you're inclined to lose your mind over that last statement, read about the k-anonymity implementation then continue below.

Here's how it works: let's do a search for the word "P@ssw0rd" which incidentally, meets most password strength criteria (upper case, lower case, number and 8 characters long):


Obviously, any password that's been seen over 51k times is terrible and you'd be ill-advised to use it anywhere. When I searched for that password, the data was anonymised first and HIBP never received the actual value of it. Yes, I'm still conscious of the messaging when suggesting to people that they enter their password on another site but in the broader scheme of things, if someone is actually using the same one all over the place (as the vast majority of people still do), then the wakeup call this provides is worth it.
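To make the anonymisation step concrete, here is the client side of the Pwned Passwords range query as an added example (my code, not HIBP's or 1Password's): only the first five hex characters of the password's SHA-1 are sent, the matching is done locally, and the HTTP call is replaced by a constructed sample response so it runs offline.

```python
"""Client-side Pwned Passwords k-anonymity check (added example, not HIBP's code).

The range API takes only the first 5 hex chars of the SHA-1 of the password and
returns every hash suffix in that range with a prevalence count; the full hash and
the password never leave the client. The HTTP call is replaced here by a
constructed sample response so the example runs offline.
"""
import hashlib

PREFIX_LEN = 5          # the range query sends exactly 5 hex characters
HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form in which Pwned Passwords is indexed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix sent to the API, suffix that stays on the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (35 hex chars, a colon, an integer).

    Lines that do not match the format are skipped rather than trusted, since
    the response is untrusted network input."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.upper()
        if (sep != ":" or len(suffix) != 40 - PREFIX_LEN
                or not set(suffix) <= HEX or not count.strip().isdigit()):
            continue
        counts[suffix] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in Pwned Passwords (0 if never).

    fetch_range(prefix) -> response body; it is only ever given the prefix."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Constructed offline stand-in for the real API; NOT real HIBP data ---
# The counts and the neighbouring suffixes are made up. Only the matching
# suffix is derived from the real SHA-1 of the sample password.
SAMPLE_PASSWORD = "P@ssw0rd"
_SAMPLE_SUFFIX = split_for_range_query(SAMPLE_PASSWORD)[1]
SAMPLE_RANGE_BODY = "\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:3",       # constructed
    f"{_SAMPLE_SUFFIX}:51259",                    # constructed count
    "malformed line that a careful parser skips",  # constructed
    "FEDCBA9876543210FEDCBA9876543210FED:2",       # constructed
])


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}."""
    assert len(prefix) == PREFIX_LEN and set(prefix) <= HEX
    return SAMPLE_RANGE_BODY


if __name__ == "__main__":
    prefix, _ = split_for_range_query(SAMPLE_PASSWORD)
    print(f"sent to the API: {prefix} (5 of 40 hex characters)")
    print(f"seen {breach_count(SAMPLE_PASSWORD, fake_fetch_range)} times")
```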

As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.

Whilst I can't tell you precisely what password was against your own record in the breach, I can tell you if any password you're interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about. If you have a bunch of passwords and manually checking them all would be painful, give this a go:

This is 1Password's Watchtower feature and it can take all your stored passwords and check them against Pwned Passwords in one go. The same anonymity model is used (neither 1Password nor HIBP ever see your actual password) and it enables bulk checking all in one go. I'm conscious that many people reading this won't be using a password manager of any kind in the first place and that's an absolutely pivotal part of how to deal with this incident so I'll come back to that a little later. Apparently, this feature along with integrated HIBP searches and notifications when new breaches pop up is one of the most-loved features of 1Password which is pretty cool! For some background on that, without me knowing in advance, they launched an early version of this only a day after I released V2 with the anonymity model (incidentally, that was a key motivator for later partnering with them):

For those using Pwned Passwords in their own systems (EVE Online, GitHub, Okta et al), the API is now returning the new data set and all caches have now been flushed (you should see a very recent "last-modified" response header). All the downloadable files have also been revised up to version 4 and are available on the Pwned Passwords page via download courtesy of Cloudflare or via torrents. They're in both SHA1 and NTLM formats with each ordered both alphabetically by hash and by prevalence (most common passwords first).

Why Load This Into HIBP?

Every single time I come across a data set that's not clearly a breach of a single, easily identifiable service, I ask the question - should this go into HIBP? There are a number of factors that influence that decision and one of them is uniqueness; is this a sufficiently new set of data with a large volume of records I haven't seen before? In determining that, I took a slice of the email addresses and ran them against HIBP to see how many of them had been seen before. Here's what it looked like after a few hundred thousand checks:


In other words, there's somewhere in the order of 140M email addresses in this breach that HIBP has never seen before.

The data was also in broad circulation based on the number of people that contacted me privately about it and the fact that it was published to a well-known public forum. In terms of the risk this presents, more people with the data obviously increases the likelihood that it'll be used for malicious purposes.

Then there's the passwords themselves and of the 21M+ unique ones, about half of them weren't already in Pwned Passwords. Keeping in mind how this service is predominantly used, that's a significant number that I want to make sure are available to the organisations that rely on this data to help steer their customers away from using higher-risk passwords.

And finally, every time I've asked the question "should I load data I can't emphatically identify the source of?", the response has always been overwhelmingly "yes":

People will receive notifications or browse to the site and find themselves there and it will be one more little reminder about how our personal data is misused. If - like me - you're in that list, people who are intent on breaking into your online accounts are circulating it between themselves and looking to take advantage of any shortcuts you may be taking with your online security. My hope is that for many, this will be the prompt they need to make an important change to their online security posture. And if you find yourself in this data and don't feel there's any value in knowing about it, ignore it. For everyone else, let's move on and establish the risk this presents then talk about fixes.

What's the Risk If My Data Is in There?

I referred to the word "combos" earlier on and simply put, this is just a combination of usernames (usually email addresses) and passwords. In this case, it's almost 2.7 billion of them compiled into lists which can be used for credential stuffing:

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.

In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem.

By pure coincidence, just last week I wrote about credential stuffing attacks and how they led many people to believe that Spotify had suffered a data breach. In that post, I embedded a short video that shows how easily these attacks are automated and I want to include it again here:

Within the first 20 seconds, the author of the video has chosen a combo list just like the one three quarters of a billion people are in via this Collection #1 breach. Another 20 seconds and the software is testing those accounts against Spotify and reporting back with email addresses and passwords that can log on to accounts there. That's how easy it is and also how indiscriminate it is; it's not personal, you're just on the list! (For people wanting to go deeper, check out Shape Security's video on credential stuffing.)

To be clear too, this is not just a Spotify problem. Automated tools exist to leverage these combo lists against all sorts of other online services including ones you shop at, socialise at and bank at. If you found your password in Pwned Passwords and you're using that same one anywhere else, you want to change each and every one of those locations to something completely unique, which brings us to password managers.
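From the service operator's side, the automated, indiscriminate pattern described above is exactly what makes a stuffing run detectable in authentication logs. The following is an added example (my code, not from this post or any product) that applies a simple heuristic to constructed log lines in a made-up format: one source trying many distinct accounts in a short window with mostly failures is flagged, and any successes inside that run are the accounts to force a reset on.

```python
"""Detecting a credential-stuffing run in authentication logs (added example;
the log format and every line below are constructed, not from a real service).

A stuffing run looks different from a user mistyping a password: one source
tries MANY DISTINCT accounts, almost all attempts fail, and they arrive fast.
A source IP is flagged when, inside a sliding window, it has tried at least
MIN_ACCOUNTS distinct accounts with a failure ratio of at least MIN_FAILURE_RATIO.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_ACCOUNTS = 5          # distinct accounts from one source inside the window
MIN_FAILURE_RATIO = 0.8   # a stuffing run is overwhelmingly failures
WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse the constructed format 'ISO-TIME ip=A.B.C.D user=EMAIL result=ok|fail'."""
    ts_text, fields = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in fields.split())
    return LoginEvent(datetime.fromisoformat(ts_text), kv["ip"],
                      kv["user"].lower(), kv["result"] == "ok")


def find_stuffing_sources(lines) -> dict[str, dict]:
    """Return {src_ip: summary} for every source that trips the heuristic.

    Events are processed in order; per source, a deque keeps only the events
    inside WINDOW. Once a source is flagged it stays flagged for this batch,
    with the summary from the last window that tripped the threshold."""
    recent: dict[str, deque] = defaultdict(deque)
    flagged: dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        q = recent[ev.src_ip]
        q.append(ev)
        while q and ev.ts - q[0].ts > WINDOW:
            q.popleft()
        accounts = {e.account for e in q}
        ratio = sum(1 for e in q if not e.success) / len(q)
        if len(accounts) >= MIN_ACCOUNTS and ratio >= MIN_FAILURE_RATIO:
            flagged[ev.src_ip] = {
                "accounts": len(accounts),
                "attempts": len(q),
                "failure_ratio": round(ratio, 2),
                # successes inside a flagged run are reused passwords that
                # worked: these accounts need a forced reset, not just a lockout
                "compromised": sorted(e.account for e in q if e.success),
            }
    return flagged


# Constructed sample: a user fumbling their own password from 203.0.113.7 and a
# stuffing run from 198.51.100.9 (documentation ranges, not real addresses).
SAMPLE_LOG = [
    "2019-01-17T10:00:00 ip=203.0.113.7 user=alice@example.org result=fail",
    "2019-01-17T10:00:05 ip=203.0.113.7 user=alice@example.org result=fail",
    "2019-01-17T10:00:12 ip=203.0.113.7 user=alice@example.org result=ok",
    "2019-01-17T10:01:00 ip=198.51.100.9 user=u1@example.org result=fail",
    "2019-01-17T10:01:01 ip=198.51.100.9 user=u2@example.org result=fail",
    "2019-01-17T10:01:02 ip=198.51.100.9 user=u3@example.org result=fail",
    "2019-01-17T10:01:03 ip=198.51.100.9 user=u4@example.org result=ok",
    "2019-01-17T10:01:04 ip=198.51.100.9 user=u5@example.org result=fail",
    "2019-01-17T10:01:05 ip=198.51.100.9 user=u6@example.org result=fail",
]

if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are illustrative; in production they would be tuned per service and combined with signals the log line alone lacks, such as ASN, user agent and geolocation.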

Get a Password Manager

You have too many passwords to remember, you know they're not meant to be predictable and you also know they're not meant to be reused across different services. If you're in this breach and not already using a dedicated password manager, the best thing you can do right now is go out and get one. I did that many years ago now and wrote about how the only secure password is the one you can't remember. A password manager provides you with a secure vault for all your secrets to be stored in (not just passwords, I store things like credit card and banking info in mine too), and its sole purpose is to focus on keeping them safe and secure.

A password manager is also a rare exception to the rule that adding security means making your life harder. For example, logging on to a mobile app is dead easy:

I chose the password manager 1Password all those years ago and have stuck with it ever since. As I mentioned earlier, they partnered with HIBP to help drive people interested in personal security towards better personal security practices and obviously there's some neat integration with the data in HIBP too (there's also a dedicated page explaining why I chose them).

If a digital password manager is too big a leap to take, go old school and get an analogue one (AKA, a notebook). Seriously, the lesson I'm trying to drive home here is that the real risk posed by incidents like this is password reuse and you need to avoid that to the fullest extent possible. It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web. Just think about it - you go from your "threat actors" (people wanting to get their hands on your accounts) being anyone with an internet connection and the ability to download a broadly circulating list such as Collection #1, to people who can break into your house - and they want your TV, not your notebook!


Because an incident of this size will inevitably result in a heap of questions, I'm going to list the ones I suspect I'll get here then add to it as others come up. It'll help me handle the volume of queries I expect to get and will hopefully make things a little clearer for everyone.

Q. Can you send me the password for my account?
I know I touched on it above but it's always the single biggest request I get so I'm repeating it here. No, I can't send you your password but I can give you a facility to search for it via Pwned Passwords.

Q. How long ago were these sites breached?
It varies. The first site on the list I shared was 000webhost, which was breached in 2015, but there's also a file in there which suggests 2008. These are lots of different incidents from lots of different time frames.

Q. What can I do if I'm in the data?
If you're reusing the same password(s) across services, go and get a password manager and start using strong, unique ones across all accounts. Also turn on 2-factor authentication wherever it's available.

Q. I'm responsible for managing a website, how do I defend against credential stuffing attacks?
The fast, easy, free approach is using the Pwned Passwords list to block known vulnerable passwords (read about how other large orgs have used this service). There are services out there with more sophisticated commercial approaches, for example Shape Security's Blackfish (no affiliation with myself or HIBP).

Q. How can I check if people in my organisation are using passwords in this breach?
The entire Pwned Passwords corpus is also published as NTLM hashes. When I originally released these in August last year, I referenced code samples that will help you check this list against the passwords of accounts in an Active Directory environment.

Q. I'm using a unique password on each site already, how do I know which one to change?
You've got 2 options if you want to check your existing passwords against this list: The first is to use 1Password's Watch Tower feature described above. If you're using another password manager already, it's easy to migrate over (you can get a free 1Password trial). The second is to check all your existing passwords directly against the k-anonymity API. It'll require some coding, but it's straightforward and fully documented.

Q. Is there a list of which sites are included in this breach?
I've reproduced a list that was published to the hacking forum I mentioned and that contains 2,890 file names. This is not necessarily complete (nor can I easily verify it), but it may help some people understand the origin of their data a little better.

Q. Will you publish the data in collections #2 through #5?
Until this blog post went out, I wasn't even aware there were subsequent collections. I do have those now and I need to make a call on what to do with them after investigating them further.

Q. Where can I download the source data from?
Given the data contains a huge volume of personal information that can be used to access other people's accounts, I'm not going to direct people to it. I'd also ask that people don't do that in the comments section.

Comments Are Now Closed

After several hundred comments in a very short period of time, I'm closing this post for further contributions. Moderating them has consumed a significant amount of time that I've mostly dealt with whilst flying from Australia to Europe. I now need to focus on a short period of downtime followed by a couple of weeks of conference talks. Thank you all for your engagement, I'll talk more about this post in the next weekly update video I'll post on Friday 25.

Malware can fully compromise building control systems

By Waqas

Enterprise security vendor ForeScout’s operational technology research unit has developed a PoC (Proof-of-Concept) malware that exposed vulnerabilities in building automation systems (BAS) by compromising them through two very critical bugs in the BAS’s PLC (programmable logic controller). ForeScout researchers claim that the first of the two bugs uses a hard-coded secret when the […]


Ten corporate cybersecurity New Year’s resolutions


New Year is a moment when many of us set ourselves a series of resolutions to try to improve some part of our lives. And one resolution that should be on everyone’s list is an improvement in cybersecurity habits. With this in mind, we’re sharing these 10 tips for online security that will help you to protect your digital life, as well as that of your company.

In our PandaLabs Annual Report 2018, we compiled many cases where cybersecurity went wrong. And the fact is that many of these incidents — and the serious consequences they entailed — could have been avoided by following some basic security tips.


Good practices for 2019

  • One good habit to bear in mind is the use of firewalls to block unwanted access to our devices. In many cases, this solution is the first line of defense against cyberattacks. The most dramatic example of what can happen if we do away with firewalls is the case of Exactis. This US data broker left around 350 million records exposed in June last year. Anyone could have accessed details about hundreds of millions of US citizens. The cause? A lack of firewalls to protect this information.
  • Multifactor authentication. This method of confirming a user’s identity when logging in adds another layer of protection by asking for a code received on a mobile phone or on a computer. It means that, even if someone gets their hands on our password, accessing our account is more complicated. In July last year, the app Timehop gave us an example of what can happen if we don’t use multifactor authentication: the company blamed a data breach that affected 21 million users on a lack of multifactor authentication on a cloud account.
  • Updating operating systems and installing patches helps to minimize the threats of malware and vulnerabilities. This is especially important if we consider one of the predictions found in our PandaLabs Report: in 2019, new catastrophic vulnerabilities will be discovered, similar to Meltdown and Spectre, which were discovered at the start of last year. Installing all necessary updates and patches is the only way to protect yourself against the vulnerabilities that may threaten corporate cybersecurity, and thus reduce the attack surface.
  • It is very important to be selective when it comes to sharing personal information on the Internet. This information could be used to guess passwords and logins. Discretion is particularly relevant for another of our predictions for 2019. The massive analysis of data, through readily available Big Data tools, allows detailed profiles of personal preferences and trends in many areas to be extracted. Personal information spread over different social networks (Facebook, Twitter, LinkedIn, etc.), correctly analyzed and correlated, can allow the development of highly sophisticated and personalized social engineering attacks with malicious intentions.

Discover the 10 corporate cybersecurity resolutions for 2019 in our infographic, and stay protected this year.


The post Ten corporate cybersecurity New Year’s resolutions appeared first on Panda Security Mediacenter.

SN 697: Zerodium

  • The implications of the recent increase in bounty for the purchase of 0-day vulnerabilities.
  • The intended and unintended consequences of last week's Windows Patch Tuesday.
  • Speaking of unintended consequences, the US Government shutdown has had some, too!
  • A significant privacy failure in WhatsApp.
  • Another Ransomware decryptor (with a twist).
  • Movement on the DNS-over-TLS front.
  • An expectation of the cyberthreat landscape for 2019.
  • A cloudy forecast for The Weather Channel App.
  • A successful 51% attack against the Ethereum Classic cryptocurrency.
  • Another court reversing compelled biometric authentication.
  • An update on the lingering death of Flash... now in hospice care.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.


Cryptopia cryptocurrency exchange hacked; suffers “significant losses”

By Waqas

Cryptopia, a New Zealand based cryptocurrency exchange, has suffered a cyber attack leading to “significant losses.” The incident took place on January 14 and upon detecting the attack Cryptopia was forced to halt services by taking their website and exchange offline. Initially, on its Twitter account, Cryptopia claimed that the website had been taken down for “unscheduled maintenance” and displayed a […]


Bug bounty: Hack Tesla Model 3 to win your own Model 3

By Waqas

Tesla is partnering with Pwn2Own’s bug bounty to identify vulnerabilities in its Model 3 car software. Electric car maker Tesla announced recently that the company is partnering with Pwn2Own hacking contest organizers in order to help the company identify security issues in its automobiles. Tesla will be a partner in the Pwn2Own bug bounty program […]


The Pirate Bay malware can empty your Cryptocurrency wallet

By Waqas

The malware was found hidden in a Windows shortcut file on The Pirate Bay. A new malware has been identified on the popular torrent site The Pirate Bay. The malware was discovered in a shortcut file for a movie and it has the capability to manipulate web pages along with changing the addresses for Bitcoin and […]


A city in Texas is using paper after suffering ransomware attack

By Waqas

Another day, another devastating ransomware attack; this time, computers at The City Hall of Del Rio, Texas have suffered a massive ransomware attack forcing authorities to completely shut down the targeted network. The attack took place on Thursday, January 10th after which the City’s Management Information Services (MIS) Department went on to isolate the malware by turning off the […]


Government shutdown impacts .gov websites, puts Americans in danger

If you are in the United States, then you likely already know that we are on our 24th day of a government shutdown. While it is considered a “partial” shutdown, there are still plenty of government workers who are furloughed, which impacts the services they run—both online and off.

Last week, TechCrunch posted a concerning story about the shutdown, which covered the findings of NetCraft, a UK Internet service company, who discovered that numerous US government websites are now inaccessible due to expired security certificates.

This is a quick post to explain what happened, and more importantly, how cybercriminals will use this situation to their advantage.

Security certificates

We aren’t going to dig deep into how security certificates work for websites, but the gist is that every vendor or organization that runs a website needs a security certificate so that users can access the site with trust. Today, a few browsers, like Chrome, require these certificates before they even let users access the websites. You can recognize when a website uses a valid security certificate, usually indicated by a green lock in the URL bar.

The certificate confirms that the identity of the website that you are communicating with is legitimate. In addition, these certificates make it possible for users to establish a secure connection with the web server hosting the site, which is incredibly important when sending financial or personal information over the Internet.

Since some of the most popular browsers won’t even let users visit a website if it doesn’t have a valid certificate, we now have a lot of users who can’t access government websites because the certificates have expired.

Why did they expire?

If a security certificate lasted forever, what would be the assurance that it hasn’t been stolen by criminals who could then use it on their own malicious websites? Because of this, the organization that owns the website must purchase and deploy a new certificate each year. Think of it as a yearly registration fee, not unlike renewing your car tags.

The reason these certificates were allowed to lapse is that no one’s at work renewing them. Apparently, most US government websites maintain their own certificates. This is why not all US .gov websites are down—just a few of them (at least for now). With the partial shutdown, the people in charge of making sure citizens can access their websites by keeping these certificates up-to-date are unable to do their jobs, which eventually leads to users being unable to access these sites at all.
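An expiry check of the kind that keeps a lapse like this from going unnoticed, added here as an example and not code from the Malwarebytes post: it takes the notAfter date that Python's ssl module reports for a server certificate, classifies it as expired, expiring soon or valid, and sorts a list of hosts by days remaining so the ones needing renewal come first. The live check also shows the behaviour the post describes from the other side: with a verifying context the TLS handshake itself fails on an expired certificate, so the function reports the verifier's message rather than a date. The hostnames and dates in SAMPLE_RECORDS are constructed placeholders, and the 14-day warning threshold is an assumed value.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # assumed threshold for "renew soon"; tune to your renewal process


def at_utc(year: int, month: int, day: int) -> datetime:
    """Helper for building a timezone-aware UTC instant (used as 'now')."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def seconds_until_expiry(not_after: str, now: datetime) -> float:
    """not_after is the 'notAfter' string from ssl.getpeercert(), for example
    'Jan 15 00:00:00 2019 GMT'; ssl.cert_time_to_seconds parses it as UTC."""
    return ssl.cert_time_to_seconds(not_after) - now.timestamp()


def classify(not_after: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'expiring-soon' (inside the warning window) or 'valid'."""
    remaining = seconds_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days * 86400:
        return "expiring-soon"
    return "valid"


def audit(records, now: datetime) -> list:
    """records: iterable of (hostname, notAfter). Returns a list of
    (hostname, status, whole_days_left) sorted so the most urgent come first."""
    report = []
    for hostname, not_after in records:
        days_left = int(seconds_until_expiry(not_after, now) // 86400)
        report.append((hostname, classify(not_after, now), days_left))
    report.sort(key=lambda row: row[2])
    return report


def check_host(hostname: str, port: int = 443) -> str:
    """Live check (needs network). A verifying context refuses the handshake
    on an expired or otherwise untrusted certificate, exactly as a browser
    does, so that case is reported from the verifier's message."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted: {exc.verify_message}"
    return classify(not_after, datetime.now(timezone.utc))


# Constructed sample inventory: placeholder hostnames and made-up dates.
SAMPLE_RECORDS = [
    ("www.agency.example", "Jan 10 00:00:00 2020 GMT"),
    ("forms.agency.example", "Jan 10 00:00:00 2019 GMT"),
    ("portal.agency.example", "Jan 20 00:00:00 2019 GMT"),
]

if __name__ == "__main__":
    for hostname, status, days in audit(SAMPLE_RECORDS, at_utc(2019, 1, 15)):
        print(f"{hostname:28} {status:14} {days:+d} days")
```

Run `audit` from a scheduled job over the certificates you are responsible for; a row that reaches "expiring-soon" is the point at which a renewal should already be in motion, since "expired" is the state users see as a blocked site.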

What’s the problem?

Obviously, not being able to access some government websites is a pain, but is it dangerous? The answer is: yes, because you can bet that cybercriminals are going to take advantage of the situation.

That is why we want to share some vital warnings about how this shutdown may help cybercriminals. Please, share this with everyone you know, at least until the shutdown is over.

Cybercriminals frequently use real-world events to trick users into clicking on a link or opening an attachment. You can look back at a couple of instances where events in Syria directly influenced the actions of cybercriminals, be it state sponsored or otherwise. In another case, the Boston bombing was used to try and scam people. From terrorist attacks to natural disasters, threat actors jump on the chance to exploit episodes of fear and uncertainty.

Fake YouTube page set up to infect Syrian rebels

You can expect that users who are looking for government websites, especially if they offer a service or require personal information or a login to access, are going to find copies of these sites presented as an alternative to access the same website.

Fake Singapore government website. Photo credit: Gov.SG

Users who rely on social services—typically older folks, veterans, or the disabled—will be looking for a way to access the government sites they frequent. When they search for the site, their first link might take them to a dead end, since the security certificate has expired. However, the second or third link might work and take the user to a page that looks exactly like where they want to go.

Classic phishing attack.

What to do about it

The best thing to do right now is share this information with those closest to you so they don’t make a mistake and give away valuable personal info just because the government has issues keeping itself open. Also, be vigilant moving forward, not just in this case but anytime there is sensational news. Don’t just accept what the Internet tells you. Investigate. Think twice. And please, please, when in doubt, do not submit your personal information online.

The bad guys know human behavior, and they know that people can’t help clicking on links that are either convenient or scandalous and sensational. Prove them wrong.

Stay safe out there!

The post Government shutdown impacts .gov websites, puts Americans in danger appeared first on Malwarebytes Labs.

The seven most serious data breaches of 2018


Cybercrime grows every year, and 2018 was no exception. Cybercriminals can change their attack methods, their targets, or the way they act, but the challenge is always the same: breaking through companies’ corporate cybersecurity and getting access to as much data as possible.

Many companies, unfortunately, learn this lesson the hard way: Adidas, Ticketmaster, T-Mobile and British Airways are just a few. But, serious though these cases were, they didn’t top the list. The following are the seven most serious data breaches of 2018.

1.- Aadhaar: 1.1 billion records.

India has a serious cybersecurity problem. To be more precise, its national ID database, Aadhaar, which holds information on close to 1.1 billion citizens, does. The database was leaked and made available to anyone willing to invest (very little) money to get it.

In January, several Indian journalists discovered that several WhatsApp groups were circulating throughout the country in which anyone could buy the file of a specific citizen. The price, 500 rupees (a little under 6 euros), granted access not only to names and surnames, but also to personal data and bank details. Despite the fact that the government denied this leak, it went much further than this: researchers also discovered that, for a period of time, citizens who visited their own profile online could access other citizens’ profiles simply by changing their ID in the private URL on the Aadhaar website.

2.- Marriott: 500 million customers

Marriott is one of the largest hotel groups in the world, and its most serious weak point has just been discovered.  The company announced in November that the booking system for other hotel chains in its group had been hacked. The data leak had been in progress since 2014, and had affected no fewer than 500 million customers, whose bank details and personal data are now at the disposal of whoever wants to buy them.

3.- Facebook and its pact with Netflix, Microsoft…

One of the biggest scandals of the year, and yet another black mark for Facebook. The New York Times revealed that Mark Zuckerberg’s social network has, for years, shared its users’ data (without their knowledge) with over 100 tech giants. Among the companies that bought this information were some as important as Amazon, Bing, Yahoo!, and Netflix, all of which had access to users’ posts and even their private messages.

Data breaches 2018 infographic

4.- Exactis: 340 million records.

The plans of the American data broker Exactis were laid to waste last June. This time not because of theft, or even a cybercriminal act. So what had happened? The agency had left around 340 million records exposed on a public server.

In this case, there were none of the users’ bank details in the records, but they did contain 150 fields of information, with perhaps even more sensitive information: number of children in a house and their ages; the kind of payment card used by that person; an estimation of the value of their house; if they have shares in companies; their hobbies; the company with which they have their mortgage; their ethnic group; along with many others. The million dollar fines for GDPR infringement won’t take long to arrive.

5.- Under Armour: 150 million records.

If you use MyFitnessPal, one of the most widely used nutrition apps in the world, your data is at serious risk. The company that developed the app, Under Armour, was forced to admit in March that a cybercriminal had accessed the registration details of around 150 million users. Among the data stolen from each user are both the email address used to register and the password used to access the account.

6.- Panera Bread: 37 million records.

Is there anything worse than being the victim of information theft? Yes: ignoring those who have been telling you about it for eight months. This is exactly what happened to the restaurant chain Panera Bread, which had to announce that its website had exposed the registration details of at least 37 million customers. Now these customers know (or at least they should) that their names, email addresses, physical addresses and the last four digits of their credit cards have been at the mercy of whoever wanted to take or buy them.

7.- 35 million US voters

As if the elections in the States hadn’t suffered enough: suspicions of vote tampering, the spreading of all kinds of information using voter details… Then this: in October, it was discovered that a website was selling electoral records of around 35 million voters. This incident, which affected 19 states in the country, wouldn’t have allowed any alteration of votes, but it would have been enough to change voter lists at polling stations, stopping citizens from being able to vote correctly.

As we can see, many companies have been forced to make data protection the leading priority to protect their corporate cybersecurity. To fight this problem, there are tools such as Panda Data Control, the data protection module of Adaptive Defense. It stops uncontrolled access to the company’s personal and sensitive data by monitoring all system processes, sending out alerts in real time about leaks, use, and suspicious, unauthorized movements. Ultimately, it proactively and immediately detects any kind of threat, helping companies not only to protect their corporate cybersecurity, but also to comply with the GDPR and avoid its million euro fines.

The fact is that data has become the oil of the modern age, and this goes far beyond tech companies. Any kind of company, regardless of its sector or its size, can be exposed to cybercriminals. It is therefore essential that they know how to protect their greatest asset: their data.

The post The seven most serious data breaches of 2018 appeared first on Panda Security Mediacenter.

Man whose DDoS attacks took down entire country’s Internet jailed

By Waqas

A court in London has sentenced British and Israeli cyber criminal Daniel Kaye, aka “BestBuy” and “Popopret”, to two years and eight months in prison for conducting large scale DDoS attacks on Lonestar Cell MTN, disrupting the country’s Internet and causing tens of millions of dollars in damages. Kaye (30) was charged with DDoS attacks against British and German […]


This Week in Security News: Adware and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about an adware that disguised itself as different apps and monitors mobile devices. Also, learn more about the different ransomware attacks Trend Micro has been tracking.

Read on:

Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users

This adware discovered by Trend Micro is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. 

Reddit locks out users with poor password hygiene after spotting ‘unusual activity’

Some Redditors have been locked out of their accounts over a mysterious security problem that the internet forum’s admins have blamed on people reusing old passwords.

German Man Admits to Politician Data Breach

A 20-year-old man has admitted to police that he was behind the recent data breach that exposed the personal data and documents of almost 1,000 German politicians and public figures online. 

Tech Support Scams: What are They and How do I Stay Safe?

If you’re still unsure what tech support scams are, and how you can protect yourself, this handy guide will tell you everything you need to know.

Chubb Announces Key Cyber Security Trends to Watch in 2019

 As business decision-makers look to the year ahead, it is critical to address existing and new cyber security concerns. To help with that process, Chubb has launched its first annual cyber security predictions, which focus on the top risks in 2019 and beyond.

Millions of Android Users Tricked Into Downloading 85 Adware Apps From Google Play

Researchers at Trend Micro discovered 85 apps that were pushing adware designed to squeeze money out of around 9 million affected Android users. 

Ransomware MongoLock Immediately Deletes Files, Formats Backup Drives

Trend Micro has been following MongoLock ransomware attacks that demand a payment of 0.1 bitcoin from victims within 24 hours to retrieve the files allegedly saved on the cybercriminals’ servers.

Samsung Phone Users Perturbed to Find They Can’t Delete Facebook

With consumers becoming more alert about their digital rights and privacy, Android phone users have begun to question Samsung’s deal to sell phones with a permanent version of Facebook.

JavaScript Malware in Spam Spreads Ransomware, Miners, Spyware, Worm

Trend Micro observed a sudden spike in JavaScript malware in more than 72,000 email samples that sourced and spread at least eight other kinds of malware beginning December 31, 2018. 

Kitchenware Companies Breached in Dual Attacks

OXO International, a maker of kitchen utensils, and, which sells a variety of kitchenware promotional materials, each reported attacks this week.

Do you think adware and ransomware will continue to be prominent cybersecurity issues this year? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Adware and Ransomware appeared first on .

Upcoming cybersecurity events featuring BH Consulting

Here is a summary of upcoming cybersecurity events, conferences, webinars and training programmes where BH Consulting staff will deliver presentations about issues relating to cybersecurity, data protection, GDPR, and privacy. Each listing includes links for more information and registration.

Data Protection Officer certification course: Maastricht, 14-18 January 

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. This event is fully booked but it runs several times a year. More details are available here.

Medico-Legal Society of Ireland: Dublin, 16 February

Our COO Valerie Lyons will be speaking at the annual academic day of the Medico-Legal Society of Ireland. Its theme this year is cyberspace, medicine and the law. The event takes place on Saturday 16 February at the Honorable Society of King’s Inns in Dublin. For more details, visit the society’s events listing.

Cloud & Cyber Security Expo: London, 12-13 March

Brian Honan will be presenting at this two-day event which takes place in London’s ExCeL venue. There will be close to 150 speakers at the conference, which aims to help organisations implementing a digital transformation strategy to do so securely. General information is available at the event website, and organisers are still finalising the full speaker lineup. You can register via the site or directly at this link.

Security BSides Dublin, 23 March 2019

The hugely successful and growing Security BSides series is coming to Dublin for the first time. The event will take place at the Convention Centre Dublin on Saturday 23 March 2019. We at BH Consulting have been long-time supporters of the community-driven series, and we’ll be sponsoring the inaugural Dublin event. The organisers are still accepting calls for papers from industry newcomers and veterans alike. Visit here to find out more.

Data Protection Officer certification course: Maastricht, 1-5 April

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at this course, and a link to book a place is available here.

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.

What is a firewall?

You’ve probably heard the word “firewall” a few times in recent years. There was even a 2006 Hollywood movie of the same name starring Harrison Ford, Paul Bettany and Virginia Madsen.

But what is a firewall, and why do they matter?

Keeping the bad guys out

At the most basic level, a firewall is a system that prevents unauthorised access to a network. The firewall acts like a bouncer at the entrance to the network, checking the identification of everyone who tries to enter. Any unauthorised access attempt is blocked automatically.

How does a firewall work?

Before you can properly understand why firewalls matter, you first need to understand a tiny bit about how data is sent between computers.

Say you email a document to a colleague. Your computer splits the document into tiny pieces called packets which are then sent one at a time to your colleague’s computer. Each packet contains additional information that tells the recipient’s computer how to rebuild the document from the packets – and where the packets are coming from. This whole process can be completed in a matter of seconds.

Network data transfers aren’t foolproof though. Packets can get corrupted or lost during transfer. Or they can be intercepted and modified by hackers.

A firewall adds an important layer of protection into the data transfer mechanism. The firewall sits between your computer and the recipient’s, checking every packet that passes through. Any network traffic that has been faked, is coming from an unauthorised or unrecognised source, or is otherwise suspicious is blocked automatically.

The firewall does a lot more besides too. It monitors all network traffic, preventing hackers from breaking into your computer or other internet-connected devices.

Why do firewalls matter?

In a business environment, the firewall is installed at the edge of the network; all network traffic has to pass through the firewall, and is analysed in transit. And the same is true of application firewalls like those included with Panda Dome that are installed on home computers.

Effective network security works on the principle of blocking suspicious traffic before it reaches your computer. In a corporate network, that means stopping hackers before they can access the network. At home, you need to drop/block bad network traffic before it can reach the data stored on your computer.

A firewall is not the same as antivirus – it does not check to see whether incoming packets contain malware. But it does automatically block the most suspicious network traffic to keep criminals out. Like antimalware systems however, a good firewall is also regularly updated so that it is capable of blocking the latest threats and suspicious activities.

And this automated checking is an important tool for raising the overall level of protection for your home computer and data.

To learn more about firewalls, please take a look at the Panda knowledgebase. And if you’d like to protect your computer with a firewall now, please download a free trial of Panda Dome Security.


The post What is a firewall? appeared first on Panda Security Mediacenter.

Security newsround: January 2019

We round up interesting research and reporting about security and privacy from around the web. This month: the security year in review, resilience on rails, incidents in depth, phishing hooks millennials, Internet of Threats, and CISOs climbing the corporate ladder.

A look back at cybercrime in 2018

It wouldn’t be a new year’s email without a retrospective on major security incidents over the previous 12 months. Credit to CSO Online for assembling a useful overview of some of last year’s most common risks and threats. To beef up this resource, it sourced external research and stats, while adding plenty of links for further reading. Some of the highlights include the massive rise in cryptocurrency mining. “Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless,” it warned.

The article also advises against posting mobile numbers on the internet, because criminals are finding ways to harvest them for various scams. CSO also advises organisations about knowing the value of their data in order to protect it accordingly. Threatpost has a handy at-a-glance guide to some of the big security incidents from the past year. Meanwhile, kudos to Vice Motherboard for its excellent ‘jealousy list’ which rounds up great hacking and security stories from 2018 that first appeared in other media outlets.

Luas security derails tram website

The new year got off to a bad start for Dublin’s tram operator Luas, after an unknown attacker defaced its website in a security incident. On January 2nd, the Luas site had this message: “You are hacked… some time ago i wrote that you have serious security holes… you didn’t reply… the next time someone talks to you, press the reply button… you must pay 1 bitcoin in 5 days… otherwise I will publish all data and send emails to your users.”

The incident exposed 3,226 user records, and Luas said they belonged to customers who had subscribed to its newsletter. News of the incident spread widely, possibly due to Luas’ high profile as a victim, or because of the cryptocurrency angle.

The tram service itself was not affected, nor was the company’s online payments system. While the website was down, Luas used its Twitter feed to communicate travel updates to the public, and warned people not to visit the site. Interviewed by the Irish Times, Brian Honan said the incident showed that many organisations tend to forget website security after launch. As we’ve previously blogged, it’s worth carrying out periodic vulnerability assessments to spot gaps that an attacker could exploit. With the Luas site not fully back six days later, Brian noted on Twitter that it’s important to integrate incident response with business continuity management.

One hacked laptop and two hundred solemn faces

When an employee of a global apparel company clicked on a link in a phishing email while connected to a coffee shop wifi, they unwittingly let a cybercrime gang onto their corporate network. Once in, the attackers installed Framework POS malware on the company’s retail server to steal credit card details. It’s one real-life example from CrowdStrike’s Cyber Intrusion Casebook. The report details various incident response cases from 2018. It also gives recommendations for organisations on steps to take to protect their critical data better. In addition to coverage in online news reports, the document is available as a free PDF on CrowdStrike’s site.

Examples like these show the need for resilience, which we’ve blogged about before. No security is 100 per cent perfect. But it shouldn’t follow that one gap in the defences brings the entire wall crumbling down.

Digitally savvy, yes. Security savvy, not so much

Speaking of phishing, a new survey has found that digital natives are twice as likely to have fallen victim to a phishing scam as their older – sorry, we mean more experienced – colleagues. Some 17 per cent in the 23-41 age group clicked on a phishing link, compared to 6 per cent of 42-53 year olds and 7 per cent of those aged 54+. The findings suggest a gap between perception and reality.

Out of all the age groups, digital natives were the most confident in their ability to spot a scam compared to their senior peers. Yet the 14 per cent of digital natives who weren’t as sure of their ability to spot a phish was strikingly close to the percentage in the same age bracket who had fallen for a phishing email. The survey by Censuswide for Datapac found that 14 per cent of Irish office workers – around 185,000 people – have been successfully phished at some stage.

OWASP’s IoT hit list

Is your organisation planning an Internet of Things project in 2019? Then you might want to send them in OWASP’s direction first. The group’s IoT project aims to improve understanding of the security issues around embedding sensors in, well, anything. To that end, the group has updated its top 10 list for IoT. The risks include old reliables like weak, guessable passwords, outdated components, insecure data transfer or storage, and lack of physical hardening. The full list is here.

The number’s up for CISO promotions

Why do relatively few security professionals ascend to the highest levels of business? That’s the provocative question from Raj Samani, chief scientist with McAfee. In an op-ed for Infosecurity Magazine, Samani argues that security hasn’t yet communicated its value to the business in an identifiable way. Proof of this is the fatigue or indifference over ever-mounting numbers of data breaches. Unlike a physical incident like a car accident where the impact is instantly visible, security incidents don’t have the same obvious cause and effect.

“The inability to determine quantifiable loss means that identifying measures to reduce risk are merely estimated at best. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked,” Samani writes. “We can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way.”

The post Security newsround: January 2019 appeared first on BH Consulting.

SN 696: Here Comes 2019!

  • The NSA announces the forthcoming release of a powerful internal reverse-engineering tool for examining and understanding other people's code.
  • Emergency out-of-cycle patches from both Adobe and Microsoft.
  • PewDiePie hacker strikes again.
  • Prolific 0-day dropper SandboxEscaper ruffles some feathers.
  • A new effort by the US government to educate industry about the risks of Cyber attacks.
  • Welcome news on the ransomware front.
  • VERY welcome news of a new Windows 10 feature.
  • A note about a just-published side-channel attack on OS page caches.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.


Tech Support Scams: What are They and How do I Stay Safe?

If you read this blog regularly you’re no doubt aware that cyber-criminals are a determined bunch, with a large range of tools and tactics at their disposal to rob you of your identity and hard-earned cash. Tech support scams (TSS) are an increasingly popular way for them to do just this. In 2017, Microsoft Customer Support Services received 153,000 reports from customers around the world who encountered or fell victim to these scams, a 24 percent increase on the previous year. Many lost hundreds of dollars in the process.

Yet the real scale of the problem is likely to be many times bigger.

If you’re still unsure what tech support scams are, and how you can protect yourself, this handy guide will tell you everything you need to know.

What types of tech support scam are there?

Tech support scams target users of any device, platform or software and can involve a variety of tactics. Typically they include an online element, a phone call with the scammer, or both; the scammer pretends to be a technical support worker for a reputable company like Microsoft or your ISP. They try to trick you into believing there’s something wrong with your computer so that you agree to hand over money (and credit card details) to ‘fix’ it, to allow them remote access to your machine, or both. Remote access enables them to download covert info-stealing malware.

Here are the two main ways a TSS can begin:

  • Cold calling: You could get a call at any time from one of these fake ‘tech support’ workers. They may even hijack Caller ID to appear legitimate. They’ll try to bamboozle you with tech jargon and create a sense of urgency that your machine and the data on it is in danger if you don’t act immediately.
    They’ll usually persuade you to download a special tool so they can remotely access your PC. They’ll then pretend your machine is infected with malware and ask for payment to remove it, or to buy a meaningless maintenance, support, or security package. Ironically, by giving them access to your PC, you’ve provided an opportunity for the scammers to download real malware to steal more of your personal information.
  • Online issues: A scam could also start online, if you accidentally visit a malicious website. How might you do this? Potentially, by mistyping the address of your favorite site into the address bar, or by clicking on a scam link in an unsolicited email. You might even have been searching for some breaking news on a particular high-profile story, only to find a link high up on the search listings took you to a malicious website.
    After doing so you might suddenly be presented with pop-ups saying your computer is infected with malware or malfunctioning. Sometimes they put your browser onto full screen mode with alerts which can’t be removed, effectively locking your screen. The message they display is likely to have a ‘tech support’ phone number you’re urged to call to sort the non-existent problem out. That will put you through to those same scammers that cold call users in scenario 1.

The bottom line is that if you fall for one of these tactics, you may lose an initial sum of money by paying the scammer, but also be exposed to further fraud on that card in the future as they’ll have your details on file. You could also be at risk of identity theft if the bad guys have downloaded malware to steal more personal info from your machine, like banking log-ins, Social Security numbers and more.

Microsoft claimed last year that three million users are subject to these scams every month, and more than half (56%) are from the US. The FBI, meanwhile, estimated tech support fraud losses in 2017 amounted to $15 million, an 86 percent increase on the previous year.

How do I stay safe, or recover, from a scam?

Fortunately, there are several things you can do to prevent the scammers getting what they want, and even if you are caught out, some quick thinking can help to minimize the impact on your life and finances.

Staying safe:

  • If you receive an unsolicited phone call claiming to come from Apple, Microsoft, Verizon or similar, hang up, or get more details and call the company back directly. Don’t hand over any personal or financial information and don’t allow the caller to download anything to your computer.
  • Stay up-to-date with the latest browser and software/OS versions to minimize the chances the bad guys can take you to malicious sites or launch pop-ups on your machine.
  • Take extra care when typing website names into your address bar.
  • Be cautious online: don’t click on any links in unsolicited emails or on websites.
  • Only download software from legitimate vendor websites/app stores.
  • Invest in third-party security software from a reputable supplier like Trend Micro, to detect TSS malware.

If you’ve been scammed:

  • Immediately delete any remote-access software the scammer may have encouraged you to install.
  • Download and use software from a provider like Trend Micro to detect and remove any installed malware.
  • Once malware has been fully removed, change all your computer and online account passwords.
  • Call your bank/credit or debit card provider to cancel relevant cards and claim back any money already lost.
  • Continue to monitor bank and online account activity and take action if there’s anything suspicious.
  • Upgrade your software, OS and browser to the latest versions.
  • Beware of follow-on scams in the coming days, weeks, or months.
  • Report the scam to Microsoft, Apple or other relevant provider.

How can Trend Micro help?

For the online side of tech support scams, Trend Micro Security offers comprehensive multi-layered protection from the malicious sites, pop-ups, browser takeovers and malware associated with tech support scams. Here are just some of the techniques we use to keep you safe:

  • Web Reputation Service: Blocks access to any malicious URLs linked to scams.
  • Script Analyzer Lineup: Scans websites for any malicious code run on the web pages, to detect the presence of potential tech support threats.
  • Real-time Virus Scanner: Blocks any suspected malware downloads from support scam sites.
  • Static Intelligence Engine: Leverages machine learning to greatly enhance the detection of tech support scams.
  • Scanning/malware removal: Cleans up any malware installed on infected machines if you have been caught out by a support scam.

Visit Trend Micro Security to find out more about how TMS protects you, or to buy the product.

The post Tech Support Scams: What are They and How do I Stay Safe? appeared first on .

No, Spotify Wasn’t Hacked



Time and time again, I get emails and DMs from people that effectively boil down to this:

Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breach

Many years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online. Very often, those addresses are accompanied by other personal information such as passwords. When an HIBP subscriber's address appears in one of these incidents, they get an automated notification and often, it seems, they then reach out to me.

Here's a perfect example of what I'm talking about, this one eventually triggering an email to me just last week:

[screenshot]

Let's imagine you're the first person on the list; you get a notification from HIBP, you check out the paste and see your Hotmail account listed there alongside your Spotify password and the plan you're subscribed to. Clearly a Spotify breach, right?

No, and the passwords are the very first thing that starts to give it all away. Just looking at them, they're obviously terrible, but plugging the first one into Pwned Passwords gives you a sense of just how terrible it is:

[screenshot]

They may not all be that bad (the next one in the list has only been seen twice), but the point is that it's a password that's clearly been seen before and were I to dig back into the source data, there's a good chance it's been seen in a breach alongside that email address too. Then there's the fact that the password is in plain text and I don't know precisely how Spotify store their passwords, but it'd be a very safe bet that by now it's a decent modern-day hashing algorithm. If they had a breach then yes, hashes may be cracked, but that's not what's happening here.
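The Pwned Passwords lookup mentioned above works without the password ever leaving your machine: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that range with a count, and matches the remaining 35 characters locally. The following is an added example of that k-anonymity check (it is not HIBP's own client code). The range response it parses offline is constructed for the demo: the first suffix is the genuine remainder of SHA-1("password"), but the counts and the other suffixes are made up, and the online `fetch_range` helper is only used when you call `check_online` yourself.

```python
"""Check a password against the Pwned Passwords corpus without sending the password.

Added example, not HIBP's own client code. The sample response below is constructed.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"


def hash_parts(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 of the password into the 5-character prefix that is
    sent to the service and the 35-character suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by suffix; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Online lookup of one hash prefix (only used via check_online)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-passwords-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. The first suffix is the real remainder of
# SHA-1("password"); its count and the other two lines are invented for the demo.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000
1E6A4C2C7D11CE79E5C0E79E71E2F65A8E3:2
1F0C7D0C8A4E4B7C1B1D9B3E1A8F6C5D2E4:15
"""
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range: serves the constructed sample, or an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password has been seen. 0 means 'not in the corpus',
    which is not the same as 'strong'."""
    prefix, suffix = hash_parts(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def check_online(password: str) -> int:
    """Same check against the live service; only the 5-character prefix is transmitted."""
    return pwned_count(password, fetch_range)


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-2019"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the sampled range'}")
```

Because the match happens on the client, the service learns only that some password in a bucket of roughly a million hashes was queried, which is why an account platform can safely run this check at password-change time.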

We're simply seeing the successful result of credential stuffing attacks. Regular readers will appreciate the mechanics of this already, but for those I point here for whom this is new: this attack simply takes exposed credentials from a data breach and tries them on another site. The attack is simple but effective due to the prevalence of password reuse. If you were using the same password on LinkedIn when they had their data breach as you are on Spotify today, and someone grabbed that password from the breach and tried it on Spotify, you can see the problem. That's it, job done, they're into your account.

Spotify "breaches" like this are enormously common. I just went and looked at the pastes HIBP has collected since the clock ticked over to 2019 and found 20 of them already:

[screenshot]

Digging further, I found over a thousand pastes with "Spotify" in the title. These are often removed by Pastebin pretty quickly but looking through some that remain, it's precisely the same pattern as the earlier example. I grabbed a random email address out of one of them and checked it on HIBP:

[screenshot]

The same address appears over and over in pastes and each time, the same password appears alongside it. Picking one from the list above that hasn't yet been removed shows a page full of examples like this (with a password Pwned Passwords has seen 4 times before):

[screenshot]

This one is interesting for a couple of reasons and the first is the use of the term "combo". I've written about combo lists before and they're essentially combinations of email addresses and passwords used to test against services in credential stuffing attacks. Thousands. Millions. Billions of them, in some cases. The second interesting observation in that image is the "Spotify Cracker" reference. The first Google result for the term shows a popular cracking forum with the following image (password seen 447 times in Pwned Passwords):

[screenshot]

This is a tool for breaking into Spotify accounts. I wouldn't normally link through to content of that type, but context is important. For people wondering why they're getting alerts from HIBP because their Spotify account is in a paste somewhere, have a flick through some of those pages: 61 of them at the time of writing, each with 20 posts thanking the OP for their work in order to get access to the tool. So what does it do? Have a quick watch of this:

It's a slightly different piece of software based on what's visible, but the objective is the same and the premise is simple: download the tool, pass in the combo list then let it run. Credentials from the list are then tested against Spotify (yes, security friends, there's a very good question to be asked here as to why this is still possible...) and results appear on the screen.
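The question in the parenthesis is a detection question: a combo list replayed by a tool looks nothing like normal sign-in traffic, because one source walks through many different accounts and almost all of the attempts fail. The following added example (not Spotify's or HIBP's code) shows the platform-side logic over a constructed authentication log: it aggregates attempts per source, flags sources whose attempt count, distinct-account count and failure rate fit the stuffing pattern, and lists the accounts such a source did get into, which are the ones that need a forced reset. The log line format, the thresholds and every address are assumptions made for the demo.

```python
"""Spot credential-stuffing traffic in authentication logs.

Added example; not Spotify's or HIBP's code. The log format and all addresses are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format: "<timestamp> login ip=<addr> user=<account> result=OK|FAIL"
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: Set[str] = field(default_factory=set)
    hits: List[str] = field(default_factory=list)   # accounts this source logged into


def parse_line(line: str) -> Optional[Tuple[str, str, bool]]:
    """Return (ip, user, succeeded), or None for lines that are not login events."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("user"), m.group("result") == "OK"


def aggregate(lines: List[str]) -> Dict[str, SourceStats]:
    """Per-source counters over the whole log."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ok = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.hits.append(user)
    return stats


def suspicious_sources(lines: List[str], min_attempts: int = 20,
                       min_distinct_users: int = 10, max_success_rate: float = 0.2) -> List[str]:
    """One source cycling through many different accounts with a low hit rate is a combo
    list being replayed. A busy office NAT also has many users, but they mostly succeed."""
    flagged = []
    for ip, s in aggregate(lines).items():
        rate = s.successes / s.attempts
        if (s.attempts >= min_attempts and len(s.users) >= min_distinct_users
                and rate <= max_success_rate):
            flagged.append(ip)
    return sorted(flagged)


def compromised_accounts(lines: List[str], **thresholds) -> List[str]:
    """Accounts that a flagged source logged into: candidates for a forced password reset."""
    stats = aggregate(lines)
    return sorted(user for ip in suspicious_sources(lines, **thresholds)
                  for user in stats[ip].hits)


# Constructed sample log: one source replays 40 email/password pairs and gets 2 hits,
# a normal user mistypes once, and an office NAT carries 12 different successful logins.
SAMPLE_LOG: List[str] = [
    f"2019-01-06T10:00:{i:02d}Z login ip=203.0.113.5 user=user{i:02d}@example.com "
    f"result={'OK' if i in (7, 23) else 'FAIL'}"
    for i in range(40)
]
SAMPLE_LOG += [
    "2019-01-06T10:01:00Z login ip=198.51.100.7 user=alice@example.com result=FAIL",
    "2019-01-06T10:01:05Z login ip=198.51.100.7 user=alice@example.com result=OK",
]
SAMPLE_LOG += [
    f"2019-01-06T10:02:{i:02d}Z login ip=198.51.100.20 user=staff{i}@example.com result=OK"
    for i in range(12)
]

if __name__ == "__main__":
    print("suspicious sources:", suspicious_sources(SAMPLE_LOG))
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG))
```

A real deployment would also key on a sliding time window, since these tools run in bursts, and would catch distributed variants by watching for the same account hit from many sources; the per-source view here is the first-order check that makes a 5 per cent hit rate across 40 accounts stand out.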

Now, this isn't to say that someone who finds their Spotify account on one of these lists shouldn't worry because it wasn't a breach per se. Instead, they need to look inwardly and adjust their own security practices instead. Get a password manager (8 years on and I still use 1Password every day), create strong and unique passwords on every account and enable 2-factor authentication where available. Well, except that there's still no 2FA support on Spotify so just enable it on every other service that supports it (and most big ones do these days).

And why would someone "hack" (I use the term loosely because they literally logged in with the correct username and password) Spotify accounts? The obvious answer is that they have a monetary value, but I also posit that it's very often just curiosity driving this behaviour. Take a look at a video such as this SQL injection tutorial; I've used it in talks before to illustrate the randomness of attacks as well as the sophistication of those behind many of them. Is the person in this video an evil cyber hacker hell-bent on causing chaos, or just a curious kid whose moral compass is yet to be properly calibrated? That may not make Spotify users feel any better about the end result, but it's important context for this post.

In doing a bit of searching for this piece I found heaps of results for "spotify data breach" that led to discussions highlighting what I've covered above. For example, this one from August on the Spotify community site where the original post begins with:

Someone had access to my pasword [sic] (which is totally unbreakable and diferent [sic] from the one i use in other accounts)

I don't know what their password was, but I do know that I've had dozens of discussions with people making precisely the same claims only to discover "their" password is in Pwned Passwords a few hundred times! Or they entered it into a phishing site somewhere. If we apply Occam's Razor to this (the simplest solution is the most likely one), the password was compromised. I want to illustrate this point via the following Tweet:

This is Scott Helme, a world-renowned security researcher who understands these concepts as well as anyone I can imagine. This tweet is part of a broader discussion where his Pinterest account was logged into by an unknown party and per the image above, Scott was convinced his password was both strong and unique. A couple of hours later, Scott's view is, well, somewhat "different":

I spoke to Scott about this incident again whilst writing this post and we both reflected on just how easy it is to have issues like this, even when you're convinced your security is spot on. It's precedents like this which cause me to pause and question every strongly made claim of personal security prowess in the wake of examples such as the Spotify community one above.

Reading through that thread only reinforces the view that this was a simple account takeover issue and not a sophisticated hack. For example, this comment:

It's such a shame to see Spotify blaming its users for getting hacked instead of fixing the problem. Got my playlists deleted and the hacker created a playlist called "Get Hacked".

Imagine you're a hacker - a real one with the capabilities to break into a company with hundreds of millions of users and worth billions of dollars - what are you going to do? Are you just going to mess with people's playlists "for the lulz"? No, at the very least you're going to cash in on their public bug bounty or if you're really the malicious type, you're going to monetise their users in a much more surreptitious fashion.

Scroll down a little further and someone is referencing HIBP as "proof" of a hack. Here's what happened to the guy's account:

I got a notification from and did nothing about it until some random kept playing weird music on a device I did not recognize while I was trying to listen on my normal device. It was annoying, I kept getting pulled out of my song because we started battling for control of what device and what song the audio was to be heard on. I started playing really loud and obnoxious noise music for the hacker while I changed my password.

Now again, let's apply Occam's Razor: is this an elite hacker who's discovered some previously unknown zero-day vulnerability, or someone who's exploited the victim's password and then simply has a different taste in music?

The community thread references a paste titled "Más de 300 cuentas premium de Spotify" ("More than 300 Spotify premium accounts") which has since been deleted from Pastebin (and HIBP doesn't save the contents beyond just the email addresses). But 4 days earlier there was a paste titled "Más de 50 cuentas premium de spotify" which still stands today and its content lines up very closely with the others discussed above; it's simply the output of another automated tool exploiting weak credentials.

I'll end on one final point because if I don't, it'll come through in the comments anyway: online security is a shared responsibility. Some people are quick to play the "victim blaming" card when I write about incidents that can be traced back to weak security practices. Clearly, that's not causing me to sugar-coat the root cause of these incidents but that said (and I touched on this earlier), this is prevalent enough that Spotify also needs to look internally at why this is still occurring. Their job is to stop this form of attack at the platform level and our job as users of the service is to protect our accounts via some basic security practices.

So no, Spotify wasn't hacked, they just allowed malicious parties to log in with other people's poor passwords.

Dust-sized battery-free AI sensor with RF-free wireless

The title of this post is the announcement I just received in a CES invite to assess product security. Well, technically it was a “VIP lounge” invite more than a “please break our product” invite, but I treat them the same if you know what I mean. Perhaps most infamously when I went to CES … Continue reading Dust-sized battery-free AI sensor with RF-free wireless

60% of Organizations Suffered a Container Security Incident in 2018, Finds Study

Many organizations have DevOps on their mind going into 2019. This is a global movement. In fact, Puppet and Splunk received responses for their 2018 State of DevOps Report from organizations on every continent except Antarctica. Those organizations varied in their industry, size and level of DevOps maturity, but they were all interested in learning […]… Read More

The post 60% of Organizations Suffered a Container Security Incident in 2018, Finds Study appeared first on The State of Security.

IBM Watson Sued by LA County for Secretly Tracking Users

Let’s get one thing out of the way. IBM’s Watson was instrumental to the Nazi Holocaust as he and his direct assistants worked with Adolf Hitler to help ensure genocide ran on IBM equipment. When IBM’s director of worldwide media relations, John Bukovinsky, was asked about the disclosures in 2001 and 2002 of the company’s … Continue reading IBM Watson Sued by LA County for Secretly Tracking Users

Massive data leak affects hundreds of German politicians

A number of German politicians have been the target of a massive data leak, one that contains extensive amounts of information. The data in question includes email addresses, private correspondence, passwords, phone numbers, work emails and photos, among other information, and those affected reportedly include journalists and celebrities as well as politicians. According to multiple reports, the data was leaked from the Twitter account @_0rbit -- which has since been suspended -- and the account began sharing the stolen information in December.

Via: TechCrunch

Marriott breach included 5 million unencrypted passport numbers

Marriott has good news and bad news for travelers who have passed through its hotels. The good news is the data breach disclosed back in November, which was originally believed to have exposed the data of more than 500 million people, affected fewer travelers than originally reported (though it didn't specify how many). The bad news is the data lifted from the company included millions of people's passport numbers.

Via: Wall Street Journal

Source: Marriott

This Week in Security News: Spyware and Data Breaches

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a spyware that disguised itself as an Android application to gather information from users. Also, find out the biggest global data breaches of 2018 and how millions of personal records were compromised last year.

Read on:

Server Security for the Modern IT Ecosystem

The combination of new application technology with existing legacy architectures and deployment models leads to greater IT complexity and difficulties.

Cyberattack Targets Newspapers in US, Prevents Some From Publishing

Several U.S. newspapers came under attack from apparent hackers, preventing some from printing and distributing their daily editions. 

Spyware Disguises as Android Applications on Google Play

Trend Micro discovered a spyware (detected as ANDROIDOS_MOBSTSPY) which disguised itself as legitimate Android applications to gather information from users. 

PewDiePie Propaganda Hackers: We Exposed 72,000 Chromecasts And Smart TVs

A pair of hackers have found a way to broadcast propaganda for YouTube celebrity PewDiePie because thousands of people left their Google Chromecasts and smart televisions wide open.

The Biggest Global Data Breaches of 2018

Data breaches continued to be a major issue in 2018 with a series of serious cases ranging from retailers to social networks, resulting in millions of personal records being compromised.

In High-Tech Cities, No More Potholes, but What About Privacy?

Hundreds of cities have adopted or begun planning smart cities projects, but they frequently lack the expertise to understand privacy, security and financial implications of such arrangements.

What are your thoughts on smart cities and privacy? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Spyware and Data Breaches appeared first on .

Server Security for the Modern IT Ecosystem

A Changing Landscape

In recent years we’ve seen a fundamental shift in the IT landscape, accelerated towards cloud and containerized infrastructures. According to Forbes, by 2020 it is predicted that 83 percent of enterprise workloads will be in the cloud. Moving beyond the cloud, software development teams are driving further change with the adoption of microservice architectures and containers, a market poised to grow over 40 percent year over year. The adoption of these new technologies signals a major change in IT infrastructures for modern enterprises. However, this transition is not always seamless, and it can be difficult to refactor legacy applications for a new technology stack. As a result, teams are building and deploying applications across a variety of environments, including physical machines, virtual machines, containers, and cloud infrastructures. While these new technologies offer great benefits in terms of agility, scalability, and continuous integration (CI)/continuous delivery (CD), they also add a layer of complexity to security that can expose the organization to vulnerabilities and threats. Overall, the combination of new application technology with existing legacy architectures and deployment models leads to greater IT complexity, making it extremely difficult to achieve consistent security across the organization.

A Growing Threat to Servers

Enterprise security has traditionally been thought of as primarily an endpoint issue; however, the modernization of the IT landscape is resulting in attacks from all directions. Servers have become an important target for cybercrime, with more than 145 million U.S. citizens having their data compromised by the Equifax server breach. In recent years, we’ve seen a number of high-profile server-targeted vulnerabilities. For example, the Equifax attack leveraged a server-side vulnerability in the Apache Struts web application framework, and Heartbleed directly targeted servers to reveal private data.

Servers are the workhorses of the IT environment, and server workloads have fundamentally different security requirements from traditional endpoint protection. As threats increase in sophistication, there is no single miracle fix to server protection. Rather, it requires multiple techniques through a layered security approach. Security and risk managers should utilize offerings dedicated to cloud workload protection, or cloud workload protection platforms (CWPP). As stated in Gartner’s 2018 Market Guide, “The market for cloud workload protection platforms (CWPPs) is defined by offerings specifically designed for server workload-centric security protection and are typically agent-based for deep workload visibility and attack prevention capabilities.”* 

Market-Leading Performance

Additionally, Trend Micro believes that the Deep Security™ platform meets many of the capabilities and architectural considerations listed in Gartner's Market Guide for Cloud Workload Protection Platforms.

Deep Security addresses these recommendations through the following:

  • Seamless integration with leading environments, including AWS, Azure®, and VMware®
  • Complete visibility and protection of workloads
  • Automatic discovery and deployment of security controls
  • Security integrated with your DevOps team’s toolsets
  • Support for microservices architectures and Docker® container protection

This is all done with minimal impact on performance, allowing companies to maintain their agility without sacrificing security. Learn more about our Hybrid Cloud Security solutions, and contact us to discover what makes Trend Micro the number one provider of corporate server security.

*Gartner, “Market Guide for Cloud Workload Protection Platforms”, Neil MacDonald, 26 March 2018 G00328483. 
451 Research’s Market Monitor: Cloud Enabling Technologies, Q3 2016
Trend Micro, “Critical Remote Code Execution Vulnerability (CVE-2018-11776) Found in Apache Struts”

The post Server Security for the Modern IT Ecosystem appeared first on .

Hackers seize dormant Twitter accounts to push terrorist propaganda

As much progress as Twitter has made kicking terrorists off its platform, it still has a long way to go. TechCrunch has learned that ISIS supporters are hijacking long-dormant Twitter accounts to promote their ideology. Security researcher WauchulaGhost found that the extremists were using a years-old trick to get in. Many of these idle accounts used email addresses that either expired or never existed, often with names identical to their Twitter handles -- the social site didn't confirm email addresses for roughly a decade, making it possible to use the service without a valid inbox. As Twitter only partly masks those addresses, it's easy to create those missing addresses and reset those passwords.

Source: TechCrunch

Hackers claim to have insurance data linked to 9/11 attacks

The hackers who stole Orange is the New Black are back, and they've hit a new low. The group known as TheDarkOverlord claims to have stolen 18,000 documents from Hiscox Syndicates, Lloyds of London and Silverstein Properties, and threatened to release files providing "answers" for 9/11 attack "conspiracies" unless it received a ransom. A Hiscox spokesperson confirmed the hack to Motherboard and indicated that this was likely insurance data tied to litigation involving the terrorist campaign.

Via: Motherboard

Source: TheDarkOverlord (Twitter, archived)

Incident Response In The Public Eye

Cyberattacks happen constantly. Every day, organizations are attacked online whether they realize it or not. Most of these attacks are passing affairs. The mere fact that systems are connected to the internet makes them a target of opportunity. For the most part, these attacks are non-events.

Security software, bugs in attack code, and updated applications stop most attacks. With 20 billion+ devices connected to the internet, it's easy enough for the attacker to move on.

But every couple of weeks there is a big enough attack to draw headlines. You’ve seen a steady stream of them over the past few years. 10 million records here, thousands of systems there, and so on.

When we talk about these attacks, for most people, it’s an abstract discussion. It’s hard to visualize an abstract set of data that lives online somewhere.

The recent attack on the Tribune Publishing network is different. This attack had a real world impact. Around the United States, newspapers arrived late and missing significant sections of content.


Late Thursday, some systems on the Tribune Publishing network were inaccessible. This is not an uncommon experience for anyone working in a large organization.

Technology has brought about many wonders but reliability isn’t typically one of them. When a system is inaccessible, it’s not out of the question to first think, “Ugh, this isn’t working. Call IT.”

Support tickets are often the first place cyberattacks show up…in retrospect. All public signs in the Tribune Publishing attack point this way. Once support realized the extent of the issue and that it involved malware, the event—a support request—turned into an incident. This kicks off an incident response (IR) process.

It’s this process that the teams at Tribune Publishing are dealing with now.


“Who is behind the attack?” Is the first question on everyone’s mind. It’s human nature—doubly so at a media organization—to want to understand the “who” and “why” as opposed to the “how”.

The reality is that for the incident response process, that’s a question that wastes time. The goal of the incident response process is to limit damage to the organization and to restore systems as fast as possible.

In that context, the response team only needs to roughly classify their attacker. Is the attacker:

  1. A low level cybercriminal who got lucky with an automated attack and has few resources to continue or sustain the attack?
  2. A cybercriminal intending on attacking a specific class of organization or systems?
  3. A cybercriminal targeting your organization?

Knowing which class of cybercriminal is behind the attack will help dictate the effort required in your response.

For a simple attack, your automated defences should take care of it. Even after an initial infection, a defence in depth strategy will isolate the attack and make recovery straightforward.

If the attack is part of a larger campaign (e.g., WannaCry, NotPetya, etc.), incident response is more complex but the same principles hold true. The third class of attacker—specifically targeting your organization—is what causes a change in the process. Now you are defending against an adversary who is actively changing their approach. That requires a completely different mindset compared to other responses.

The Process

Incident response processes generally follow six stages:

  1. Prepare
  2. Identify
  3. Contain
  4. Eradicate
  5. Recover
  6. Learn

On paper the process looks simple. Preparation begins with teams gathering contact information, tools, and by writing out—or better yet, automating—procedures.

Once an incident has started, teams work to identify affected systems and the type of attack. They then contain the attack to prevent it from spreading. Then work to eradicate any trace of the attack.

Once the attack is over, the work shifts to recovering systems and data to restore functionality. Afterwards, an orderly review is conducted and lessons are shared about what worked and what didn’t.

Easy, right?

Any incident responders reading this post can take a minute here, having enjoyed a good laugh. The next section slams everyone back to the harsh reality of IR.


The six phases of incident response look great on paper but when you’re faced with implementing them in the real world, things never work out so cleanly.

The majority of a response is spent stuck in a near endless loop: identifying new areas of compromise in order to contain the attack, which hopefully allows responders to eradicate every foothold and recover the affected systems.

This is what most organizations struggle with. The time spent preparing is often insufficient because it is all theoretical. Combined with the rapid pace of change on the network, this means teams struggle to keep up during an active incident.

With an organization like Tribune Publishing, things are even more difficult. By its very nature, it's a 24/7 business with a wide variety of users around the country. This means there are a lot of systems to consider, and each hour of downtime has a very real and significant impact on the bottom line.

As the incident progresses, the response team will make critical decision after critical decision. Shutting down various internal services to protect them. Changing network structures to isolate malicious activity. And a host of other challenges will pop up during the incident.

It’s difficult, hard driving work. Made doubly so with the eyes of senior management, customers, and the general public looking on.


As a CISO or incident response team leader, you need to focus on the IR process, not on attribution. That’s why it’s worrisome to see early attribution during an incident.

In the Tribune Publishing attack, it was publicly reported that the attack came from outside of the United States. This led to speculation around motivation. It's likely that statement was based on the malware reportedly found and simple IP address information.

Early in the IR process, evidence like this will be found. It’s easily accessible but also highly unreliable. Malware is often sold in the digital underground and IP addresses are easily spoofed or proxied. The response team knows this but pressure from higher up may demand some form of answer…whether or not it helps resolve the situation.

The team must stay focused on resolving the incident, not spending valuable time and energy getting side tracked. Attribution has its place. It’s definitely not in the middle of the response to an incident.


The one hard truth of incident response is that nothing can substitute for experience. Given the—hopefully obvious—fact that you don’t actually want to be attacked, this leads to the concept of a game day or an active simulation.

Popular in cloud environments—AWS runs game days at their events—these exercises provide hands-on experience. Usually held for the operations team, they are of critical importance to the security team as well.

Security doesn't operate in a vacuum, especially during an incident. Working with other teams during an incident is key. Practicing that way is a must. This type of work is a huge effort, but one that will pay off significantly when an organization is attacked.

Next Steps

Tribune Publishing was hit by a cyberattack with real world impact. This level of visibility is a stark reminder of how challenging these situations can be. The most critical phase of incident response is the first one: preparation.

As a CISO or senior security team member, you need to prepare not only the incident response plan. With a plan in hand, you need to get other teams on board and make it clear to senior management how this process works. Critical to success is making sure that management knows that the priority is recovery…not attribution.

Combine that with a lot of practice and when the next incident hits, you’ll have put your team in a reasonable position to respond and recover quickly.

The post Incident Response In The Public Eye appeared first on .

Hackers steal personal data from 997 North Korean defectors

Hackers just caused grief for North Korean defectors. South Korea's Unification Ministry has revealed that attackers stole the personal data of 997 defectors, including their names and addresses. The breach came after a staff member at the Hana Foundation, which helps settle northerners, unwittingly opened email with malware. The defectors' data is normally supposed to be isolated from the internet and encrypted, but the unnamed staffer didn't follow those rules, officials said.

Source: Wall Street Journal

Hackers defeat vein authentication by making a fake hand

Biometric security has moved beyond just fingerprints and face recognition to vein-based authentication. Unfortunately, hackers have already figured out a way to crack that, too. According to Motherboard, security researchers at the Chaos Communication Congress hacking conference in Leipzig, Germany showed a wax model hand that they used to defeat a vein authentication system.

Source: Motherboard

Why it’s Time to Switch from Facebook Login to a Password Manager

Social media sites are increasingly the focus of our digital lives. Not only do we share, interact and post on platforms like Facebook—we also use these sites to quickly log into our favorite apps and websites. But what happens when these social media gatekeepers are hacked? A while back, Facebook suffered a major attack when hackers obtained the digital keys to access at least 30 million accounts (originally thought to be 50 million), exposing highly sensitive personal details.

The attack not only gave the bad guys access to the Facebook accounts but raised the prospect of them also being able to access any linked apps or websites. The message is clear: it may be time to store log-ins for these third-party accounts in a password manager, rather than a frequently targeted social media company.

What happened, exactly?

As a Facebook user, you’re probably well-aware of the ease-of-use benefit of logging-in to your third-party website and application accounts using your Facebook credentials. Known as Facebook Connect, this is what’s called a “Single Sign-On” feature: a fast, simple, and straightforward way to log in to your various accounts, so you don’t have to remember multiple different passwords for different sites and apps.

Convenient, eh? But here’s the problem. At the end of September (in 2018), Facebook discovered a major security issue: attackers managed to steal the crucial access tokens which act as “digital keys” to keep you logged into the site without having to re-enter your password each time you use Facebook. These keys also provide access to all those third-party applications and websites you log-in to via Facebook: everything from Airbnb and Amazon to Tinder and your favorite news apps. Since there’s a chance that the bad guys were also able to illegally access these, they may have been able to gather more of your sensitive info across these accounts to commit identity theft—and thereby gain access to your credit cards as well.

How did the hackers grab these all-important access tokens? By exploiting several bugs in Facebook’s “View As” and video posting features. (View As is a feature that allows users to see what their own profile looks like to someone else). They ultimately stole access tokens for 30 million  users; accessed just name and contact details for 15 million; virtually all profile info including name, contact details, username, gender, language, relationship status, religion, etc. for 14 million; and no info at all for 1 million.

Facebook has been quick to point out that there are currently no signs the attackers accessed any third-party apps using Facebook SSO. However, that may change. It also doesn't alter the fact that a similar incident like this, or worse, could happen in the future. Social media and web providers like Facebook are a major target for attackers, while human error will inevitably lead to some security mistakes in the future. A bug in Google's code recently exposed the data of 500,000 users of its Google+ social platform, which has prompted their decision to shut down the consumer side of the site within the next 10 months (as of October 2018).
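The token mechanics behind this, as an added example that is not Facebook's code or the post's own: a toy identity provider issues bearer access tokens, two made-up relying parties (news-app and travel-app) accept whoever the provider says a token belongs to, and a stolen token is replayed until the provider resets it. The FAKE_USERS table, the app names and the introspect call are all assumptions of the demo, modelled loosely on OAuth token introspection rather than on Facebook's actual API.

```python
"""Toy model of social single sign-on (SSO) built on bearer access tokens.

Added example, not Facebook's code or the post's. The identity provider
issues an access token at login; a third-party app hands that token back
to the provider to learn who the user is. Because the token is a bearer
credential, whoever holds it *is* the user: a stolen token signs the thief
in to every linked app until the provider revokes it.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed user table for the demo: user id -> password. Plaintext only
# because this is a toy; a real provider stores a salted, slow hash.
FAKE_USERS = {"alice": "correct horse battery staple"}


@dataclass
class IdentityProvider:
    """Stands in for the social network that issues 'Log in with ...' tokens."""
    live_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # token -> (user, expiry)
    ttl_seconds: int = 60 * 60 * 24 * 60  # long-lived, like a 'keep me logged in' token

    def password_login(self, user_id: str, password: str) -> Optional[str]:
        """Return a fresh bearer token on valid credentials, else None."""
        if FAKE_USERS.get(user_id) != password:  # toy check; real code compares hashes
            return None
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
        self.live_tokens[token] = (user_id, time.time() + self.ttl_seconds)
        return token

    def introspect(self, token: str) -> Optional[str]:
        """Answer a relying party's question 'whose token is this?' (cf. OAuth token introspection)."""
        entry = self.live_tokens.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if time.time() >= expires_at:
            del self.live_tokens[token]
            return None
        return user_id

    def reset_all_tokens_for(self, user_id: str) -> int:
        """The 'reset the access tokens of those affected' step: drop every token the user holds."""
        doomed = [t for t, (u, _) in self.live_tokens.items() if u == user_id]
        for t in doomed:
            del self.live_tokens[t]
        return len(doomed)


@dataclass
class RelyingParty:
    """A third-party app that lets users sign in via the provider instead of its own password."""
    name: str
    idp: IdentityProvider
    sessions: Dict[str, str] = field(default_factory=dict)  # session cookie -> user id

    def sso_login(self, access_token: str) -> Optional[str]:
        """Open a session for whoever the provider says the token belongs to.
        Nothing here proves the caller is that person: possession of the token is enough."""
        user_id = self.idp.introspect(access_token)
        if user_id is None:
            return None
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user_id
        return cookie

    def whoami(self, cookie: str) -> Optional[str]:
        return self.sessions.get(cookie)


def demo() -> dict:
    """Walk through: legitimate login, token theft, replay at two apps, provider-side reset."""
    idp = IdentityProvider()
    news_app = RelyingParty("news-app", idp)      # hypothetical linked apps
    travel_app = RelyingParty("travel-app", idp)

    # 1. Alice signs in to the provider; her browser now holds a bearer token.
    alice_token = idp.password_login("alice", "correct horse battery staple")

    # 2. The attacker obtains the token (the post's 'View As' bugs leaked them; here we just copy it).
    stolen = alice_token

    # 3. Replay at linked apps: each trusts the provider's answer and opens a session as Alice.
    c1 = news_app.sso_login(stolen)
    c2 = travel_app.sso_login(stolen)
    replay_ok = news_app.whoami(c1) == "alice" and travel_app.whoami(c2) == "alice"

    # 4. The provider resets Alice's tokens; new SSO sign-ins with the stolen token now fail...
    revoked = idp.reset_all_tokens_for("alice")
    after_reset = news_app.sso_login(stolen)

    # 5. ...but a session the attacker already opened at an app outlives the reset in this model,
    #    because the app never re-checks the token once its own cookie exists.
    lingering = travel_app.whoami(c2)

    return {"replay_ok": replay_ok, "revoked": revoked,
            "after_reset": after_reset, "lingering_session_user": lingering}


if __name__ == "__main__":
    print(demo())
```

Run it and look at the last result: revoking tokens at the provider stops new sign-ins, but a session the attacker already opened at an app survives the reset unless that app re-validates with the provider. A separate, app-specific password (the password manager route the post recommends) removes the shared credential altogether, so a provider-side token leak gives the attacker nothing at the linked app.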

How can I stay safe?


Facebook has fixed the bugs in question and reset the access tokens of those affected by this breach, which should help to stop future attacks. However, if your account was illegally accessed in the attack, there are a few steps you should take:

  • Visit this link to get a yes or no answer on whether you were affected.
  • Be on the lookout for scams: Fraudsters may call, email or send you messages using the info they’ve obtained from the breach.
  • Beware of phishing emails: scammers might try to capitalize on the notoriety of the incident to get you to part with sensitive info, by sending emails pretending to come from Facebook. Here’s how to confirm if they’re real or not.
  • You may need to call your bank: if you were in the second group of 14m users, the hackers may have enough personal info on you to answer security questions to access your accounts. Consider adding further layers of security.

Take preventative steps

After the above, consider the following options to keep all your accounts secure going forward:

  • Disable Facebook SSO. Go to your Facebook settings and remove all apps under Active Apps and Websites. Then under Apps, Websites and Games go to Preferences and click on Edit then Turn Off.
  • Switch on two-factor authentication: this will add an extra layer of security to your Facebook log-in. Visit Facebook’s Settings> Security and login> Setting up extra security> Use two-factor authentication.
  • Consider Facebook’s app password generator: If you wish to maintain app and website connections, this function lets you generate unique passwords for your linked apps and websites, instead of using the Facebook SSO password. However, these passwords can’t be stored in a password manager, and if you log out of the app, you’ll have to generate a fresh password.
  • Better yet, invest in a password manager to securely generate and store strong and unique passwords for each of your Facebook linked apps and websites.

Will it affect my use of Facebook?

If you disable Facebook SSO there may be some loss of sharing functionality. For example, you might find that you can’t post/share articles from within news apps direct to Facebook, and instead have to cut and paste the link manually. It will depend, however, on the apps you’re using. At the end of the day, you need to decide what’s more important to you: tighter integration between apps/websites and Facebook, or keeping your passwords in a separate, secure place away from the social media company.

How can Trend Micro help?

Trend Micro Password Manager can help you to protect the privacy and security of your app and website account passwords across PCs and Macs, and Android and iOS mobile devices. Use it as a highly user-friendly but more-secure alternative to Facebook SSO. Trend Micro Password Manager:

  • Generates highly secure, unique, and tough-to-hack passwords for each of your online accounts.
  • Securely stores and replays these credentials for log-ins, so you don’t have to remember them.
  • Offers an easy way to change passwords, if any do end up being leaked or stolen.
  • Makes it quick and easy to manage your passwords from any location, on any device and browser.
  • Works across both apps and websites, with particular benefit for apps you use in conjunction with Facebook on your mobile devices.

For more information, or to purchase the product, go to our Trend Micro Password Manager website. Note that Trend Micro Password Manager is automatically installed with Trend Micro Maximum Security.

The post Why it’s Time to Switch from Facebook Login to a Password Manager appeared first on .

SN 695: Our Best of 2018

The Best of Security Now from 2018!

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site:, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


Arizona Rush to Adopt Driverless Cars Devolves Into Pedestrian War

Look, I’m not saying I have predicted this exact combat scenario for several years as described in my presentations (and sadly it also was my Kiwicon talk proposal for this year), I’m just openly wondering at this point why Arizona’s rabidly pro-gun legislators didn’t argue driverless cars are protected by Waymo’s 2nd Amendment right to … Continue reading Arizona Rush to Adopt Driverless Cars Devolves Into Pedestrian War

Dancho Danchev’s Threat Data – How to Request Free Access Including a Christmas Discount

Dear blog readers, I wanted to let everyone know that I'm currently offering unlimited and exclusive access to Threat Data - The World's Most Comprehensive Threats Database in the true spirit of the Christmas seasons to selected set of individuals and organizations that approach me at Key Summary Points: - the platform basically represents the majority of proprietary

Smart speakers: Christmas treat or lump of coal?

Christmas is nearly upon us, and thoughts are perhaps turning to various digital presents of a “smart” nature. Home security, hubs, speakers, cameras, and mashups of all of those and more besides.

With regards to speakers, the most immediate pieces of your home are theoretically at your beck and call.

There’s lots of good advice out there in terms of what to do with your new devices. Untick boxes, increase security, perhaps eliminate the “smart” feature entirely by ripping out batteries. However, is it possible that we’re taking things a little too far? Are our concerns justified? Is there, perhaps, a somewhat happy middle ground where these devices can co-exist with us minus an endless sense of panic?

Well, probably not. But maybe we can alleviate a few fears along the way.

Accidents will happen

This is a fact of life. Nothing is 100 percent secure, and nothing is 100 percent free from errors and mishaps. While this is scant consolation if something goes disastrously wrong, accepting that nothing is perfect sometimes goes a long way.

Many of the more “oh no, now what” news stories about smart speaker devices involved an accident, or an unforeseen use of the technology at hand.

Of dollhouses, cookies, and burgers

Many reported incidents are about accidental interactions between users and their devices. Of particular note is the 2017 story of a child somehow managing to place an order for a dollhouse and cookies through Amazon’s Alexa. This became even more confusing when a TV segment apparently caused chaos with a number of additional attempted orders. It’s worth noting that none of those additional attempts seem to have resulted in purchases, so either we’re missing some crucial part of the child’s story or something genuinely malfunctioned in their home.

We also have South Park pranks, and the infamous Burger King ad triggering Google Home to tell their owner all about burgers via text read out aloud from Wikipedia. While this is humorous, it could have easily invited some incredibly dubious messages into the home given anyone can edit Wikipedia text. In fact, the ad text was indeed sabotaged. What a world.

Privacy problems

Accidental recordings are perhaps the biggest potential problem, and certainly most likely to cause a privacy issue. In May 2018, a series of miscues caused private conversations to be sent to a random contact via an Echo speaker. This is, of course, horrendous and could easily have ended in disaster depending on context.

It’s also essential that device owners read all EULAs and privacy policies thoroughly. They’re complicated enough for simple mobile games, without pondering the ramifications of real-world interactions. As I mentioned on Top 10 VPN’s Privacy Central article about this very subject, even if you read through a lot of legal words, there’s no guarantee everything won’t change while you’re not looking.

Listen closely?

The potential threat of always listening devices is prone to overhyping. The biggest issue tends to be accidental activation, from adverts or background noise. It’s rare for speakers to malfunction and listen of their own accord.

Owners may wish to disallow voice-activated devices from being able to lock or unlock entry points into the house, as this is an area of deliberate activation which could cause the most harm. They certainly don’t collect everything said and are deliberately set up to avoid it. Grabbing everything 24/7 would mean device manufacturers simply couldn’t cope with all the data, so it’s in their best interests to be as concise and targeted as possible.

As evidenced by Mozilla’s recent “Privacy not included” list, people seem to have a strong aversion to smart speakers. Amazon and Google’s devices are currently rated “super creepy” by voters, whereas the only smart speaker to have a positive “not creepy” rating at all is the open source Mycroft Mark 1. With a lack of insight into how closed systems are operating inside the home, it perhaps makes sense that people would turn to open source devices where they can get a better understanding of what’s happening instead.

What’s the biggest area of concern?

As I’ve mentioned previously, I believe rogue IoT devices pose the biggest threat to victims of domestic abuse. This is due to ease of access to devices on the part of the malicious individual. The ability to control aspects of the home down to the smallest detail is a potential nightmare scenario. There are ways to combat this, but it’s risky and we always suggest professional support and assistance wherever possible.

Who speaks the truth?

All we can do is look at the evidence on offer and make an informed decision. If you’re okay with the possibility of occasional accidental misfires or mischievous triggers, you’re good to go. We can’t pretend these devices won’t continue to make their way into our homes. What we can do is ensure we take steps to limit harm wherever possible. Keep on top of possible threats as and when they surface, and you’ll hopefully have no problems this festive season.

The post Smart speakers: Christmas treat or lump of coal? appeared first on Malwarebytes Labs.

This Week in Security News: Deep Dives and NASA Data

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the span of a NASA hack that leaked data for current and former employees. Also, Trend Micro dives deep into the underground software business and its effect on the cybercrime industry.

Read on:

Cybercriminals Are Controlling Malware Through Twitter Memes

Researchers at Trend Micro have identified a Twitter account that’s hiding messages inside images — a technique referred to as steganography.

Latin America suffers 1 billion malware attacks in 2018

Latin America sees an average of 3.7 million malware attacks a day and about 1 billion occurrences a year.

Why Old Threats Still Pose a Problem Alongside Newer Ones

Data from Trend Micro’s managed detection and response shows how the cybersecurity policies of organizations are reflected by the threats they most often face.

Christmas Comes Early for Capture the Flag Champions

Hackers from around the world battled it out in Tokyo during a Capture the Flag event hosted by Trend Micro.

Year-End Review: Business Email Compromise in 2018

Global losses to BEC have exceeded US$12 billion. To keep abreast of the scammer landscape, we look back on some of the incidents and trends that made BEC a headline staple this year.

Trend Micro Finds Major Flaws in HolaVPN

Researchers at Trend Micro have singled out HolaVPN, a free “community VPN,” for using customer computers and devices as exit points for spam, phishing messages and worse.

Security Architecture for Smart Factories

How should IIoT security be implemented? Identifying the building blocks of IIoT security is key to answering this question.

As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants

For years, Facebook gave tech giants more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules.

Examining the Thriving Underground Software Business

The modern cybercrime landscape has changed much from around a decade ago, when most criminals either built their own toolsets or hired other developers to create them.

NASA Reveals Data Breach Exposed Employee Personal Information

Hackers who broke into one of NASA's servers in October had access to the personal data of former and current employees.

Did the news of the latest Facebook scandal surprise you? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Deep Dives and NASA Data appeared first on .

Dancho Danchev – Cyber Threat Analyst – Join Me on Patreon Community!

Dear blog readers, In the true spirit of the Christmas season I decided to let everyone know that I've recently launched my own Patreon Community Page with the idea to let everyone know that I'm currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or

DOJ charges two Chinese nationals with ‘extensive’ hacking campaign

Today, the Department of Justice announced charges against Zhu Hua and Zhang Shilong, two Chinese nationals who engaged in an extensive hacking campaign against the US and other countries. First reported by CNBC, the campaign was allegedly successful at infiltrating at least 45 US and global technology companies and government agencies, and these actions were taken at the behest of the Chinese government. Incredibly, the hackers have been operating since 2006 through this year, according to the DOJ. This comes a week after the NSA warned it had evidence of China preparing for "high-profile" cyber-attacks.

Source: Department of Justice

Why the US South Needs You to Send More $50 Grant Bills

The Washington Post has a well researched and written story about why the US Republican party is defined by their racism. Oh, maybe I should say spoiler alert: …slavery’s enduring legacy is evident not only in statistics on black poverty and education. The institution continues to influence how white Southerners think and feel about race … Continue reading Why the US South Needs You to Send More $50 Grant Bills

Keep Your Online Transactions Secure with Trend Micro Security’s Pay Guard Browser

Nowadays, online transactions are often under threat from malware and browser injections that would steal your identity data or your money as you log in to your favorite banking, financial, or commercial accounts. Trend Micro’s new Pay Guard Browser, available with all three 2019 PC editions of Trend Micro Security, is specifically designed to secure and keep your data private by automatically providing a “hardened browser” for all your online transactions.

Pay Guard works by eliminating any vulnerabilities or third-party extensions in your default PC browser—whether Chrome, Firefox, or Internet Explorer. It then applies Trend Micro’s famous Trend Micro Toolbar to maximize your protection from cybercriminals who want to steal your credentials. Users can then also deploy Trend Micro Password Manager in Pay Guard Browser to further ensure that you only use strong, encrypted passwords when conducting transactions in your online accounts.

Trend Micro Security’s Pay Guard Browser is easy-to-use, fast and secure—so you never have to worry about threats when banking or shopping online. For more information or to download and buy Trend Micro Security, go to the Trend Micro Security Products Overview page.

For those of you who’d like to use Trend Micro Password Manager with Pay Guard, note that Password Manager is automatically installed with Trend Micro Maximum Security. Others can go to the Password Manager Software page for more information, or to download a Trial or buy the program.

Watch our YouTube video How to Use Trend Micro Pay Guard for instructions on how to use it with Trend Micro Security’s Toolbar and Password Manager.

The post Keep Your Online Transactions Secure with Trend Micro Security’s Pay Guard Browser appeared first on .

Nine for 2019: New Year tips for cybersecurity and privacy professionals

A new year is almost upon us, and that means one thing: resolutions. Easily made, even more easily broken, they’re nevertheless a useful way of setting goals for the next 12 months. We asked Brian Honan, Tracy Elliott, Sarah Clarke, Valerie Lyons and David Prendergast to share their tips for information security practitioners and privacy professionals. Here’s what you can do differently or better to protect your organisation and its critical data in 2019.

1 Attend security conferences

The first resolution is to attend at least two cybersecurity conferences this coming year. Choose the events well, and they can be a great source of knowledge and learning to apply in the daily security role. “It’s important to pick conferences that you feel will help you learn, not a vendor event that’s about how great their products are. Look for conferences that provide independent speakers, or topics on areas of interest to you,” says Brian.

Another reason to go to more conferences is the valuable opportunity to network with peers. “Sometimes we learn more from talking to others than from training courses or reading articles,” adds Brian.

2 Collaborate more with your peers

Resolve to take key business leaders in your organisation out to lunch, to discuss the challenges they face and understand how security can help them to address those challenges. Those lunchtime conversations can uncover important business needs. For example, HR might have difficulty retaining staff. Devising a secure way to let certain employees work remotely, or from home, could help employee retention rates without putting sensitive data at risk. Similarly, the marketing department might need a way of exchanging large documents and files with external design houses or ad agencies. But how is this possible if the company restricts mailbox sizes and blocks file sharing platforms like Dropbox?

These lunches can help to position the security function as a business enabler, not an obstacle to getting things done. It’s about finding workable solutions that maintain security because otherwise, people will find their own workarounds – and that introduces risk. “When you meet with your business peers, you can better understand their challenges. It becomes about how I as a security professional support that business objective while protecting the company’s key assets. Rather than ‘no’, the security practitioner says ‘yes, but’. Or better still, ‘yes, and this is how we recommend you do it’,” says Brian.

3 Rest up

Brian’s third tip for security practitioners is to try and sleep more. By his own admission, it’s slightly tongue-in-cheek, but there’s a serious point behind it. There’s a growing conversation around the high levels of fatigue and stress in the profession, leading to burnout. “To be effective, we need to look after our own personal health. It’s important to take steps to ensure we can keep ourselves in the best condition to do our jobs. It’s trying to make sure you’re compliant as well as your security programme,” Brian advises.

4 Get Detailed on Privacy Regulations [GDPR]

Turning to privacy, Tracy Elliott predicts 2019 will see activity around the General Data Protection Regulation [GDPR] move from theory to practice. “A lot of 2018 was about writing data protection policies and putting governance structures in place. The next 12 months will focus on training people in specific jobs in what they need to know about data protection,” she says.

The responsibility for training and awareness falls to an organisation’s designated data protection officer (DPO). That ranges from simple things like posters in staff canteens to help refresh people’s memory about, and awareness of, GDPR. Then DPOs should identify key roles in an organisation who need tailored data protection training that reflects their specific job. For example, a nursing home healthcare assistant needs to know about speech privacy as part of protecting sensitive patient information.

5 Batten down for Brexit

Even as confusion surrounds Brexit, it’s time to plan for whatever the outcome might be. (Insert your own joke about seeing the words ‘Brexit’ and ‘plan’ in the same postcode, let alone the same sentence.)

Sarah Clarke points out that a future adequacy agreement is not certain between the UK and the EU. It’s possible that in the event of a no-deal Brexit, the UK will become a third country outside of the EEA. That would mean all transfer of data between Ireland and the UK will be considered as international transfers.

With this in mind, Tracy Elliott says data protection officers should review their organisation’s processing activities. They should identify what data they are transferring to the UK, and whether that includes data about EU citizens. “Consider your options of using a contract or possibly changing that supplier. If your data is hosted on servers in the UK, contact your hosting partner and find out what options are available,” she says.

Larger international companies may already have data sharing frameworks in place, but SMEs that routinely deal with the UK, or that have subsidiaries in the UK, might not have considered this issue yet. All communication between them, even if they’re part of the same group structure, will need to be covered contractually for data sharing. “There are five mechanisms for doing this, but the simplest and quickest way to do this is to roll out model contract clauses [MCCs]. They are a set of guidelines issued by the EU,” Tracy advises.

6 Plan for all outcomes

Here’s where contingency planning is vital. “Use of MCCs has its own risks as they are due an update to bring them into line with GDPR, and Privacy Shield [the EU-US data transfer mechanism] is still on trial,” Sarah warns. However, in the short term, MCCs fit the bill both for international transfers between legal entities in one organisation, and for transfers between different organisations. “For intra-group transfers, binding corporate rules are too burdensome to implement ‘just in case’. You can switch if the risk justifies it when there is more certainty,” she adds.

Sarah points out that regulators won’t tolerate inactivity. That said, they may grant some leeway if an organisation decides on a particular approach and documents its reason for doing so – even if that approach needs to change later. In other words, doing nothing is not an option – a bit like the best New Year’s resolutions.

7 Prepare beyond regulations

Valerie Lyons writes: “If we look to the US patents office, we see the top patents of 2017 fell into cloud, AI, machine learning and big data. Privacy regulation alone will not be able to address the challenges associated with many of these technologies. Gartner agrees, highlighting Digital Ethics and Privacy as one of its top trends of 2019. Privacy practitioners should familiarise themselves with digital ethics frameworks and look not just at privacy governance but information strategy and data management.”

8 Complete one thing

Sometimes, working as a security or privacy professional can feel like the circus act who keeps plates spinning. There are so many things to do, and so many places in the organisation to start mitigating risks. All the time, there’s an audience of compliance officers, auditors, regulators and bosses, waiting to see if one of the plates will drop. “Stop prevaricating. Pick one initiative and get it done, rather than starting three things and finishing none. That way, you’ve achieved something tangible you can point to. And it’s one less task on the list,” says David Prendergast.

9 Just do it

When it comes to security awareness strategy, as a certain sportswear company might say, just do it. “Don’t wait for a big budget. You don’t need huge sacks of money to explain to people what the risks are, and why they need to change behaviour,” says David. “Security professionals can often be quite shy of talking to IT people because we think they want us to fail. They don’t. They read different press, and if you just tell them the basics, you might just win some allies.” David also agrees with Brian’s point about collaborating more during 2019. “Talk to your colleagues and talk to your peers; they’re probably struggling with the same issues you are. The only daft question is the one you didn’t ask,” he says.

What resolutions have you made for 2019? Let us know in the comments below.

The post Nine for 2019: New Year tips for cybersecurity and privacy professionals appeared first on BH Consulting.

Personality May Determine Employee Engagement

Interesting insights from the HBR, like emphasizing positive personalities in the workforce can harm leadership feedback loops: If leaders turn employee optimism and resilience into a key hiring criterion, then it becomes much harder to spot and fix leadership or cultural issues using employee feedback signals. And then they double-down on this assessment of overly …

SN 694: The SQLite RCE Flaw

  • Rhode Island's response to Google's recent API flaw
  • Signal's response to Australia's anti-encryption legislation
  • The return of PewDiePie
  • US border agents retaining traveler's private data
  • This Week in Android Hijinks
  • Confusion surrounding the Windows v5 release
  • Another Facebook API mistake
  • The 8th annual most common passwords list (AKA "How's 'monkey' doing?")
  • Why all might not be lost if someone is hit with drive encrypting malware
  • Microsoft's recent 4-month run of 0-day vulnerability patches
  • The Firefox 64 update
  • A reminder of an awesome train game for iOS, Mac and Android
  • A look at a new and very troubling flaw discovered in the massively widespread SQLite library... and what we can do.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site:, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


Joining Team Astalavista – Stay Tuned!

Dear blog readers, I wanted to let everyone know that I will shortly be joining Team Astalavista - The World's Most Popular Information Security Portal - acting as Managing Director, following a successful career as Managing Director through 2003-2006, where I used to maintain a highly informative and educational Security Newsletter featuring exclusive content and security interviews (Security

Pay-Per-Exploit Acquisition Vulnerability Programs – Pros and cons?

As ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day exploits affecting multiple operating systems, software and/or devices, a logical question emerges in the context of the program's usefulness, the potential benefits, and potential vulnerabilities within the actual acquisition process - how would the program undermine the

Historical OSINT – Malicious Economies of Scale – The Emergence of Efficient Platforms for Exploitation – 2007

Dear blog readers, it's been several years since I last posted a quality update following my 2010 disappearance. As it's been quite a significant period of time since I last posted a quality update, I feel it's about time I post a quality update by detailing the Web Malware Exploitation market segment circa 2007, prior to my visit to the GCHQ as an independent contractor with the Honeynet Project.

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multitude of rogue and malicious software also known as scareware. In this post I'll profile the campaign and discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it and

Historical OSINT – A Diversified Portfolio of Fake Security Software Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software also known as scareware, potentially exposing hundreds of thousands of users to a variety of fake security software, with the cybercriminals behind the campaign potentially earning fraudulent revenue largely relying on the utilization of an affiliate-network

Historical OSINT – A Diversified Portfolio of Fake Security Software

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent portfolio of fake security software also known as scareware, potentially enticing hundreds of thousands of users to a multitude of malicious software, with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2008 and I've recently stumbled upon a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into falling victim to fake security software also known as scareware, including a variety of dropped fake codecs, largely relying on the acquisition of legitimate traffic through active blackhat SEO campaigns, in this particular case various North Korea news

Historical OSINT – Spamvertized Swine Flu Domains – Part Two

It's 2010 and I've recently come across a currently active diverse portfolio of Swine Flu related domains further enticing users into interacting with rogue and malicious content. In this post I'll profile and expose a currently active malicious domain portfolio currently circulating in the wild, successfully involved in an ongoing variety of Swine Flu malicious spam campaigns, and will

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2010 and I've recently come across a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns. In this post I'll provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign:

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another diverse portfolio of blackhat SEO domains, this time serving rogue security software also known as scareware to unsuspecting users, with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts, largely relying on the utilization of an affiliate-network based type

Historical OSINT – Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams, in particular the actual malicious actors behind the campaigns, with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns. Related malicious and fraudulent emails known to have participated in the

Historical OSINT – Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I've recently come across a diverse portfolio of fake security software also known as scareware courtesy of the Koobface gang, in what appears to be a direct connection between the gang's activities and the Russian Business Network. In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild – Part Two

It's 2008 and I've recently come across a massive black hat SEO campaign successfully enticing users into falling victim to a fraudulent and malicious scareware-serving campaign. In this post I'll provide actionable intelligence on the infrastructure behind it. Related malicious domains and redirectors known to have participated in the campaign: hxxp:// hxxp://

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild

It's 2008 and I recently came across a pretty decent portfolio of rogue and fraudulent malicious scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques, in this particular case the airplane crash of the Polish president. Related malicious domains known to have participated in the campaign: hxxp:// hxxp:// hxxp://

Historical OSINT – Malware Domains Impersonating Google

It's 2008 and I've recently stumbled upon a currently active typosquatted portfolio of malware-serving domains successfully impersonating Google, further spreading malicious software to hundreds of thousands of unsuspecting users. In this post I'll provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign:

Historical OSINT – Massive Scareware Dropping Campaign Spotted in the Wild

It's 2008 and I've recently spotted a currently circulating malicious and fraudulent scareware-serving malicious domain portfolio, which I'll expose in this post with the idea to share actionable threat intelligence with the security community, further exposing and undermining the cybercrime ecosystem the way we know it, potentially empowering security researchers and third-party vendors with the

Historical OSINT – Latvian ISPs, Scareware, and the Koobface Gang Connection

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang, actively serving fake security software also known as scareware to a variety of users, with the majority of malicious software conveniently parked within AS2588, LatnetServiss-AS LATNET ISP, successfully hosting a diverse portfolio of fake security software. In

Historical OSINT – Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang, successfully exposing hundreds of thousands of users to a multitude of malicious software. In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it. Sample

Question: “Why is Russia so good at getting women into technology?” Answer: Communist Propaganda

It is great to see someone is trying to drill into Russia’s technical hiring practices as some sort of example for study or exception, rather than the other way around (why does America suck at allowing women equal treatment). She believes there are several reasons for that: girls are expected to take up computer science …

Improved Ghillie Suits (IGS)

Personally I wish someone had pushed for the phrase “future update ghillie suits” (FUGS) when they were thinking about “future warfare”. Instead the US Army is talking about Improved Ghillie Suits (IGS) to address the shortcomings of past designs. Notable issues: If you dress like a tree, you may be as flammable as one (several …

Cyber Security Project Investment Proposal – DIA Needipedia – Fight Cybercrime and Cyber Jihad With Sensors – Grab Your Copy Today!

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform, with the project proposal draft available on request as part of DIA's Needipedia Project Proposal Investment draft or eventually through the Smith Richardson Foundation. In case you're interested in working with me

Nterini – Fatoumata Diawara

In a story that I’m almost certain nobody has read (based on everyone I have asked about it)…hundreds of thousands of letters that were seized by British warships centuries ago, now are getting digitized for analysis by the Union of the German Academies of Sciences and Humanities. Somewhere in the U.K. National Archives in London, …

This Week in Security News: Security Predictions and Malware Attacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the span of categories for Trend Micro’s 2019 Security Predictions. Also, learn about a new exploit kit that targets home or small office routers and attacks the victim’s mobile device or desktop through the web applications they are authenticated with.

Read on:

2019 Security Predictions Report Released

Good security predictions are very difficult to develop, and companies and consumers need to be selective about the security advice they take.


U.S. Investigators Point to China in Marriott Hack Affecting 500 Million Guests

U.S. government investigators increasingly believe that Chinese state hackers were responsible for the Marriott breach that exposed the private information and travel details of as many as 500 million people.

What Happens When Victims Pay Ransomware Attackers?

Although ransomware infections have been around for years now, they continue to spur success – and high monetary profits – for attackers.

House Releases Cybersecurity Strategy Report

The House Energy and Commerce Committee released the comprehensive Cybersecurity Strategy Report, in which it identified procedures to both address and prevent cybersecurity incidents.

The 9 Best Ways to Protect Your New Tech Gifts

The time for all things merry and bright is here and there is nothing brighter than a shiny new smartphone or laptop! Exciting as it is to play with all their new features as soon as they come out of the box, new devices also bring new risks.

New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers

Trend Micro identified a new exploit kit that targets home or small office routers and enables attacks on a victim’s mobile device or desktop through the web applications they are authenticated with.

Cybersecurity, Trade Tensions Rank as Top Threats to Markets in 2019, Survey Finds

The biggest risk to markets going into the new year is the threat of a cybersecurity attack, according to a new survey of risk managers and non-risk professionals by the Depository Trust and Clearing Corp.

Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

To prevent attacks that exploit known vulnerabilities in Elasticsearch, it is necessary to patch systems regularly and have security monitoring in place with custom rules.

Security Threats and Risks in Smart Factories

A single cyberattack can negate the benefits derived from a smart factory. That’s why security must not be left behind as organizations move forward with their “smart” agendas. 

Will Sophisticated Attacks Dominate in 2019?

Trend Micro released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape. 

New Version of Disk-Wiping Shamoon/Disttrack Spotted: What You Need to Know

Trend Micro came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version. 

What are some of your 2019 Security Predictions? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Security Predictions and Malware Attacks appeared first on .

Chinese hackers reportedly hit Navy contractors with multiple attacks

Chinese hackers have been targeting US Navy contractors, and were reportedly successful on several occasions over the last 18 months. The infiltrators stole information including missile plans and ship maintenance data, according to a Wall Street Journal report that cites officials and security experts.

Source: Wall Street Journal

Insurance Companies Say NotPetya Means War (And Therefore No Coverage)

Add cyberwar to the long list of reasons why insurance companies will deny claims. Essentially, Zurich’s position is that NotPetya was a “hostile or warlike action” by a “government or sovereign power.” In fact, NotPetya is widely viewed as a state-sponsored Russian cyber attack masquerading as ransomware that was designed to target Ukraine but …


The previous OSSEC articles went through the process of installing OSSEC and deploying a distributed architecture. This article will focus on configuring OSSEC to make better sense of WordPress...


The post OSSEC FOR WEBSITE SECURITY: PART III – Optimizing for WordPress appeared first on PerezBox.

SN 693: Internal Bug Discovery

  • Australia's recently passed anti-encryption legislation
  • Details of a couple more mega-breaches including a bit of Marriott follow-up
  • A welcome call for legislation from Microsoft
  • A new twist on online advertising click fraud
  • The DHS is interested in deanonymizing cryptocurrencies beyond Bitcoin
  • The changing landscape of TOR funding
  • An entirely foreseeable disaster with a new Internet IoT-oriented protocol
  • Google finds bugs in Google+ and acts responsibly -- again -- what that suggests for everyone else

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site:, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


Google Lights $1M on Fire to Protest Separation of Test and Production

Advertising news sources are saying that it was an accident. On Tuesday at about 7 p.m. ET, many publishers both in the U.S. and Australia saw many–if not all–of their ad slots filled with display ads featuring nothing but the color yellow. They were up for 45 minutes. The costly mistake occurred during a Google …

“Top 10 Security Disasters in ML: How Laurel and Yanny Replaced Alice and Bob”: 2019 RSAC SF Presentation

I’ll be presenting again at the RSA Conference in SF, discussing how the information security industry shifted fundamentally after 2014 from ongoing confidentiality to growing integrity concerns. SESSION ID: MASH-F02 TITLE: Top 10 Security Disasters in ML: How Laurel and Yanny Replaced Alice and Bob SCHEDULED SESSION DAY AND TIME: Friday, Mar 08, 9:50 AM …

Apple Alert: SSD Data Loss in 13-inch Macbook Pro

In an awkwardly worded statement, the laptop manufacturer has alerted owners of its 13-inch Macbook Pro that SSD firmware flaws are causing serious data corruption and even complete failure. Apple has determined that a limited number of 128GB and 256GB solid-state drives (SSD) used in 13-inch MacBook Pro (non Touch Bar) units have an issue …

SN 692: GPU RAM Image Leakage

  • Another Lenovo SuperFish-style local security certificate screw up
  • The Marriott breach and several other new, large and high-profile secure breach incidents
  • The inevitable evolution of exploitation of publicly exposed UPnP router services
  • The emergence of "Printer Spam"
  • How well does ransomware pay? We have an idea now.
  • The story of two iOS scam apps
  • Progress on the DNS over HTTPS front
  • Rumors that Microsoft is abandoning their EdgeHTML engine in favor of Chromium
  • A Cyber Security related Humble Book Bundle just in time for Christmas
  • Some new research that reveals that it's possible to recover pieces of web browser page images that have been previously viewed.

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site:, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


2018 Ebola Crisis Worsens as US Regime Denies Aid

Here’s a pithy comment by Peter Salama, head of the new Health Emergencies Program at the World Health Organization, about factors leading to the Ebola crisis unfolding this year in DRC: These viruses manage to exploit social vulnerabilities and fault lines. That’s what we’re seeing in this Ebola outbreak starkly. And even more to the point: …

Thousands of House GOP campaign committee emails were stolen in hack

The Republican Party's House campaign committee said it was a victim of "cyber intrusion" during the 2018 midterm campaign. Party officials told Politico that "thousands of sensitive emails" were stolen in the National Republican Congressional Committee hack. The party has reported the incident to the FBI.

Via: Associated Press

Source: Politico

Insecurity of US Regime Impacts Trade

China has downgraded the rating of US ability to partner or deliver goods, and is distancing itself from the instability of a white nationalist White House. …the economic relationship between the U.S. and China has been permanently altered. […] The president’s abrupt return to brinkmanship…underscored U.S. unpredictability. […] …imposition of tariffs on more than $250 …

Quora breach leaks data on over 100 million users

Today's big data breach has been announced by Q&A site Quora, affecting over 100 million registered users. What did the "unauthorized third party" get? According to CEO Adam D'Angelo:

Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
Public content and actions, e.g. questions, answers, comments, upvotes
Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Quora found the breach on November 30th and said it is still investigating. It has logged all users out, and is forcing all accounts with a password to reset that password. It also said that the password data was salted and hashed to prevent attackers from using it, but to be cautious, users should also reset passwords on their other accounts if they shared the same one. Emails are going out notifying users of the breach, but right now all of the information available is organized in this FAQ.

Source: Quora, FAQ

Top Australian Soldier Accused of War Crimes

You may have noticed a post the other day about a decorated SEAL charged with war crimes. Some have decried this investigation as political maneuvering by those serving with the accused, while others have said they simply do not believe in challenging the accuracy of decorated war veteran records. Meanwhile I noticed a similar story …

OSSEC For Website Security: PART II – Distributed Architectures Using Agents and Managers

This article assumes you already have OSSEC deployed. If you need a refresher, refer to Part I of OSSEC for website security, written March 2013. OSSEC is a popular open-source...


The post OSSEC For Website Security: PART II – Distributed Architectures Using Agents and Managers appeared first on PerezBox.

Hacker hijacks 50,000 printers to tell people to subscribe to PewDiePie

Over the course of this week, some printers have been printing out a strange message asking people to subscribe to PewDiePie's YouTube channel. The message appears to be the result of a simple exploit that allows printers to receive data over the internet, including print commands. A person with the online handle TheHackerGiraffe has claimed responsibility for the attack.

Via: The Verge

Source: TheHackerGiraffe

How to enable 2FA on Twitter with Authy, Google Authenticator or another Mobile Application

It’s been a long time since I have had to enable 2FA on Twitter and found the process completely infuriating. Twitter’s 2FA configuration uses SMS as the default option, this...


The post How to enable 2FA on Twitter with Authy, Google Authenticator or another Mobile Application appeared first on PerezBox.

Hackers targeted Dell customer information in attempted attack

Earlier this month, hackers attempted to breach Dell's network and obtain customer information, according to the company. While it says there's no conclusive evidence the hackers were successful in their November 9th attack, it's still possible they obtained some data.

Via: The Verge

Source: Dell (1), (2)

US Updates Antique Safety Standards to Allow Modern Train Technology

Interesting news from Streets Blog about the change in security standards that now allows foreign train technology in the US: Building trains to unusual U.S. safety standards for the small American passenger rail market made rolling stock purchases needlessly expensive. Opening the door to standardized European train specifications will significantly lower prices. Rail operators are …

Florida Police Chief Sent to Jail For Conspiracy Against Black Men

The Biscayne Park police chief had tried to claim his department solved 100% of burglaries, when in fact the Justice Department reports he simply directed his staff to blame burglaries on black men and arrest them without evidence: Former Chief Atesiano previously pleaded guilty to acting under color of law as chief of police when …

SN 691: ECCploit

  • Yesterday, the US Supreme Court heard Apple's argument about why a class action lawsuit against their monopoly App Store should not be allowed to proceed. How could this affect iOS security?
  • Google and Mozilla are looking to remove support for FTP from their browsers.
  • From our "what could possibly go wrong" department, we have browsers asking for explicit permission to leave their sandboxes.
  • The next step in the evolution of RowHammer attacks which do, as Bruce Schneier once opined, only get better... or in this case, worse!

We invite you to read our show notes.

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site:, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


SN 690: Are Passwords Immortal?

  • All the action at last week's Pwn2Own Mobile hacking contest
  • The final word on processor mis-design in the Meltdown/Spectre era
  • A workable solution for unsupported Intel firmware upgrades for hostile environments
  • A forthcoming Firefox breach alert feature
  • The expected takeover of exposed Docker-offering servers
  • The recently announced successor to the recently ratified HTTP/2
  • Errata
  • The future of passwords: a thoughtful article written by Troy Hunt, the creator of the popular "Have I Been Pwned" web service

Hosts: Steve Gibson and Leo Laporte


Police arrest alleged Russian hacker behind huge Android ad scam

Police in Bulgaria have arrested an alleged Russian hacker who may be responsible for a huge Android ad scam that netted $10 million. The individual identified as Alexander Zhukov is a Saint Petersburg native who's been living in Varna, Bulgaria, since 2010 and was apprehended on November 6th after the US issued an international warrant for his arrest, according to ZDNet.

Source: Kommersant

SN 689: Self-Decrypting Drives

  • Last month's Patch Tuesday, this month
  • A GDPR-inspired lawsuit filed by Privacy International
  • Check these two router ports to protect against a new botnet that's making the rounds
  • Another irresponsibly disclosed zero-day, this time in VirtualBox
  • CloudFlare's release of a very cool app for iOS and Android
  • Microsoft's caution about the in-RAM vulnerabilities of the BitLocker whole drive encryption
  • A deep dive into last week's worrisome revelation about the lack of true security being offered by today's Self-Encrypting SSD drives.

Hosts: Steve Gibson and Leo Laporte


Income, tax and immigration data stolen in breach

The Centers for Medicare and Medicaid Services (CMS) now has details about the data stolen in the breach of that occurred last month. According to the government agency, a significant amount of personal information including partial Social Security numbers, tax information and immigration status was compromised in the breach. No financial information was stolen.

Via: TechCrunch

Source: Centers for Medicare and Medicaid Services

Social-Engineer Newsletter Vol 08 – Issue 110

Hi, It’s Your Bank Calling


So, you receive a call and it’s a local number or it’s the phone number of your bank: should you answer it or let it go to voicemail? But the caller ID looks familiar, so you answer. Can you trust that the person who is calling is who they say they are? Was this a sales call, a real call, or something called vishing?


Many people reason that if the number is showing as a known number, then the caller is who they say they are. However, the recipient may be unaware that the caller is looking to vish them. If you are unfamiliar with what vishing is, it is defined, according to The Social Engineering Framework, as the practice of eliciting information or attempting to influence action via the telephone. Vishing can literally be described as voice phishing. The goal of vishing is similar to phishing in that it is to obtain valuable information that could contribute to the direct compromise of an organization or individual. Attackers can “spoof” their outgoing phone number to appear like a known number and pose as an authority figure, technician, or fellow employee in order to obtain sensitive information that could lead to the compromise of an organization or to your bank account being cleaned out.

Vishing has become one of the tools of choice by cybercriminals. An article from Fortune mentioned that the volume of mobile scam calls has increased from 3.7% of total calls in 2017 to 29.2% in 2018. They predict that the number will exceed 44% by early 2019.

Learn by example

To get an idea of what the scammers are doing, let’s look at some incidents that have been reported:

An article by WHNT News 19 discussed how an FBI agent’s mother fell for a call from someone pretending to be a relative who had a DUI and needed money. It also discussed how hundreds of a credit union’s clients received fraudulent calls from fraudsters spoofing bank numbers and asking them to validate their cards by providing the 3 numbers on the back.

Another incident involved someone claiming to be from the Woodburn, Oregon police department who called and told the victim to call a second number. That number belonged to a person who claimed to be an attorney for the police department.

The alleged attorney then directed the person to remain on the phone, go to a retail location, and buy a prepaid debit card to clear their fake warrant. When the person, being directed by the fake attorney, arrived at the store, a store employee told the person it was a scam. The phone call was then ended. The fraudulent caller used a fake caller ID showing the actual Woodburn PD number.

Some additional scams are the IRS Scam, the Kidnapping Scam, the Social Security Scam, and the Tech Support Scam:

  • The IRS Scam involves someone who is pretending to be an agent of the IRS and tells you they have a warrant for your arrest unless you pay some money immediately.
  • The Kidnapping Scam is where the scammer tells you he has kidnapped a family member, and that you need to make immediate payment for their release.
  • The Social Security Scam comes in many forms. One variant is where the caller poses as an SSA employee and needs personal information to round out your file. Another is you’re told that the SSA wants to increase your benefit payment but needs additional information to do so. A third variant involves a threat of stopping your Social Security benefits if you don’t give them the requested information.
  • The Tech Support Scam is where the caller attempts to have you pay for fraudulent tech support. Many of my friends have dealt with this and, unfortunately, two of them even fell for the call and paid money to the scammer.

“I’ll never fall for that”

You may reason that you are too tech savvy to become a victim of a vishing call. Many think that way and in the article Voice Phishing Scams Are Getting More Clever by Brian Krebs, he relates several experiences of tech savvy people that either fell for a scam or came critically close to falling for one.

What is it that makes people, even tech savvy people, fall for these calls? Let’s break down the call and see:

  • The caller ID looks familiar;
  • The caller is persistent, calling back multiple times, creating a sense of urgency or importance to get you to answer;
  • The caller uses a pretext that sounds believable;
  • The caller uses rapport and trust to convince you that everything they do and say is for your best interest;
  • The caller has personal information on you that you believe only the legitimate company would know. Information such as the last 4 digits of your credit card or Social Security number;
  • When you combine all these points and the fact that the caller will do all they can to influence you into giving them the information they need, even the most tech savvy person may fall for the call.

Do I need to answer?

What should you do to keep from becoming a victim of vishing? Corporations can help their employees by including vishing training as part of their security awareness program, and by training employees to report any suspicious work calls to the appropriate team at the company. As an individual, if the call isn’t from someone in your contacts, let it go to voicemail. You don’t have to answer every phone call. But if you really feel the need to answer the call, then apply the following strategies:

  • Trust your gut. Most of the time, if a call is making you uncomfortable, realize you are probably right. Hang up and report the call.
  • If the caller says they are from your bank, hang up and call the number on the back of your card.
  • If the caller says he is a vendor or client, hang up and call a known number for that entity.
  • If any caller asks you for PII (personal identifying information), do not give anything to any unverified caller, regardless of the threats they may make.
  • If you receive an urgent call from a supposed family member who has had something tragic occur, call that family member or other close relatives to verify the story directly before you wire or send any money. (Do this even if they beg you not to.)
  • Remember, scammers want to drive you to react emotionally, so if you receive a possible vishing call take pause, breathe, and take a moment to get your critical thinking back in place before you are manipulated into making a poor decision.

Keep these tips in mind as you keep your family, finances and personal information secure and safe from malicious vishers.

Stay safe and secure,

Written By: Mike Hadnagy

The post Social-Engineer Newsletter Vol 08 – Issue 110 appeared first on Security Through Education.

SN 688: PortSmash

  • A close look at the impact and implication of the new "PortSmash" attack against Intel (and almost certainly other) processors.
  • The new "BleedingBit" Bluetooth flaws
  • JavaScript is no longer optional with Google
  • A new Microsoft Edge browser 0-day
  • Windows Defender plays in its own sandbox
  • Microsoft and SysInternals news
  • The further evolution of the CAPTCHA
  • The 30th anniversary of the Internet's first worm
  • A bizarre requirement of Ransomware
  • A nice new bit of security non-tech from Apple

Hosts: Steve Gibson and Leo Laporte


US government accuses Chinese hackers of stealing jet engine IP

The Justice Department has charged ten Chinese nationals -- two of whom are intelligence officers -- with hacking into and stealing intellectual property from a pair of unnamed US and French companies between January 2015 and at least May 2015. The hackers were after a type of turbofan (a portmanteau of turbine and fan), a large commercial airline engine, either to avoid the development costs or to avoid having to buy it. According to the complaint by the Department of Justice, a Chinese aerospace manufacturer was simultaneously working on a comparable engine. The hack affected unnamed aerospace companies located in Arizona, Massachusetts and Oregon.

Via: ZD Net

Source: US Department of Justice

How HTTPS Works – Let’s Establish a Secure Connection

The need to use HTTPS on your website has been spearheaded by Google for years (since 2014), and in 2018 we saw massive improvements as more of the web became...


The post How HTTPS Works – Let’s Establish a Secure Connection appeared first on PerezBox.

Uber hackers also reportedly breached LinkedIn’s training site

The hackers who were responsible for the Uber data breach that affected 57 million users around the world have been indicted... for another hack altogether, according to TechCrunch. Canadian citizen Vasile Mereacre and Florida resident Brandon Glover have been indicted for stealing account information from LinkedIn training site, but a TechCrunch source said they were also behind the massive Uber breach back in 2016. If true, then they got caught for a much smaller scheme: the Lynda cyberattack only compromised 55,000 accounts.

Source: TechCrunch

Cathay Pacific data breach affects up to 9.4 million customers

Cathay Pacific, the primary airline of Hong Kong known for its high-speed WiFi, was hit with a major data breach that affects up to 9.4 million passengers. The company said that personal information including passport numbers, identity card numbers, credit card numbers, frequent flyer membership program numbers, customer service comments and travel history had been compromised. No passwords were compromised, which may not be any consolation.

Via: The Guardian

Source: Cathay Pacific

Exclusive Interview with SPYSE team on free security tools and new projects


I don't think many of you have heard of SPYSE before (I hadn't before this interview), but let me tell you - they are amazing people, great developers, and believe me when I say they are contributing greatly to the information security community with their amazing tools and projects. I got interested, and frankly heard about them, when I checked out the certdb and findsubdomains projects - remarkable sites and highly recommended to have a look at! I authored a review of their projects - CertDB is a free SSL Search Engine, and Finding Sub-Domains for Open Source Intelligence - and have spoken highly of them. So, in the last few days I got a chance to ask them some questions on their project CertDB and their ongoing efforts, to share with you all.

What is CERTDB? Is it a project under some company, or a company in itself or an entrepreneurship idea from some smart team? Who's the backbone of CERTDB?

We are the SPYSE team, skilled specialists in the field of web analytics and digital security. In 2017 we formed a unit that, on a voluntary basis, will develop non-profit tools and services for the exploration and analytics of general data available on the internet. - internet-wide search engine for research and analytics of digital certificates. This is the first project of the SPYSE team, which gathered in 2017 with an ambition to make search engines across the entire Internet infrastructure for educational, research and practical purposes, which combine the key capabilities of e.g. Censys, Shodan, Domaintools and other services, and significantly exceed them in terms of data completeness and analytical capabilities. Our portfolio currently includes, besides CertDB, such services as designed to automate subdomain discovery. Currently we are working on another project related to DNS. We plan on releasing one project every month.

The mission of the project lies in blurring the widespread belief that an SSL Certificate is just a minor collection of data files that digitally bind a cryptographic key to a business's details. On the contrary, the creators of CertDB aim to change the nature of things around the average users of the internet.

Future projects include analytic tools for domain/subdomain analysis, IP ranges, DNS addresses, and connections between organizations and their digital assets. We believe that our team is quite strong and we plan on releasing one project every month. In about 4 months, we intend to group these services together to create a search engine that would encompass all of these areas. We make a search engine across the entire Internet infrastructure, which combines the key capabilities of Censys, Shodan, Domaintools and other services, and significantly exceeds them in terms of data completeness and analytical capabilities. This tool will have a more complete pool of data than any existing resource on the web.

Examples of available queries and CertDB use cases:

  1. A newly issued certificate could help identify the launch of a new service, a merger between organizations and other market activities faster than any press release.
  2. It is of utmost importance to keep track of SSL certificate expiration times. Once an SSL certificate expires, it could mean unpleasant consequences for both the website and the end user. These could include loss of trust, a drop in profits due to abandoned shopping carts, damage to the organization’s image and reputation, and privacy risks.
  3. CertDB is not a mechanism that is of use only to the professionals in the IT field. Exploring SSL certificates one can analyze business activity of not only individual organizations but also whole industries or markets, and identify trends.
  4. The company of the focus may issue the certificate in an organization with the domains of other companies, which could mean the collaboration or purchase of one company by another. Such information could potentially generate profits as insight information or even lead to the start of the investigation (if there are indications of unfair business practices)
  5. A company specializing in security breaches may use CertDB for researching the problematic certificates to weaken the possibility of the hacker attacks ultimately.
  6. The commercial SSL-selling firm may increase its sales by "warning" the companies suffering from the affected subdomains and domains.
  7. The company could register the domain hinting the upcoming start of the initial coin offerings. This promising piece of evidence can help with the competitive analysis or business analytics among others. Besides, it gives the data owner an ability to gather funds for the potential investment.
  8. The registration of a new unknown domain in Palo Alto may hint at a new start-up; switching from a "Wildcard" certificate to "Let's Encrypt" tells us about the organization's budget constraints.
  9. Based on the number of SSL certificates issued to domains of a particular country, as well as number of certificates per capita, one can gauge the maturity of IT infrastructure in different countries.

We are just at the beginning of our journey and would really appreciate any help or assistance – constructive feedback, advice, mentions, coverage options and connections.

Do you have any active market competition, and what is your USP (unique selling point) if there are other players?

CertDB's key selling points:
— it's completely free; we're developing these projects as volunteers for educational & research purposes, so they will be free forever;
— it's the most complete certificate base on the internet;
— it's the most accurate, and is updated every day by scanning the whole internet;
— CertDB has the best UI because we care not only about data but about user experience too.

We analyze the web 24/7 to offer you the most complete and up-to-date information about SSL certificates on the internet.

CertDB provides free access to its powerful API. You can use API for practical research or educational purposes, or for implementation of other programs and services.
Our service provides search capabilities by multiple criteria, quality filtering. We also aggregate data by various criteria, which makes it possible to see the picture on a larger scale.
We pay great attention to UX / UI, page load speed and other details, our projects are user-oriented. Our developers constantly investigate behavioral factors and feedback from users in order to make projects better.

In our previous discussion, you mentioned the search/filter capabilities of CERTDB that make you different from, let's say, CRT.SH. How about CENSYS ( - how do you stack up against them?

Our work on certificates, at first glance, is very similar to We proceeded from the same problems of developers and experts, therefore our search mechanisms have a number of coincidences. At the same time, it should be noted that we largely sought to make the project so that they could be used by non-professionals and also receive valuable information. We understand that this is a complex and lengthy process, but we are deeply committed to making and showing the market a product not for geeks, but for a wide audience.

You mentioned about scanning, and having sensors. How do you categorize or short-list the websites? And, if someone wants to list their website for active monitoring, do you have a SUBMISSION form?

In fact, our team does not only deal with digital certificates, of course. At the moment, we are exploring the web part of the entire IPv4 range by a variety of different techniques. A significant part of the data for the starting point of the research was taken from public sources, some were discovered by ourselves, some are obtained from partners. The SUBMISSION form seems to us inexpedient due to the fact that there are hardly any domains that we do not know about.

I checked my website in your database, and it shows my old certificate; how often do you plan to scan websites and do you have a priority criterion for scanning?

In the near future we are preparing an infrastructure for regular and systematic scanning of all known points on the Internet. According to our plans, in no more than a month we will be able to update the information for each point that has shown any signs of life in the last 6 months at least every two weeks; in reality, according to our expectations, much more often.

From a security point of view have you gone through any security testing or assessment in the past, or planned to do so?

The main part of the SPYSE team works in IT security. Project ideas were originally born out of our daily needs. We did and do testing for many companies (under NDA), we have quite a lot of knowledge. However, we distance our current services from our work, we target them for a much wider audience, for educational purposes, to give interested people more opportunities to study the Internet, and researchers to explore and analyze it for free.

If we talk about the security of our projects, then we try to make it right, although we have not focused on security issues separately - we have nothing to steal.

Do you plan to keep the service free, or launch any subscription based, or pricing model for better search, filters etc. in the future?

We plan to keep our services entirely free. We want to believe that our current affairs are useful to people. This motivates us the most. We really want to spread the message about our free services and make them accessible to regular users. Hope that readers of this article can support us in that.

// Keep it up guys, and we are excited for your new projects.

Cover Image Credit: Jonathan Velasquez

Important new report sheds light on the US government’s border stops of journalists

Reuters/Patrick T. Fallon

Sometimes, journalists’ stories take them across borders. But when journalists are targeted for interrogation about their work or are pressured into handing over their devices, they must go to extra lengths to protect their sources and reporting. A new report by the Committee to Protect Journalists (CPJ) sheds light on officials’ unacceptable targeting of reporters at the border.

CPJ identified 37 journalists who found secondary screenings by Customs and Border Patrol (CBP) to be invasive. Out of that group, 30 said they were questioned about their reporting, and 20 of them said their electronic devices were searched by border officers without a warrant. Between 2006 and June 2018, the 37 journalists were collectively stopped for screenings more than 110 times.

In several instances, United States border agents have demanded passwords to unlock journalists’ devices, which often contain sensitive information about stories and sources, as a condition for entry into the United States. Some journalists, like photojournalist David Devgen, have opted to surrender their passwords rather than have their devices confiscated. Journalist Ali Lafti unlocked his phone for CBP, believing he did not have a choice, and cultural reporter Anne Elizabeth Moore complied when asked by border agents to leave her phone on and unlocked on the dashboard of her car.

Others, like Canadian journalist Ed Ou, refuse to provide the passwords to their devices, and are denied entry into the country altogether. That journalists are forced to choose between their privacy and protecting the integrity of their reporting and their ability to report out a story is outrageous, and not a real choice at all.

In many of the cases included in CPJ’s report, journalists did not feel that they fully understood their rights, and whether they could refuse to surrender their devices or passwords. Ed Ou said that he was not prepared for what happened in the United States, which he had thought protected press freedom and freedom of expression.

CBP has broad authority to conduct searches at the border, including without a warrant.

“Courts have so far upheld the so-called “border exception” to the Fourth Amendment’s requirement that authorities obtain a warrant to search people and their belongings,” CPJ’s report reads. “But legal challenges are being mounted over whether physical objects—such as laptops and phones—and the digital information contained on these devices should be treated the same way.”

Senators have proposed two bills that would move to rein in CBP’s sweeping powers relating to device searches of U.S. citizens and permanent residents. The Protecting Data at the Border Act would require CBP to obtain a warrant for searches of Americans’ devices, and the Leahy-Daines Bill would prohibit border officers from conducting searches without first meeting a standard of reasonable suspicion.

Legislation that would protect the rights of American journalists at the border is critical, and these bills should be adopted (preferably the stronger Protecting Data at the Border Act). But oftentimes, it’s non-American journalists that are the most vulnerable at the border, who may have less legal support, and are perhaps less likely to know their rights in the United States. No journalist, American or not, should face threats to their reporting at the border, and the civil liberties and privacy of journalists who are not citizens or permanent residents are no less important.

The 37 cases explored by CPJ are a small subset of the millions of people and likely thousands of journalists who leave and enter the United States every year. So while it’s impossible to draw any sort of conclusion about trends from them, in general, border stops have increased under the Trump administration.

U.S. Customs and Border Patrol reported in April last year that searches increased from 8,500 in fiscal year 2015 to about 19,000 in fiscal year 2016, with another 15,000 conducted in just the first half of 2017. CPJ’s report has shed light on CBP’s dangerous treatment of journalists going about doing their jobs in the context of CBP’s increasingly disturbing privacy violations.

Secondary screenings that target journalists traveling for work are deeply concerning and threaten to undermine press freedom. As federal agencies ramp up warrantless searches of devices at the border, the protection of journalists’ digital lives and the work of civil liberties groups has never been more important.

US intelligence chief says ‘no evidence’ of Chinese spy chips

Dan Coats, the US director of national intelligence, said there's "no evidence" that Chinese spies tampered with servers bought by up to 30 companies, including the likes of Apple and a telecom provider, as Bloomberg reported earlier this month. However, he told Cyberscoop that "we're not taking anything for granted. We haven't seen anything, but we're always watching."

Via: The Verge

Source: Cyberscoop

Apple CEO calls on Bloomberg to retract China surveillance report

Earlier this month, Bloomberg reported that San Jose-based server company Super Micro installed surveillance micro-chips in the Chinese data center hardware of up to 30 companies, including Amazon and Apple. These chips were supposedly used to steal intellectual property. However, all companies that were named in the initial report have denied Bloomberg's claims. Now, Apple CEO Tim Cook is calling on the well-reputed publication to retract its story altogether, according to BuzzFeed News.

Source: BuzzFeed News

Facebook’s confusion about its Portal camera is concerning

Facebook couldn't have picked a worse time to introduce Portal, a camera-equipped smart display designed to make video chatting in your home easier. And, if the rumors are true, the company is reportedly also preparing to launch a video chat camera for your TV, based on the same system as Portal. Not only does news of this hardware come at a time when Facebook is under major scrutiny after suffering a massive data breach in September, which exposed private information of 29 million users, including usernames, birth date, gender, location, religion and the devices used to browse the site. But the most concerning part about Portal is that Facebook's own executives don't seem to have a basic understanding of what types of data the company will be collecting or what it will be using it for.

Mystery around Trend Micro apps still lingers one month later

It’s been a little over a month since several Trend Micro apps were kicked out of the Mac App Store by Apple over allegations of stealing user data, but several crucial questions remain unanswered.

To recap, security researchers discovered that seven Trend Micro apps were collecting users’ browser data without notifying users (the vendor claims the data collection was included in its EULAs, but it later conceded the apps had no secondary, informed consent process). Following the removal of those apps, Trend Micro’s story of what took place changed several times – the first statement indicated everything was fine and that the apps were working as designed, while subsequent updates blamed the fiasco on common code libraries that were mistakenly used in certain apps and conceded that the user notification and permission processes needed an overhaul.

Trend Micro last week issued its latest statement on the situation, which included an answer to a vital question about what had happened with these Mac apps: “The data was never shared with any third party, monetized for ad revenue, or otherwise used for any purpose other than the security of customers.”

While that was an important disclosure, there were still questions Trend Micro had yet to answer. I sent some of those questions to Trend Micro; a company spokesperson replied with a statement addressing some of the points but sidestepping others.

  • What happened with “Open Any File: RAR Support”? Initially, researchers identified several apps that were collecting browser histories, and Trend Micro disclosed that five of those apps — Dr. Antivirus, Dr. Battery, Dr. Cleaner, Dr. Cleaner Pro, Dr. Unarchiver and Duplicate Finder – were the company’s property. But two days later, Trend Micro named a sixth app, Open Any Files. Why did it take two days for the company to disclose this? How did Trend Micro not know the Open Any Files app belonged to them? Trend Micro didn’t directly address these questions.
  • Why wasn’t Open Any Files listed as a Trend Micro app? This is one of the stranger parts of the Trend Micro apps controversy. According to a cached Mac App Store page for Open Any Files, there’s no mention of Trend Micro at all. Instead, the app is attributed to a developer named “Hao Wu,” and the description lists Wu as the copyright holder as well. Here is Trend Micro’s answer: “Open Any Files was created by a former Trend Micro developer as a short term pilot project to provide consumers with a number of helpful utilities,” the spokesperson wrote. “As there were no long term plans in place for the support of this application at the time of registration and copyright, full corporate branding was not applied. As you will know, we have decided to stop development and distribution of this particular app.” The spokesperson also said Open Any Files was released in late 2017 with the browser data collection module enabled, but “starting with the version released in April 2018 (which was publicly available when this issue was reported in September) that functionality had already been removed.”
  • What was Open Any Files’ purpose? The only indications that Open Any Files belonged to Trend Micro are, according to MalwareBytes’ Thomas Reed, that the app was uploading users’ browser data to a Trend Micro domain, and it promoted another Trend Micro app in Dr. Antivirus. “Promoted” might be too soft a word; according to Reed’s assessment, Open Any Files was similar to other “scam applications” that warn users who attempt to open a file with the app that the file in question can’t be opened because it is infected and that users should scan the file with the promoted antivirus app. I asked Trend Micro if the company disputed Reed’s characterization of the app; the spokesperson did not address this question.
  • Who is Hao Wu? It appears from Trend Micro’s statement that Wu is a former developer at the company, but the company isn’t saying anything beyond that. Information from Apple’s Mac and iOS app stores is limited as well. It appears the developer behind Open Any Files is the same Hao Wu that is listed as the owner developer of other apps such as Weird Calc, iWiFiTest, Mr. Cleaner and Thinnest Calculator, but the developer’s app store profile appears to have been removed.
  • Is Trend Micro sure how much data its apps collected? On multiple occasions, the vendor explicitly stated data collection included only a small snapshot of users’ browser data – 24 hours prior to the installation of the apps. But Reed’s analysis of several of Trend Micro’s apps, including Open Any File and Dr. Antivirus, found they were collecting complete browsing and search histories from users. “It could be argued that it is useful for antivirus software to collect certain limited browsing history leading up to a malware/webpage detection and blocking,” Reed wrote in his analysis. “But it is very hard to argue to exfiltrate the entire browsing history of all installed browsers regardless of whether the user has encountered malware or not.” In addition, Reed discovered Dr. Antivirus was also uploading a list with “detailed information about every application found on the system,” which the company had yet to explain in its official statements and FAQ on the matter. Trend Micro responded to these questions. “We must reiterate our earlier statement that the apps in question performed a one-time upload of a snapshot of browser history covering the 24 hours prior to installation for security purposes,” the spokesperson wrote. “In addition, Dr. Antivirus included an app reputation feature that checked for malicious apps and fed anonymized app information into our large app reputation data base to protect users from potentially dangerous apps.”

It’s still unclear why Trend Micro would allow one of its developers to push out an app like Open Any Files if the company – by its own admission – never had any long term support plans for it. It’s also unclear why Trend Micro would remove the data collection feature for this specific app (and not others) but never properly brand Open Any Files.

To its credit, Trend Micro hasn’t ignored the situation or tried to erase its earlier denials of wrongdoing. But given the situation, the company owes more transparency about this episode and what oversight and controls it has around its app development process. The application ecosystem is full of threats, with countless apps performing a bevy of unscrupulous activity or downright malicious attacks against users. We’ve come to expect that kind of activity from get-rich-quick scam artists, cybercriminals and APTs. We don’t, however, expect it to come from one of the world’s largest and most successful security vendors.

The post Mystery around Trend Micro apps still lingers one month later appeared first on Security Bytes.

Improve Security by Thinking Beyond the Security Realm

It used to be that dairy farmers relied on whatever was growing in the area to feed their cattle. They filled the trough with vegetation grown right on the farm. They probably relied heavily on whatever grasses grew naturally and perhaps added some high-value grains like barley and corn. Today, with better technology and knowledge, dairy farmers work with nutritionists to develop a personalized concentrate of carbohydrates, proteins, fats, minerals, and vitamins that gets added to the natural feed. The result is much healthier cattle and more predictable growth.

We’re going through a similar enlightenment in the security space. To get the best results, we need to fill the trough that our Machine Learning will eat from with high-value data feeds from our existing security products (whatever happens to be growing in the area) but also (and more precisely for this discussion) from beyond what we typically consider security products to be.

In this post to the Oracle Security blog, I make the case that "we shouldn’t limit our security data to what has traditionally been in-scope for security discussions" and how understanding Application Topology (and feeding that knowledge into the security trough) can help reduce risk and improve security.

Click to read the full article: Improve Security by Thinking Beyond the Security Realm

Pentagon data breach compromises up to 30,000 workers

The Pentagon still has to grapple with data security woes despite efforts to harden its sites and networks. Defense Department officials have revealed that a travel record data breach at an unnamed contractor exposed the personal info of military and civilian staffers, including credit cards. An AP source said that this didn't compromise classified material, but it affected "as many as" 30,000 workers. There's a chance that number might get larger, according to the source.

Source: AP News

Good Password Hygiene Requires Behavior Changes and Password Managers

For years I advocated the importance of good hygiene. The importance of using complex, long and unique passwords. But where this approach falls short is that it’s dependent on one...


The post Good Password Hygiene Requires Behavior Changes and Password Managers appeared first on PerezBox.

Do You Suffer From Breach Optimism Bias?

If you’ve been in the information security field for at least a year, you’ve undoubtedly heard your organization defend the lack of investment in, change to or optimization of a cybersecurity policy, mitigating control or organizational belief. This “It hasn’t happened to us so it likely won’t happen” mentality is called optimism bias, and it’s an issue in our field that predates the field itself.

Read my full article over at

Firewalls and the Need for Speed

I was looking for resources on campus network design and found these slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:

This bothered me, so I Tweeted about it.

This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:

What do you think of this architecture?

My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the original recommendation, and what problems do I have (if any) with the 2018 version?

First, let's be clear that I have always differentiated between visibility and control. A firewall is a poor visibility tool, but it is a control tool. It controls inbound or outbound activity according to its ability to perform in-line traffic inspection. This inline inspection comes at a cost, which is the major concern of those responding to my Tweet.

Notice how the presentation author thinks about firewalls. In the slides above, from the 2018 version, he says "firewalls don't protect users from getting viruses" because "clicked links while browsing" and "email attachments" are "both encrypted and firewalls won't help." Therefore, "since firewalls don't really protect users from viruses, let's focus on protecting critical server assets," because "some campuses can't develop the political backing to remove firewalls for the majority of the campus."

The author is arguing that firewalls are an inbound control mechanism, and they are ill-suited for the most prevalent threat vectors for users, in his opinion: "viruses," delivered via email attachment, or "clicked links."

Mail administrators can protect users from many malicious attachments. Desktop anti-virus can protect users from many malicious downloads delivered via "clicked links." If that is your worldview, of course firewalls are not important.

His argument for firewalls protecting servers is, implicitly, that servers may offer services that should not be exposed to the Internet. Rather than disabling those services, or limiting access via identity or local address restrictions, he says a firewall can provide that inbound control.

These arguments completely miss the point that firewalls are, in my opinion, more effective as an outbound control mechanism. For example, a firewall helps restrict an adversary's access to his victims when they reach outbound to establish post-exploitation command and control. This relies on the firewall identifying the attempted C2 as malicious. To the extent intruders encrypt their C2 (and sites fail to inspect it) or use covert mechanisms (e.g., C2 over Twitter), firewalls will be less effective.

The previous argument assumes admins rely on the firewall to identify and block malicious outbound activity. Admins might alternatively identify the activity themselves, and direct the firewall to block outbound activity from designated compromised assets or to designated adversary infrastructure.
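The outbound-control model described above, in which analysts designate compromised hosts and adversary infrastructure and the firewall blocks outbound flows matching either list, as an added example written for this page rather than code from the original post. It is a Python policy evaluator run over constructed flow records; every address, netblock and port below is constructed. The last sample flow deliberately shows the gap the post names: encrypted traffic on a permitted port to a host nobody has listed passes, so the policy is only as good as the visibility feeding it.

```python
"""Egress-control policy evaluated over constructed outbound flows.

Added example for this page; not code from the original post. Models a
stateful firewall that is told by analysts which internal hosts are
quarantined and which external networks are adversary infrastructure,
and otherwise only restricts the destination port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt (constructed sample data)."""
    src: str
    dst: str
    dport: int


class EgressPolicy:
    """What the firewall is directed to block on the way out."""

    def __init__(self, internal_networks, quarantined_hosts,
                 adversary_networks, allowed_ports):
        # Address space the organisation owns; flows staying inside it pass.
        self.internal = [ip_network(n) for n in internal_networks]
        # Internal assets an analyst has designated as compromised.
        self.quarantined = {ip_address(h) for h in quarantined_hosts}
        # Adversary infrastructure identified by the analysts.
        self.adversary = [ip_network(n) for n in adversary_networks]
        # Ports ordinary hosts may use to reach the Internet.
        self.allowed_ports = set(allowed_ports)

    def decide(self, flow):
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src in self.quarantined:
            return "BLOCK", "source host quarantined"
        if any(dst in net for net in self.adversary):
            return "BLOCK", "destination is listed adversary infrastructure"
        if any(dst in net for net in self.internal):
            return "ALLOW", "internal destination"
        if flow.dport not in self.allowed_ports:
            return "BLOCK", f"tcp/{flow.dport} not permitted outbound"
        # Anything else passes. This is the gap the post describes: C2 that is
        # encrypted on a permitted port to an unlisted host is not caught here.
        return "ALLOW", "permitted port, destination not on any list"


def evaluate(policy, flows):
    """Return (flow, verdict, reason) for every flow, in order."""
    return [(f, *policy.decide(f)) for f in flows]


def summarize(decisions):
    """Count verdicts so the analyst can see what the policy is doing."""
    counts = {"ALLOW": 0, "BLOCK": 0}
    for _, verdict, _ in decisions:
        counts[verdict] += 1
    return counts


# Constructed policy: 10.0.0.0/8 is internal, one host is quarantined and
# one TEST-NET block stands in for analyst-identified adversary space.
POLICY = EgressPolicy(
    internal_networks=["10.0.0.0/8"],
    quarantined_hosts=["10.0.5.23"],
    adversary_networks=["203.0.113.0/24"],
    allowed_ports=[53, 80, 443],
)

# Constructed flow records (documentation address ranges only).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "198.51.100.7", 443),    # ordinary web traffic
    Flow("10.0.1.10", "203.0.113.45", 443),    # to the listed adversary block
    Flow("10.0.5.23", "198.51.100.9", 80),     # from the quarantined host
    Flow("10.0.1.11", "198.51.100.20", 4444),  # unusual outbound port
    Flow("10.0.1.11", "10.0.2.5", 445),        # internal file sharing
    Flow("10.0.1.12", "192.0.2.77", 443),      # encrypted, unlisted: passes
]

if __name__ == "__main__":
    decisions = evaluate(POLICY, SAMPLE_FLOWS)
    for flow, verdict, reason in decisions:
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
    print(summarize(decisions))
```

The quarantine check runs first on purpose: once a host is designated compromised, the firewall should refuse its egress regardless of destination, which is the simplest form of the admin-directed blocking the post describes.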

As some Twitter responders said, it's possible to do some or all of this without using a stateful firewall. I'm aware of the cool tricks one can play with routing to control traffic. Ken Meyers and I wrote about some of these approaches in 2005 in my book Extrusion Detection. See chapter 5, "Layer 3 Network Access Control."

Implementing these non-firewall-based security choices requires a high degree of diligence, which in turn requires visibility. I did not see this emphasized in the NSRC presentation. For example:

These are fine goals, but I don't equate "manageability" with visibility or security. I don't think "problems and viruses" captures the magnitude of the threat to research networks.

The core of the reaction to my original Tweet is that I don't appreciate the need for speed in research networks. I understand that. However, I can't understand the requirement for "full bandwidth, un-filtered access to the Internet." That is a recipe for disaster.

On the other hand, if you define partner specific networks, and allow essentially site-to-site connectivity with exquisite network security monitoring methods and operations, then I do not have a problem with eliminating firewalls from the architecture. I do have a problem with unrestricted access to adversary infrastructure.

I understand that security doesn't exist to serve itself. Security exists to enable an organizational mission. Security must be a partner in network architecture design. It would be better to emphasize enhanced monitoring for the networks discussed above, and to think carefully about enabling speed without restrictions. The NSRC resources on the science DMZ merit consideration in this case.

Convergence is the Key to Future-Proofing Security

I published a new article today on the Oracle Security blog that looks at the benefits of convergence in the security space as the IT landscape grows more disparate and distributed.

Security professionals have too many overlapping products under management and it's challenging to get quick and complete answers across hybrid, distributed environments. It's challenging to fully automate detection and response. There is too much confusion about where to get answers, not enough talent to cover the skills requirement, and significant hesitation to put the right solutions in place because there's already been so much investment.

Here are a couple of excerpts:

Here’s the good news: Security solutions are evolving toward cloud, toward built-in intelligence via Machine Learning, and toward unified, integrated-by-design platforms. This approach eliminates the issues of product overlap because each component is designed to leverage the others. It reduces the burden related to maintaining skills because fewer skills are needed and the system is more autonomous. And, it promotes immediate and automated response as opposed to indecision. While there may not be a single platform to replace all 50 or 100 of your disparate security products today, platforms are emerging that can address core security functions while simplifying ownership and providing open integration points to seamlessly share security intelligence across functions.

Forward-looking security platforms will leverage hybrid cloud architecture to address hybrid cloud environments. They’re autonomous systems that operate without relying on human maintenance, patching, and monitoring. They leverage risk intelligence from across the numerous available sources. And then they rationalize that data and use Machine Learning to generate better security intelligence and feed that improved intelligence back to the decision points. And they leverage built-in integration points and orchestration functionality to automate response when appropriate.

Click to read the full article: Convergence is the Key to Future-Proofing Security

The Quest for Optimal Security – The Falcon’s View

There's no shortage of guidance available today about how to structure, build, and run a security program. Most guidance comes from a standpoint of inherent bias, whether it be to promote a product class, specific framework/standard, or to best align with specific technologies (legacy/traditional infrastructure, cloud, etc.). Given all the competing advice out there, I often find it's hard to suss out exactly what one should be doing. As someone actively on the job hunt, this reality is even more daunting because job descriptions will typically contain a smattering of biases, confirmed or contradicted through interview processes. But, I digress...

At end of day, the goal of your security program should be to chart a path to an optimal set of capabilities. What exactly constitutes "optimal" will in fact vary from org to org. We know this is true because otherwise there would already be a settled "best practice" framework to which everyone would align. That said, there are a lot of common pieces that can be leveraged in identifying the optimal program attributes for your organization.

The Basics

First and foremost, your security program must account for basic security hygiene, which creates the basis for arguing legal defensibility; which is to say, if you're not doing the basics, then your program can be construed as insufficient, exposing your organization to legal liability (a growing concern). That said, what exactly constitutes "basic security hygiene"?

There are a couple of different ways to look at basic security hygiene. For starters, you can look at it by technology grouping:
- Network
- Endpoint
- Data
- Applications
- etc.

However, listing out specific technologies can become cumbersome, plus it doesn't necessarily lend itself well to thinking about security architecture and strategy. A few years ago I came up with an approach that looks like this:


More recently, I learned of the OWASP Cyber Defense Matrix, which takes a similar approach to mine above, but mixing it with the NIST Cybersecurity Framework.

Overall, I like the simplicity of the CDM approach as I think it covers sufficient bases to project a legally defensible position, while also ensuring a decent starting point that will cross-map to other frameworks and standards depending on the needs of your organization (e.g., maybe you need to move to ISO 27001 or complete a SOC 1/2/3 certification).

Org Culture

One of the oft-overlooked, and yet insanely important, aspects of designing an approach to optimal security for your organization is to understand that it must exist completely within the organization's culture. After all, the organization is comprised of people doing work, and pretty much everything you're looking to do will have some degree of impact on those people and their daily lives.


As such, when you think about everything, be it basic security hygiene, information risk management, or even behavioral infosec, you must first consider how it fits with org culture. Specifically, you need to look at the values of the organization (and its leadership), as well as the behaviors that are common, advocated, and rewarded.

If what you're asking people to do goes against the incentive model within which they're operating, then you must find a way to either better align with those incentives or change the incentives such that they encourage preferred behaviors. We'll talk more about behavioral infosec below, so for this section the key takeaway is this: organizational culture creates the incentive model(s) upon which people make decisions, which means you absolutely must optimize for that reality.

For more on my thoughts around org culture, please see my post "Quit Talking About "Security Culture" - Fix Org Culture!"

Risk Management

Much has been said about risk management over the past decade-plus, whether it be PCI DSS advocating for a "risk-based approach" to vulnerability management, or updates to the NIST Risk Management Framework, or the advocacy of ISO 27005/31000 or of proponents of a quantitative approach (such as the FAIR Institute).

The simple fact is that, once you have a reasonable base set of practices in place, almost everything else should be driven by a risk management approach. However, what this means within the context of optimal security can vary substantially, not least because of staffing challenges. If you are a small-to-medium-sized business, then your reality is likely one where you, at best, have a security leader of some sort (CISO, security architect, security manager, whatever) and then maybe up to a couple of security engineers (doers), maybe someone for compliance, and then most likely a lot of outsourcing (MSP/MSSP/MDR, DFIR retainer, auditors, contractors, consultants, etc.).

Risk management is not your starting point. As noted above, there are a number of security practices that we know must be done, whether that be securing endpoints, data, networks, access, or what-have-you. Where we start needing risk management is when we get beyond the basics and try to determine what else is needed. As such, the crux of optimal security is having an information risk management capability, which means your overall practice structure might look like this:


However, don't get wrapped around the axle too much on how the picture fits together. Instead, be aware that your basics come first (out of necessity), then comes some form of risk mgmt., which will include gaining a deep understanding of org culture.

Behavioral InfoSec

The other major piece of a comprehensive security program is behavioral infosec, which I have talked about previously in my posts "Introducing Behavioral InfoSec" and "Design For Behavior, Not Awareness." In these posts, and other places, I talk about the imperative to key in on organizational culture, and specifically look at behavior design as part of an overall security program. However, there are a couple key differences in this approach that set it apart from traditional security awareness programs.
1) Behavioral InfoSec acknowledges that we are seeking preferred behaviors within the context of organizational culture, which is the set of values of behaviors promoted, supported, and rewarded by the organization.
2) We move away from basic "security awareness" programs like annual CBTs toward practices that seek measurable, lasting change in behavior that provide positive security benefit.
3) We accept that all security behaviors - whether it be hardening or anti-phishing or data security (etc) - must either align with the inherent cultural structure and incentive model, or seek to change those things in order to heighten the motivation to change while simultaneously making it easier to change.

To me, shifting to a behavioral infosec mindset is imperative for achieving success with embedding and institutionalizing desired security practices into your organization. Never is this more apparent than in looking at the Fogg Behavior Model, which explains behavior thusly:

In writing, it says that behavior happens when three things come together: motivation, ability, and a trigger (prompt or cue). We can diagram behavior (as above) wherein motivation is charted on the Y-axis from low to high, ability is charted on the X-axis from "hard to do" to "easy to do," and a prompt (or trigger) falls either to the left or right of the "line of action," which means the prompt itself is less important than one's motivation and the ease of the action.

We consistently fail in infosec by not properly accounting for incentive models (motivation) or by asking people to do something that is, in fact, too difficult (ability; that is, you're asking for a change that is hard, maybe in terms of making it difficult to do their job, or maybe just challenging in general). In all things, when we think about information risk mgmt. and the kinds of changes we want to see in our organizations beyond basic security hygiene, it's imperative that we also understand the cultural impact and how org culture will support, maybe even reward, the desired changes.

Overall, I would argue that my original pyramid diagram ends up being more useful insomuch as it encourages us to think about info risk mgmt. and behavioral infosec in parallel and in conjunction with each other.

Putting It All Together

All of these practice areas - basic security hygiene, info risk mgmt, behavioral infosec - ideally come together in a strategic approach that achieves optimal security. But, what does that really mean? What are the attributes, today, of an optimal security program? There are lessons we can learn from agile, DevOps, ITIL, Six Sigma, and various other related programs and research, ranging from Deming to Senge and everything in between. Combined, "optimal security" might look something like this:

   - Generative (thinking beyond the immediate)
   - Mindful (thinking of people and orgs in the whole)
   - Discursive (collaborative, communicative, open-minded)

   - Efficient (minimum steps to achieve desired outcome)
   - Effective (do we accomplish what we set out to do?)
   - Managed (haphazard and ad hoc are the enemy of lasting success)

   - Measured (applying qualitative or quantitative approaches to test for efficiency and effectiveness)
   - Monitored (not just point-in-time, but watched over time)
   - Reported (to align with org culture, as well as to help reform org culture over time)

   - Defined (what problem is being solved? what is the desired outcome/impact? why is this important?)
   - Mapped (possibly value stream mapping, possibly net flows or data flows, taking time to understand who and what is impacted)
   - Reduced (don't bite off too much at once, acknowledge change requires time, simplify simplify simplify)

   - Systemic understanding (the organization is a complex organism that must work together)
   - Automated where possible (don't install people where an automated process will suffice)
   - Minimized complexity (perfect is the enemy of good, and optimal security is all about "good enough," so seek the least complex solutions possible)

Obviously, much, much more can be said about the above, but that's fodder for another post (or a book, haha). Instead, I present the above as a starting point for a conversation to help move everyone away from some of our traditional, broken approaches. Now is the time to take a step back and (re-)evaluate our security programs and how best to approach them.

Insurance Occurrence Assurance?

You may have seen my friend Brian Krebs’ post regarding the lawsuit filed last month in the Western District of Virginia after $2.4 million was stolen from The National Bank of Blacksburg in two separate breaches over an eight-month period. Though the breaches are concerning, the real story is that the financial institution is suing its insurance provider for refusing to fully cover the losses.

From the article:

In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

Cyber security insurance is still in its infancy and issues with claims that could potentially span multiple policies and riders will continue to happen – think of the stories of health insurance claims being denied for pre-existing conditions and other loopholes. This, unfortunately, is the nature of insurance. Legal precedent, litigation, and insurance claim issues aside, your organization needs to understand that cyber security insurance is but one tool to reduce the financial impact on your organization when faced with a breach.

Cyber security insurance cannot and should not, however, be viewed as your primary means of defending against an attack.

The best way to maintain a defensible security posture is to have an information security program that is current, robust, and measurable. An effective information security program will provide far more protection for the operational state of your organization than cyber security insurance alone. To put it another way, insurance is a reactive measure whereas an effective security program is a proactive measure.

If you were in a fight, would you want to wait and see what happens after a punch is thrown to the bridge of your nose? Perhaps you would like to train to dodge or block that punch instead? Something to think about.

Finding subdomains for open source intelligence and pentest

Many of us are in the security consulting business, or bug bounties, or even network intelligence, and now and then come across a need to find subdomains. The requirement can come from either side of the table - a consultant assessing a client's internet presence, or a company validating its own digital footprint. In more than a decade, it has happened so many times that people are not aware of what old assets they are running, which can then be exploited to damage either the brand image or actual networks. These assets can also be used as proxies or hops to gain access to supposedly well-guarded data.

The most common way to search for subdomains (that I have used) so far is old school Google search with dorks. To dig deeper, iterate it with all visible subdomains from the results, i.e. -www or -www -test. It will exclude, and and so on. Later I found some more tools, like Pentest Tool Subdomain, DNS Dumster, Cloudpiercer, Netcraft etc. All these tools are either expensive or don't do the job well. Meh!

Finally, while having a conversation with the SPYSE team (the astounding squad behind the CertDB project), I got to know about their new project - FindSubDomains, a free and fantastic tool/project to find subdomains for a given domain. Last time I covered their CertDB project in detail, and now, after being impressed by FindSubDomains, it was time to review and share this excellent tool with you! It not only lists subdomains but a whole lot of intelligence behind them, such as:

  1. IP Addresses
  2. DNS records
  3. Countries
  4. Subnets
  5. AS Blocks
  6. Organization names etc.

Any of these parameters can be used to filter or search the list of subdomains - I mean, it's terrific!

But how does this stack up against the commonly known tools? Let's find out. For the sake of testing, let's take the domain and try finding the subdomains with different tools/mediums. Let's start with old school Google search.

After only 4-5 searches/iterations it became a tedious process. And when you try to automate it, Google merely pops up a reCAPTCHA challenge. In general, it's worth it to search a few targeted domains, but worthless for querying subdomains at scale. Not recommended for such tasks!

How about using the pentest-tools tool? First things first, it is not a free service and would require you to buy credits. I just performed a free search, and the results from pentest-tools were not convincing.


After the search, it could only find 87 subdomains, and the details included the subdomain and its respective IP address. Netcraft and DNSDumpster had the same disappointing results - the first found 180 records with no way to download or filter them, and the latter was capped at 150 results with a lousy UI/UX. To summarise, none of the tools could deliver a straightforward and intelligent list of subdomains.

FindSubDomains: Is it any different; any better?

To give you a straight answer - Hell yes! Kudos to the SPYSE team, it is way better than the ones I was using before.
The same subdomain search performed via FindSubDomains returned 1900+ results. It is remarkable!

I mean when others failed miserably to provide even 200 results, FindSubDomains just nailed it with 1900+ results. Bravo!


All of these 1900+ results are at your disposal without paying a single cent, and without pop-up advertisements, credits or caps. You can not only list these results in the UI but also download them as a TXT file. Also, you can view the IP address, geographical region, IP segment and respective AS block details for each subdomain. That is some remarkable open source intelligence in a second, without scripts or endless iterations!

To me, the SPYSE team 100% justify their project objective:

FindSubDomains is designed to automate subdomain discovery. This task often falls to system security specialists who study the company as a black box in order to search for vulnerabilities, as well as to marketers and entrepreneurs whose goal is to competitively analyze other players on the market in the hope of quickly learning about the emergence of a new vector in a competitor's development, as well as obtaining information about its internal infrastructure.

FindSubDomains: Search and Filter

On top of the search, their filters are amazing if you have to search for specific information on a domain, a subdomain or its respective fields as discussed. They also have some pre-filtered results or trivia points:

  1. Top 100 sites and their subdomains:
  2. Sites with the highest number of subdomains:
  3. Top countries with the highest number of subdomains:
    = INDIA:
    = CHINA:
  4. Top names for subdomains (my favourite) or most common subdomains:

The last one is convenient when surveying a client's network, or shocking a client with their digital footprint.

FindSubDomains: Dashboard and Custom Tasks

Now, when I signed in (sign-up is easy) I was welcomed by a Dashboard which shows Total, Ongoing and Remaining tasks. I can start a new task using either a domain or a word to search for. The word search is great if I don't know the complete domain name. This task-execution capability is there to supplement anything you don't find on their main page or in the existing database (which, believe me, is huge). For every task, it can list up to 50,000 subdomains for a domain and takes around 6 minutes (you can set up an alert, and the platform will notify you via email on completion).

To execute the task of finding subdomains, it uses various techniques:

  1. Many subdomains can be discovered by crawling the site and analyzing its pages as well as its resource files;
  2. AXFR (DNS Zone Transfer) requests for some domains often reveal a lot of valuable information about them;
  3. Search and analysis of historical data that matches the search term.

While the tool is impressive, and I can't repeat that enough, I would have appreciated the capability to execute the tasks via an API, and some programmable way to automate it from the command line/ terminal. I know I may find ways to do it with curl, but an API key would have made things more comfortable and convenient.

FindSubDomains: Usage Scenarios

Here are some scenarios I can use this tool,

  1. During pentest reconnaissance phase, collecting information on the target network.
  2. As a supporting tool to gather network intelligence on firms and their respective domains.
  3. Assessing your company's network and digital footprint. Many times you will be surprised to find wide, unaccounted-for exposure.
  4. Keeping track of external-facing subdomains - UAT, SIT, STAGING etc. - which ideally should either be locked down or whitelisted. Imagine how insecure these platforms are, which often even contain production data.
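The last two scenarios are the ones where I end up doing the same manual triage every time: take the exported TXT list, group it by apex domain and pull out the hostnames whose names say UAT, SIT, STAGING and so on. Below is an added example that does exactly that triage; it is my own code, not part of FindSubDomains, and the hostname list, the apex example.com and the set of environment markers are constructed placeholders.

```python
"""Triage an exported subdomain list for environments that should not face the
internet.  Added example; the input below is constructed, not an export from
FindSubDomains, and example.com is a placeholder apex."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Name fragments that usually mark non-production environments.  Assumption:
# extend this to match your own organisation's naming convention.
NON_PROD_MARKERS = {"uat", "sit", "staging", "stage", "dev", "test", "qa", "preprod"}

# Constructed sample in the one-hostname-per-line shape of a TXT export.
SAMPLE_EXPORT = """\
www.example.com
api.example.com
uat-api.example.com
sit.payments.example.com
staging.example.com
old-cms.example.com
test.example.com
www.example.com
"""


def parse_export(text: str) -> List[str]:
    """Normalise a hostname-per-line export: lowercase, strip, de-duplicate, keep order."""
    seen, names = set(), []
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if not host or host in seen:
            continue
        seen.add(host)
        names.append(host)
    return names


def apex_of(host: str) -> str:
    """Registrable apex for a two-label apex such as example.com.
    Assumption: no public-suffix handling, so co.uk style apexes are not supported."""
    return ".".join(host.split(".")[-2:])


def non_prod_marker(host: str) -> Optional[str]:
    """First non-production marker found in any label below the apex, else None.
    Markers are matched as whole tokens, so 'latest' does not match 'test'."""
    for label in host.split(".")[:-2]:
        for token in re.split(r"[-_]", label):
            if token in NON_PROD_MARKERS:
                return token
    return None


def triage(text: str) -> Dict[str, object]:
    """Group hostnames by apex and flag the ones that look like non-production."""
    hosts = parse_export(text)
    by_apex: Dict[str, List[str]] = defaultdict(list)
    for host in hosts:
        by_apex[apex_of(host)].append(host)
    flagged: Dict[str, str] = {}
    for host in hosts:
        marker = non_prod_marker(host)
        if marker:
            flagged[host] = marker
    return {"total": len(hosts), "by_apex": dict(by_apex), "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print(f"{result['total']} unique hostnames")
    for host, marker in result["flagged"].items():
        print(f"review: {host} (looks like '{marker}')")
```

Feed it the downloaded TXT file instead of SAMPLE_EXPORT and the flagged list is your starting point for the "should this be reachable at all?" conversation with the client; the markers set is deliberately small so that a false match on a real product name is easy to spot and remove.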

To summarize, this is yet another amazing tool after CertDB which shows the potential of the SPYSE team. FindSubDomains has made my searches so much easier and more efficient. I would highly recommend readers use this tool for finding subdomains.

Cover Image Credit: Photo by Himesh Kumar Behera

Cloudflare Quad 1 DNS is privacy-centric and blazing fast

This year I have witnessed too many DNS stories - ranging from government censorship programs to privacy-centric secure DNS (DNS over TLS) that protects customers' queries from profiling or profiteering businesses. There are some DNS services which attempt to block malicious sites (IBM Quad9 DNS and SafeDNS) while others try to give unrestricted access to the world (Google DNS and Cisco OpenDNS) at low or no cost.

Yesterday, I read that Cloudflare has joined the race with its DNS service (Quad1), and before I dig further (#punintended) let me tell you - it's blazing fast! Initially I thought it was a classic April Fool's prank, but then Quad1, or 4/1, made sense. This is not a prank, and it works just as proposed. This blog post summarizes some speed tests and highlights why it's best to use Cloudflare Quad1 DNS.

Quad1 DNS Speed Test

To test the query time (in milliseconds, ms), I shall resolve 3 sites - this blog, my girlfriend's website and my friend's blog - against 4 existing DNS services, Google DNS, OpenDNS, SafeDNS and IBM Quad9 DNS, and against Cloudflare Quad1.

Query time in ms (the three domain names were not preserved in this copy of the post):

Website   Google DNS   OpenDNS   IBM Quad9   SafeDNS   Cloudflare
Site 1    158          187       43          238       6
Site 2    365          476       233         338       3
Site 3    207          231       178         336       3


This looked so unrealistic that I had to execute these tests again to verify, and the numbers are indeed true.

Privacy and Security with Quad1 DNS

This is the key element that has not been addressed for quite a while. The existing DNS services are slow, but they also store logs and can profile a user based on the domains they query. The existing DNS services run on UDP port 53, in clear text, and are vulnerable to MITM (man in the middle) attacks. Also, your ISP has visibility into this clear-text traffic and can censor or monetize you, if required. In a blog post last weekend, Matthew Prince, co-founder and CEO of Cloudflare, mentioned:

The web should have been encrypted from the beginning. It's a bug it wasn't. We're doing what we can to fix it ... DNS itself is a 35-year-old protocol and it's showing its age. It was never designed with privacy or security in mind.

Cloudflare Quad1 DNS overcomes this by supporting both DNS over TLS and DNS over HTTPS, which means you can set up your internal DNS server and then route its queries to Cloudflare over TLS or HTTPS. On the story behind the Quad1 choice, Matthew Prince said:
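To show what "DNS over TLS" actually means on the wire, here is an added example of a minimal DNS-over-TLS client written with only the Python standard library. It is my own illustration and not Cloudflare's code or any part of their service: it builds a plain DNS A query, sends it inside a TLS session on port 853 with the two-byte length prefix that RFC 7858 requires, verifies the resolver's certificate against the system trust store, and reports the round-trip time so you can repeat the speed test yourself. The target 1.1.1.1 is the address from this post; the assumption that the resolver's certificate carries that IP in its subject alternative names is mine, as are the constructed response bytes used for the offline check.

```python
"""Minimal DNS-over-TLS (RFC 7858) client using only the standard library.
Added example: not Cloudflare's code.  Network access is needed only for
resolve_over_tls(); build_query() and parse_response() run offline."""
import socket
import ssl
import struct
import time
from typing import List, Tuple

DOT_SERVER = "1.1.1.1"   # Cloudflare's resolver address from the post
DOT_PORT = 853           # the port RFC 7858 assigns to DNS over TLS
QUERY_ID = 0x1234        # fixed transaction ID, fine for a single-query demo


def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """Standard A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(msg: bytes, expected_id: int = QUERY_ID) -> List[str]:
    """Return the A-record addresses; raise on a wrong ID or an error RCODE."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the reply was complete")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server: str = DOT_SERVER, port: int = DOT_PORT,
                     timeout: float = 5.0) -> Tuple[List[str], float]:
    """Resolve `name` over DoT; returns (addresses, elapsed_ms).  Needs network."""
    ctx = ssl.create_default_context()   # verifies the resolver's cert against system roots
    query = build_query(name)
    start = time.perf_counter()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        # Assumption: the resolver's certificate lists `server` (an IP) in its SANs.
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            msg = recv_exact(tls, length)
    return parse_response(msg), (time.perf_counter() - start) * 1000


# Constructed reply for offline checks: same question, one A record with TTL 3600.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    try:
        addrs, ms = resolve_over_tls("example.com")
        print(f"example.com -> {addrs} in {ms:.1f} ms over TLS")
    except OSError as exc:
        print(f"no network or TLS failure: {exc}")
```

The measured time here includes the TCP and TLS handshakes, which a stub resolver that keeps the session open would pay only once; on a lossy link that is the cost you trade for keeping your queries out of your ISP's view.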

But DNS resolvers inherently can't use a catchy domain because they are what have to be queried in order to figure out the IP address of a domain. It's a chicken and egg problem. And, if we wanted the service to be of help in times of crisis like the attempted Turkish coup, we needed something easy enough to remember and spraypaint on walls.

Kudos to Cloudflare for launching this service, and for committing to the privacy and security of end-users by keeping only short-lived logs. Cloudflare confirmed that they don't see a need to write customers' IP addresses to disk, or to retain the logs for more than 24 hours.

Cheers and be safe.

Measure Security Performance, Not Policy Compliance – The Falcon’s View

I started my security (post-sysadmin) career heavily focused on security policy frameworks. It took me down many roads, but everything always came back to a few simple notions, such as that policies were a means of articulating security direction, that you had to prescriptively articulate desired behaviors, and that the more detail you could put into the guidance (such as in standards, baselines, and guidelines), the better off the organization would be. Except, of course, that in the real world nobody ever took time to read the more detailed documents, Ops and Dev teams really didn't like being told how to do their jobs, and, at the end of the day, I was frequently reminded that publishing a policy document didn't translate to implementation.

Subsequently, I've spent the past 10+ years thinking about better ways to tackle policies, eventually reaching the point where I believe "less is more" and that anything written and published in a place and format that isn't "work as usual" will rarely, if ever, get implemented without a lot of downward force applied. I've seen both good and bad policy frameworks within organizations. Often they cycle around between good and bad. Someone will build a nice policy framework, it'll get implemented in a number of key places, and then it will languish from neglect and inadequate upkeep until it's irrelevant and ignored. This is not a recipe for lasting success.

Thinking about it further this week, it occurred to me that part of the problem is thinking in the old "compliance" mindset. Policies are really to blame for driving us down the checkbox-compliance path. Sure, we can easily stand back and try to dictate rules, but without the adequate authority to enforce them, and without the resources needed to continually update them, they're doomed to obsolescence. Instead, we need to move to that "security as code" mentality and find ways to directly codify requirements in ways that are naturally adapted and maintained.

End Dusty Tomes and (most) Out-of-Band Guidance

The first daunting challenge of security policy framework reform is to throw away the old, broken approach with as much gusto and finality as possible. Yes, there will always be a need for certain formally documented policies, but overall an organization Does. Not. Need. large amounts of dusty tomes providing out-of-band guidance to a non-existent audience.

Now, note a couple things here. First, there is a time and a place for providing out-of-band guidance, such as via direct training programs. However, it should be the minority of guidance, and wherever possible you should seek to codify security requirements directly into systems, applications, and environments. For a significant subset of security practices, it turns out we do not need to repeatedly consider whether or not something should be done, but can instead make the decision once and then roll it out everywhere as necessary and appropriate.

Second, we have to realize and accept that traditional policy (and related) documents only serve a formal purpose, not a practical or pragmatic purpose. Essentially, the reason you put something into writing is because a) you're required to do so (such as by regulations), or b) you're driven to do so due to ongoing infractions or the inability to directly codify requirements (for example, requirements on human behavior). What this leaves you with are requirements that can be directly implemented and that are thus easily measurable.

KPIs as Policies (et al.)

If the old ways aren't working, then it's time to take a step back and think about why that might be and what might be better going forward. I'm convinced the answer to this query lies in stretching the "security as code" notion a step further by focusing on security performance metrics for everything and everyone instead of security policies. Specifically, if you think of policies as requirements, then you should be able to recast those as metrics and key performance indicators (KPIs) that are easily measured, and in turn are easily integrated into dashboards. Moreover, going down this path takes us into a much healthier sense of quantitative reasoning, which can pay dividends for improved information risk awareness, measurement, and management.

Applied, this approach scales very nicely across the organization. Businesses already operate on a KPI model, and converting security requirements (née policies) into specific measurables at various levels of the organization means ditching the ineffective, out-of-band approach previously favored for directly specifying, measuring, and achieving desired performance objectives. Simply put, we no longer have to go out of our way to argue for people to conform to policies, but instead simply start measuring their performance and incentivize them to improve to meet performance objectives. It's then a short step to integrating security KPIs into all roles, even going so far as to establish departmental, if not whole-business, security performance objectives that are then factored into overall performance evaluations.

Examples of security policies-become-KPIs might include metrics around vulnerability and patch management, code defect reduction and remediation, and possibly even phishing-related metrics that are rolled up to the department or enterprise level. When creating security KPIs, think about the policy requirements as they're written and take time to truly understand the objectives they're trying to achieve. Convert those objectives into measurable items, and there you are on the path to KPIs as policies. For more thoughts on security metrics, I recommend checking out the CIS Benchmarks as a starting point.

Better Reporting and the Path to Accountability

Converting policies into KPIs means that nearly everything is natively built for reporting, which in turn enables executives to have better insight into the security and information risk of the organization. Moreover, shifting the focus to specific measurables means that we get away from the out-of-band dusty tomes, instead moving toward achieving actual results. We can now look at how different teams, projects, applications, platforms, etc., are performing and make better-informed decisions about where to focus investments for improvements.

This notion also potentially sparks an interesting future for current GRC-ish products. If policies go away (mostly), then we don't really need repositories for them. Instead, GRC products can shift to being true performance monitoring dashboards, allowing those products to broaden their scope while continuing to adapt other capabilities, such as those related to the so-called "SOAR" market (Security Orchestration, Automation, and Response). If GRC products are to survive, I suspect it will be by either heading further down the information risk management path, pulling in security KPIs in lieu of traditional policies and compliance, or it will drive more toward SOAR+dashboards with a more tactical performance focus (or some combination of the two). Suffice to say, I think GRC as it was once known and defined is in its final days of usefulness.

There's one other potentially interesting tie-in here, and that's to overall data analytics, which I've noticed slowly creeping into organizations. A lot of the focus has been on using data lakes, mining, and analytics in lieu of traditional SIEM and log management, but I think there's also a potentially interesting confluence with security KPIs, too. In fact, thinking about pulling in SOAR capabilities and other monitoring and assessment capabilities and data, it's not unreasonable to think that KPIs become the tweakable dials CISOs (and up) use to balance risk vs reward in providing strategic guidance for addressing information risk within the enterprise. At any rate, this is all very speculative and unclear right now, but something to nonetheless watch. But I have digressed...

The bottom line here is this: traditional policy frameworks have generally outlived their usefulness. We cannot afford to continue writing and publishing security requirements in a format that isn't easily accessible in a "work as usual" format. In an Agile/DevOps world, "security as code" is imperative, and that includes converting security requirements into KPIs.

Security is not a buzz-word business model, but our cumulative effort

This article conveys my personal opinion on security and its underlying revenue model; I would recommend reading it with a pinch of salt (+ tequila, while we are at it). I shall be covering both sides of the coin: heads, where pentesters try to give you a heads-up on underlying issues, and tails, where businesses still think they can address security at the tail-end of their development.

A recent conversation with a friend who's in information security triggered me to address the white elephant in the room. He works in a security services firm that provides intelligence feeds and alerts to clients. He shared a case where his firm didn't share the right feed at the right time, even though the client was "vulnerable", because the subscription model is different. I understand business is essential, but on the contrary, isn't security a collective argument? I mean, tomorrow when this client gets attacked, are you just going to turn a blind eye because it didn't pay you well? I understand that remediation always costs money (or more effort), but holding back an alert to a client about some attack you witnessed in the wild, based on how much money they are paying you, is hard to defend.

I don't dream about the utopian world where security is obvious but we surely can walk in that direction.

What is security to a business?

Is it a domain, a pillar or, with the buzz these days, insurance? Information security and privacy, while being the talk of the town, still come after the business requirements end. I understand there is a paradigm shift to the left, a movement towards the inception of your "bright idea", but we are still far from an ideal world, the utopia so to speak! I have experienced it from either side of the table - the one where we put ourselves in the shoes of hackers, and the other where we hold hands with the developers to understand their pain points and work together to build a secure ecosystem. I would say it's been very few times that a business pays attention to "security" from day zero (yeah, this tells you the kind of clients I am dealing with and why they are in business). Often business owners say - Develop this application, based on these requirements, discuss the revenue model, maintenance costs, and yeah! Check if we need these security add-ons or whether we adhere to compliance checks, as no one wants auditors knocking at the door for all the wrong reasons.

This troubles me. Why don't we understand information security as important a pillar as your whole revenue model?


How is security as a business?

I have many issues with how "security" is being tossed around as a buzzword to earn dollars, while very few respect the gravity or the very objective of its existence. I mean whether it's information, financial, or life security - they all have very real and quantifiable effects on someone's physical well-being. Every month, I see tens (if not hundreds) of reports and advisories where the quality is embarrassingly bad. When you tap to find the right reasons - either the "good" firms are costly, or someone has a comfort zone with existing firms, or worst, neither does the business care nor does it pressure firms for better quality. I mean, at the end it's just a plain and straightforward business transaction or a compliance check to make the auditor happy.

Have you ever asked yourself the questions,

  1. You did a pentest justifying the money paid for your quality; tomorrow that hospital gets hacked, or patients die. Would you say you didn't put your best consultants/efforts because they were expensive for the cause? You didn't walk the extra mile because the budgeted hours finished?
  2. Now, to you Mr Business, CEO - You want to cut costs on security because you would prefer a more prominent advertisement or a better car in your garage, but security expenditure is dubious to you. Next time, check how much companies and businesses have lost after getting breached. I mean, just because it's not an urgent problem doesn't mean it can't be. If it becomes a problem, chances are it's too late. These issues are like symptoms; if you see them, you are already in trouble! Security doesn't always have an immediate ROI, I understand, but don't make it an epitome of "out of sight, out of mind". That's a significant risk you are taking on your revenue, employees or customers.

Now, while I have touched both sides of the problem in this short article, I hope you got the message (fingers crossed). Please do take security seriously, and not only as a business transaction! Every time you do something that involves security on either side, think - would you invest your next big cryptocurrency in an exchange/ market that gets hacked because of their lack of due diligence? Or, your medical records become public because someone didn't perform a good pentest. Or, you lose your savings because your bank didn't do a thorough "security" check of its infrastructure. If you think you are untouchable because of your home router security, you, my friend, are living in an illusion. And, my final rant to the firms where there are good consultants but the reporting, or the seriousness in delivering the message to the business, is so fcuking messed up that all their efforts go in vain. Take your deliverable seriously; it's the only window the business has to peep into the issues (existing or foreseen) and plan the remediation in time.

That's all, my friends. Stay safe and be responsible; security is a cumulative effort and everyone has to be vigilant, because you never know where the next cyber-attack will be.

How to filter and query SSL/TLS certs for intelligence

Recently I noticed a new service/ project that is turning a few heads among my peers in the security community - CertDB. One of its kind, it indexes domains' SSL certs with their details, IP records, geo-location and timelines, common name etc. They term themselves an Internet-wide search engine for digital certificates. They have a unique business statement once you understand the different components (search vectors) they are incorporating in this project. I know there are a few transparent cert registries like Certificate Search, but as per their website:

Examining the data hidden in digital certificates provides a lot of insight about business activity in a particular geography or even collaboration between 2 different companies.

I know and agree with them that these insights come in handy while performing reconnaissance during a security assessment, or when validating the SSL/ TLS certificates for your client. It does reflect the fact that maybe a certificate is about to expire, or that new domains have been registered in the same certificate (example: Subject Alternative Name: DNS Name). But when I browsed through their project website, I was surprised by the way they articulated their USP (unique selling point):

For example, the registration of a new unknown domain in Palo Alto hints at a new start-up; switching from the "Wildcard" certificate to "Let's Encrypt" tells us about the organization's budget constraints; issuing a certificate in an organization with domains of another organization speaks about collaboration between companies, or even at an acquisition of one company by another.

Now, I am intrigued to do a detailed article on their services, business model, filters and even an interview with their project team.

Question: Are you curious/interested, and what would you like to ask them? Do leave a comment.

Restrict Certificate Authorities (CA) to issue SSL certs. Enable CAA record in DNS

It's been a long time since I audited someone's DNS zone file, but recently, while checking a client's DNS configuration, I was surprised that the CAA records were set randomly, "so to speak". I discussed it with the administrator and was surprised to see that he had no clue about CAA, how it works and why it is so important to enable it correctly. That made me wonder how many of us actually know that, and how it can be a saviour if someone attempts to get an SSL certificate for your domain.

What is CAA?

CAA, or Certificate Authority Authorization, is a DNS record that identifies which CAs (certificate authorities) are allowed to issue certificates for the domain in question. It is declared via the CAA record type in DNS, is publicly viewable, and can be verified by a certificate authority before it issues a certificate.

Brief Background

While the first draft was documented by Phillip Hallam-Baker and Rob Stradling back in 2010, the work accelerated in the last 5 years due to issues with CAs and the hacks around them. The first CA subversion was in 2001, when VeriSign issued 2 certificates to an individual claiming to represent Microsoft; these were named "Microsoft Corporation". These certificates could have been used to spoof identity, provide malicious updates etc. Further, in 2011 fraudulent certificates were issued by Comodo[1] and DigiNotar[2] after they were attacked by Iranian hackers (more on the Comodo attack, and the Dutch DigiNotar attack), with evidence of their use in a MITM attack in Iran.

Further, in 2012 Trustwave issued[3] a sub-root certificate that was used to sniff SSL traffic in the name of transparent traffic management. So, it's time CAs are restricted or whitelisted at the domain level.

What if no CAA record is configured in DNS?

Simply put, the CAA record should be configured to announce which CAs (certificate authorities) are permitted to issue a certificate for your domain; if no CAA record is provided, any CA can issue a certificate for your domain.

CAA is a good practice to restrict your CA presence, and their power to legitimately issue certificates for your domain. It's like whitelisting them in your domain!

The process now mandates a certificate authority[4] (yes, it is mandatory now!) to query DNS for your CAA record, and the certificate can only be issued for your hostname if either no record is available or that CA has been "whitelisted". The CAA record sets the rules for the parent domain, and they are inherited by its subdomains (unless otherwise stated in the DNS records).

Certificate authorities interpret the lack of a CAA record to authorize unrestricted issuance, and the presence of a single blank issue tag to disallow all issuance.[5]

CAA record syntax/ format

The CAA record has the following format: <flag> <tag> <value>, where the fields have the following meaning:

Field   Usage
flag    An integer flag with values 1-255 as defined in RFC 6844[6]. It is currently used to carry the critical flag.[7]
tag     An ASCII string (issue, issuewild, iodef) which identifies the property represented by the record policy.
value   The value of the property defined in the <tag>.

The tags defined in the RFC have the following meaning for the CA records:

  • issue: Explicitly authorizes a "single certificate authority" to issue any type of certificate for the domain in scope.
  • issuewild: Explicitly authorizes a "single certificate authority" to issue only a wildcard certificate for the domain in scope.
  • iodef: certificate authorities will report violations to this address if a certificate is requested or issued that breaches the CAA policy defined in the DNS records (options: mailto:, http:// or https://).

DNS Software Support

As per an excerpt from Wikipedia[8]: CAA records are supported by BIND (since version 9.10.1B), Knot DNS (since version 2.2.0), ldns (since version 1.6.17), NSD (as of version 4.0.1), OpenDNSSEC, PowerDNS (since version 4.0.0), Simple DNS Plus (since version 6.0), tinydns and Windows Server 2016.
Many hosted DNS providers also support CAA records, including Amazon Route 53, Cloudflare, DNS Made Easy and Google Cloud DNS.

Example: (my own website DNS)

As per my policy, I have configured that ONLY "" may issue, but due to Cloudflare Universal SSL support, the following certificate authorities get configured as well:

  • 0 issue ""
  • 0 issue ""
  • 0 issue ""
  • 0 issuewild ""
  • 0 issuewild ""
  • 0 issuewild ""

I also configured iodef for violation reports: 0 iodef ""
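To make the rules above concrete (inheritance from the parent, issuewild overriding issue for wildcard requests, a blank issue tag blocking everyone, and the critical flag), here is an added example that evaluates a CAA policy the way a CA has to before issuing, following RFC 6844 and its successor RFC 8659. It is my own illustration, not code from any CA or DNS vendor; the zone data is constructed, and the CA names (ca-one.example, ca-two.example) and hostnames in it are placeholders rather than my real records.

```python
"""Evaluate CAA policy the way a CA must before issuing (RFC 6844 / RFC 8659).
Added example with constructed zone data; CA and domain names are placeholders."""
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # issue, issuewild or iodef
    value: str


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(line: str) -> CAA:
    """Parse the '<flag> <tag> "<value>"' text form used in the post."""
    flags, tag, value = line.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone: hostname -> CAA record set.
SAMPLE_ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        parse_caa('0 issue "ca-one.example"'),
        parse_caa('0 issuewild "ca-two.example"'),
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    "locked.example.com": [parse_caa('0 issue ";"')],            # blank issue: nobody may issue
    "iodef-only.example.org": [parse_caa('0 iodef "mailto:abuse@example.org"')],
    "strict.example.org": [parse_caa('128 futuretag "x"')],      # critical flag, unknown tag
}


def relevant_records(name: str, zone: Dict[str, List[CAA]]) -> List[CAA]:
    """Climb from the hostname towards the apex and return the first non-empty
    CAA set; this is how subdomains inherit the parent's policy."""
    labels = name.strip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), [])
        if records:
            return records
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; a blank value (or ';') yields ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(ca: str, name: str, wildcard: bool,
                     zone: Dict[str, List[CAA]]) -> bool:
    """Would CA `ca` be permitted to issue for `name` (or *.name if wildcard)?"""
    records = relevant_records(name, zone)
    if not records:
        return True                  # no CAA anywhere up the tree: unrestricted issuance
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False                 # critical flag on a tag this CA does not understand
    wild = [r for r in records if r.tag == "issuewild"]
    issue = [r for r in records if r.tag == "issue"]
    applicable = wild if (wildcard and wild) else issue   # issuewild overrides issue for *.name
    if not applicable:
        return True                  # e.g. only an iodef record: nothing constrains issuance
    allowed = {issuer_domain(r.value) for r in applicable} - {""}
    return ca.lower() in allowed     # a blank issue tag leaves the set empty: everyone denied


def report_addresses(name: str, zone: Dict[str, List[CAA]]) -> List[str]:
    """Where a CA should report a request that violates the policy."""
    return [r.value for r in relevant_records(name, zone) if r.tag == "iodef"]


if __name__ == "__main__":
    for ca, host, wild in [("ca-one.example", "www.example.com", False),
                           ("ca-two.example", "www.example.com", False),
                           ("ca-two.example", "example.com", True),
                           ("ca-one.example", "locked.example.com", False)]:
        label = "*." + host if wild else host
        print(f"{ca:16} -> {label:22} {'allowed' if issuance_allowed(ca, host, wild, SAMPLE_ZONE) else 'denied'}")
```

To audit a real zone, replace SAMPLE_ZONE with the answers from a CAA lookup for each hostname; the one subtlety worth remembering from the walk-up is that a subdomain with its own CAA set replaces, rather than merges with, the parent's set.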

How's the WWW doing with CAA?

After the auditing exercise I was curious to know how the top 10,000 Alexa websites are doing with CAA, and strangely enough I was surprised by the results: only 4% of the top 10K websites have a CAA DNS record.


[Update 27-Feb-18]: This pie chart was updated with correct numbers. Thanks to Ich Bin Niche Sie for identifying the calculation error.

Now, we still have a long way to go with new security flags and policies like the "CAA DNS Record", the "security.txt" file etc., and I shall be covering these topics continuously to evangelize security in all possible ways without disrupting business. Remember to always work hand in hand with the business.

Stay safe, and tuned in.

  1. Comodo CA attack by Iranian hackers:
  2. Dutch DigiNotar attack by Iranian hackers:
  3. Trustwave Subroot Certificate:
  4. CAA Checking Mandatory (Ballot 187 results) 2017:
  5. Wikipedia Article:
  6. IETF RFC 6844 on CAA record:
  7. The confusion of critical flag:
  8. Wikipedia Support Section:

New World, New Rules: Securing the Future State

I published an article today on the Oracle Cloud Security blog that takes a look at how approaches to information security must adapt to address the needs of the future state (of IT). For some organizations, it's really the current state. But, I like the term future state because it's inclusive of more than just cloud or hybrid cloud. It's the universe of Information Technology the way it will be in 5-10 years. It includes the changes in user behavior, infrastructure, IT buying, regulations, business evolution, consumerization, and many other factors that are all evolving simultaneously.

As we move toward that new world, our approach to security must adapt. Humans chasing down anomalies by searching through logs is an approach that will not scale and will not suffice. I included a reference in the article to a book called Afterlife. In it, the protagonist, FBI Agent Will Brody says "If you never change tactics, you lose the moment the enemy changes theirs." It's a fitting quote. Not only must we adapt to survive, we need to deploy IT on a platform that's designed for constant change, for massive scale, for deep analytics, and for autonomous security. New World, New Rules.

Here are a few excerpts:

Our environment is transforming rapidly. The assets we're protecting today look very different than they did just a few years ago. In addition to owned data centers, our workloads are being spread across multiple cloud platforms and services. Users are more mobile than ever. And we don't have control over the networks, devices, or applications where our data is being accessed. It's a vastly distributed environment where there's no single, connected, and controlled network. Line-of-Business managers purchase compute power and SaaS applications with minimal initial investment and no oversight. And end-users access company data via consumer-oriented services from their personal devices. It's grown increasingly difficult to tell where company data resides, who is using it, and ultimately where new risks are emerging. This transformation is on-going and the threats we're facing are morphing and evolving to take advantage of the inherent lack of visibility.

Here's the good news: The technologies that have exacerbated the problem can also be used to address it. On-premises SIEM solutions based on appliance technology may not have the reach required to address today's IT landscape. But, an integrated SIEM+UEBA designed from the ground up to run as a cloud service and to address the massively distributed hybrid cloud environment can leverage technologies like machine learning and threat intelligence to provide the visibility and intelligence that is so urgently needed.

Machine Learning (ML) mitigates the complexity of understanding what's actually happening and of sifting through massive amounts of activity that may otherwise appear to humans as normal. Modern attacks leverage distributed compute power and ML-based intelligence. So, countering those attacks requires a security solution with equal amounts of intelligence and compute power. As Larry Ellison recently said, "It can't be our people versus their computers. We're going to lose that war. It's got to be our computers versus their computers."

Click to read the full article: New World, New Rules: Securing the Future State.

DevSecOps is coming! Don’t be afraid of change.

There has been a lot of buzz about the relationship between Security and DevOps, as if we were debating whether they can be happy companions. To me they are soulmates, and DevSecOps is a workable, scalable, and quantifiable fact, not a "big button", if applied wisely.

What is DevOps?

The development cycle has undergone considerable changes in the last few years. Customers and clients have evolving requirements, and the market demands speed and quality. The relationship between developers and operations has grown much closer to address this change. IT infrastructure has evolved in parallel to cater to quick timelines and release cycles. The old legacy infrastructure with multiple toll gates is drifting away, and fast, responsive APIs are taking its place to spawn and scale vast numbers of software and hardware instances.

Developers, who were slowly getting closer to the operations team, have now decided to wear both hats and skip a 'redundant' hop. This integration has helped organisations achieve quick releases with better application stability and response times. Now the demands of the customer or end-user can be addressed and delivered directly by the DevOps team. Sometimes people confuse Agile and DevOps, and that's natural with the ever-changing landscape.

Simply put, Agile is a methodology and is about processes (scrums, sprints, etc.), while DevOps is about technical integration (CI/CD, tooling and IT automation).

While Agile talks about the SDLC, DevOps also integrates Operations and brings fluidity into Agile. It focuses on being closer to the customer, not just on committing working software. DevOps has in its arsenal many tools that support release, monitoring, management, virtualisation, automation, and orchestration of the different parts of delivery, making it fast and efficient. It's the need of the hour with the constant changes in requirements and ecosystem. It has to evolve and release ongoing updates to keep up with the pace of customer and market demands. It's not a mono-directional flow of water; instead, it's like an omnidirectional tube of water flowing in a gravity-free ecosystem.

What is DevSecOps?

The primary objective of DevSecOps is to integrate security at the early stages of development on the process side and to make sure everyone in the team is responsible for security. It treats security as the strong glue that holds the bond between development and operations within a single task force. In DevSecOps, security ought to be part of the automation, via tools, controls and processes.

Traditional SDLC (software development life cycle) often perceives security as a toll gate at the end, to validate the efforts on the scale of visible threats. In DevSecOps, security is everywhere, at all stages/ phases of development and operations. It is embedded right into the life cycle that has a continuous integration between the drawing pad, security tools, and release cycle.

As Gartner documents, DevSecOps can be depicted graphically as the rapid and agile iteration from development into operations, with continuous monitoring and analytics at the core.

[Figure: DevSecOps as a continuous cycle from development into operations, with monitoring and analytics at the core. Photo by Redmine]

Another key driving factor for DevSecOps is that perimeter security is failing to keep up with the increasing number of integration points and the blurring of trust boundaries. It is getting less clear and fuzzier where the perimeter is in this cyber ecosystem. It is evident that software has to be inherently secure in itself, without relying on border security controls. Rapid development and releases shorten the supply-chain timeline available to implement custom controls like filters, policies and firewalls.

I have tried to make the terms easy to understand in this series; there are many challenges faced by organizations, and their possible solutions, which I shall cover in the next article.
Stay tuned.

An Interview by Timecamp on Data Protection

A few months back I was featured in an interview on Data Protection Tips with Timecamp. Only a handful of questions, but they are well articulated for any organisation which is proactive and wants to address security in corporations, and their employees' and customers' responsibilities.

How do you evaluate people's awareness regarding the need to protect their private data?

This is an exciting question as we have often faced challenges during data protection training on how to evaluate with certainty that a person understood the importance of data security & is not just mugging for the test.

Enterprise Security is as closely related to the systems as with the people interacting with them.

One way to perform evaluations is to include surprise checks and discussions within the teams. A team of security-aware individuals is trained and then asked to carry on the tasks of such inspections. For example, if a laptop is found logged in and unattended for long, the team confiscates it and submits it to a C-level executive (e.g. CIO or COO). As a consultant, I have also worked on an innovative solution of using such awareness questions as "the second level" check while logging into the intranet applications. And, we are all aware of phishing campaigns that management can execute on all employees to measure their receptiveness to such emails. But, it must be followed up with training on how an individual can detect such an attack, and what they can do to avoid falling prey to such scammers in the future. We must understand that while data protection is vital, all the awareness training and assessment should not cause speed bumps in a daily schedule.

These awareness checks must be performed regularly without adding much stress for the employee. The more effort they require, the more the employee would like to either bypass or avoid them. Security teams must work with the employees and support their understanding of data protection. Data protection must function as the inception of understanding security, and not a forced argument.

Do you think that an average user pays enough attention to the issue of data protection?

Data protection is an issue which can only be dealt with through a cumulative effort, and though each one of us cares about privacy, few do that collectively within an enterprise. It is critical to understand that security is a culture, not a product. It needs an ongoing commitment to providing a resilient ecosystem for the business. Social engineering is on the rise with phishing attacks, USB drops, fraudulent calls and messages. An employee must understand that their casual approach towards data protection can bring the whole business to ground zero. And, the core business must be cautious when they do data identification and classification. The business must discern the scope of their application, and specify what the direct/indirect risk is if the data gets breached. A data breach is not only an immediate loss of information but a ripple effect leading to disclosure of the enterprise's inner sanctum.

Now, how close are we to achieving this? Unfortunately, we are far from the point where an "average user" accepts data protection as a cornerstone of success in a world where information is the asset. Businesses consider security as a tollgate which everyone wants to bypass, because they neither like riding with it nor being assessed by it. Reliable data protection can be achieved when it's not a one-time effort, but the base on which we build our technology.

Unless we use the words "security" and "obvious" in the same line, positively, it will always be a challenge which an "average user" would rather deceive than achieve.

Why is the introduction of procedures for the protection of federal information systems and organisations so important?

Policies and procedures are essential for the protection of federal or local information as they harmonise security with usability. We should understand security is a long road, and when we attempt to protect data, it often has its quirks which confuse or discourage an enterprise from evolving. I have witnessed many Fortune 500 firms safeguard their assets and get absorbed into it like it's a black hole. They invest millions of dollars and still don't reach par with the scope and requirements. Therefore, it becomes essential to understand the needs of the business, the data it handles, and which procedures apply in its range. Now, specifically, procedures help keep the teams aligned in how to implement a technology or a product for the enterprise. Team experts or SMEs usually have a telescopic vision in their domain, but a blind eye on the broader defence in depth. Their skills tunnel their view, but a procedure helps them attain sync with the current security posture and the projected roadmap. Also, a procedure reduces the probability of error while aligning with a holistic approach towards security. A procedure dictates what to do and how, thereby leaving a minimal margin of misunderstanding in implementing sophisticated security measures.

Are there any automated methods to test the data susceptibility to cyber-attacks, for instance, by the use of frameworks like Metasploit? How reliable are they in comparison to manual audits?

Yes, there are automated methods to perform audits, and to some extent, they are well devised to detect low hanging fruits. In simpler terms, a computerised assessment has three key phases - Information gathering, tool execution to identify issues, report review. Security aware companies and the ones that fall under strict regulations often integrate such tools in their development and staging environments. This CI (continuous integration) keeps the code clean and checks for vulnerabilities and bugs on a regular basis. It also helps smoothen out the errors that might have come in due to using existing code, or outdated functions. On the other side, there are tools which validate the sanity of the production environment and also perform regular checks on the infrastructure and data flows.

Are these automated tools enough? No. They are not "smart" enough to replace manual audits.

They can validate configurations & issues in the software, but they can't evolve with the threat landscape. Manual inspections, on the other hand, provide a peripheral vision while verifying the ecosystem resilience. It is essential to have manual audits, and use the feedback to assess, and even further tune the tools. If you are working in a regulated and well-observed domain like finance, health or data collection - the compliance officer would always rely on manual audits for final assurance. The tools are still there to support, but remember, they are as good as they are programmed and configured to do.

How to present procedures preventing attacks in one's company, e.g., to external customers who demand an adequate level of data protection?

This is a paramount concern, and thanks for asking this. External clients need to "trust you" before they can share data, or plug you into their organisation. The best approach that has worked for me is assurance by what you have, and how well you are prepared for the worst.

The cyber world is very fragile, and earlier we used to construct "if things go bad ..." but now we say "when things go bad ...".

This means we have accepted the fact that an attack is pertinent if we are dealing with data/information. Someone is observing, waiting to attempt a strike at the right time, especially if you are a successful firm. Now, the assurance can be achieved by demonstrating the policies you have in place for Information Security and Enterprise Risk Management. These policies must be supplemented with standards which identify the requirements, with the procedures as the how-to document on the implementation. In most cases, if you have to assure the client of your defence in depth, the security policy, architecture and previous third-party assessment/audit suffice. In rare cases, a client may ask to perform its own assessment of your infrastructure, which is at your discretion. I would recommend making sure that your policy handles not only security but also incidents, to reflect your preparedness for a breach/attack.

On the other hand, if your end customers want assurance, you can entirely reflect that by being proactive on your product, blog, media etc. about how dedicated you are to securing their data. For example, the kind of authentication you support tells of your commitment to protecting the vault. Whether it's mandated or not depends on the usability and UI, but supporting it shows your commitment to addressing security-aware customers and understanding the need of the hour.

Published at with special thanks to Ola Rybacka for this opportunity.

Don’t be a security snob. Support your business team!

There have been many times that access controls have been discussed in meetings related to web development. In an interconnected world of APIs it is very important to understand the authentication of these endpoints. One of the best approaches I always vouch for is mutual authentication on SSL certificates (or 2-way SSL). Most of the time it is viable, but it fails when either party can't support it (hence not mutual). So, what to do when the business can't implement your "security requirement"?

The role of security is not to hinder the business, but to support it. It has to act as a pillar, and not a tollgate. We all know, that's audit!

Are you a security snob?
The rules/regulations made by us, auditors and regulators are there to make sure the architecture, implementation and roll-out are secure, and the information is tightly controlled. They are in no way meant to add to the miseries of developers at the last stage of go-live. The security requirements must be clear right from the design phase. There must be a security architect appointed to work in accordance with the industry standards and the security nitty-gritties. Sometimes the security team gets to know that a few important implementations have not been considered, and now the project is at its final stage. What should security do? Bring the business to a grinding halt? Send the developers back to the drawing board? No and no! Don't be a snob!

Look forward, and figure out the workarounds: strong mitigation steps to find a way to lower the risk. As long as you can lower the risk to a minimum by using a WAF, access controls, white-listing etc., the business can make a plan to "fix" it in the next release. Make sure the business understands the risk, brand or financial, and then, if the risk is too high, involve the C-suite executives; but support the business instead of bashing them with "you didn't do this, or that". It is counter-productive and doesn't help any party.

In most cases "business" accounts for the IT security paychecks and it's your (security team) job to avoid it looking like an overhead, but an investment!
IT security is NOT generating money. So don't point fingers, but hold hands!

Now, in the case of mutual authentication: what if 2-way SSL is not available? Is IP white-listing a possible option together with API credentials? Yes, if the IP is not shared by the whole network and the traffic is over a secure channel. It's a strong measure to apply, restricting the participating parties to talk 1:1 on an encrypted channel. But then, I have been asked: what if there is IP spoofing? Come on, guys! IP spoofing doesn't work the way you think. It's a TCP handshake; how do you expect the handshake to succeed when the spoofed IP doesn't ACK the SYN-ACK? Remember, the "actual IP" is not expecting the SYN-ACK, and the traffic will not go to the "malicious IP". So, IP spoofing over the Internet is out of the picture.
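As an added illustration (not code from the post), here is how the compensating control just described can be enforced at the API endpoint in Python: the TCP peer address is checked against a per-client CIDR allow-list, the API credential is compared in constant time, and both checks are refused outright unless the request arrived on the TLS listener. The partner names, networks and keys are constructed for the example; the networks use RFC 5737 documentation ranges.

```python
"""Compensating control when 2-way SSL is unavailable: per-client source-IP
allow-listing plus an API credential, enforced only over an encrypted channel.
Added example; partner names, networks and keys below are constructed."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


def _key_hash(secret: str) -> str:
    """Store only a digest of each API key so a leaked table does not leak keys."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed allow-list. Each partner gets a narrow CIDR (never a whole shared
# NAT range) and its own credential; RFC 5737 documentation addresses are used.
PARTNERS: Dict[str, dict] = {
    "partner-a": {
        "networks": [ipaddress.ip_network("203.0.113.0/29")],
        "key_hash": _key_hash("example-key-A"),
    },
    "partner-b": {
        "networks": [ipaddress.ip_network("198.51.100.10/32")],
        "key_hash": _key_hash("example-key-B"),
    },
}


@dataclass
class Request:
    peer_ip: str    # taken from the accepted socket, never from a client-supplied header
    tls: bool       # True only when the request came in on the TLS listener
    client_id: str  # which partner the caller claims to be
    api_key: str    # the shared secret presented by the caller


def authorize(req: Request, partners: Dict[str, dict] = PARTNERS) -> Tuple[bool, str]:
    """Return (allowed, reason). All three controls must pass: encrypted
    channel, allow-listed source address, and a valid credential."""
    if not req.tls:
        return False, "plaintext channel"        # never accept credentials in the clear
    partner = partners.get(req.client_id)
    if partner is None:
        return False, "unknown client"
    try:
        ip = ipaddress.ip_address(req.peer_ip)
    except ValueError:
        return False, "malformed peer address"
    if not any(ip in net for net in partner["networks"]):
        return False, "source address not allow-listed"
    # compare_digest keeps the comparison constant-time regardless of mismatch position.
    if not hmac.compare_digest(_key_hash(req.api_key), partner["key_hash"]):
        return False, "bad credential"
    return True, "ok"


if __name__ == "__main__":
    print(authorize(Request("203.0.113.5", True, "partner-a", "example-key-A")))
    print(authorize(Request("203.0.113.5", False, "partner-a", "example-key-A")))
    print(authorize(Request("203.0.113.9", True, "partner-a", "example-key-A")))
    print(authorize(Request("198.51.100.10", True, "partner-b", "wrong-key")))
```

One caveat worth keeping in mind: if a load balancer or reverse proxy terminates TLS in front of the endpoint, the socket peer is the proxy, not the partner. In that layout the allow-list must be enforced where the partner's connection actually terminates, or the client address must be taken only from a header set by that proxy after confirming the immediate peer is the proxy itself; a forwarded-for header accepted from arbitrary peers defeats the whole control.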

As a security specialist, try to understand that there are various ways to strengthen the security without being a pain in the ass. There are ways to implement compensatory controls; making sure the traffic is encrypted, access controls are tightly restricted, and risk is lowered significantly. If you can do this, you can definitely help business go live, and give them time to manage the security expectations more constructively.

Cheers, and be safe.

Design For Behavior, Not Awareness – The Falcon’s View

October was National Cybersecurity Awareness Month. Since today is the last day, I figured now is as good a time as any to take a contrarian perspective on what undoubtedly many organizations just did over the past few weeks; namely, wasted a lot of time, money, and good will.

Most security awareness programs and practices are horrible BS. This extends out to include many practices heavily promoted by the likes of SANS, as well as the current state of "best" (aka, failing miserably) practices. We shouldn't, however, be surprised that it's all a bunch of nonsense. After all, awareness budgets are tiny, the people running these programs tend to be poorly trained and uneducated, and in general there's a ton of misunderstanding about the point of these programs (besides checking boxes).

To me, there are three kinds of security awareness and education objectives:
1) Communicating new practices
2) Addressing bad practices
3) Modifying behavior

The first two areas really have little to do with behavior change so much as they're about communication. The only place where behavior design comes into play is when the secure choice isn't the easy choice, and thus you have to build a different engagement model. Only the third objective is primarily focused on true behavior change.

Awareness as Communication

The vast majority of so-called "security awareness" practices are merely focused on communication. They tell people "do this" or "do that" or, when done particularly poorly, "you're doing X wrong idiots!" The problem is that, while communication is important and necessary, rarely are these projects approached from a behavior design perspective, which means nobody is thinking about effectiveness, let alone how to measure for effectiveness.

Take, for example, communicating updated policies. For example, maybe your organization has decided to revise its password policy yet again (woe be to you!). You can undertake a communication campaign to let people know that this new policy is going into effect on a given date, and maybe even explain why the policy is changing. But, that's about it. You're telling people something theoretically relevant to their jobs, but not much more. This task could be done just as easily by your HR or internal communication team as anyone else. What value is being added?

Moreover, the best part of this is that you're not trying to change a behavior, because your "awareness" practice doesn't have any bearing on it; technical controls do! The password policy is implemented in IAM configurations and enforced through technical controls. There's no need for cognition by personnel beyond "oh, yeah, I now have to construct my password according to new rules." It's not like you're generally giving people the chance to opt out of the new policy, and there's no real decision for them to make. As such, the entire point of your "awareness" is communicating information, but without any requirement for people to make better choices.

Awareness as Behavior Design

The real role of a security awareness and education program should be on designing for behavior change, then measuring the effectiveness of those behavior change initiatives. The most rudimentary example of this is the anti-phishing program. Unfortunately, anti-phishing programs also tend to be horrible examples because they're implemented completely wrong (e.g., failure to benchmark, failure to actually design for behavior change, failure to get desired positive results). Yes, behavior change is what we want, but we need to be judicious about what behaviors we're targeting and how we're to get there.

I've had a strong interest in security awareness throughout my career, including having built and delivered awareness training and education programs in numerous prior roles. However, it's only been the last few years that I've started to find, understand, and appreciate the underlying science and psychology that needs to be brought to bear on the topic. Most recently, I completed BJ Fogg's Boot Camp on behavior design, and that's the lens through which I now view most of these flaccid, ineffective, and frankly incompetent "awareness" programs. It's also what's led me to redefine "security awareness" as "behavioral infosec" in order to highlight the importance of applying better thinking and practices to the space.

Leveraging Fogg's models and methods, we learn that Behavior happens when three things come together: Motivation, Ability, and a Trigger (aka a prompt or cue). When designing for behavior change, we must then look at these three attributes together and figure out how to specifically address Motivation and Ability when applying/instigating a trigger. For example, if we need people to start following a better, preferred process that will help reduce risk to the organization, we must find a way to make it easy to do (Ability) or find ways to make them want to follow the new process (Motivation). Thus, when we tell them "follow this new process" (aka Trigger), they'll make the desired choice.

In this regard, technical and administrative controls should be buttressed by behavior design whenever a choice must be made. However, sadly, this isn't generally how security awareness programs view the space, and thus they just focus on communication (a type of Trigger) without much regard for also addressing Motivation or Ability. In fact, many security programs experience frustration and failure because what they're asking people to do is hard, which means the average person is not able to do what's asked. Put a different way, the secure choice must be the easy choice, otherwise it's unlikely to be followed. Similarly, research has shown time and time again that telling people why a new practice is desirable will greatly increase their willingness to change (aka Motivation). Seat belt awareness programs are a great example of bringing together Motivation (particularly focused on negative outcomes from failure to comply, such as the reality of death or serious injury, as well as fines and penalties), Ability (it's easy to do), and Triggers to achieve a desired behavioral outcome.

Overall, it's imperative that we start applying behavior design thinking and principles to our security programs. Every time you ask someone to do something different, you must think about it in terms of Motivation and Ability and Trigger, and then evaluate and measure effectiveness. If something isn't working, rather than devolving to a blame game, instead look at these three attributes and determine if perhaps a different approach is needed. And, btw, this may not necessarily mean making your secure choice easier so much as making the insecure choice more difficult (for example, someone recently noted on twitter that they simply added a wait() to their code to force deprecation over time).

Change Behavior, Change Org Culture

Another interesting aspect of this discussion on behavior design is this: organizational culture is the aggregate of behaviors and values. That is to say, when we can change behaviors, we are in fact changing org culture, too. The reverse, then, is also true. If we find bad aspects of org culture leading to insecure practices, we can then factor those back into the respective behaviors, and then start designing for behavior change. In some cases, we may need to break the behaviors into chains of behaviors and tackle things more slowly over time, but looking at the world through this lens can be quite enlightening. Similarly, looking at the values ensconced within org culture also lets us better understand motivations. People generally want to perform their duties, and do a reasonably decent job at it. This is generally how performance is measured, and those duties and performance measures are typically aligned against outcomes and - ultimately - values.

One excellent lesson that DevOps has taught us (there are many) is that we absolutely can change how the org functions... BUT... it does require a shift in org culture, which means changing values and behaviors. These sorts of shifts can be done either top-down or bottom-up, but the reality is that top-down is much easier in many regards, whereas bottom-up requires that greater consensus and momentum be built to achieve a breakthrough.

DevOps itself is cultural in nature and focuses heavily on changing behaviors, ranging from how dev and ops function, to how we communicate and interact, and so on. Shortened feedback loops and creating space for experimentation are both behavioral, which is why so many orgs struggle with how to make them a reality (that is, it's not simply a matter of better tools). Security absolutely should be taking notes and applying lessons learned from the DevOps movement, including investing in understanding behavior design.

To wrap this up, here are three quick take-aways:

1) Reinvent "security awareness" to be "behavioral infosec" toward shifting to a behavior design approach. Behavior design looks at Motivation, Ability, and Triggers in affecting change.

2) Understand the difference between controls (technical and administrative) and behaviors. Resorting to basic communication may be adequate if you're implementing controls that take away choices. However, if a new control requires that the "right" choice be made, you must then apply behavior design to the project, or risk failure.

3) Go cross-functional and start learning lessons from other practice areas like DevOps and even HR. Understand that everything you're promoting must eventually tie back into org culture, whether it be through changes in behavior or values. Make sure you clearly understand what you're trying to accomplish, and then make a very deliberate plan for implementing changes while addressing all appropriate objectives.

Going forward, let's try to make "cybersecurity awareness month" about something more than tired lines and vapid pejoratives. It's time to reinvent this space as "behavioral infosec" toward achieving better, measurable outcomes.

WAF and IPS. Does your environment need both?

I have been in a fair amount of discussions with management on the need for a WAF and an IPS; they often confuse the two and their basic purpose. It usually comes up after a pentest or vulnerability assessment: if I can't fix this vulnerability, shall I just put an IPS or a WAF in front to protect against the intrusion/exploitation? Or, sometimes they are considered the silver bullet to thwart attackers instead of fixing the bugs. So, let me tell you: this is not good!

The security products are well suited to protect from something "unknown" or something that you have "unknowingly missed". It is not a silver bullet or an excuse to keep systems/ applications unpatched.

Security shouldn't be an AND/OR case. The more the merrier, but only if they have been configured properly and each product has a different role to play under the flag of defense in depth! So, while I started this article as WAF vs. IPS, it's time to understand it's WAF and IPS. The ecosystem of your production environment is evolving and so is the threat landscape; it's more complex to protect than it was 5 years ago. Attackers are running at your pace, if not faster and a step ahead. These adversaries also piggy-back on existing threats to launch their exploits. Often something that starts as simply as a DDoS to overwhelm your networks ends in an application-layer attack. So, network firewall, application firewall, anti-malware, IPS, SIEM etc. all have an important task and should be omnipresent, with bells and whistles!

Nevertheless, whether it's a WAF or an IPS, each has its own purpose, and though they can't replace each other, they often have gray areas under which you can rest your risks. This post will try to address these gray areas and the associated differences, to make life easier when it comes to a WAF (Web Application Firewall) or an IPS (Intrusion Prevention System). The assumption is that both are modern products, and the IPS has deep packet inspection capabilities. Now, let's try to understand the infrastructure, environment and scope of your golden eggs before we take a call on the best way to protect the data:

  1. If you are protecting only "web applications" running on HTTP sockets, then a WAF is enough; an IPS will be the cherry on the cake.
  2. If you are protecting all sorts of traffic (SSH, FTP, HTTP etc.), then a WAF is of less use, as it can't inspect non-HTTP traffic. I would recommend a deep-packet-inspection IPS.
  3. A WAF must not be considered an alternative to a traditional network firewall. It works at the application layer and hence is primarily useful for HTTP, SSL (decryption), JavaScript, AJAX, ActiveX and session-management kinds of traffic.
  4. A typical IPS does not decrypt SSL traffic, and therefore its packet inspection is insufficient on HTTPS sessions.
  5. There is a wide difference in traffic visibility and in base-lining for anomalies. While a WAF has an "understanding" of the traffic (HTTP GET, POST, URL, SSL etc.), the IPS only understands it as network traffic and can therefore do layer 3/4 checks (bandwidth, packet size, raw protocol decoding/anomalies) but not GET/POST or session management.
  6. An IPS is useful where RDP, SSH or FTP traffic has to be inspected before it reaches the box, to make sure that the protocol is not tampered with or wrapped inside another TCP packet etc.

Both technologies have matured and have many gray areas of operation, but understand that a WAF knows and captures the contents of HTTP traffic to see if there is SQL injection, XSS or cookie manipulation, whereas an IPS has very little or no understanding of the underlying application and therefore can't do much with the traffic contents. An IPS can't raise an alarm if someone is getting confidential data out, or even sending a harmful parameter to your application; it will let it through if it's a valid HTTP packet.
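To make that difference concrete, here is an added example in Python (not from the post) with two toy inspectors run over the same bytes: ips_check looks only at transport-level attributes and accepts anything that is a well-formed HTTP request, while waf_check parses the request and matches each decoded query parameter and cookie value against a small signature set. The sample requests and the signature set are constructed for the example and are far smaller than any real product's rules; the point is which inspector can even see the parameter, not the quality of the signatures.

```python
"""Same bytes, two views: a transport-level (IPS-style) check that only knows
'this is valid HTTP', next to an HTTP-aware (WAF-style) check that inspects the
decoded parameters. Added example; sample traffic and signatures are constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

MAX_SEGMENT = 8192
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/1\.[01]\r\n")


def ips_check(dst_port: int, payload: bytes) -> Tuple[bool, str]:
    """Layer 3/4 style checks: port, size and protocol shape. The content of
    any parameter is never looked at, which is exactly the post's point."""
    if dst_port not in (80, 443):
        return False, "unexpected port"
    if len(payload) > MAX_SEGMENT:
        return False, "oversized segment"
    if not REQUEST_LINE.match(payload):
        return False, "not a well-formed HTTP request line"
    return True, "valid HTTP packet"


# Constructed, deliberately tiny signature set; real WAF rule sets are large and tuned.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b|--\s*$|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|javascript:|\bon\w+\s*=)"),
}


def parse_http(payload: bytes) -> Tuple[str, Dict[str, str], Dict[str, List[str]]]:
    """Minimal HTTP/1.x request parser: method, lower-cased headers, and the
    decoded query (plus form-body) parameters."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # already percent-decoded
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method, headers, params


def waf_check(payload: bytes) -> Tuple[bool, List[str]]:
    """Application-layer check: every decoded parameter and cookie value is
    matched against the signatures. Returns (allowed, findings)."""
    _method, headers, params = parse_http(payload)
    fields: Dict[str, List[str]] = {f"param:{k}": v for k, v in params.items()}
    for cookie in headers.get("cookie", "").split(";"):
        name, _, value = cookie.strip().partition("=")
        if name:
            fields[f"cookie:{name}"] = [unquote_plus(value)]  # cookies are not decoded by parse_qs
    findings: List[str] = []
    for field, values in fields.items():
        for value in values:
            for rule, pattern in SIGNATURES.items():
                if pattern.search(value):
                    findings.append(f"{rule} in {field}")
    return (not findings), findings


# Constructed sample requests (hostnames are reserved example names).
BENIGN = b"GET /search?q=laptop+bag HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = b"GET /search?q=laptop%27+OR+1%3D1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS = b"GET /profile?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n"
COOKIE = b"GET /account HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc123; role=admin%27--\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("sqli", SQLI), ("xss", XSS), ("cookie", COOKIE)]:
        print(label, "ips:", ips_check(80, raw), "waf:", waf_check(raw))
```

Running it shows all four requests pass ips_check with "valid HTTP packet", because each is a correctly formed request on an expected port, while waf_check flags the three tampered ones by parameter name. The converse also holds: a non-HTTP stream such as an SSH banner on port 80 is something only the transport-level check notices, which is the post's argument for running both.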

Now, with the information I just shared, try to have a conversation with your management on how to provide the best layered approach to security: how to make sure the network and application are resilient to the complex attacks and threats lurking at your perimeter, or inside.

Be safe.

Quit Talking About "Security Culture" – Fix Org Culture! – The Falcon’s View

I have a pet peeve. Ok, I have several, but nonetheless, we're going to talk about one of them today. That pet peeve is security professionals wasting time and energy pushing a "security culture" agenda. This practice of talking about "security culture" has arisen over the past few years. It's largely coming from security awareness circles, though it's not always the case (looking at you anti-phishing vendors intent on selling products without the means and methodology to make them truly useful!).

I see three main problems with references to "security culture," not the least of which being that it continues the bad old practices of days gone by.

1) It's Not Analogous to Safety Culture

First and foremost, you're probably sitting there grinding your teeth saying "But safety culture initiatives work really well!" Yes, they do, but here's why: Safety culture can - and often does - achieve a zero-sum outcome. That is to say, you can reduce safety incidents to ZERO. This factoid is excellent for when you're around construction sites or going to the hospital. However, I have very bad news for you. Information (or cyber or computer) security will never be a zero-sum game. Until the entirety of computing is revolutionized, removing humans from the equation, you will never prevent all incidents. Just imagine your "security culture" sign by the entrance to your local office environment, forever emblazoned with "It Has Been 0 Days Since Our Last Incident." That's not healthy or encouraging. That sort of thing would be outright demoralizing!

Since you can't be 100% successful through preventative security practices, you must then shift mindset to a couple things: better decisions and resilience. Your focus, which most of your "security culture" programs are trying to address (or should be), is helping people make better decisions. Well, I should say, some of you - the few, the proud, the quietly isolated - have this focus. But at the end of the day/week/month/year you'll find that people - including well-trained and highly technical people - will still make mistakes or bad decisions, which means you can't bank on "solving" infosec through better decisions.

As a result, we must still architect for resiliency. We must assume something will break down at some point, resulting in an incident. When that incident occurs, we must be able to absorb the fault and continue to operate despite degraded conditions, while recovering to "normal" as quickly, efficiently, and effectively as possible. Note, however, that this focus on resiliency doesn't really align well with the "security culture" message. It's akin to telling people "Safety is really important, but since we have no faith in your ability to be safe, here's a first aid kit." (yes, that's a bit harsh, to prove a point, which hopefully you're getting)

2) Once Again, It Creates an "Other"

One of the biggest problems with a typical "security culture" focus is that it once again creates the wrong kind of enablement culture. It says "we're from infosec and we know best - certainly better than you." Why should people work to make better decisions when they can just abdicate that responsibility to infosec? Moreover, since we're trying to optimize resiliency, people can go ahead and make mistakes, no big deal, right?

Part of this is ok, part of it is not. On the one hand, from a DevOps perspective, we want people to experiment, be creative, be innovative. In this sense, resilience and failure are a good thing. However, note that in DevOps, the responsibility for "fail fast, recover fast, learn fast" is on the person doing the experimenting!!! The DevOps movement is diametrically opposed to fostering enablement cultures where people (like developers) don't feel the pain from their bad decisions. It's imperative that people have ownership and responsibility for the things they're doing. Most "security culture" dogma I've seen and heard works against this objective.

We want enablement, but we don't want enablement culture. We want "freedom AND responsibility," "accountability AND transparency," etc, etc, etc. Pushing "security culture" keeps these initiatives separate from other organizational development initiatives, and more importantly it tends to have at best a temporary impact, rather than triggering lasting behavioral change.

3) Your Goal Is Improving the Organization

The last point here is that your goal should be to improve the organization and the overall organizational culture. It should not be focused on point-in-time blips that come and go. Additionally, your efforts must be aimed toward lasting impact and not be anchored around a cult of personality.

As a starting point, you should be working with org dev personnel within your organization, applying behavior design principles. You should be identifying what the target behavior is, then working backward in a piecemeal fashion to determine whether that behavior can be evoked and institutionalized through one step or multiple steps. It may even take years to accomplish the desired changes.

Another key reason for working with your org dev folks is because you need to ensure that anything "culture" that you're pursuing is fully aligned with other org culture initiatives. People can only assimilate so many changes at once, so it's often better to align your work with efforts that are already underway in order to build reinforcing patterns. The worst thing you can do is design for a behavior that is in conflict with other behavior and culture designs underway.

All of this is to underline the key point that "security culture" is the wrong focus, and can in some cases even detract from other org culture initiatives. You want to improve decision-making, but you have to do this one behavior at a time, and glossing over it with the "security culture" label is unhelpful.

Lastly, you need to think about your desired behavior and culture improvements in the broader context of organizational culture. Do yourself a favor and go read Laloux's Reinventing Organizations for an excellent treatise on a desirable future state (one that aligns extremely well with DevOps). As you read Laloux, think about how you can design for security behaviors in a self-managed world. That's the lens through which you should view things, and this is where you'll realize a "security culture" focus is at best distracting.

So... where should you go from here? The answer is three-fold:
1) Identify and design for desirable behaviors
2) Work to make those behaviors easy and sustainable
3) Work to shape organizational culture as a whole

Definitionally, here are a couple starters for you...

First, per Fogg, behavior happens when three things come together: Motivation, Ability (how hard or easy it is to do the action), and a Trigger (a prompt or cue). When Motivation is high and the action is easy to do, it doesn't take much prompting to trigger it. However, if it's difficult to take the action, or the motivation simply isn't there, you must then start looking for ways to address those factors in order to achieve the desired behavioral outcome once triggered. This is the basis of behavior design.

Second, when you think about culture, think of it as the aggregate of behaviors collectively performed by the organization, along with the values the organization holds. It may be helpful, as Laloux suggests, to think of the organization as its own person that has intrinsic motivations, values, and behaviors. Eliciting behavior change from the organization is, then, tantamount to changing the organizational culture.

If you put this all together, I think you'll agree with me that talking about "security culture" is anathema to the desired outcomes. Thinking about behavior design in the context of organizational culture shift will provide a better path to improvement, while also making it easier to explain the objectives to non-security people and to get buy-in on lasting change.

Bonus reference: You might find this article interesting as it pertains to evoking behavior change in others.

Good luck!

Confessions of an InfoSec Burnout – The Falcon’s View

Soul-crushing failure.

If asked, that is how I would describe the last 10 years of my career, since leaving AOL.

I made one mistake, one bad decision, and it's completely and thoroughly derailed my entire career. Worse, it's unclear if there's any path to recovery as failure piles on failure piles on failure.

The Ground I've Trod

To understand my current state of career decrepitude, as well as how I've seemingly become an industry pariah...

I have worked for 11 different organizations over the past 10 years. I left AOL in September 2007, right before a layoff (I should have waited for the layoff and gotten a package!). I had been there for more than 3.5 years and I was miserable. It was a misery of my own making in many ways. My team manager had moved up the ranks, leaving an opening. All my teammates encouraged me to throw my hat in the ring, but I demurred, telling myself I simply wasn't ready to manage. Oops. Instead, our new manager came through an internal process, and immediately made life un-fun. I left a couple months later.

When I left AOL, it was to take a regional leadership role in BT-INS (BT Global Services - they bought International Network Services to build-out their US tech consulting). A month into the role as security lead for the Mid-Atlantic, where I was billable on day 1, the managing director left and a re-org merged us in with a different region where there was already a security lead. 2 of 3 sales reps left and the remaining person was unable and unwilling to sell security. I sat on the bench for a long time, traveling as needed. An idle, bored Ben is a bad thing.

From BT I took a leadership role with this weird tech company in Phoenix. There was no budget and no staff, but I was promised great things. They let me start remote for a couple months before relocating. I knew it was a bad fit and not a good company before we made the move. I could feel it in my gut. But, I uprooted the family in the middle of the school year (my wife is an elementary teacher) and went to Phoenix, ignoring my gut. 6 months later they eliminated the position. The fact is that they'd hired a new General Counsel who also claimed a security background (he had a CISSP), and thus they made him the CISO. The year was 2009, the economy was in tatters after the real estate bubble had burst. We were stranded in a dead economy and had no place to go.

Thankfully, after a month of searching, someone threw me a life-line and I promptly started a consulting gig with Foreground Security. Well, that was a complete disaster and debacle. We moved back to Northern Virginia and my daughter immediately got sick and ended up in the hospital (she'd hardly had a sniffle before!). By the time she got out of the hospital I was sicker than I'd ever been before. The doctors had me on a couple different antibiotics and I could hardly get out of bed. This entire time the president of the company would call and scream at me every day. Literally, yelling at the top of his lungs over the phone. Hands-down the most unprofessional experience I'd had. The company partnership subsequently fell apart and I was kacked in the process. I remember it clearly to this day: I'm at my parents' house in NW MN over the winter holidays and the phone rings. It's the company president, who starts out by telling me they'd finally had the kid they were expecting. And, they're letting me go. Yup, that's how the conversation went ("We had a baby. You're termed.").

Really, being out of Foreground was a relief given how awful it had been. Luckily they relocated us no strings attached, so I didn't owe anything. But, I once again was out of a job for the second time in 3 months. I'd had 3 employers in 2009 and ended the year unemployed.

In early 2010 I was able to land a contract gig, thinking I'd try a solo practice. It didn't work out. The client site was in Utah, but they didn't want to pay for a ton of travel, so I tried working remotely, but people refused to answer the phone or emails, meaning I couldn't do the work they wanted. The whole situation was a mess.

Finally, I connected with Peter Hesse at Gemini Security Solutions to do a contract-to-hire tryout. His firm was small, but had a nice contract with a large client that helped underpin his business. He brought me in to do a mix of consulting and biz dev, but after a year+ of trying to bring in new opportunities (and have them shot down internally for various reasons), I realized that I wasn't going to be able to make a difference there. Plus, being reminded almost daily that I was an expensive resource didn't help. I worked my butt off but in the end it was unappreciated, so I left for LockPath.

The co-founders of LockPath had found me when I was in Phoenix thanks to a paper I'd written on PCI for some random website. They came out to visit me and told me what they were up to. I kept in touch with them over the years, including through their launch of Keylight 1.0 on 10/10/10. I somewhat forced my way into a role with them, initially to build a pro svcs team, but that got scrapped almost immediately and I ended up more in a traveling role, presenting at conferences to help get the name out there, as well as doing customer training. After a year-and-a-half of doing this, they hired a full-time training coordinator who immediately threw me under the bus (it was a major wtf moment). They wanted to consolidate resources at HQ and moving to Kansas wasn't in the cards, so seeing the writing on the wall I started a job search. Things came to an end in mid-May while I was on the road for them. I remember it clearly, having dropped my then-3yo daughter with the in-laws the night before, I had just gotten into my hotel room in St. Paul, MN, ahead of Secure360 and the phone rang. I was told it was over, but he was going to think about it overnight. I asked "Am I still representing the company when I speak at the conference tomorrow?" and got no real answer, but was promised one first thing the next morning. That call never came, so I spoke to a full room the next morning and worked the booth all that day and the morning after that. I met my in-laws for lunch to pick-up my kiddo, and was sitting in the airport awaiting our flight home when the call finally came in delivering the final news. I was pretty burned-out at that time, so in many ways it was welcome news. Startup life can be crazy-intense, and I thankfully maintain a decent relationship with the co-founders today. But those days were highly stressful.

The good news was that I was already in-process with Gartner, and was able to close on the new gig a couple weeks later. Thus started what I thought would be one of my last jobs. Alas, I was wrong. As was much with my time there.

It bears noting here before I go any further an important observation: The onboarding experience is all-important. If you screw it up, then it sets a horrible tone for the entire gig, and the likelihood of success drops significantly. If onboarding is professional and goes smoothly, then people will feel valued and able to contribute. If it goes poorly, then people will feel undervalued from the get-go and they will literally start from an emotional hole. Don't do this to people! I don't care if you're a startup or a Fortune 50 large multi-national. Take care of people from Day 1 and things will go well. Fail at it and you might as well stop and release them asap.

Ok, anyway... back to Gartner. It was a difficult beginning. I was assigned a mentor, per their process, but he was gone 6 of the first 9 weeks I was there. I was sent to official "onboarding training" the end of August (the week before Labor Day!) despite having been there for 2 months by that time. I was not prepped at all before going to onboarding, and as it turns out I should have been. Others showed up with documents to be edited and an understanding of the process. I showed up completely stressed out, not at all ready to do the work that was expected, and generally had a very difficult time. It was also the week before Labor Day, which at the time meant it was teacher workshops, and I was on the road for it with 2 young kids at home. Thankfully, the in-laws came and helped out, but suffice to say it was just really not good all-around.

I really enjoyed the manager I worked for initially, but all that changed in February 2014 when my former mentor, with whom I did not at all get along, became the team manager. The stress levels immediately spiked as the focus quickly shifted to strong negativity. I had been struggling to get paper topics approved and was fighting against the reality that the target audience for Gartner research is not the leading edge of thinking, but the middle of the market. It took me nearly a full year to finally get my feet under me and start producing at an appropriate pace. My 1 yr mark roughly corresponded with the mid-year review, which was highly negative. By the end of the year I finally found my stride and had a ton of research in the pipeline (most of which would publish in early 2015). Unfortunately, the team manager, Captain Negative, couldn't see that and gave me one of the worst performance reviews I've ever received. It was hands-down the most insulted I'd ever been by a manager. It seemed very clear from his disrespectful actions that I wasn't wanted there, and so I launched an intensive job search. Meanwhile, I published something like 4 papers in 6 weeks while also having 4 talks picked up for that year's Security & Risk Management Conference. All I heard from my manager was negativity despite all that progress and success. I felt like shit, a total failure. There were no internal opportunities, so outward I looked, eventually landing at K12.

Oh, what a disaster that place was. K12 is hands-down the most toxic environment I've ever seen (and I've seen a lot!). Literally, all 10 people with whom I'd interviewed had lied to me - egregiously! I'd heard rumblings of changes in the executive ranks, but the hiring manager assured me there was nothing that would affect me. A new CIO - my manager's boss - started the same day I did. Yup, nothing that would affect me. Ha. Additionally, it turns out that they already had a "security manager" of sorts working in-house. He wasn't part of the interview process for my "security architect" role. They said they were doing DevOps, but it was just a side pilot that wasn't getting anywhere. Etc. Etc. Etc. Suffice to say, it was really bad. I frankly wondered how they were still in business, especially in light of the constant stream of lawsuits emanating from the states where they had "online public schools." Oy...

Suffice to say, I started looking for work on Day 1 at K12. But, there wasn't much there, and recruiters were loath to talk to me given such a short stint. Explanations weren't accepted, and I was truly stuck. The longer I was there, the worse it looked. Finally, my old manager from AOL reached out as he was starting a CISO role at Ellucian. He rescued me and in October 2015 I started with them in a security architect role.

There's not much I can say about my experience at Ellucian. Things seemed ok at first, but after a CIO change a few months in, plus a couple other personnel issues, things got wonky, and it became clear my presence was no longer desired. When your boss starts cancelling weekly 1-on-1 meetings with you, it becomes pretty clear that he doesn't really want you there. New Context reached out in May 2016 and offered me an opportunity to do research and publishing for them, so I jumped at it and got the heck out of dodge. It turns out, this was a HUGE mistake, too...

There's even less I can say about New Context... we'll just put it at this: Despite my best efforts, I was never able to get things published due to a lack of internal approvals. After a year of banging my head against the wall, my boss and I concluded it wasn't going to happen, and they let me go a couple weeks later.

From there, I launched my own solo practice and signed what was to be a 20-wk contract with an LA-based client. They had been chasing me for several months to come help them out in a consulting (staff augmentation, really) capacity. I closed the deal with them and started on July 31st of this year. That first week was a mess with them not being ready for me on day 1, then sending me a botched laptop build on day 2, and then finally getting me online on day 3. I flew to LA to be on-site with them the following week and immediately locked horns with the other security architect. That first week on-site was horribly stressful. Things had finally started leveling off last wk, and then yesterday (Monday 8/28/17) they called and cancelled the contract. While I'm disappointed, it's also a bit of a relief. It wasn't a good fit, it was a very difficult client experience, and overall I was actively looking for new opportunities while I did what I could for them.

Shared Culpability or Mea Culpa?

After all these years, I'm tired of taking the blame and being the seemingly constant punchline to some joke I don't get. I'm tired, I'm burned-out, I'm frustrated, I'm depressed, and more than anything I just don't understand why things have gone so completely wrong over the past 10 years. How could one poor decision result in so much career chaos and heartache? It's astonishing. And appalling. And depressing.

I certainly share responsibility in all of this. I tend to be a fairly high-strung person (less so over the years) and onboarding is always highly stressful for me. Increasingly, employers want you engaged and functional on Day 1, even though that is incredibly unrealistic. Onboarding must be budgeted for a minimum of 3-6 months. If a move is involved, then even longer! Yet nobody is willing to allow that any more. I don't know if it's mythology or downward pressure or what... but the expectations are completely unreasonable.

But I do have a responsibility here, and I've certainly not been Mr. Sunshine the past few years, which means I tend to come off as extremely negative and sarcastic, which can be off-putting to people. Attitude is something I need to focus on when starting, and I need to find ways to better manage all the stress that comes with commencing a new gig.

That said, I also seem to have a knack for picking the wrong jobs. This even precedes my time at AOL, which is really a shining anchor in the middle of a turbulent career. Coming into the workforce just before the DOT-COM bubble burst, I've been through lots of layoffs and turmoil. I simply have a really bad track record of making good employment choices. I'm not even sure how to go about fixing that, short of finding people to advise me on the process.

However, lastly, it's important for companies to realize that they're also failing employees. The onboarding process is immensely important. Treating people respectfully and mindfully from Day 1 is immensely important. Setting reasonable expectations is immensely important. If you do not actively work to set your personnel up for success, then it is extremely unlikely that they'll achieve it! And even in this day and age where companies really, truly don't value personnel (except for execs and directors), it must be acknowledged that there is a significant cost in lost productivity, efficiency, and effectiveness that can be directly tied to employee turnover. This includes making sure managers are reasonably well trained and are actually well-suited to being managers. You owe it to your employees to treat them as humans, not just replaceable cogs in a machine.

Where To Go From Here?

The pull of deep depression is ever stronger. Resistance becomes evermore difficult with each successive failure. I feel like I cannot buy a break. My career is completely off-track and I decreasingly see a path to recovery. Every morning is a struggle to get up and look for work yet again. I feel like I've been doing this almost constantly for the past 10 years. I've not been settled anywhere since AOL (maybe BT).

I initially launched a solo practice, Falcon's View Consulting, to handle some contracts. And, that's still out there if I need it. However, what I really need is a full-time job. With a good, stable company. In a role with a good manager. A role that eventually has upward mobility (in order to get back on track).

Where that role is based I really do not care (my family might). Put me in a leadership role, pay me a reasonable salary, and relocate me to where you need me. At this point, I'm willing to go to bat and force the family to move, but you gotta make it easy and compelling. Putting me into financial hardship won't get it done. Putting me into a difficult position with no support won't get it done. Moving me and not being committed to keeping me onboard through the most stressful times won't get it done.

I'm quite seriously at the end of my rope. I feel like I have about one more chance left, after which it'll be bankruptcy and who knows what... I've given just about everything I can to this industry, and my reward has been getting destroyed in the process. This isn't sustainable, it isn't healthy, and it's altogether stupid.

I want to do good work. I want to find an employer that values me that I can stay with for a reasonable period of time. I've never gone into any FTE role thinking "this is just a temporary stop while I find something better." I throw my whole self into my work, which is - I think - why it is so incredibly painful when rejection and failure finally happen. But I don't know another way to operate. Nor should anyone else, for that matter.

Two roads diverged in the woods / And I... I took the wrong one / And that has made all the difference

Google Begins Campaign Warning Forms Not Using HTTPS Protocol

In August 2014, Google released an article sharing their thoughts on how they planned to focus on their “HTTPS everywhere” campaign (originally initiated at their Google I/O event). The premise of...


The post Google Begins Campaign Warning Forms Not Using HTTPS Protocol appeared first on PerezBox.

On Titles, Jobs, and Job Descriptions (Not All Roles Are Architects) – The Falcon’s View

Folks: Please stop calling every soup-to-nuts, everything-but-the-kitchen-sink security job a "security architect" role. It's harmful to the industry and it's doing you no favors trying to find the right resources. In fact, please stop posting these "one role does everything security under the sun" positions altogether. It's hurting your recruitment efforts, and it makes it incredibly difficult to find positions that are a good fit. Let me explain...

For starters, there are generally three classes of security people, management and pentesters aside:
- Analysts
- Engineers
- Architects

(Note that these terms tend to be loaded due to their use in other industries. In fact, in some states you might even have to come up with a different equivalent term for positions due to legal definitions (or licensing) of roles. Try to bear with me and just go with the flow, eh?)

Analysts are people who think about stuff and write about stuff and sometimes help initiate actions, but they are not the implementers of security tools or practices. An analyst may or may not be particularly technical, depending on the nature of the role. For example, there are tons of entry-level SOC analyst positions today that can provide a first taste of infosec work life. You rarely need to have a lot of technical skills, at least initially, to land one of these gigs (this varies by org). Similarly, there are GRC analyst roles that tend not to be technical at all (despite often including "technical writing," such as for policies, in the workload). On the far end of the spectrum, you may have incident response (IR) analysts who are very technical, but again note the nature of their duties: thinking about stuff, writing about stuff, and maybe initiating actions (such as the IR process or escalations therein).

Engineers are people who do most of the hands-on work. If you're looking for someone to do a bunch of implementation work, particularly around security tools and tech, then you want a security engineer, and that should be clearly stated in your job description. Engineers tend to be people who really enjoy implementation and maintenance work. They like rolling up their sleeves and getting their hands dirty. You might also see "administrator" used in this same category (though that's muddy water as sometimes a "security administrator" might be more like an analyst in being less technical, skilled in one kind of tool, like adding and removing users to Active Directory or your IAM of choice). In general, if you're listing a position that has implementation responsibilities, then you need to be calling it an engineer role (or equivalent), not an analyst and certainly not an architect.

Architects are not your implementers. And, while they are thinkers who may do a fair amount of technical writing, the key differentiators here are that 1) they tend to be way more technical than the average analyst, 2) they see a much bigger picture than the average analyst or engineer, and 3) they've often risen to this position through one or both of the other roles, but almost certainly with considerable previous hands-on implementation experience as an engineer. It's very important to understand that your architects, while likely having a background in engineering, are unlikely to want to do much hands-on implementation work. What hands-on work they are willing/interested to do is likely focused heavily on proofs of concept (POCs) and testing new ideas and technologies. Given their technical backgrounds, they'll be able to go toe-to-toe on technical topics with just about anyone in the organization, even though they may not be able to sit down and crank out a bunch of server builds in short order any more (or, maybe they can!). A good security architect provides experiential, context-relevant guidance on how to design /secure/ systems and applications, as well as providing guidance on technology purchasing decisions, technical designs, etc. Where they differ from, say, GRC/policy analysts is that when they provide a recommendation on something, they can typically back it up with more than a flaccid reference to "best practices" or some other lame appeal to authority; they can instead point to proven experiences and technical rationale.

Going all the way back to before my Gartner days, I've long told SMBs that their first step should not be hiring a security manager, but rather a security architect who reports up through the IT food chain, preferably directly to the IT manager/director or CIO (depending on size and structure of the org). The reason for this recommendation is that small IT shops already have a number of engineers/administrators and analysts, but what they oftentimes lack is someone with broad AND deep technical expertise in security who can provide all sorts of guidance and value to the organization. Part and parcel of this is that SMBs especially do not need to build out a "security team" or "security department"! (In fact, I often argue only the largest enterprises should ever go this route, and only to improve efficiency and effectiveness. Status quo and conventional wisdom be damned.) Most small IT shops just need someone to help out with decisions and evaluations to ensure that the organization is making smart security decisions. This security architect role should not be focused on implementation or administration, but instead should be serving in an almost quasi-EA (enterprise architect) role that cuts across the entire org. In many ways, a security architect is a counselor who works with teams to improve their security decisions. It's common in larger organizations for security architects to have a focus on one part of the business simply as a matter of scale and supportability.

So that's it. Nothing too crazy, right? But, I think it's important. Yes, some of you may debate and question how I've defined things, and that's fine, but the main takeaway here, hopefully, is that job descriptions need to be reset again around some standard language. In particular, orgs need to stop listing a ton of implementation work for "security architect" roles because that's misleading and really not what a security architect does. Properly titling and describing roles is very important, and will help you more readily find your ideal candidates. Calling everything a "security architect" does not do anything positive for you, and it serves to frustrate and disenfranchise your candidate pools (not to mention wasting your time on screening).

fwiw. ymmv. cheers!

Hacking the Universe with Quantum Encraption

Ladies and Gentlemen of the Quantum Physics Community:

  I want you to make a Pseudorandom Number Generator!

  And why not!  I’m just a crypto nerd working on computers, I only get a few discrete bits and a handful of mathematical operations.  You have such an enormous bag of tricks to work with!  You’ve got a continuous domain, trigonometry, complex numbers, eigenvectors…you could make a PRNG for the universe!  Can you imagine it?  Your code could be locally hidden in every electron, proton, fermion, boson in creation.

  Don’t screw it up, though.  I can’t possibly guess what chaos would (or would fail to) erupt, if multiple instances of a PRNG shared a particular seed, and emitted identical randomness in different places far, far away.  Who knows what paradoxes might form, what trouble you might find yourself entangled with, what weak interactions might expose your weak non-linearity.  Might be worth simulating all this, just to be sure.

  After all, we wouldn’t want anyone saying, “Not even God can get crypto right”.


  Cryptographically Secure Pseudorandom Number Generators are interesting.  Given a relatively small amount of data (just 128 bits is fine) they generate an effectively unlimited stream of bits completely indistinguishable from the ephemeral quantum noise of the Universe.  The output is as deterministic as the digits of pi, but no degree of scientific analysis, no amount of sample data will ever allow a model to form for what bits will come next.

  In a way, CSPRNGs represent the most practical demonstration of Gödel’s First Incompleteness Theorem, which states that for a sufficiently complex system, there can be things that are true about it that can never be proven within the rules of that system.  Science is literally the art of compressing vast amounts of experimentally derived output on the nature of things, to a beautiful series of rules that explains it.  But as much as we can model things from their output with math, math can create things we can never model.  There can be a thing that is true — there are hidden variables in every CSPRNG — but we would never know.

  And so an interesting question emerges.  If a CSPRNG is indistinguishable from the quantum noise of the Universe, how would we know if the quantum noise of the universe was not itself a CSPRNG?  There’s an infinite number of ways to construct a Random Number Generator, what if Nature tried its luck and made one more?  Would we know?

  Would it be any good?

   I have no idea.  I’m just a crypto nerd.  So I thought I’d look into what my “nerds from another herd”, Quantum Physicists, had discovered.


  Like most outsiders diving into this particular realm of science, I immediately proceeded to misunderstand what Quantum Physics had to say.  I thought Bell’s Theorem ruled out anything with secret patterns:

“No physical theory of local hidden variables can ever reproduce all the predictions of quantum mechanics.”  

  I thought that was pretty strange.  Cryptography is the industrial use of chaotic systems with hidden variables.  I had read this to mean, if there were ever local hidden variables in the random data that quantum mechanics consumed, the predictions would be detectably different from experimental evidence.

  Quantum Physics is cool, it’s not that cool.  I have a giant set of toys for encrypting hidden variables in a completely opaque datastream, what, I just take my bits, put them into a Quantum Physics simulation, and see results that differ from experimental evidence?  The non-existence of a detection algorithm distinguishing encrypted datastreams from pure quantum entropy, generic across all formulations and levels of complexity, might very well be the safest conjecture in the history of mathematics.  If such a thing existed, it wouldn’t be one million rounds of AES we’d doubt, it’d be the universe.

  Besides, there’s plenty of quantum mechanical simulations on the Internet, using JavaScript’s Math.random.  That’s not exactly a Geiger counter sitting next to a lump of Plutonium.  This math needs uniform distributions, it does not at all require unpredictable ones.

  But of course I completely misunderstood Bell.  He based his theorem on what are now called Bell Inequalities.  They describe systems that are in this very weird state known as entanglement, where two particles both have random states relative to the universe, but opposite states relative to each other.  It’s something of a bit repeat; an attacker who knows a certain “random” value is 1 knows that another “random” value is 0.  But it’s not quite so simple.  The classical interpretation of entanglement is often demonstrated in relation to the loss of a shoe (something I’m familiar with, long story).  You lose one shoe, the other one is generally identical.

  But Bell inequalities, extravagantly demonstrated for decades, demonstrate that’s just not how things work down there because the Universe likes to be weird.  Systems at that scale don’t have a ground truth, as much as a range of possible truths.  Those two particles that have been entangled, it’s not their truth that is opposite, it’s their ranges.  Normal cryptanalysis isn’t really set up to understand that — we work in binaries, 1’s and 0’s.  We certainly don’t have detectors that can be smoothly rotated from “detects 1’s” to “detects 0’s”, and if we did we would assume as they rotated there would be a linear drop in 1’s detected matching a linear increase in 0’s.

  When we actually do the work, though, we never see linear relationships.  We always see curves, cos^2 in nature, demonstrating that the classical interpretation is wrong.  There are always two probability distributions intersecting.


  Here’s the thing, and I could be wrong, but maybe I’ll inspire something right.  Bell Inequalities prove a central thesis of quantum mechanics — that reality is probabilistic — but Bell’s Theorem speaks about all of quantum mechanics.  There’s a lot of weird stuff in there!  Intersecting probability distributions are required; the explanations that have been made for them are not necessarily necessary.

  More to the point, I sort of wonder if people think it’s “local hidden variables” XOR “quantum mechanics” — if you have one, you can’t have the other.  Is that true, though?  You can certainly explain at least Bell Inequalities trivially, if the crystal that is emitting entangled particles emits equal and opposite polarizations, on average.  In other words, there’s a probability distribution for each photon’s polarization, and it’s locally probed at the location of the crystal, twice.

  I know, it would seem to violate conservation of angular momentum.  But, c’mon.  There’s lots of spare energy around.  It’s a crystal, they’re weird, they can get a tiny bit colder.  And “Nuh-uh-uh, Isaac Newton!  For every action, there is an equal and opposite probability distribution of a reaction!” is really high up on the index of Shit Quantum Physicists Say.

Perhaps more likely, of course, is that there’s enough hidden state to bias the probability distribution of a reaction, or is able to fully describe the set of allowable output behaviors for any remote unknown input.  Quantum Physics biases random variables.  It can bias them more.  What happens to any system with a dependency on random variables that suddenly aren’t?  Possibly the same thing that happens to everything else.

  Look.  No question quantum mechanics is accurate, it’s predictive of large chunks of the underlying technology the Information Age is built on.  The experiment is always right, you’re just not always sure what it’s right about.  But to explain the demonstrable truths of probability distribution intersection, Quantum Physicists have had to go to some pretty astonishing lengths.  They’ve had to bend on the absolute speed limit of the universe, because related reactions were clearly happening in multiple places in a manner that would require superluminal (non-)communication.

  I guess I just want to ask, what would happen if there’s just a terrible RNG down there — non-linear to all normal analysis, but repeat its seed in multiple particles and all hell breaks loose?  No really, what would happen?

   Because that is the common bug in all PRNGs, cryptographically secure and otherwise.  Quantum mechanics describes how the fundamental unstructured randomness of the universe is shaped and structured into probability distributions.  PRNGs do the opposite — they take structure, any structure, even fully random bits limited only by their finite number — and make them an effectively unbound stream indistinguishable from what the Universe has to offer.

  The common PRNG bug is that if the internal state is repeated, if the exact bits show up in the same places and the emission counter (like the digit of pi requested) is identical, you get repeated output.

  I’m not saying quantum entanglement demonstrates bad crypto.  I wouldn’t know.  Would you?

  Because here’s the thing.  I like quantum physics.  I also like relativity.  The two fields are both strongly supported by the evidence, but they don’t exactly agree with one another.  Relativity requires nothing to happen faster than the speed of light; Quantum Physics kind of needs its math to work instantaneously throughout the universe.  A sort of detente has been established between the two successful domains, called the no-communication theorem.  As long as only the underlying infrastructure of quantum mechanics needs to go faster than light, and no information from higher layers can be transmitted, it’s OK.

   It’s a decent hack, not dissimilar to how security policies never seem to apply to security systems.  But how could that even work?  Do particles (or waves, or whatever) have IP addresses?  Do they broadcast messages throughout the universe, and check all received messages for their identifier?  Are there routers to reduce noise?  Do they maintain some sort of line of sight at least?  At minimum, there’s some local hidden variable even in any non-local theory, because the system has to decide who to non-locally communicate with.  Why not encode a LUT (Look Up Table) or a function that generates the required probability distributions for all possible future interactions, thus saving the horrifying complexity of all particles with network connections to all other particles?

  Look, one can simulate weak random number generators in each quantum element, and please do, but I think non-locality must depend on some entirely alien substrate, simulating our universe with a speed of light but choosing only to use that capacity for its own uses.  The speed of light itself is a giant amount of complexity if instantaneous communication is available too.

  Spooky action at a distance, time travel, many worlds theories, simulators from an alien dimension…these all make for rousing episodes of Star Trek, but cryptography is a thing we actually see in the world on a regular basis.  Bad cryptography, even more so.


  I mentioned earlier, at the limit, math may model the universe, but our ability to extract that math ultimately depends on our ability to comprehend the patterns in the universe’s output.  Math is under no constraint to grant us analyzable output.

  Is the universe under any constraint to give us the amount of computation necessary to construct cryptographic functions?  That, I think, is a great question.

  At the extreme, the RSA asymmetric cipher can be interpreted symmetrically as F(p,q)==n, with p and q being large prime numbers and F being nothing more than multiply.  But that would require the universe to support math on numbers hundreds of digits long.  There’s a lot of room at the bottom but even I’m not sure there’s that much.  There’s obviously some mathematical capacity, though, or else there’d be nothing (and no one) to model.

  It actually doesn’t take that much to create a bounded function that resists (if not perfectly) even the most highly informed degree of relinearizing statistical work, cryptanalysis.  This is XTEA:

#include <stdint.h>

/* take 64 bits of data in v[0] and v[1] and 128 bits of key[0] - key[3] */

void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0=v[0], v1=v[1], sum=0, delta=0x9E3779B9;
    for (i=0; i < num_rounds; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
    }
    v[0]=v0; v[1]=v1;
}

  (One construction for PRNGs, not the best, is to simply encrypt 1,2,3… with a secret key.  The output bits are your digits, and like all PRNGs, if the counter and key repeat, so does the output.)
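To make that parenthetical concrete, here is the counter-mode construction written out around the XTEA routine above, as an added example (mine, not code from the original post): the generator’s state is a key plus a counter, each output word is the encryption of the current counter value, and the decipher routine is the inverse the text hints at. The key value and the 32-round count are arbitrary choices for the demonstration. The three check functions show the bug the post is about: two instances with the same key and counter emit the same stream, an instance started one counter step later emits the same stream shifted by one word, and only a different key gives an unrelated stream.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XTEA_ROUNDS 32

/* XTEA block encryption: 64-bit block in v[0..1], 128-bit key in key[0..3]. */
void xtea_encipher(unsigned int num_rounds, uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0, delta = 0x9E3779B9;
    for (unsigned int i = 0; i < num_rounds; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* The inverse: the same rounds walked backwards, starting from the final sum. */
void xtea_decipher(unsigned int num_rounds, uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], delta = 0x9E3779B9, sum = delta * num_rounds;
    for (unsigned int i = 0; i < num_rounds; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Counter-mode generator: the whole state is (key, counter); output word i is E_key(i). */
typedef struct {
    uint32_t key[4];
    uint64_t counter;
} ctr_prng;

void ctr_prng_seed(ctr_prng *g, const uint32_t key[4], uint64_t counter) {
    memcpy(g->key, key, sizeof g->key);
    g->counter = counter;
}

/* Encrypt the counter, bump it, return the 64-bit ciphertext as the next output word. */
uint64_t ctr_prng_next(ctr_prng *g) {
    uint32_t v[2] = { (uint32_t)(g->counter >> 32), (uint32_t)(g->counter & 0xFFFFFFFFu) };
    xtea_encipher(XTEA_ROUNDS, v, g->key);
    g->counter++;
    return ((uint64_t)v[0] << 32) | v[1];
}

/* Fill out[0..n) from a fresh generator seeded with (key, counter). */
void ctr_prng_fill(const uint32_t key[4], uint64_t counter, uint64_t *out, size_t n) {
    ctr_prng g;
    ctr_prng_seed(&g, key, counter);
    for (size_t i = 0; i < n; i++) out[i] = ctr_prng_next(&g);
}

int streams_identical(const uint64_t *a, const uint64_t *b, size_t n) {
    return memcmp(a, b, n * sizeof *a) == 0;
}

/* Constructed demo key; the value is arbitrary, the point is that two instances share it. */
static const uint32_t DEMO_KEY[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u };

/* 1 if two generators seeded with the same (key, counter) emit the same stream. */
int same_seed_same_stream(void) {
    uint64_t a[8], b[8];
    ctr_prng_fill(DEMO_KEY, 0, a, 8);
    ctr_prng_fill(DEMO_KEY, 0, b, 8);
    return streams_identical(a, b, 8);
}

/* 1 if a generator started one counter step later is the first stream shifted by one word:
   the two streams differ as arrays but overlap almost entirely. */
int shifted_counter_overlaps(void) {
    uint64_t a[8], c[8];
    ctr_prng_fill(DEMO_KEY, 0, a, 8);
    ctr_prng_fill(DEMO_KEY, 1, c, 8);
    return !streams_identical(a, c, 8) && streams_identical(a + 1, c, 7);
}

/* 1 if flipping a single key bit gives a different stream. */
int different_key_different_stream(void) {
    uint32_t key2[4];
    uint64_t a[8], d[8];
    memcpy(key2, DEMO_KEY, sizeof key2);
    key2[3] ^= 1u;
    ctr_prng_fill(DEMO_KEY, 0, a, 8);
    ctr_prng_fill(key2, 0, d, 8);
    return !streams_identical(a, d, 8);
}

/* 1 if decipher undoes encipher on the block (a, b) and encipher actually changed it. */
int xtea_roundtrip_ok(uint32_t a, uint32_t b) {
    uint32_t v[2] = { a, b };
    xtea_encipher(XTEA_ROUNDS, v, DEMO_KEY);
    int changed = (v[0] != a || v[1] != b);
    xtea_decipher(XTEA_ROUNDS, v, DEMO_KEY);
    return changed && v[0] == a && v[1] == b;
}

int main(void) {
    uint64_t a[4], c[4];
    ctr_prng_fill(DEMO_KEY, 0, a, 4);
    ctr_prng_fill(DEMO_KEY, 1, c, 4);
    for (size_t i = 0; i < 4; i++)
        printf("counter %zu: %016llx   counter %zu: %016llx\n", i,
               (unsigned long long)a[i], i + 1, (unsigned long long)c[i]);
    printf("same seed, same stream: %d\nshifted counter overlaps: %d\n",
           same_seed_same_stream(), shifted_counter_overlaps());
    return 0;
}
```

Running it prints the first words of two streams whose counters start at 0 and 1; the second column is the first shifted down a row. That overlap is why real counter-mode generators (CTR_DRBG from SP 800-90A, for instance) derive both key and counter from fresh entropy per instance and never let two instances share them.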

  The operations we see here are:

  1. The use of a constant.  There are certainly constants of the universe available at 32 bits of detail.
  2. Addition.  No problem.
  3. Bit shifts.  So that’s two things — multiplication or division by a power of two, and quantization loss of some amount of data.  I think you’ve got that, it is called quantum mechanics after all.
  4. XOR and AND.  This is tricky.  Not because you don’t have exclusion available — it’s not called Pauli’s Let’s Have A Party principle — but because these operations depend on a sequence of comparisons across power of two measurement agents, and then combining the result.  Really easy on a chip, do you have that kind of magic in your bag of tricks?  I don’t know, but I don’t think so.

  There is a fifth operation that is implicit, because this is happening in code.  All of this is happening within a bitvector 32 bits wide, or integers mod 2^32 (the ring Z/2^32Z, not the field GF(2^32): the additions carry, while the XORs and shifts work on the bits), or % 2**32, depending on which community you call home.  Basically, all summation will loop around.  It’s OK, given the proper key material there’s absolutely an inverse function that will loop backwards over all these transformations and restore the original state (hint, hint).

  Modular arithmetic is the math of clocks, so of course you’d expect it to exist somewhere in a world filled with things that orbit and spin.  But, in practical terms, it does have a giant discontinuity as we approach 1 and reset to 0.  I’m sure that does happen — you either do have escape velocity and fly off into the sunset, or you don’t, crash back to earth, and *ahem* substantially increase your entropy — but modular arithmetic seems to mostly express at the quantum scale trigonometrically.  Sine waves can possibly be thought of as a “smoothed” mod, that exchanges sharp edges for nice, easy curves.

  Would trig be an improvement to cryptography?  Probably not! It would probably become way easier to break!  While the universe is under no constraint to give you analyzable results, it’s also under no constraint not to.  Crypto is hard even if you’re trying to get it right; randomly throwing junk together will (for once) not actually give you random results.

  And not having XOR or AND is something notable (a problem if you’re trying to hide the grand secrets of the universe, a wonderful thing if you’re trying to expose them).  We have lots of functions made out of multiply, add, and mod.  They are beloved by developers for the speed at which they execute.  Hackers like ‘em too, they can be predicted and exploited for remote denial of service attacks.  A really simple function comes from the legendary Dan Bernstein:

unsigned djb_hash(void *key, int len)
{
    unsigned char *p = key;
    unsigned h = 0;
    int i;

    for (i = 0; i < len; i++)
        h = 33 * h + p[i];

    return h;
}

  You can see the evolution of these functions at , but what should be clear is that there are many ways to compress a wide distribution into a small one, with varying degrees of uniformity and predictability.
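The denial-of-service angle mentioned above, as an added example (mine, not code from the original post or from Bernstein): because each step of djb_hash is affine in the running value, any two byte pairs with the same 33*a + b contribute identically whatever came before them, and mixing such pairs at k positions gives 2^k distinct keys with one hash. The code builds those keys and shows what they do to a hash table’s worst-case chain next to benign sequential keys; the pair choice (“B0” and “AQ”), the key counts and the bucket count are arbitrary for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The hash from the text: h = 33*h + byte, mod 2^32. */
unsigned djb_hash(const void *key, int len) {
    const unsigned char *p = key;
    unsigned h = 0;
    for (int i = 0; i < len; i++) h = 33 * h + p[i];
    return h;
}

/* Two byte pairs that contribute the same value after any prefix h:
   33*'B' + '0' = 33*66 + 48 = 2226 = 33*65 + 81 = 33*'A' + 'Q'.
   After either pair the running value is 1089*h + 2226, so the prefix cancels
   and the pairs can be mixed freely at every position. */
static const char PAIR_0[2] = { 'B', '0' };
static const char PAIR_1[2] = { 'A', 'Q' };

#define MAX_K 12   /* up to 4096 crafted keys, plenty to make the point */

/* Write the i-th of 2^k colliding keys (2*k chars plus NUL): bit j of i picks the pair at position j. */
void colliding_key(unsigned i, unsigned k, char *out) {
    for (unsigned j = 0; j < k; j++) {
        const char *pair = ((i >> j) & 1u) ? PAIR_1 : PAIR_0;
        out[2 * j] = pair[0];
        out[2 * j + 1] = pair[1];
    }
    out[2 * k] = '\0';
}

/* Returns 2^k if all 2^k generated keys hash to one value, 0 otherwise (or if k > MAX_K). */
unsigned verify_multicollision(unsigned k) {
    char buf[2 * MAX_K + 1];
    unsigned count, h0 = 0;
    if (k > MAX_K) return 0;
    count = 1u << k;
    for (unsigned i = 0; i < count; i++) {
        colliding_key(i, k, buf);
        unsigned h = djb_hash(buf, (int)(2 * k));
        if (i == 0) h0 = h;
        else if (h != h0) return 0;
    }
    return count;
}

/* Longest chain a table of `nbuckets` buckets would see from the 2^k crafted keys. */
unsigned max_bucket_load_colliding(unsigned k, unsigned nbuckets) {
    static unsigned load[4096];
    char buf[2 * MAX_K + 1];
    unsigned worst = 0;
    if (k > MAX_K || nbuckets == 0 || nbuckets > 4096) return 0;
    memset(load, 0, sizeof load);
    for (unsigned i = 0; i < (1u << k); i++) {
        colliding_key(i, k, buf);
        unsigned b = djb_hash(buf, (int)(2 * k)) % nbuckets;
        if (++load[b] > worst) worst = load[b];
    }
    return worst;
}

/* Same table fed benign keys "key0", "key1", ... for comparison. */
unsigned max_bucket_load_sequential(unsigned n, unsigned nbuckets) {
    static unsigned load[4096];
    char buf[32];
    unsigned worst = 0;
    if (nbuckets == 0 || nbuckets > 4096) return 0;
    memset(load, 0, sizeof load);
    for (unsigned i = 0; i < n; i++) {
        int len = snprintf(buf, sizeof buf, "key%u", i);
        unsigned b = djb_hash(buf, len) % nbuckets;
        if (++load[b] > worst) worst = load[b];
    }
    return worst;
}

int main(void) {
    char buf[2 * MAX_K + 1];
    for (unsigned i = 0; i < 4; i++) {
        colliding_key(i, 3, buf);
        printf("%s -> %u\n", buf, djb_hash(buf, 6));
    }
    printf("2^10 colliding keys verified: %u\n", verify_multicollision(10));
    printf("worst chain in 1024 buckets: crafted %u vs sequential %u\n",
           max_bucket_load_colliding(10, 1024), max_bucket_load_sequential(1024, 1024));
    return 0;
}
```

Any hash that is a fixed linear recurrence in its input admits this, and a table keyed by attacker-chosen strings degrades to a linked list. The usual fix is a keyed hash with a per-process secret (SipHash is the common choice), which is the same discipline the post describes for RNGs: keep the function static and make only the key secret.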

  Of course, Quantum Physicists actually know what tools they have to model the Universe at this scale, and their toolkit is vast and weird.  A very simple compression function though might be called Roulette: take the sine of a value with a large normal or Poisson distribution, and emit the result.  The phase (the input reduced mod 2π) will be mostly (but not quite actually) uniform; the sine of that phase is not flat but piles up toward ±1, the arcsine distribution, so the emitted value carries structure of its own on top of whatever the input had.

  Now, such a terrible RNG would be vulnerable to all sorts of “chosen plaintext” or “related key” attacks.  And while humans have learned to keep the function static and only have dynamic keys if we want consistent behavior, wouldn’t it be tragic if two RNGs shipped with identical inputs, one with a RNG configured for sine waves, the other configured for cosine?  And then the results were measured against one another?  Can you imagine the unintuitive inequalities that might form?

  Truly, it would be the original sin.


  I admit it.  I’m having fun with this (clearly).  Hopefully I’m not being too annoying.  Really, finally diving into the crazy quantum realm has been incredibly entertaining.  Have you ever heard of Young’s experiment?  It was something like 1801, and he took a pinhole of sunlight coming through a wall and split the light coming out of it with a note card.  Boom!  Interference pattern!  Proved the existence of some sort of wave nature for light, with paper, a hole, and the helpful cooperation of a nearby stellar object.  You don’t always need a particle accelerator to learn something about the Universe..

  You might wonder why I thought it’d be interesting to look at all this stuff.  I blame Nadia Heninger.  She and her friends discovered that about (actually, at least) one in two hundred private cryptographic keys were actually shared between systems on the Internet, and were thus easily computed.  Random number generation had been shown to have not much more than two nines of reliability in a critical situation.  A lot of architectures for better RNG had been rejected, because people were holding out for hardware.  Now, of course, we actually do have decent fast RNG in hardware, based on actual quantum noise.  Sometimes people are even willing to trust it.

  Remember, you can’t differentiate the universe from hidden variable math, just on output alone.

  So I was curious what the de minimis quantum RNG might look like.  Originally I wanted to exploit the fact that LEDs don’t just emit light, they generate electricity when illuminated.  That shouldn’t be too surprising, they’re literally photodiodes.  Not very good ones, but that’s kind of the charm here.  I haven’t gotten that working yet, but what has worked is:

  1. An arduino
  2. A capacitor
  3. There is no 3

  It’s a 1 Farad, 5V capacitor.  It takes entire seconds to charge up.  I basically give it power until 1.1V, and let it drain to 1.0V.  Then I measure, with my nifty 10 bit ADC, just how much voltage there is per small number of microseconds.

  Most, maybe all TRNGs, come down to measuring a slow clock with a fast clock.  Humans are pretty good at keeping rhythm at the scale of tens of milliseconds.  Measure us to the nanosecond, and that’s just not what our meat circuits can do consistently.

   How much measurement is enough?  10 bits of resolution to model the behavior of trillions of electrons doesn’t seem like much.  There’s structure in the data of course, but I only need to think I have about 128 bits before I can do what you do, and seed a CSPRNG with the quantum bits.  It’ll prevent any analysis of the output that might be, you know, correlated with temperature or power line conditions or whatnot.

  And that’s the thing with so-called True RNGs, or TRNGs.  Quantum Physics shapes the fundamental entropy of the universe, whether you like it or not, and acts as sort of a gateway filter to the data you are most confident lacks any predictable structure, and adds predictable structure.  So whenever we build a TRNG, we always overcollect, and very rarely directly expose.  The great thing about TRNGs is — who knows what junk is in there?  The terrifying thing about TRNGs is, not you either.
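The overcollect-then-seed step, as an added example (mine, not the original post’s Arduino code): given a run of 10-bit ADC readings, it estimates how many whole bits of min-entropy each sample is worth with the most-common-value estimator (the conservative floor in NIST SP 800-90B, rounded down to whole bits here so the code needs no libm), works out how many samples to gather for a 128-bit seed with an overcollection factor, and applies SP 800-90B’s repetition count health test so a stuck source is refused rather than hashed into a seed. The ADC series is simulated (a discharge ramp plus a couple of bits of jitter), the fixture arrays are constructed, and the 4x overcollection factor is an arbitrary choice; the estimator assumes independent samples, which a drifting capacitor does not give, which is why the low-bit decimation and the overcollection are doing real work.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ADC_BITS   10
#define ADC_LEVELS (1u << ADC_BITS)

/* How often the single most common 10-bit value occurs in samples[0..n). */
uint64_t most_common_count(const uint16_t *samples, size_t n) {
    uint32_t hist[ADC_LEVELS] = {0};
    uint64_t max_count = 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t v = samples[i] & (ADC_LEVELS - 1);
        if (++hist[v] > max_count) max_count = hist[v];
    }
    return max_count;
}

/* Whole bits of min-entropy per sample, floor(-log2(p_max)) with p_max the most common value's
   frequency. Most-common-value estimator, rounded down (conservative). Assumes independent
   samples, which real noise is not, so even this floor is optimistic: overcollect. */
unsigned min_entropy_bits_floor(const uint16_t *samples, size_t n) {
    uint64_t max_count = most_common_count(samples, n);
    unsigned bits = 0;
    if (n == 0) return 0;
    while ((max_count << (bits + 1)) <= (uint64_t)n) bits++;
    return bits;
}

/* Keep only the low `bits` bits of each sample, the part the slow ramp does not reach. */
void keep_low_bits(const uint16_t *in, uint16_t *out, size_t n, unsigned bits) {
    uint16_t mask = (uint16_t)((1u << bits) - 1);
    for (size_t i = 0; i < n; i++) out[i] = in[i] & mask;
}

/* Samples to collect for target_bits of min-entropy, times an overcollection factor.
   Returns 0 when the source shows no entropy at all: refuse to seed. */
size_t samples_needed(unsigned bits_per_sample, unsigned target_bits, unsigned overcollect) {
    if (bits_per_sample == 0) return 0;
    return (size_t)((target_bits + bits_per_sample - 1) / bits_per_sample) * overcollect;
}

/* SP 800-90B repetition count cutoff for a 2^-20 false alarm rate: C = 1 + ceil(20 / H).
   A source with no measured entropy gets cutoff 1, so every sample fails and it is rejected. */
uint32_t repetition_cutoff(unsigned bits_per_sample) {
    if (bits_per_sample == 0) return 1;
    return 1u + (20u + bits_per_sample - 1) / bits_per_sample;
}

/* 1 if some value repeats `cutoff` or more times in a row: the source is stuck, stop seeding. */
int repetition_test_fails(const uint16_t *samples, size_t n, uint32_t cutoff) {
    uint32_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (i > 0 && samples[i] == samples[i - 1]) ? run + 1 : 1;
        if (run >= cutoff) return 1;
    }
    return 0;
}

/* Constructed fixtures, not measured data. */
static const uint16_t HALF_STUCK[8]   = {5, 5, 5, 5, 1, 2, 3, 4};                 /* p_max = 1/2 */
static const uint16_t FLAT_FOUR[16]   = {0,1,2,3, 0,1,2,3, 0,1,2,3, 0,1,2,3};      /* p_max = 1/4 */
static const uint16_t DEAD_SOURCE[25] = {7,7,7,7,7, 7,7,7,7,7, 7,7,7,7,7, 7,7,7,7,7, 7,7,7,7,7};

/* Constructed stand-in for the capacitor readings: a discharge ramp from ~1.1V to ~1.0V on a
   10-bit, 5V scale (225 down to 206) plus two bits of jitter from a tiny LCG. Not real data. */
void simulate_adc(uint16_t *out, size_t n) {
    uint32_t lcg = 12345u;
    for (size_t i = 0; i < n; i++) {
        lcg = lcg * 1664525u + 1013904223u;
        uint16_t drift = (uint16_t)(225 - (i * 20) / n);
        out[i] = (uint16_t)(drift + ((lcg >> 24) & 3u));
    }
}

int main(void) {
    enum { N = 4096 };
    static uint16_t raw[N], low[N];
    simulate_adc(raw, N);
    keep_low_bits(raw, low, N, 2);
    unsigned h_raw = min_entropy_bits_floor(raw, N);
    unsigned h_low = min_entropy_bits_floor(low, N);
    printf("raw: most common value %llu of %d times, floor %u bits/sample\n",
           (unsigned long long)most_common_count(raw, N), N, h_raw);
    printf("low 2 bits: most common value %llu of %d times, floor %u bits/sample\n",
           (unsigned long long)most_common_count(low, N), N, h_low);
    printf("samples for a 128-bit seed, 4x overcollected: %zu\n", samples_needed(h_low, 128, 4));
    printf("repetition cutoff %u, stuck-source test fails: %d\n",
           (unsigned)repetition_cutoff(h_low), repetition_test_fails(low, N, repetition_cutoff(h_low)));
    return 0;
}
```

Running it shows why the raw readings are the wrong thing to count: the ramp spreads the most common value thin and makes the raw estimate look generous even though each reading is predictable from the one before it, while the low two bits give a smaller but honest figure. What leaves this stage is still never exposed directly; it goes through a hash or a CSPRNG seed, as the paragraph above says.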

  In researching this post, I found the most entertaining paper:  Precise Monte Carlo Simulation of Single Photon Detectors.  It had this quote:

Using a simple but very demanding example of random number generation via detection of Poissonian photons exiting a beam splitter, we present a Monte Carlo simulation that faithfully reproduces the serial autocorrelation of random bits as a function of detection frequency over four orders of magnitude of the incident photon flux.

  See, here is where quantum nerds and crypto nerds diverge.

  Quantum nerds:  “Yeah, detectors suck sometimes, universe is fuzzy whatcha gonna do”


  Both are wrong, both are right, damn superposition.  It might be interesting to investigate further.


  You may have noticed throughout this post that I use the phrase randomness, instead of entropy.  That is because entropy is a term that cryptographers borrowed from physicists.  For us, entropy is just an abstract measure of how much we’d have to work if we threw up our hands on the whole cryptanalysis enterprise and just tried every possibility.  For experimental physicists, entropy is something of a thing, a condition, that you can remove from a system like coal on a cart powered by a laser beam.

  Maybe we should do that.  Let me explain.  There is a pattern, when we’re attacking things, that the closer you get to the metal the more degrees of freedom you have to mess with its normal operations.  One really brutal trick involves bypassing a cryptographic check, by letting it proceed as expected in hardware, and then just not providing enough electrons to the processor at the very moment it needs to report the failure.  You control the power, you control the universe.

   Experimental physicists control a lot of this particular universe.  You know what sort of cryptographic attack we very rarely get to do?  A chosen key attack.

  Maybe we should strip as much entropy from a quantum system as physically possible, and see just how random things are inside the probability distributions that erupt upon stimulation.  I don’t think we’ll see any distributional deviations from quantum mechanics, but we might see motifs (to borrow a phrase from bioinformatics) — sequences of precise results that we’ve seen before.  Coarse grain identity, fine grain repeats.

  Worth taking a look.  Obviously, I don’t need to tell physicists how to remove entropy from their system.  But it might be worth mentioning: if you make things whose size isn’t specified to matter a multiple of prime integer relationships to a size that is known to be available to the system, you might see unexpected peaks as integer relationships in unknown equations expose as sharing factors with your experimental setup.  I’m not quite sure you’ll find anything, and you’ll have to introduce some slop (and compensate for things like signals propagating at different speeds as photons in free space or electronic vibrations within objects), but maybe, if this isn’t already common exploratory experimental process, you’ll find something cool.

   I know, I’m using the standard hacker attack patterns where they kind of don’t belong.  Quantum Physics has been making some inroads into crypto though, and the results have been interesting.  If you think input validation is hard now, imagine if packet inspection was made illegal by the laws of the Universe.  There was actually this great presentation at CCC a few years ago that achieved 100% key recovery on common quantum cryptographic systems — check it out.

   So maybe there’s some links between our two worlds, and you’ll grant me some leeway to speculate wildly (if you’ve read this far, I’m hoping you already have).  Let’s imagine for a moment, that in the organization I’ll someday run with a small army dedicated to fixing the Internet, I’ve got a couple of punk experimentalist grad students who know their way around an optics table and still have two eyes.  What would I suggest they do?

  I see lots of experiments providing positive confirmation of quantum mechanics, which is to be expected because the math works.  But you know, I’d try something else.  A lot of the cooler results from Quantum Physics show up in the two slit experiment, where coherent light is shined through two slits and interferes as waves on its way to a detector.  It’s amazing, particularly since it shows up even when there’s only one photon, or one electron, going through the slits.  There’s nothing else to interfere with!  Very cool.

  There’s a lot of work going on in showing interference patterns in larger and larger things.  We don’t quite know why the behaviors correctly predicted by Quantum Physics don’t show up in, like, baseballs.  The line has to be somewhere, we don’t know why or where.  That’s interesting work!  I might do something else, though.

  There exists an implemented behavior:  An interference pattern.  It is fragile, it only shows up in particular conditions.  I would see what breaks that fragile behavior, that shouldn’t.  The truth about hacking is that as creative as it is, it is the easy part.  There is no human being on the planet that can assemble a can of Coca-Cola, top to bottom.  Almost any person can destroy a can though, along with most of the animal kingdom and several natural processes.

  So yes.  I’m suggesting fuzzing quantum physics.  For those who don’t know, a lot of systems will break if you just throw enough crap at the wall.  Eventually you’ll hit some gap between the model a developer had in his mind for what his software did, and what behaviors he actually shipped.

  Fuzzing can be completely random, and find lots of problems.  But one of the things we’ve discovered over the years is that understanding what signals a system is used to processing, and composing them in ways a system is not used to processing, exposes all sorts of failure conditions.  For example, I once fuzzed a particular web browser.  Those things are huge!  All sorts of weird parsers, that can be connected in almost but not quite arbitrary ways.  I would create these complex trees of random objects, would move elements from one branch to another, would delete a parent while working on a child, and all the while, I’d stress the memory manager to make sure the moment something was apparently unneeded, it would be destroyed.

  I tell you, I’d come to work the next day and it’d be like Christmas.  I wonder what broke today!  Just because it can compose harmlessly, does not at all mean it will.  Shared substrates like the universe of gunk lashing a web browser together never entirely implement their specifications perfectly.  The map is not the territory, and models are always incomplete.

  Here’s the thing.  We had full debuggers set up for our fuzzers.  We would always know exactly what caused a particular crash.  We don’t have debuggers for reality at the quantum scale, though wow, I wish we did.  Time travel debugging would be awesome.  

  I want to be cautious here, but I think this is important to say.  Without a debugger, many crashes look identical.  You would not believe the number of completely different things that can cause a web browser to give up the ghost.  Same crash experience every time, though.  Waves, even interference waves, are actually a really generic failure mode.  The same slits that will pass photons, will also pass air molecules, will also pass water molecules.  Stick enough people in a stadium and give them enough beer and you can even make waves out of people.

  They’re not the same waves, they don’t have the same properties, that’s part of the charm of Quantum Physics.  Systems at different scales do behave differently.  The macro can be identical, the micro can be way, way different.

  Interference is fairly intuitive for multi-particle systems.  Alright, photons spin through space, have constructive and destructive modes when interacting in bulk, sure.  It happens in single photon and electron systems too, though.  And as much as I dislike non-locality, the experiment is always right.  These systems behave as if they know all the paths they could take, and choose one.

  This does not necessarily need to be happening for the same reasons in single photon systems, as it is in long streams of related particles.  It might be!  But, it’s important to realize, there won’t just be waves from light, air, and water.  Those waves will have similarities, because while the mechanisms are completely different, the ratios that drive them remain identical (to the accuracy of each regime).

  Bug collisions are extremely annoying.

  I know I’m speaking a bit out of turn.  It’s OK.  I’m OK with being wrong, I just generally try to not be, you know.  Not even wrong.  What’s so impressive about superposition is that the particle behaves in a manner that betrays knowledge it should not have.  No cryptographic interpretation of the results of Quantum Physics can explain that; you cannot operate on data you do not have.  Pilot wave theory is a deterministic conception of quantum physics, not incompatible at all with this cryptographic conjecture, but it too has given up on locality.  You need to have an input, to account for it in your output.

  But the knowledge of the second slit is not necessarily absent from the universe as perceived by the single photon.  Single photon systems aren’t.  It’s not like they’re flying through an infinitely dark vacuum.  There’s black body radiation everywhere, bouncing off the assembly, interfering through the slits, making a mess of things.  I know photons aren’t supposed to feel the force of others at different wavelengths, but we’re talking about the impact on just one.  Last I heard, there’s a tensor field of forces everything has to go through, maybe it’s got a shadow.  And the information required is some factor of the ratio between slits, nothing else.  It’s not nothing but it’s a single value.

  The single particle also needs to pass through the slits.  You know, there are vibratory modes.  Every laser assembly I see isolates the laser from the world.  But you can’t stop the two slits from buzzing, especially when they’re being hit by all those photons that don’t miss the assembly.  Matter is held together by electromagnetic attraction; a single photon versus a giant hunk of mass has more of an energy differential than myself and Earth.  There doesn’t need to be much signal transfer there, to create waves.  There just needs to be transfer of the slit distance.

Might be interesting to smoothly scale your photon count from single photon in the entire assembly (not just reaching the photodetector), through blindingly bright, and look for discontinuities.  Especially if you’re using weak interactions to be trajectory aware.

  In general, change things that shouldn’t matter.  There are many other things that have knowledge of the second photon path.  Reduce the signal so that there’s nothing to work on, or introduce large amounts of noise so it doesn’t matter that the data is there.  Make things hot, or cold.  Introduce asymmetric geometries, make a photon entering the left slit see a different (irrelevant) reality than the photon entering the right.  As in, there are three slits, nothing will even reach the middle slit because it’s going to be blocked by a mirror routing it to the right slit, but the vibratory mode between left and middle is different than that for middle and right.  Or at least use different shapes between the slits, so that the vibratory paths are longer than crow flies distance.  Add notch filters and optical diodes where they shouldn’t do anything.  Mirrors and retroreflectors too.  Use weird materials — ferromagnetic, maybe, or anti-ferromagnetic.  Bismuth needs its day in the sun.  Alter density, I’m sure somebody’s got some depleted uranium around, gravity’s curvature of space might not be so irrelevant.  Slits are great, they’re actually not made out of anything!  You know what might be a great thing to make two slits out of?  Three photodetectors!  Actually, cell phones have gotten chip sensors to be more sensitive than the human eye, which in the right conditions is itself a single photon detector.  I wonder just what a Sony ISX-017 (“Starvis”) can do.

You know what’s not necessarily taking nanoseconds to happen?  Magnetization!  It can occur in femtoseconds and block an electron from the right slit while the left slit is truly none the wiser.  Remember, you need to try each mechanism separately, because the failure mode of anything is an interference pattern.

   Just mess with it!  Professors, tell your undergrads, screw things up.  Don’t set anything on fire.  You might not even have to tell them that.

  And then you go set something on fire, and route your lasers through it.  Bonus points if they’re flaming hoops.  You’ve earned it.

  I’ll be perfectly honest.  If any of this works, nobody would be more surprised than me.  But who knows, maybe this will be like that time somebody suggested we just send an atomic clock into space to unambiguously detect time dilation from relativity.  A hacker can dream!  I don’t want to pretend to be telling anyone how the universe works, because how the heck would I know.  But maybe I can ask a few questions.  Perhaps, strictly speaking, this is a disproof of Bell’s Theorem that is not superdeterminism.  Technically a theory does not need to be correct to violate his particular formulation.  It might actually be the case that this… Quantum Encraption is a local hidden variable theory that explains all the results of quantum mechanics.


P.S. This approach absolutely does not predict a deterministic universe.  Laser beams eventually decohere, just not immediately.  Systems can absolutely have a mix of entropy sources, some good, some not.  It takes very, very little actual universal entropy to create completely unpredictable chaos, and that’s kind of the point.  The math still works just as predictably even with no actual randomness at all.  Only if all entropy sources were deterministic at all scales could the universe be as well.  And even then, the interaction of even extremely weak cryptosystems is itself strongly unpredictable over the scale of, I don’t know, billions of state exchanges.  MD5 is weak, a billion rounds of MD5 is not.  So there would be no way to predict or influence the state of the universe even given perfect determinism without just outright running the system.

[edit] P.P.S. “There is no outcome in quantum mechanics that cannot be handled by encraption, because if there was, you could communicate with it.”  I’m not sure that’s correct but you know what passes the no communication theory really easily?  No communication.  Also, please, feel free to mail me privately at or comment below.

Diving into the Issues: Observations from SOURCE and AtlSecCon

Last week I had the pleasure of presenting three times, at two conferences, in two different countries: SOURCE in Boston, MA and at the Atlantic Security Conference (AtlSecCon) in Halifax, NS, Canada.

The first event of my week was SOURCE Boston. This year marked the tenth anniversary of SOURCE Conference and it continues to pride itself on being one of the only venues that brings business, technology and security professionals together under one roof to focus on real-world, practical security solutions for some of today's toughest security issues. Though I was only there for the first day, I was able to catch up with friends, play some Hacker Movie Trivia with Paul Asadoorian (@securityweekly), and chat with attendees on some of the biggest challenges we face around detecting and mitigating ransomware attacks.

After my presentation, I rushed off to Logan Airport to sit in what I now choose to call the “Air Canada Ghetto” – a small three-gate departure area segregated from the rest of the airport and its amenities. A minor four-hour delay later, I was on my way to Halifax for AtlSecCon.

Between meetings and casual conversations I was enlightened by several presentations. Raf Los (@Wh1t3Rabbit), managing director of solutions research & development at Optiv, discussed Getting Off the Back Foot – Employing Active Defence, which presented an outcome-oriented and capabilities-driven model for more effective enterprise security.

After his talk, Aunshul Rege (@prof_rege), an assistant professor with the Criminal Justice department at Temple University, gave a very interesting talk entitled Measuring Adversarial Behavior in Cyberattacks. With a background in criminology, Aunshul presented her research from observations and interviews conducted at the Industrial Control Systems Computer Emergency Response Team’s (ICS-CERT) Red/Blue cybersecurity training exercise held at Idaho National Laboratory. Specifically, she covered how adversaries might engage in research and planning, offer team support, manage conflict between group members, structure attack paths (intrusion chains), navigate disruptions to their attack paths, and how limited knowledge bases and self-induced mistakes can possibly impact adversaries.

The last presentation was Mark Nunnikhoven’s (@marknca) Is Your Security Team Set up To Fail? Mark, the VP of cloud research at Trend Micro and a personal friend, examined the current state of IT security programs and teams, delving into the structure, goals, and skills prioritized by the industry.

The second day of the conference was filled with meetings for me but I was able to sit through Michael Joyce’s talk entitled A Cocktail Recipe for Improving Canadian Cybersecurity. Joyce described the goals and objectives of The Smart Cybersecurity Network (SERENE-RISC) – a federally funded, not-for-profit knowledge mobilization network created to improve the general public’s awareness of cybersecurity risks and to empower all to mitigate them through knowledge. He was an excellent presenter and served as a call to action for those looking to help communicate the need for cybersecurity to all Canadians.

At both conferences I presented my latest talk entitled The Not-So-Improbable Future of Ransomware which explored how thousands of years of human kidnap and ransom doctrine have served as a playbook for ransomware campaign operators to follow. It was well received by both audiences and sparked follow-up conversations and discussions throughout the week. The SOURCE version can be found here and the AtlSecCon version here.

The SOURCE session received some early praise, in addition to written pieces by Bill Brenner (@billbrenner70) from Sophos:

And Taylor Armerding (@tarmerding2) from CSO:

At AtlSecCon I joined a panel entitled Security Modelling Fundamentals: Should Security Teams Model a SOC Around Threats or Just Build Layers? Chaired by Tom Bain (@tmbainjr1), VP of marketing at CounterTack, the session served as a potpourri of security threats and trends ranging from ransomware, to regulation, to attack mitigation. It was quite fun and a great way to end the day.

Though it was a long series of flights home to the Bay Area I thoroughly enjoyed both conferences. I would highly recommend attending and/or speaking at both next year if you are provided with the opportunity.

Next up, (ISC)² CyberSecureGov 2017 in Washington, D.C. and the Rocky Mountain Information Security Conference (RMISC) in Denver, CO. Perhaps I’ll see some of our readers there!

The post Diving into the Issues: Observations from SOURCE and AtlSecCon appeared first on LEO Cyber Security.

Layered Database Security in the age of Data Breaches

We live in a time of daily breach notifications. One recently affected organization in Germany put out a statement which said: "The incident is not attributable to security deficiencies." and "Human error can also be ruled out." They went on to say that it is "virtually impossible to provide viable protection against organized, highly professional hacking attacks." It's a tough climate we find ourselves in. It just feels too hard or impossible at times. And there's some truth to that. There are way too many potential attack vectors for comfort.

Many breaches occur in ways that make it difficult to pinpoint exactly what might have prevented it. Or, the companies involved hide details about what actually happened or how. In some cases, they lie. They might claim there was some Advanced Persistent Threat on the network when in reality, it was a simple phishing attack where credentials were simply handed over.

In one recent case, a third party vendor apparently uploaded a database file to an unsecured Amazon AWS server. A media outlet covering the story called out that it was not hacking because the data was made so easily available. Numerous checkpoints come to mind that each could have prevented or lessened the damage in this scenario. I’d like to paint a picture of the numerous layers of defense that should be in place to help prevent this type of exposure.

Layer 1: Removing Production Data
The data should have been long removed from the database.
Assuming this is a non-production database (and I sure hope it is), it should have been fully masked before it was even saved as a file. Masking data means completely removing the original sensitive data and replacing it with fake data that looks and acts real. This enables safe use of the database for app development, QA, and testing. Data can be masked as it’s exported from the production database (most secure) or in a secure staging environment after the initial export. Had this step been done, the database could safely be placed on an insecure AWS server with limited security concerns because there’s no real data. An attacker could perhaps use the DB schema or other details to better formulate an attack on the production data, so I’m not recommending posting masked databases publicly, but the risk of data loss is severely limited once the data is masked.
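An added example (not from the original post, and not any vendor's masking product) of the kind of masking job Layer 1 describes: a keyed, deterministic masking pass over a constructed export, in which sensitive fields are replaced with format-preserving fake values, identical originals map to identical fakes so referential integrity survives, identifier columns are left intact, and a final check confirms no original value leaked into the output. All rows, names, and the masking key are constructed for the demonstration.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed non-production rows; nothing here is real customer data.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"customer_id": 1, "name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789"},
    {"customer_id": 2, "name": "Bob Example", "email": "bob@example.org", "ssn": "987-65-4321"},
    # Same person exported twice: masking must map both rows to the same fake values
    {"customer_id": 3, "name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789"},
]

# Constructed key: it belongs to the masking job only and never ships with the export.
MASKING_KEY = b"constructed-masking-key-do-not-ship-with-export"

FAKE_FIRST = ["Maria", "Kenji", "Amara", "Lukas", "Priya", "Diego", "Sofia", "Omar"]
FAKE_LAST = ["Okafor", "Novak", "Tanaka", "Silva", "Lindqvist", "Haddad", "Moreau", "Patel"]


def _stream(key: bytes, field: str, value: str, nbytes: int) -> bytes:
    """Keyed, deterministic pseudo-random bytes for one (field, value) pair.
    HMAC makes the mapping one-way without the key and stable across rows."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = f"{field}:{counter}:{value}".encode()
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def mask_digits(key: bytes, field: str, value: str) -> str:
    """Replace every digit but keep separators, so the masked value still passes
    the same format checks (SSN, phone) as the original."""
    digits = [c for c in value if c.isdigit()]
    rnd = iter(_stream(key, field, value, len(digits)))
    return "".join(str(next(rnd) % 10) if c.isdigit() else c for c in value)


def mask_email(key: bytes, value: str) -> str:
    local = _stream(key, "email", value, 6).hex()
    return f"user-{local}@masked.example"


def mask_name(key: bytes, value: str) -> str:
    rnd = _stream(key, "name", value, 2)
    return f"{FAKE_FIRST[rnd[0] % len(FAKE_FIRST)]} {FAKE_LAST[rnd[1] % len(FAKE_LAST)]}"


def mask_row(key: bytes, row: Dict[str, object]) -> Dict[str, object]:
    """Key columns such as customer_id are left intact so foreign keys keep working."""
    masked = dict(row)
    masked["name"] = mask_name(key, str(row["name"]))
    masked["email"] = mask_email(key, str(row["email"]))
    masked["ssn"] = mask_digits(key, "ssn", str(row["ssn"]))
    return masked


def mask_rows(key: bytes, rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [mask_row(key, r) for r in rows]


def looks_like_ssn(value: str) -> bool:
    return re.fullmatch(r"\d{3}-\d{2}-\d{4}", value) is not None


def leaks_original(masked: List[Dict[str, object]], original: List[Dict[str, object]]) -> bool:
    """Gate before the file leaves staging: no original sensitive value may
    survive anywhere in the masked export."""
    sensitive = {str(r[f]) for r in original for f in ("name", "email", "ssn")}
    return any(str(v) in sensitive for r in masked for v in r.values())


if __name__ == "__main__":
    for row in mask_rows(MASKING_KEY, SAMPLE_ROWS):
        print(row)
    print("leak check:", leaks_original(mask_rows(MASKING_KEY, SAMPLE_ROWS), SAMPLE_ROWS))
```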

Layer 2: Secure Cloud Server Configuration
The researcher should never have been able to get to the file.
A security researcher poking around the web should never have been able to access this database file. Proper server configuration and access controls should prevent unauthorized access to any files (including databases). In addition to documenting proper security configuration, certain Cloud Access Security Brokers (CASBs) can be used to continuously monitor AWS instances to ensure that server configurations match the corporate guidelines. Any instances of configuration drift can be auto-remediated with these solutions to ensure that humans don’t accidentally misconfigure servers or miss security settings in the course of daily administration.

Layer 3: Apply Database Encryption
Even with access to the database file, the researcher should not have been able to access the data.
At-rest data encryption that is built into the database protects sensitive data against this type of scenario. Even if someone has the database file, if it were encrypted, the file would essentially be useless. An attacker would have to implement an advanced crypto attack which would take enormous resources and time to conduct and is, for all intents and purposes, impractical. Encryption is a no-brainer. Some organizations use disk-layer encryption, which is OK in the event of lost or stolen disk. However, if a database file is moved to an unencrypted volume, it is no longer protected. In-database encryption improves security because the security stays with the file regardless of where it’s moved or exported. The data remains encrypted and inaccessible without the proper encryption keys regardless of where the database file is moved.

Layer 4: Apply Database Administrative Controls
Even with administrative permissions to the database, the researcher should not have been able to access the sensitive data.
I’m not aware of similar capabilities outside of Oracle database, but Oracle Database Vault would have also prevented this breach by implementing access controls within the database. Database Vault effectively segregates roles (enforces Separation of Duties) so that even an attacker with DBA permissions and access to the database file and encryption keys cannot run queries against the sensitive application data within the database because their role does not allow it. This role-based access, enforced within the database, is an extremely effective control to avoid accidental access that may occur throughout the course of daily database administration.

Layer 5: Protect Data Within the Database
Even with full authorization to application data, highly sensitive fields should be protected within the database.
Assuming all of the other layers break down and you have full access to the unencrypted database file and credentials that are authorized to access the sensitive application data, certain highly sensitive fields should be protected via application-tier encryption. Social Security Numbers and Passwords, for example, shouldn’t be stored in plain text. By applying protection for these fields at the app layer, even fully authorized users wouldn’t have access. We all know that passwords should be hashed so that the password field is only useful to the individual user who enters their correct password. But other fields, like SSN, can be encrypted at the app layer to protect against accidental exposure (human error), intentional insider attack, or exposed credentials (perhaps via phishing attack).

Maybe the vendor didn’t follow the proper protocols instituted by the organization. Maybe they made a human error; we all make mistakes. But, that’s why a layered approach to database security is critical on any database instances where sensitive production data resides. Security protocols shouldn’t require humans to make the right decisions. They should apply security best practices by default and without option.

Assuming this was a non-production database, any sensitive data should have been fully masked/replaced before it was even made available. And, if it was a production DB, database encryption and access control protections that stay with the database during export or if the database file is moved away from an encrypted volume should have been applied. The data should have been protected before the vendor's analyst ever got his/her hands on it. Oracle Database Vault would have prevented even a DBA-type user from being able to access the sensitive user data that was exposed here. These are not new technologies; they’ve been around for many years with plentiful documentation and industry awareness.

Unfortunately, a few of the early comments I read on this particular event were declarations or warnings about how this proves that cloud is less secure than on-premises deployments. I don’t agree. Many cloud services are configured with security by default and offer far more protection than company-owned data centers. Companies should seek cloud services that enable security by default and that offer layered security controls; more security than their own data centers. It’s more than selecting the right Cloud Service Provider. You also need to choose the right service; one that matches the specific needs (including security needs) of your current project. The top CSPs offer multiple IaaS and/or PaaS options that may meet the basic project requirements. While cloud computing grew popular because it’s easy and low cost, ease-of-use and cost are not always the most important factors when choosing the right cloud service. When sensitive data is involved, security needs to be weighed heavily when making service decisions.

I'll leave you with this. Today's computing landscape is extremely complex and constantly changing. But security controls are evolving to address what has been called the extended enterprise (which includes cloud computing and user mobility among other characteristics). Don't leave security in the hands of humans. And apply security in layers to cover as many potential attack vectors as possible. Enable security by default and apply automated checks to ensure that security configuration guidelines are being followed.

Note: Some of the content above is based on my understanding of Oracle security products (encryption, masking, CASB, etc.) Specific techniques or advantages mentioned may not apply to other vendors’ similar solutions.

IQ Retail Guards Against New Age Threats with Panda Security


“Stories of cyber-attacks hit the news almost daily – data breaches, DDoS attacks, email hacks and phishing attacks – reminders of the dangers of the internet,” says Jeremy Matthews, Regional Manager of Panda Security Africa. “Yet somehow all of these attacks still seem foreign – as though it would never happen to you; however, the reality is, South African businesses are affected by these threats,” continues Matthews.

IQ Retail MD Chris Steyn knows this all too well and has seen first-hand the dramatic rise of new age threats such as Ransomware. Software company IQ Retail provides expertise in complete financial and business administration solutions, focusing on the development of business systems for the accounting and retail management environment. Since its inception in 1986, IQ Retail has grown to become one of the premium providers of innovative business solutions.

“Few businesses realise the seriousness of these threats and the damage they can have on a business,” says Steyn. “The problem we have found is twofold; firstly, businesses do not have adequate security software protecting their network, and secondly, they do not have effective backups in place,” continues Steyn.

He recognises that these advanced threats stem from a situation in which hackers no longer need to be tech savvy, with access to ready-made Malware toolkits available on the dark web. New malware variants are created daily and many security vendors are unable to keep up. As a result, businesses are being attacked more often and Cybercrime has become more profitable and easier to implement than ever before.

Speaking to Panda Security about his experience working with many South African businesses, Steyn says, “We have noticed two-week spikes in attacks that most often occur on the weekend when there are few people in the office. This puts businesses in a tough position that often leads to payment of the ransom or, worse, a loss of company data.”

Taking note of the shifting dynamic, IQ Retail developed a multi-layered approach, implementing security solutions at every level of their infrastructure, as well as ensuring backups are in place and procedures are being followed. Despite their efforts, Ransomware was still able to penetrate their network.

Advanced Protection

In order to prevent further breaches, Steyn and his team did extensive research into solutions offered by various vendors. They discovered that conventional AV solutions are unable to prevent zero-day Ransomware and other advanced threats from entering the network.

Steyn turned to Panda to implement a final effort to mitigate the threat of Ransomware. “Through our research, we realised that Panda’s Adaptive Defense 360 software is the only solution that could give us comprehensive protection. AD360 allows us to proactively manage the security on our network and track possible risk situations,” says Steyn.

The Solution

Steyn explains that the current environment requires new generation protection solutions such as Adaptive Defense 360 that provide an Endpoint Detection and Response (EDR) service to accurately classify all running programs on your network. This means that only legitimate programs are able to run.

Panda’s EDR technology model is based on three phases: Continuous monitoring of applications on a company’s computers and servers. Automatic analysis and correlation using machine learning on Panda’s Big Data platform in the cloud. Finally, Endpoint hardening and enforcement – blocking all suspicious or dangerous processes, with notifications to alert network administrators.

AD 360 combines EDR with full conventional Endpoint Protection (EPP) to deliver comprehensive protection.

For more information on how to protect your business from the advanced threats we see today, contact Panda Security.

The post IQ Retail Guards Against New Age Threats with Panda Security appeared first on

Evolution of Locky – A Cat & Mouse Game


In the on-going game of cat and mouse between cyber attackers and defensive internet security providers, the appearance of a new tactic from the Locky family of Ransomware comes as no surprise.

As we discussed in February this year, Locky targets victims through seemingly legitimate email attachments. Once the victim clicks on the attachment the malicious macro begins encrypting the users’ files.

Given the nature of this environment, security experts are constantly working on ways to stop Locky, coming up with solutions that will render it ineffective.

Distribution of the latest attack

In the latest development, cyber attackers have come up with new tactics to bypass security. The malware is still distributed via email attachments, but no longer uses a Trojan. These emails have varying names and subject lines to attract the victims’ attention and usually contain Zip files.

The malware skips the downloader Trojan and gets the Locky variant in DLL format, which is then executed using Windows rundll32.exe. By using a script file as well as a DLL, instead of a Trojan and .exe, Locky is not immediately detected and blocked, and the Ransomware can begin its course.

To further ensure its success, cyber attackers have given Locky an added fall-back mechanism: the malware will still be able to complete its actions even in cases where it can’t reach its command and control servers. The weak point in this is that the encryption key is then the same for every computer.
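As an added example (not from the post or from any vendor's product), the detection logic a defender could run over endpoint process-creation telemetry for the pattern described above: rundll32.exe launched by a script host, or handed a DLL that lives in a user-writable location. The event lines, file names, and the key=value format are all constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (key=value, quoted where needed); not real telemetry.
SAMPLE_EVENTS = [
    # Benign: Explorer invoking a system DLL from System32
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"',
    # Script host launching rundll32 on a DLL dropped in %TEMP% (the pattern in the post)
    'ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll,run"',
    # DLL executed out of a user's Downloads folder, launched from cmd.exe
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\bob\\Downloads\\archive\\payload.dll,start"',
    # Script host, but not rundll32: out of scope for this rule
    'ParentImage=C:\\Windows\\System32\\wscript.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe readme.txt"',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Directories an ordinary user (or an email attachment) can write to.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|users\\[^\\]+\\desktop)\\", re.IGNORECASE)
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV.finditer(line)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dll_argument(command_line: str) -> str:
    """rundll32 takes '<dll path>,<entry point>'; return just the path part."""
    parts = command_line.split(None, 1)
    if len(parts) < 2:
        return ""
    return parts[1].split(",", 1)[0].strip('"')


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event matches the pattern (empty list = no alert)."""
    if _basename(event.get("Image", "")) != "rundll32.exe":
        return []
    reasons = []
    parent = _basename(event.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS:
        reasons.append(f"rundll32 spawned by script host {parent}")
    dll = dll_argument(event.get("CommandLine", ""))
    if USER_WRITABLE.search(dll):
        reasons.append(f"DLL loaded from user-writable path {dll}")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run the rule over a batch of events; each alert carries its command line and reasons."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            alerts.append((event.get("CommandLine", ""), reasons))
    return alerts


if __name__ == "__main__":
    for command_line, reasons in scan(SAMPLE_EVENTS):
        print("ALERT:", command_line)
        for reason in reasons:
            print("   -", reason)
```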

These attacks appear to present in weekly waves and have already targeted victims in North and South America, and Europe, as well as attacks in Africa and Asia.


In order to protect yourself, security experts suggest setting up filters for script files that arrive via email, as well as ensuring your antivirus is up to date. Advanced solutions such as Panda’s Adaptive Defence allow for active classification of every running application by leveraging Endpoint Detection & Response (EDR) technologies. This means that you have a greater chance of defending your network against today’s advanced threats.

The post Evolution of Locky – A Cat & Mouse Game appeared first on

Read My Lips: Let’s Kill 0Day

0day is cool.  Killing 0day, sight unseen, at scale — that’s cooler.

If you agree with me, you might be my kind of defender, and the upcoming O’Reilly Security Conference(s) might be your kind of cons.

Don’t get me wrong.  Offense is critical.  Defense without Offense is after all just Compliance.  But Defense could use a home.  The Blue Team does not always have to be the away team.

So for quite some time, I’ve been asking Tim O’Reilly to throw a highly technical defensive security event.  Well, be careful what you wish for.  I actually keynoted his Velocity event with Zane Lackey a while back, and was struck by the openness of the environment, and the technical competence of the attendees.  This is a thing that would be good for Defense, and so I’ve taken the rare step of actually joining the Program Committee for this one.  CFPs for NYC & Amsterdam are still open (but not for much longer!).  How would you know if this is your sort of party?

NIST’s SAMATE project has been assembling this enormous collection of minimized vulnerability cases.  They’re just trying to feed static analyzers, but if you’re filled with ideas of what else is possible with these terabytes of goodies – this is your con.

Researchers at Stanford instrumented the IDEs of students, and watched how early failures predicted later ones.  Can we predict the future authorship of security vulnerabilities?  In what ways do languages themselves predict failures, independent of authors?  If this interests you, this is your con.

If you’re in operations, don’t feel left out.  You’re actually under attack, and you’re actively doing things to keep the lights on.  We want to know how you’re fighting off the hordes.

We live in a golden age of compilers actually trying to help us (this was not always the case).  Technologies like Address Sanitizer, Undefined Behavior Sanitizer, Stack Protection / /GS along with the Microsoft universe of Control Flow Guard and the post-Boehm-ish MemGC suggest a future of much faster bug discovery and much better runtime protections.  Think you’ve got better?  Think you can measure better?  Cool, show us.

Or show us we’re wrong.  Offensive researchers, there are better places for you to demonstrate the TLS attack of the hour, but if you haven’t noticed, a lot of defensive techniques have gotten a “free pass”, E for effort, that sort of thing.  There’s a reason we call ‘em sandboxes; they’re things kids step into and out of pretty freely.  Mitigations not living up to their hype?  Security technologies actually hosting insecurity?  Talk to a bunch of people who’d care.

We’re not going to fix the world just by blowing things up.  Come, show us your most devious hacks, let’s redefine how we’re going to defend and fix the Internet.

The Cryptographically Provable Con Man

It’s not actually surprising that somebody would claim to be the creator of Bitcoin.  Whoever “Satoshi Nakamoto” is, is worth several hundred million dollars.  What is surprising is that credible people were backing Craig Wright’s increasingly bizarre claims.  I could speculate why, or I could just ask.  So I mailed Gavin Andresen, Chief Scientist of the Bitcoin Foundation, “What the heck?”:

What is going on here?

There’s clear unambiguous cryptographic evidence of fraud and you’re lending credibility to the idea that a public key operation could should or must remain private?

He replied as follows, quoted with permission:

Yeah, what the heck?

I was as surprised by the ‘proof’ as anyone, and don’t yet know exactly what is going on.

It was a mistake to agree to publish my post before I saw his – I assumed his post would simply be a signed message anybody could easily verify.

And it was probably a mistake to even start to play the Find Satoshi game, but I DO feel grateful to Satoshi.

If I’m lending credibility to the idea that a public key operation should remain private, that is entirely accidental. OF COURSE he should just publish a signed message or (equivalently) move some btc through the key associated with an early block.

Feel free to quote or republish this email.

Good on Gavin for his entirely reasonable reaction to this genuinely strange situation.

Craig Wright seems to be doubling down on his fraud, again, and I don’t care.  The guy took an old Satoshi signature from 2009 and pretended it was fresh and new and applied to Sartre.  It’s like Wright took the final page of a signed contract and stapled it to something else, then proclaimed to the world “See?  I signed it!”.

That’s not how it works.
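An added example (not from the post, and using a constructed key rather than any real Bitcoin key) of why the stapled-page trick fails: a minimal secp256k1 ECDSA implementation shows that a signature verifies only over the message it was made for, so an old signature presented with a new text fails, while a signature over a challenge the verifier chose is the proof Gavin describes. The nonce derivation is a simplified deterministic stand-in for RFC 6979 and hashing is single SHA-256, both acceptable for the demonstration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None is the point at infinity

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G: Point = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
            0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1: Point, p2: Point) -> Point:
    """Affine point addition (curve coefficient a = 0)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k: int, point: Point) -> Point:
    """Double-and-add scalar multiplication."""
    acc: Point = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def _hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(priv: int, message: bytes) -> Tuple[int, int]:
    """ECDSA (r, s) over sha256(message); nonce derived from key and message hash."""
    digest = hashlib.sha256(message).digest()
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), digest, hashlib.sha256).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, N - 2, N) * (_hash_to_int(message) + r * priv) % N
    return r, s


def verify(pub: Point, message: bytes, sig: Tuple[int, int]) -> bool:
    """True only if sig was produced over exactly this message by the key behind pub."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, N - 2, N)
    point = _add(_mul(_hash_to_int(message) * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


# Constructed private key for the demonstration; NOT Satoshi's or anyone's real key.
DEMO_PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
DEMO_PUB = _mul(DEMO_PRIV, G)

OLD_MESSAGE = b"constructed: a message that was signed years ago"
NEW_CLAIM = b"constructed: a passage of Sartre presented as freshly signed"


def demo() -> Tuple[bool, bool]:
    """(replayed old signature accepted?, fresh signature over the new text accepted?)"""
    old_sig = sign(DEMO_PRIV, OLD_MESSAGE)
    replayed = verify(DEMO_PUB, NEW_CLAIM, old_sig)   # the stapled-page trick
    fresh = verify(DEMO_PUB, NEW_CLAIM, sign(DEMO_PRIV, NEW_CLAIM))  # genuine proof of key control
    return replayed, fresh


if __name__ == "__main__":
    print("old signature over new claim verifies:", demo()[0])
    print("fresh signature over new claim verifies:", demo()[1])
```

A verifier who picks the challenge text (or, as Gavin notes, watches coins move) is the one who makes the proof meaningful; a message the claimant chose and signed at some unknown earlier time proves nothing about today.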

Say what you will about Bitcoin, it’s given us the world’s first cryptographically provable con artist.  Scammers always have more to say, but all