DataBreachToday.com RSS Syndication: GDPR: Data Breach Notification 101

Brian Honan of BH Consulting on When to Notify - or Not
Since the EU's new GDPR privacy law came into effect in May 2018, one challenge for organizations that suffer a breach is knowing whether or not they must report it to authorities, says Brian Honan, president and CEO of BH Consulting in Dublin.


Devin Nunes Faces an Uphill Battle in His Lawsuit Against Twitter

Devin Nunes, R-Calif., escalated the feud between conservatives and Twitter earlier this week with a lawsuit accusing the company of defamation and negligence -- two different allegations, one of which poses a more serious question for the social media platform and technology companies in general. Nunes is claiming that Twitter negligently violated its terms of service when it allowed people onto its online "premises" to say false or disparaging things about him. He is seeking $250 million in damages due to "pain, insult, embarrassment, humiliation, emotional distress and mental suffering, and injury to [Nunes'] personal and professional reputations" brought on by what Twitter users said about him. From a report: Defamation is an interesting legal matter to discuss, at least in theory, but suing for defamation is seldom profitable in reality. Negligence may not sound as exciting as defamation, but this theory of liability quietly drives most successful civil litigation. Relatively easy to prove, it generally requires that the defendant show conduct that came up short of what can be expected, and that this shortcoming caused the plaintiff's damages. [...] The primary reason that technology companies are not sued into oblivion is the existence of the Communications Decency Act, or CDA, and in particular Section 230, which states that providers of an interactive computer service shall not be treated as the publisher or speaker of any information provided by another information content provider. Ordinarily, a lawsuit like this is properly filed against the Twitter user or account (like "Devin Nunes' Mom") and not Twitter itself. Section 230 and the CDA have become the targets of growing backlash against the idea that technology companies should not be held responsible for what is published on their platforms. 
Technology companies have voluntarily taken steps to moderate some content, such as extremism, conspiracy theories and fake news, but most personal insults and parodies are still allowed to flourish. Section 230, however, isn't necessarily bulletproof. At least one federal court has stressed that the statute does not "create a lawless no-man's-land on the internet." That provides some basis for Nunes' claim that Twitter has been negligent in keeping its platform from being used to spread damaging statements about him. But a negligence claim against Twitter may still be precluded by the CDA. The test is whether the cause of action requires the court to treat Twitter as the publisher or speaker of content provided by another. In the meantime, one of the Twitter parody accounts that is mocking Nunes -- Devin Nunes' Cow (@DevinCow) -- has gained a lot of attention, with its followers count jumping from about 1200 followers last week to more than 615,000 followers -- and in doing so, surpassed the number of followers Devin Nunes has (about 399k).

Read more of this story at Slashdot.

CVE-2019-4035

IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers set up a fake IBM Content Navigator site, they can send ICN users a link that sends a request directly to their Edit client; the Edit client will then download documents from the fake ICN website. IBM X-Force ID: 156001.

CVE-2019-9648

An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.
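
The traversal above works because a path argument containing `\..\..\` reaches the SIZE handler without being confined to the server's root. The following is an added example, not code from Core FTP or the advisory, showing the defensive counterpart: a lexical path resolver that treats both `/` and `\` as separators, refuses any request that would climb above a virtual root, and a SIZE handler that returns the same reply for refused paths and missing files so the response cannot be used to probe file existence. The root `/srv/sftp` and the in-memory file table are constructed for the example.

```python
import re
from typing import Dict, Optional

# Treat both separators as equivalent: the advisory shows a Windows-style
# "\..\..\" substring reaching the SIZE handler, so splitting on '/' alone
# would miss it.
_SEP = re.compile(r"[\\/]+")


def resolve_in_root(root: str, requested: str) -> Optional[str]:
    """Lexically resolve a client-supplied path inside a virtual root.

    Returns the canonical path under `root`, or None if the request would
    climb above it. Resolution works on path segments without touching the
    disk, so an escaping path is refused before any filesystem call happens.
    A leading separator is interpreted relative to the root (chroot-style).
    """
    segments = []
    for seg in _SEP.split(requested):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None            # would escape the virtual root
            segments.pop()
            continue
        if ":" in seg or "\x00" in seg:
            return None                # drive letters and NUL bytes: refuse outright
        segments.append(seg)
    return "/".join([root.rstrip("/")] + segments) or "/"


def handle_size(root: str, arg: str, files: Dict[str, int]) -> str:
    """Hardened SIZE handler over a constructed in-memory file table.

    Refused paths and missing files get the identical reply, so the response
    does not reveal whether something exists outside the root.
    """
    target = resolve_in_root(root, arg)
    if target is None or target not in files:
        return "550 File not found"
    return f"213 {files[target]}"


# Constructed file table standing in for the server's virtual root
FILES = {
    "/srv/sftp/readme.txt": 42,
    "/srv/sftp/docs/report.pdf": 1024,
}

if __name__ == "__main__":
    for arg in ("readme.txt", "docs/../readme.txt",
                r"\..\..\Windows\win.ini", "docs\\..\\..\\etc\\passwd"):
        print(f"SIZE {arg!r:32} -> {handle_size('/srv/sftp', arg, FILES)}")
```

Resolving the path lexically, segment by segment, is what makes the check robust to mixed separators and repeated `..` sequences; a substring filter for `..` would be both easier to bypass and prone to rejecting legitimate names.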

Fake CDC Emails Warning Of Flu Pandemic Push Ransomware

A new malspam campaign is being conducted that pretends to be from the Centers for Disease Control and Prevention (CDC) and warns of a new flu pandemic. Attached to the emails is a malicious attachment that, when opened, will install the GandCrab v5.2 ransomware on the target's computer.

First discovered by MyOnlineSecurity, these emails are sent from addresses impersonating the "Centers for Disease Control and Prevention" and carry the subject line "Flu pandemic warning". They state that there is a flu pandemic and that recipients should read the attached document to help prevent it from spreading.

Roy Rashti, Cyber-security Expert at Bitdam:

“These kinds of attackers always attempt to reach as many end-user inboxes as possible, as some of the targeted end-users will not actually receive the malicious attachment, and of those that do, not all of them will open it. To overcome this and bypass the variety of security solutions that are familiar with macro-attacks currently in the market, attackers try to be as creative as possible.”

“In order to protect from this kind of attack, cyber education and awareness is essential. People need to treat any email they receive with suspicion. However, the creativity and sophistication of social engineering methods used by attackers means that they are usually one step ahead of their targets, so a security solution that is able to detect a wide variety of attacks must be used to prevent them from appearing in the inbox in the first place.” 


The ISBuzz Post: This Post Fake CDC Emails Warning Of Flu Pandemic Push Ransomware appeared first on Information Security Buzz.

Researchers Built an ‘Online Lie Detector.’ Honestly, That Could Be a Problem

A group of researchers claims to have built a prototype for an "online polygraph" that uses machine learning to detect deception from text alone. But as a few machine learning academics point out, what these researchers have actually demonstrated is the inherent danger of overblown machine learning claims. From a report: When Wired showed the study to a few academics and machine learning experts, they responded with deep skepticism. Not only does the study not necessarily serve as the basis of any kind of reliable truth-telling algorithm, it makes potentially dangerous claims: A text-based "online polygraph" that's faulty, they warn, could have far worse social and ethical implications if adopted than leaving those determinations up to human judgment. "It's an eye-catching result. But when we're dealing with humans, we have to be extra careful, especially when the implications of whether someone's lying could lead to conviction, censorship, the loss of a job," says Jevin West, a professor at the Information School at the University of Washington and a noted critic of machine learning hype. "When people think the technology has these abilities, the implications are bigger than a study."


Threat Roundup for March 15 to March 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 15 and March 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Ransomware.Gandcrab-6900355-0
    Ransomware
    GandCrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.
     
  • Win.Trojan.Remcos-6898089-0
    Trojan
    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office Documents with macros, sent as attachments on malicious emails.
     
  • Win.Malware.Autoit-6897734-0
    Malware
    Autoit is a malware family leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows one to write fully functional malicious software. This family installs itself on the system and contacts a C2 server to receive additional instructions.
     
  • Win.Ransomware.Cerber-6896901-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
     
  • Win.Malware.Zbot-6896522-0
    Malware
    Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
     
  • Win.Malware.Ursnif-6896385-0
    Malware
    Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
     
  • Win.Packed.Kovter-6895460-0
    Packed
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Win.Malware.Upatre-6894504-0
    Malware
    Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware.
     
  • Doc.Downloader.Emotet-6894115-0
    Downloader
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Trojan.NetWire-6893426-1
    Trojan
    NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
     

Threats

Win.Ransomware.Gandcrab-6900355-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value Name: xbnykvblxlz
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • carder[.]bit
  • ransomware[.]bit
  • ns2[.]wowservers[.]ru
Files and or directories created
  • %AppData%\Microsoft\jfwwxp.exe
File Hashes
  • 19b5f589a31dd4b6fd6fcda9e529f04adee6628740cfb4354b7fde94ca4c8fe8
  • 2870e29273fac8161c571505e2081afe0aa8c9e198150923f9efcb15a0379e66
  • 31bbc9f6a7d5b5c248c6379afcf7c7026fb0f3b521016d918edba1fad085a9cc
  • 3e9ae9bb1061f2335cbca35ddfe71f7b93d8ff14a79c362b7a5e22a3c19f5af0
  • 3f18aeab0f40e3f957807fdb6142cafcfd4faeac39b0f31df9e869cca981cb70
  • 5a6f4af9f4c0230111b39ff7cf127db182738ed735fa72183f935f272491b53d
  • 635cd9d2065acf51745629ff92e41c8b331d25376868cfde5ec3dfab91cd0026
  • 961b6caacf88d67139309a5dbec806301a1e7fc8eec7db166d9d0d0120346cad
  • a8d145d01780227cecb322d69d173248c122c5c5b5ffe74c28e1ef89958b4dd7
  • c4e78e775a53a51eefc2b5dd4ce161bd1794119a02481e03b9917aba5279d9c0
  • cfb324eb0b95048aa3248b4475902e575da996b63ff86cf78211424ec8c1c561
  • e43d30708069f2ec0b0237144b23e2d337521174530caefd04728fcc0cbbfd6e
  • fcefe7d20db180411dd0f1ae2749e622738d9b8e6cca09a01b870551823ccbd3
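
The listing format used for every threat in this roundup (section headers, bullets, defanged `[.]` network indicators, registry keys with a `Value Name` sub-bullet) is easy to turn into structured data, and the intro's caveat that a single IOC does not indicate maliciousness is worth encoding too. The following is an added example, not Talos code: it parses an excerpt of the Gandcrab listing above, refangs the network indicators, and scores constructed endpoint telemetry by how many distinct IOC types matched rather than by raw hit count. The telemetry events and the `not-a-hash` line are constructed inputs; the IOC values themselves are the ones printed above.

```python
import re
from collections import defaultdict

# Section headers used in the roundup listing, mapped to a short IOC type name
SECTION_HEADERS = {
    "registry": "Registry Keys",
    "mutex": "Mutexes",
    "ip": "IP Addresses contacted by malware",
    "domain": "Domain Names contacted by malware",
    "file": "Files and or directories created",
    "sha256": "File Hashes",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Turn a defanged indicator such as 'carder[.]bit' back into 'carder.bit'
    so it can be compared with values seen in real telemetry."""
    return value.replace("[.]", ".")


def parse_iocs(text):
    """Parse the roundup's bullet listing into {ioc_type: [values]}.
    A registry key and its 'Value Name' sub-bullet are joined into one entry;
    'N/A' placeholders are dropped; malformed hashes are skipped."""
    iocs = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = next((k for k, h in SECTION_HEADERS.items() if line.startswith(h)), None)
        if section is not None:
            current = section
            continue
        if current is None or not line.startswith("•"):
            continue
        value = line.lstrip("•").strip()
        if value == "N/A":
            continue
        if current == "registry":
            if value.startswith("Value Name:") and iocs["registry"]:
                iocs["registry"][-1] += " | " + value   # attach to the preceding key
            else:
                iocs["registry"].append(value)
            continue
        if current in ("ip", "domain"):
            value = refang(value)
        if current == "sha256" and not SHA256_RE.match(value):
            continue
        iocs[current].append(value)
    return dict(iocs)


def score_telemetry(iocs, events):
    """Match telemetry events [(ioc_type, value), ...] against the parsed IOCs.
    Returns (hits, distinct_types): the number of distinct IOC types that
    matched is the corroboration signal; a single hit is only a lead."""
    lookup = {k: set(v) for k, v in iocs.items()}
    hits = [(k, v) for k, v in events if v in lookup.get(k, set())]
    return hits, len({k for k, _ in hits})


# Excerpt of the Gandcrab listing above, embedded so the example runs offline;
# the final "not-a-hash" line is constructed to exercise the hash check.
SAMPLE_LISTING = r"""
Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value Name: xbnykvblxlz
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • carder[.]bit
  • ransomware[.]bit
  • ns2[.]wowservers[.]ru
Files and or directories created
  • %AppData%\Microsoft\jfwwxp.exe
File Hashes
  • 19b5f589a31dd4b6fd6fcda9e529f04adee6628740cfb4354b7fde94ca4c8fe8
  • not-a-hash
"""

# Constructed endpoint telemetry (not real data): three true hits, one benign lookup
SAMPLE_EVENTS = [
    ("domain", "carder.bit"),
    ("ip", "8.8.8.8"),
    ("file", r"%AppData%\Microsoft\jfwwxp.exe"),
    ("sha256", "19b5f589a31dd4b6fd6fcda9e529f04adee6628740cfb4354b7fde94ca4c8fe8"),
]

if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_LISTING)
    hits, kinds = score_telemetry(parsed, SAMPLE_EVENTS)
    print(f"{len(hits)} hits across {kinds} IOC types -> "
          f"{'corroborated' if kinds >= 2 else 'single lead, investigate further'}")
```

Counting distinct indicator types is a deliberately conservative way to follow the caveat above: a resolved domain on its own may be a sinkhole or a researcher's lookup, but a domain plus the dropped file path plus a matching hash on the same host is a very different situation.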

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Trojan.Remcos-6898089-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\IYFIZFIFK-HKLTVU
    • Value Name: exepath
  • <HKCU>\SOFTWARE\IYFIZFIFK-HKLTVU
    • Value Name: licence
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Wordpads
Mutexes
  • Remcos_Mutex_Inj
  • iyfizfifk-HKLTVU
IP Addresses contacted by malware. Does not indicate maliciousness
  • 194[.]5[.]98[.]147
  • 103[.]200[.]5[.]128
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\install.vbs
  • %TEMP%\pyrogenetic.exe
  • %TEMP%\pyrogenetic.vbs
  • %ProgramFiles%\Wordpads\Wordpads.exe
File Hashes
  • 0a1d151c7170baace5e771feb217ee3a685f8af2ddf5c51571d321b2253fa48a
  • 2b6ea3f861899440039f30018f2593a3202b27e3a7f7adec5d5a3703dce3ed59
  • 2c125850f874973b605b04f2ca76d4ae3476bd495890a55f1be3d74de4ca5015
  • 2ea12c4cf9c0c9a3926e0f77333a5e74faf1f4956ab4a599bfd1be6410a4a348
  • 34ce4dbec1155384abd4eab34fa0bc7ca1ead6ae2c4be9a54299e051100245fa
  • 55f209afba93e7a881ad14761b1349349548843a388af32e084a58fe51bc1d34
  • 616ece9b51f1fead02cbc893af7f76240a84a39a9096b4d6cdb066b6ad8a7f4d
  • 786fd0f58b0731ae1326c434ff77bb3f40405dc0fd9f2814d8b41265325920de
  • b76d7be62eb4b198c540220e8b697e01fa80e42465ba314992002175b6593bae
  • bdeea19cc4255537c110faa58fb74721e6503d8815cc62b0fe14a77eba0c4bef
  • c4d675f3f5941b6488fc4c3ecf540c106ef21aa8b8be858cd9ed750888947032
  • c5d8569dbe75f1725774befcd82f1f0cabd8baf07759d60f9b2691870954408f
  • d414046e1fa2ab58f5cb5ea84db538bec4ccff435a7d7c2aab826ebfd584a518
  • dcedf388c083bb55821749ed00e80c96e2aef01fe0e1a26bfdba8b9b8b3d1556
  • e6d04db2794d86b03d8deb2d8c902f76dda946240dc8fbc82d7509c722fa571a
  • e8649923e071a79f7810eddb32257d5782e39428da217cd5aa34af4c821cb0f6
  • fa73eb7829ef969e79d43f647136bdcac25a9b3739961b0653e7bab640966f12

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Malware.Autoit-6897734-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • altspace
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • charlesprofile[.]website
Files and or directories created
  • %UserProfile%\archiveint\adalsql.exe
  • %System32%\Tasks\Gfxv4_0
File Hashes
  • 0df27d70990f8b8ec8b3df25cf1eb9666bf92526095da227080a0372c60aa588
  • 287d43060fcca28466206776b5a147e83d3fd7de4230f1cd909953daa12d0156
  • 43e9ecb0c189695bbb533ec47746edf76778aa1a8b0266f5ac267f79f5cef03d
  • 4634ecfa0699f7408c84fc3c2cdb42601d372777237eec1fe0a58868ef693c1a
  • 5721c80fb52b4db900819b1738db0ad82c502eb7d79e152edb9f2e371f3c9664
  • 6635eb7fc5c7c454b6c5c19018820e249318c34305420cf27392c171df491635
  • 6b327d6a88a18c1167637a8878bf441cfcf567e9c1e19a95c27b93c16e69b45e
  • 7642637e654417d9add1a62ac596cb8d1d84f793749e9e4cc92a117e33d56133
  • 87d5cafaf2e1bb5f56caa5aebd24fbf9941db0e079ba854fb9aaf3bce4c819b2
  • 93cfe8d255a490ac9f173ceb7618a019a25b9246b87e0493acaa20dda799950c
  • d8c4ea9786f6ddc62da7b3555b3efb138ca0c4a0348be83ecec060618db2c276
  • e4503c499e82fa0bce07fd10fdcf132d4a0933d309973b94823366d97a05c4e6
  • e48da123e2e08dd9f62abb56e630b8edfe4ea7977149bda53522bebacfb10d00
  • f51011fa1fbfdf0be75a9300931d33b850b601a01d1a4bfab33c346e3fdde5f2
  • f5bbc3ec89ae91eb6a25cbdb66c4a95b1756298815a50a9e0ce2f27ba57a878f
  • f95c285f6632fecd805fab3e79d018ab4e34e2c230adac317a94ca55b15fd35b

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Ransomware.Cerber-6896901-0


Indicators of Compromise


Registry Keys
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value Name: SCRNSAVE.EXE
Mutexes
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF}
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • cerberhhyed5frqa[.]vmfu48[.]win
Files and or directories created
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.html
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.txt
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.url
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.vbs
  • %AppData%\Microsoft\Internet Explorer\apXmmhm1Ka.cerber (copy)
  • %AllUsersProfile%\Microsoft\Dr Watson\tMYvM36CEP.cerber (copy)
File Hashes
  • 001b33940ee8465748b743f0df809eae3a2a08a78af15243312584cce53393c1
  • 01906006204a9a84fd0dd7d061aacbb093d09a8192c65cc55e3be6edd164c908
  • 02f66c7648b064b49da5218664d1f5abbe954c6a02f46db9dac77358a0d9b92f
  • 0830faf3346becd79a49df77f0d181c66bed86d1771622f0b8315e288ba29e77
  • 0affee8e0b6dce3ec8c453b6a7ac92648bea9006a63c77b7efd36537adabf5b4
  • 0d899afe8df44ba83ee7b02f621100ed721dd0bd9411d6d0a6e3935baa65cc0f
  • 0df1130e9f23b007643dd0ed3375528cb08d0496b195401078fbd27d2fa5de10
  • 0f3c4c70da6c8a58c0f6844eabc40773e0622f8a1e3f13370538112634ae0079
  • 127d0879d93ff4fb65ff40d723480e62e0144483f4be7da0a739ceae9c446d3f
  • 133a9faa5bd0bd157660e67bf208cdea7cde346836df7ed3f0619edf9e652313
  • 1ab65651d3c70301f55f31fa294e215b1c72e9aa7f87d894e493b5e25d2d35d2
  • 1ad4afdcb9a62b69473149a0e70c38822be0f566b6759922f730c074bffcd09c
  • 1cd3e3a997e017a9ad7883dbee9ba8c71f416e56e1113c96d13290dd998ad8da
  • 1df2e8bb31a42361b916a71aa2e816dcc7279b93a80b2613d5dd8681f007cec1
  • 20e0fc147c170e25c8ba1dbb4e6d0dcafa6771659ba101b67e5b2176d41fb81e
  • 2232654770e8440f3d4629753cc78bcc97b054c5df003ac3908da5b20d058659
  • 2b5295639ab89940a16a9b7dc80f7eefbe065fd0bcbdb7d1c783cebd93dd9db8
  • 2dae95760c360eadeba55f370e3e78e9761f436539ffc3cc1e8e91395722ab4b
  • 2e87382ab956e8db123f80f8ecffeb61c4461b5c77d6deed2952c68b9a96f3d8
  • 2ffc4d2116734e50078268c07b7b972d9d127e9d83513d331d13788c7c941990
  • 31235847a5b061a60d79ad9f634455bfc95ce68667ec4df1fc479d147c794649
  • 320281163724c2d356f3ba9e7ccab33fa06b584f841dcbed783cb65432f1498c
  • 3374ca6683d9bb5434fa192eebe615ba6a609cbd8063c47eca42c47bb480e886
  • 3444fa109868538f1b25a0b4e1e8b1b8545ae88e0dc4a71161e64a868826d301
  • 369dc38935f947829cfa4c85e8262a594ef9bd1ece3479c980d90e62ebfeea68

Coverage

Screenshots of Detection: AMP, Umbrella, Malware


Win.Malware.Zbot-6896522-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: AppInit_DLLs
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 216[.]218[.]206[.]69
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\PROGRA~3\Mozilla\thfirxd.exe
  • %System32%\Tasks\aybbmte
  • %SystemDrive%\PROGRA~3\Mozilla\lygbwac.dll
File Hashes
  • 00ffecb86e72d9357a6bbd15b6354fc9213033f748d9b51b597fcc365a9e1f7d
  • 010d598fc0465864690982eec5f30ef48c713916ef4e45a8d8d49420342df428
  • 018edfb60377a0c076e1297bb407cd42b16ffb2c08d4d2aa32b860b061ca5ed3
  • 01bce31e9de13c804a18643616bc34f64bd1c5b25bf8a10f422e2ad19fb7730c
  • 02701dff6c0a0f71b66c9cf69bd895129e810a1a13bcb18be9a8388ff7821b89
  • 02b10171ce53f9592cb441792f91f1d2a7ea1af92e8a814e3bbc42b647afff2c
  • 02c63a651be113f6b1816a357a97af54141e2bd6d9ce4aa2827a629031b8eaf7
  • 02e7cf905bba1542c36e54c120d57c583f6bf33fc15a4fea4e8a41187801b041
  • 0491fc85d831a1f252b61ad87941db7174c53c1b849bc3fa67604251bdbc7fe0
  • 060b3e97fe90a1c725a41fb0ffd3a01ff7b34c74f1460b68dcf05b668dd5521c
  • 06b7d5b411bc5c2b50aa6a257b0799dfa4e098a249602c39a3a43160539087e3
  • 06dea51ea8ec0bbe9578024339ef207c8cac340ca608b519c22999e109514b47
  • 082549d3ad41312e5014c2ada5b99d6dfabc29f09b19ef4d1d9a7ec1297e8356
  • 08807c13e43fd5d202c97c68e25c6178445a65cb0c8f957ff3dc17a293b11020
  • 08d6916f9a64fc2e725d578d1c11c1f77894edc35373d7d308e039bc85e889a7
  • 0997d72a90fbb50cc4fd395c6d9b5bc38f622f5bd66befc055fad32c19ae686e
  • 0a5e7372e854b6ab82834abfaef00be3a1713ae3c921f3d693112482b8d91dff
  • 0aa62de7c50e0d0498ff66687e0ed5ce905f7fe5014b765586ca64c283c2b595
  • 0bca5fd01e55d40ca9d324e0011f56de76cab17d399f6655019f85cbe16ae060
  • 0c3fea106ea5b2d0f943580279e0ddc729e210716ba82344a619ab901438511e
  • 0d08edbe5a8d68b1a6c29fd0956514036a94638e6443db85c37c8e532d15a2c4
  • 0d9c6fe9e4172a80ad9c912eebeecf2baa094012552267ad70d49d6f583add8f
  • 0e9189428c742936b52149e2579844257ab381570b9c13d440fb3304b7cfd935
  • 0ee3a3afec6551c3cdc20836f7d3ae8ac1b20cd7dfa6a14e379ca975d9b342b5
  • 0f18e6faa5e6bc9e81e5cb5c51a7cbd03589eedae7565d1b270fdb803c78c437

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Malware.Ursnif-6896385-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 91[.]134[.]203[.]113
Domain Names contacted by malware. Does not indicate maliciousness
  • kkariannekatrina[.]company
  • f61leeii[.]com
  • qmitchelkp[.]com
Files and or directories created
  • %LocalAppData%\Temp\~DFDEB0FC636A1346E9.TMP
  • %LocalAppData%\Temp\~DFCE77235CFE7E5202.TMP
  • %LocalAppData%\Temp\~DFD0DDA0AA1947567A.TMP
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA0E5.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBF00.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD9FC.tmp
File Hashes
  • 002c189b365fecdd1a985d49bb4fb006c15efc47b1000defbdd6f4af1c11a19a
  • 02a860f30efb515b8c290d7eec3aaacc31e13db934b950c12c46c2b418f44c6f
  • 0698973ada3bb251a5d7d24af6532bfe757f26e21c5ccb4683ea90fa22000d31
  • 0bf3ad196d5c033b96508b82a4627371b410a4171a112fe87749ffa35148e700
  • 4e8a9df93d31b02390be3f76e8092bb8dd1296da7b583f0ef7d1e0a4b621f5c9
  • 50e11389b6a65a77dd2806b0101c00c3ecab05c885904d8ed93fd7d5a22caa29
  • 65365868838db8f45660946e8cf4e48420fef2f191087adff2c8525e1e9b92ab
  • 68ac70dcad46e80bb89338cc239d9c7942a4d7baeb39c783cf7f3f41338afee6
  • 72ea94949e5a93a9470f528c2e19fee632f1c35e6592e7466d230fcd4425adca
  • 8b07ef958d6f3f94cb45580d4aaa99202870f35e6c309d94894c5601c861cfff
  • 8ee22466de53f493c666b1f805bfad58f4b9d33b657e266dd65724efb96002e7
  • 9124364a4c9db508a438403d4742db5ba39542753f2a67e4b1f77854962ca1d2
  • ae0f77690e47a8662efaa1507002e3924c2d0986e6c1cd39d3d775e53ad982d2
  • af421716811ae86cf1b9cb4c1615ae152515f3dcbe3bef603737d663839bf520
  • b6ed38788fd409ada58fb0446d839eed07783e79b829e75ef031d67a53a3b62b
  • b90a9ca23c1b2667d8a8a8e14bd3ccec4f928734e91dc28af26e69dafb991668
  • f5bad2d671dc5b30fdbc93304e2d9b194033cc307099eae1d58cee17a2cb717a

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Packed.Kovter-6895460-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\FC6A75BE78
    • Value Name: b97dea2a
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value Name: 99297e9b
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: cafa44a6
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: b612d32f
Mutexes
  • C59C87A31F74FB56
  • 1315B41013857E19
IP Addresses contacted by malware. Does not indicate maliciousness
  • 97[.]12[.]118[.]34
  • 95[.]173[.]120[.]56
  • 90[.]243[.]251[.]205
  • 96[.]18[.]11[.]140
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\recol\PqIpWoU.asARM
  • %LocalAppData%\Temp\ay35fayo.2m3.ps1
  • %LocalAppData%\Temp\uipfcjr2.khy.psm1
File Hashes
  • 352bc4694ee225e59f50875fbfbe2502a0223daa22b94eafed6e997e71588433
  • ae9789ced159c8fe284e49c8352a66070b8a52bc256847be11ad0890da6b1a99
  • b93e29b1ed93143a85a7d6cff2cd87b5c12e8923bea9f50923dbae429c950f2f
  • dbebf2bbd28c1bf5b327a09fef96cba4078ce033b52488ce936dd53e92302437
  • dffa4d8bbde6b5efbc79a4a05df2e4528f5dc991783e81844685bdf1c175b716
  • e1161786aaf5ce7cf3938e1a105a150f3e7e6c4ab44e1b6dc26004b07dbcc6cc
  • e4d4dfa171983e794cf68492fcfd6bb7312b953d22ae03df64213a5dd6496ee3
  • e79f05d135d2c8524a190bd7d22d20674a21c149cc379299011390b932e056af
  • f7c9f1a37f688b54b3494696c2ac6898fb6945038f4306737299750bec901b20
  • fa6adb0b0a129ada90e2dcef5dcd34c2cae28496689630e7f0415882f12e608a

Coverage

Screenshots of Detection: AMP, ThreatGrid


Win.Malware.Upatre-6894504-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\FC6A75BE78
    • Value Name: 0521341d
  • <HKLM>\SOFTWARE\WOW6432NODE\6C5692EEDA48CF842254
    • Value Name: 4DE9F1CC8F5AEB40A9
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 139[.]59[.]81[.]114
Domain Names contacted by malware. Does not indicate maliciousness
  • ncaappraisers[.]com
Files and or directories created
  • %LocalAppData%\Temp\opera_autoupdater.exe
  • %LocalAppData%\Temp\wadly.exe
File Hashes
  • 15e6ce12614b3b296ddd76343b5703d87beb736b162128aedca6499e40ccdfed
  • 1ad3cf284008b50456bdfd4b8b6bdb0558e5667c34d1406bd7f879b33e8cf6f5
  • 24ebabc590cff41db4261eea662c91d3e3d48bc7da2be03009fddac26861117b
  • 3ea2036f27be61f73ef313f78a094c767164becbcbbfc9c4c7a33f3160d9f2bf
  • 498d367976283785672c2c695e29ad7b20a2b0157dc1dc13acef67426da96e58
  • 4c9b775952a0b574d258a982b0fe3bfca25f450b7e4ddc76a20981432135afa3
  • 5d9721eff25abcb7d7a4af4af2d0dd568b181375186ef20a024cb9408a1b3975
  • 68c841e9b1e4d2b2cb65177913d0a7152decd5ecc15f9d424897f2b277ef75c8
  • 7f26231615eab934cf6cf7d54c9ded34b04fc068fd9ee274b4037843ca22c69d
  • 80e7912b1921cfb610b2b43d5ca74c3aa5c6c3edce4aac9bb554b58dc9ddd6e9
  • 81c52a86cae959eac3382cb9b72a8afb47db16746b9e9c3b9254dc0353174530
  • 886515171b4b044976140bcfe2036796c80320072f54ad60078203d7523aad1c
  • 8a53bf2d3220ef740147699a1a801cc58e4b48052b9c5569f3659ba1a26e3a6f
  • 8b241d4a533f3f6ac4819a22e7c1dd7f18556e1f6f835584973902e63ababb66
  • 945055c780e4f5855616bab1b2b94807ae603c6b2c8cedfb0dd5f32a4c07a784
  • a3438650289b8b3025f6d08414af69cafc016080868a0a30d48239716eea2420
  • a95e1d9364069d02e6f844461cd9e7525f1c3f7a07960486403fee266f0fe8c1
  • abb26593cd2fa77ee16fb0640465ec21592cda8d370c13a2fb74836e065b8f69
  • c036fcf79a071d900b32100d015fc16bff5d82044139b6098eebc98009d2b056
  • ca0bbd8f09581c6c0920c782a06d66e5cad25ce672f22e4ca0dde4ea98b905a6
  • e45189ab53b35195f4676bc9081a605dc28cc79e26047763ccf2661d82120221
  • ed75f96c614623b6c1aaa793cd8239c86049635d75406339ec778e7ba23eb317
  • f9ccc2fe7e013cc9ee47eecc3dde93f6bae4aadc00a421254ed6fe35370b6984
  • fcc0294acfcd7e2231d83841cb31e88363f75efab063c79c4a193f2c0cc26460

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Doc.Downloader.Emotet-6894115-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
IP Addresses contacted by malware. Does not indicate maliciousness
  • 181[.]197[.]2[.]252
  • 94[.]73[.]147[.]237
Domain Names contacted by malware. Does not indicate maliciousness
  • emseenerji[.]com
Files and or directories created
  • %UserProfile%\208.exe
  • %WinDir%\SysWOW64\SCwdrA.exe
  • %LocalAppData%\Temp\CVR478.tmp
  • %LocalAppData%\Temp\iidzocqo.viy.psm1
  • %LocalAppData%\Temp\oflithzz.nz2.ps1
File Hashes
  • 2ed65e9a1e796862f97eeebdf46152caf4f7f4204b801287bafe5b11e948ee1b
  • 4c9295e6906108f3dc926a9591a148e4e2636a893d4d2505b35a0d030635462a
  • 563991d43d484069890ca97745c1d7267c918afc260d31a52ec5bfc899a30c94
  • 848b0b2455cb049ec8dfa798592de326b67abe036ae7a637c8aa3ab9e91f5cb7
  • a06d630f62bc13cb49c794bf934a4a3dbe8cf63f352304e71c056199a065958f
  • a42af575f713389ca1b0cd0156dceb753c1728cfe7c0e7a6036c53aef2d2d3fc
  • b9f83bd5eebbdabf1cc5ff8587ca2f12a91f4905538e65587b35bd8bf1132e9c
  • bf0ee1f25309aea8e27968f5d927fe8d05a66437cb86102d367305e61ec9f5d6
  • c60eb3d68445ab0471aceef71bf75182d9d2f92e3ef3ab4fb148d8852dd2c5d0
  • c9bdfb2d6ac9e493bc391b2f64b48d8d5cde10645ea921951b23112e6d73545c
  • d818fd24d2ee5426ca535b7c966021cafbe7bcbb68b9d6ce420b9006859f2df0
  • f3d7d9b36113ffc6aa4388f4d2f3f52349a3ba0984f9adc696b1a6d9db4108e0
  • f832543e87f24eaa23f85c8976b79d7e49d1b4899f5358ba54a71b7c5f803e2d

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware


Win.Trojan.NetWire-6893426-1


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
Mutexes
  • AlIgmljN
IP Addresses contacted by malware. Does not indicate maliciousness
  • 194[.]5[.]99[.]194
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %AppData%\Install\Host.exe
  • %UserProfile%\nltest\print.exe
File Hashes
  • 1388ba005085c7a25e2680d0f7ee1d81c49924f3b555b4b6dbec68dddbf9b0e3
  • 189525aa17b231ea223cd3c09443662341f908afc3973d88753ef78570b408ba
  • 1cc74120569cff7c550b730223d0aed91a334c66f4dc2aa751e723e7c2ac2a14
  • 1d9c379630d8d65bed03e26b9564651f0c16ae675ddcbf56ba607a107de27221
  • 24f0f08e4774c2f4d1411ea8b57fcae3b37266830601f6ec30899126d93881f6
  • 26917f6538fa6e8796c3c18c5f018370f6491adc63f4f466365d0c0186e9dd41
  • 286a254ceeb034dc7417e5b9fab7141472a1db6500900f951775b07cd07f22c6
  • 44cf94db97f1af9478f75e1df1afe36931fd741e1717601cc2e3d1d228c8b6c7
  • 47571de1a9a22ae99d0cc5ac1d788a238dc1bdd416d32db63ffde7041bc98d1a
  • 4eea828a9f2ff26440954da153a19d9667592a2c47206b7b5e161751794e3307
  • 50b2adbbbba3fb086169174cd9c64a4f536c455231ae3dc93fb1ed6a71e48cad
  • 530a89d43c4bd1ce99fd7dea8fa148158508653bd56063288da3e1086f274fe9
  • 609676ce7da214d0340436956d1c4733a019811a6ffed5a74e5fa680ccfcdb0b
  • 624b38be3943d4580a7bfe3d22a82dc451e9d5b4e8367886dda182e477e926d3
  • 62b5df538e8e6a1737a0125202ca3a0d99610c08a839bb181cd6abaa9e768ceb
  • 633c5f260bd8794b962c85de11f8eed31bb1bd14b5a11b9de564d6a06796ee7e
  • 7220e58e3625c5d26b7be8450b1d8db9e10cdc4cca9173f372f2e7935fae18c3
  • 7e366ff68193007a80f04d0cf6b33841dfc1a46b815992f241a51120cabab9ba
  • 82a165f62e5c7727289e037c1dc4061aeb894403227a27b7366104ecd5cd08a9
  • 8602358388e40b49cecbbc9e04e9863e95c7b24be53c053098b65553e252d74a
  • 8f1ec1fa3db18ab4d7f716d55f67efb65e126742e7a0b3e276822d516bf53182
  • 9b4f90c1ec5a35213b196fb4e0444f86a5ab394d0111a696ab197fbb5006cdb9
  • a0aeb2aa7b2b833ff153bb372a6e3feadf04cf45035e49168331f26d9c887ec1
  • a2327077fa20fc6c10e72031cb249a874531b376ad335bf5367f6a13566db109
  • a513a5d7c1fcabdd53896d054eac221dcba70f4636b8d3c2f306f121ada943bf

Coverage

Screenshots of Detection: AMP, ThreatGrid


How Threat Intelligence Helps Determine File Reputation

Should you open that attachment? Determining whether a file is safe to open, or whether it comes from a reputable source, is getting to be tricky business these days. Without quick context from threat intelligence, determining file reputation is becoming increasingly complicated.

Many of the biggest cyberattacks in the last few years, like CCleaner and NotPetya, have used stolen digital certificates that give the appearance of legitimacy. Some use code taken from other malware, making the detection of a new or unique attack more difficult. Others use techniques like DLL sideloading to trick systems into running malicious software through benign applications. All this leaves behind a messy and inconsistent data set, which makes future detection and prevention difficult.

We’ll take a look at some of the usual ways to determine whether a file is legitimate — techniques like static and dynamic analysis — and see how these methods can be augmented by real-time threat intelligence.

Determining File Reputation Through Static and Dynamic Analysis

Malware analysis services can be broadly broken down into two categories of analysis: static and dynamic. Both serve important functions and supplement each other — for example, combining the two methods can help rapidly deduce what files in your system could be worth testing further.

Static Analysis

In short, static analysis is performed when a file is examined without actually being run. It can be done automatically or manually, the archetypal example of automatic static analysis being the use of a compiler to find lexical, syntactic, or semantic mistakes in code. Manual static analysis is just another way to refer to code reviews by other programmers. Code review can be a time-consuming and inexact process, though — it’s not an ideal way to regularly examine thousands or millions of lines of code.

In the context of threat hunting, an automated tool performing static analysis of a program will look over the code to find malicious functions.

Static analysis software might compare code against millions of known bad or good samples, while others will flag known bad functions or API calls. Some will produce reports in various formats, including indicators like unique strings, certificates, malware family tags, and even code similarities to other malware. All of these are indicators that allow security practitioners to perform further analysis. These indicators can and should be enriched by relevant threat intelligence — we’ll look at one way to get quick access to that threat intelligence a little later.

Because static analysis is essentially an analysis of text, it occurs without the program being executed, making it much safer to do than dynamic analysis.
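One way the kind of static-analysis report described above can be produced and then enriched, as an added example that is not Recorded Future's code: it hashes a file, extracts printable strings, flags a watch list of API names, pulls out embedded URLs and looks the hash up in a reputation table that stands in for a threat-intelligence feed. The sample byte strings, the API watch list, the family tag and the table are all constructed for the demonstration.

```python
"""Static triage with threat-intelligence enrichment.

Added example, not Recorded Future's code: hash a file, extract printable
strings, flag API names commonly seen in process injection, pull out network
indicators, and enrich the result from a local reputation table. The samples
and the reputation table below are constructed for the demonstration; a real
deployment would query a threat-intelligence platform instead.
"""
import hashlib
import re
from typing import Dict, List, Optional

# API names whose presence is a triage signal, not proof of malice:
# debuggers, installers and EDR agents import several of these too.
SUSPICIOUS_APIS = frozenset({
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "SetWindowsHookExA", "URLDownloadToFileA", "WinExec",
})

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file: the key used by file reputation services."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Printable ASCII runs of at least min_len bytes (like the `strings` tool)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def flag_apis(strings: List[str]) -> List[str]:
    """Watch-listed API names found among the strings, sorted for stable output."""
    return sorted({s for s in strings if s in SUSPICIOUS_APIS})


def network_indicators(strings: List[str]) -> List[str]:
    """URLs embedded in the file; each is an indicator worth enriching."""
    found: List[str] = []
    for s in strings:
        found.extend(URL_RE.findall(s))
    return found


def triage(data: bytes, reputation_db: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Combine static indicators with reputation context into one recommendation."""
    digest = sha256_hex(data)
    strings = extract_strings(data)
    apis = flag_apis(strings)
    urls = network_indicators(strings)
    rep: Optional[Dict[str, str]] = reputation_db.get(digest)
    verdict = rep["verdict"] if rep else "unknown"
    family = rep.get("family", "") if rep else ""

    if verdict == "known-bad":
        action = "block"
    elif verdict == "known-good":
        action = "allow"
    elif apis or urls:
        # Unknown hash plus injection-style APIs or hard-coded URLs:
        # worth the cost and risk of a sandbox (dynamic analysis) run.
        action = "escalate-to-dynamic-analysis"
    else:
        action = "monitor"

    return {
        "sha256": digest,
        "verdict": verdict,
        "family": family,
        "suspicious_apis": apis,
        "network_indicators": urls,
        "action": action,
    }


# Constructed samples: byte strings with a PE-like prefix and embedded strings,
# not real executables.
BENIGN_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\x00"
    b"kernel32.dll\x00GetProcAddress\x00ExitProcess\x00"
)
UNKNOWN_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.\x00"
    b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    b"http://updates.example.net/payload.bin\x00"
)
KNOWN_BAD_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00urlmon.dll\x00URLDownloadToFileA\x00WinExec\x00"

# Constructed reputation table keyed by SHA-256; "DemoLoader" is a made-up family tag.
REPUTATION_DB: Dict[str, Dict[str, str]] = {
    sha256_hex(BENIGN_SAMPLE): {"verdict": "known-good", "family": ""},
    sha256_hex(KNOWN_BAD_SAMPLE): {"verdict": "known-bad", "family": "DemoLoader"},
}

if __name__ == "__main__":
    samples = (("benign", BENIGN_SAMPLE), ("unknown", UNKNOWN_SAMPLE),
               ("known-bad", KNOWN_BAD_SAMPLE))
    for name, blob in samples:
        report = triage(blob, REPUTATION_DB)
        print(f"{name:10} verdict={report['verdict']:10} action={report['action']}")
```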

Dynamic Analysis

Dynamic analysis, on the other hand, occurs when the program is tested while it is being run, evaluating how it actually behaves and interacts with other software, which makes it more comprehensive than static analysis in some ways. Dynamic analysis can be done in a real or virtual environment — the latter can be especially useful for testing the functionality of malware while reducing the risk to your own systems.

Dynamic code analysis has many advantages over static analysis. It more accurately shows how a program will actually function in a runtime environment, helping identify vulnerabilities that may not have turned up in static analysis. It also helps reduce false positives or negatives.

But dynamic analysis tools only check for certain types of known maliciousness, and relying solely on automated dynamic tools may miss newer TTPs or present a narrow view of the threat landscape. Dynamic analysis of malware done without the proper precautions also increases risk simply by running what could be dangerous malware.

Manual Review

Although automated forms of both static and dynamic analysis are practically essential today, there’s still a need for analysts to do some of the work by hand. For example, it’s always good to periodically check that the algorithms underlying any form of automated analysis are actually finding what they need to find and not returning too many false positives or negatives.

For truly malicious files, you need rapid context and enrichment on the indicators to aid response and accelerate remediation. But researching threats takes a lot of time — between threat feeds, blogs, and the multitude of other intelligence sources like US-CERT, security researchers need to parse a lot of information to be confident in their decisions.

On average, a person can only read 50 to 75 words of technical material a minute. And that’s after sorting through all the potential sources of information to find something actually useful. This manual review process can be made quicker and more reliable with the aid of threat intelligence.

Augment Analysis With Real-Time Threat Intelligence

The Recorded Future Browser Extension is one solution that provides instant access to threat intelligence by layering right on top of browser-based security applications. Researchers examining malware, for example, can immediately look up specific indicators of compromise while reviewing a report produced by static analysis, or at any other point of their research. That way, they can instantly identify and organize the pertinent information around hashes, IPs, domains, and vulnerabilities.

This is the kind of context that will help further reduce false positives or false negatives when using file reputation services. Most importantly, threat intelligence used this way is not just another layer of context-free information that adds to the burden of a security analyst or researcher; it actually saves analysts time by increasing the proportion of relevant information they see.

Threat intelligence that you can access right in your browser is not just useful for determining file reputation and examining malware. To see other use cases, download a copy of our e-book, “5 Ways to Supercharge Your Security With Threat Intelligence.”

The post How Threat Intelligence Helps Determine File Reputation appeared first on Recorded Future.


Bank Payment Scams Claim 84,000 Victims

The BBC has today reported that scams in which criminals trick bank customers into paying them money out of their bank accounts jumped by 45% in the second half of last year. Over the whole of last year, more than 84,000 bank customers fell victim, some losing tens of thousands of pounds. Banks say scam merchants are shifting their attention from trying to penetrate banking systems to conning members of the public directly. Businesses are being targeted as well, with a similar sharp rise to £209m in suspicious transfers unwittingly authorised by staff members.

Lisa Baergen, Director at NuData Security:

“The magnitude of these losses can’t help but have a dampening effect on the UK economy. It’s also bad news for customers, who often bear the brunt of many direct costs (especially in account takeover and identity theft). Fraud is becoming a tempting promise of high reward and low prosecution rates. Emboldened cybercriminals are becoming more technology savvy and are increasingly posing as banks or suppliers and then duping customers into revealing their personal details. These scams have also proved effective in targeting commercial organisations, as senior executives have been tricked into revealing sensitive information which enables access to a company network. The increasing volume of attacks globally has also been attributed to more data available on the black market and more financial institutions and merchants vulnerable to attacks. 

To detect out-of-character and potentially fraudulent transactions before they can create a financial nightmare for consumers – and for companies – many institutions are adopting new authentication methods that hackers can’t deceive. Multi-layered solutions based on passive biometrics and interactional signals are leading the way to provide more safety for consumers and less fraud in the marketplace. These solutions identify machines from humans, and legitimate users from fraudsters by looking at their inherent behaviour – instead of relying on the static data presented. This process lets organisations fast-track the known and low-risk users for an optimal experience, saving the friction and traditional authentication methods for the highest risk users. These layers validate the user through information that hackers can’t replicate, securing the good user’s transaction at every step.” 

The post Bank Payment Scams Claim 84,000 Victims appeared first on Information Security Buzz.

Advocate General Finds Cookie Consent Must Be Active and Separate

On March 21, 2019, Advocate General Maciej Szpunar (“Advocate General”) of the Court of Justice of the European Union (“CJEU”) issued an Opinion in the Case C-673/17 of Planet49 GmbH v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (i.e., the Federation of German Consumer Organizations, the “Bundesverband”), which is currently pending before the CJEU. In the Opinion, the Advocate General provided his views on how to obtain valid consent to the use of cookies in the case.

Background

Planet49 organized a lottery, and provided a would-be Internet participant with two pre-ticked check boxes, one of which granted consent to the use of cookies. According to the Bundesverband, this consent did not satisfy the requirements set forth under the German Civil Code, the German Law Against Unfair Competition and the German Telemedia Act, which transposes the EU Directive on Privacy and Electronic Communications (“the ePrivacy Directive”). The Bundesverband initiated proceedings against Planet49 in 2014.

In 2017, the German Federal Court of Justice asked the CJEU the following questions: (1) whether a pre-ticked check box that the user must deselect to refuse the use of cookies constitutes valid consent within the meaning of the ePrivacy Directive, the EU Data Protection Directive and the EU General Data Protection Regulation (the “GDPR”); and (2) what information the service provider must give with respect to the use of cookies, and whether that information must include the duration of the cookies and whether third parties are given access to the cookies.

The Opinion

On the first question (regarding the validity of the consent to the use of cookies), the Advocate General stated that to be valid, consent must be manifested by a clear affirmative act. Pre-ticked check boxes are insufficient to establish that consent has been freely given. In addition, the Advocate General stressed that to be valid, consent must be separate. In this context, this means that participating in the lottery and consenting to the use of cookies cannot form part of the same act (i.e., the actions must be presented separately). Accordingly, bundled consent would not be valid.

The second question asked what information service providers must give regarding cookies. According to the Advocate General, clear and comprehensive information implies that the user is able to easily determine the consequences of any consent he might give. Information that is clearly comprehensible is not subject to ambiguity or interpretation. Further, information must be sufficiently detailed so as to enable the user to comprehend how the cookies function. Accordingly, the Advocate General declared that such information should include the duration of the cookies, whether third parties are given access to cookies, and, if so, the identity of such third parties. These pieces of information are, according to the Advocate General, indispensable in ensuring that informed, and hence valid, consent is granted.

Next Steps

The CJEU’s Grand Chamber will issue a final judgment in the case. While the Advocate General’s Opinion is not binding on the CJEU, it is highly influential.

Intel Says It Will Stop Developing Compute Cards

Intel will not develop new Compute Cards, the company said this week. From a report: Compute Cards were Intel's vision of modular computing that would allow customers to continually update point of sale systems, all-in-one desktops, laptops and other devices. Pull out one card, replace it with another, and you have a new CPU, plus RAM and storage. "We continue to believe modular computing is a market where there are many opportunities for innovation," an Intel spokesperson told Tom's Hardware. "However, as we look at the best way to address this opportunity, we've made the decision that we will not develop new Compute Card products moving forward. We will continue to sell and support the current Compute Card products through 2019 to ensure our customers receive the support they need with their current solutions, and we are thankful for their partnership on this change."

Read more of this story at Slashdot.

LockerGoga Ransomware – Another Threat To Businesses

Recently, Lockergoga ransomware made it to the news after repeated attacks on different organizations. The ransomware first became known after

LockerGoga Ransomware – Another Threat To Businesses on Latest Hacking News.

Medtronic defibrillators vulnerable to life threatening cyber attacks

By Waqas

Defibrillators are electronic devices manufactured to save the lives of people with life-threatening heart conditions such as Hypertrophic Cardiomyopathy (HCM). But now, according to the Department of Homeland Security (DHS), Medtronic defibrillators are vulnerable to cyber attacks allowing hackers to remotely control the device within “short-range access.” In total, 20 Medtronic products are vulnerable affecting over […]

This is a post from HackRead.com. Read the original post: Medtronic defibrillators vulnerable to life threatening cyber attacks

Crypto Price Analysis: 5 Altcoins That Show Bullish Continuation

Over the last few months, a good number of altcoins on Binance have managed to post serious gains. These coins popped with a vengeance after being clobbered […]

The post Crypto Price Analysis: 5 Altcoins That Show Bullish Continuation appeared first on Hacked: Hacking Finance.

TypeScript’s Quiet, Steady Rise Among Programming Languages

Microsoft's programming language TypeScript has become one of the most popular languages among developers, at least according to a report published by the analyst firm RedMonk this week. Wired: TypeScript jumped from number 16 to number 12, just behind Apple's programming language Swift in RedMonk's semiannual rankings, which were last published in August. Microsoft unveiled TypeScript in 2012, and while it hasn't grown as quickly as Swift -- which has grown faster than any other language, ever since RedMonk started compiling the rankings in 2011 -- TypeScript's own ascendance is impressive, given the sheer number of available programming languages. More and more applications these days use TypeScript. Google's programming framework Angular, the second most popular tool of its type according to data released last year by the startup NPM, is written in TypeScript. So is Vue, an increasingly popular framework finding a home both among smaller companies and tech giants like Alibaba. But RedMonk doesn't look at how many jobs are available for people skilled in a particular language, nor how many companies actually use the language. Instead, the firm tries to spot trends in developer interest by looking at how many projects on GitHub use certain languages, and how many questions are asked about those languages on the programmer Q&A site Stack Overflow. The idea is to get a sense of where the software development profession is heading.

Read more of this story at Slashdot.

LookingGlass Speaks With DevOps’ Alan Shimel

LookingGlass Digital Anarchist

LookingGlass’ Senior Director of Threat Analysis and Intelligence, Olga Polishchuk, and DevOps.com’s Editor-in-Chief, Alan Shimel, discuss all things LookingGlass, threat intelligence, and insights from the LookingGlass research team. Olga shares how she got into the cybersecurity field and the elements of a well-rounded threat intelligence team, as well as what she and her team see as the biggest current threat: the human element and the lack of cyber hygiene.

The post LookingGlass Speaks With DevOps’ Alan Shimel appeared first on LookingGlass Cyber Solutions Inc.

Playbook Fridays: New ThreatConnect App for Splunk 3.1

Splunk Users Can Now Launch Playbooks Directly from Splunk With ThreatConnect App Updates

Earlier this week, the latest ThreatConnect App for Splunk (v3.1) was released to Splunkbase. This release for Splunk is all about taking action and enabling our customers to fully leverage the power of the ThreatConnect Platform while working directly inside Splunk or Splunk Enterprise Security. This is a big release for us, and one in which Splunk users will see a lot of benefit.

Launch Playbooks Directly from Splunk
The ThreatConnect App for Splunk has always provided Splunk users the ability to leverage customizable threat intelligence integrated into Splunk from their ThreatConnect accounts. Now, as seen in Figure 1 below, you can launch ThreatConnect Playbooks directly from the Splunk interface.

Figure 1: Launch a ThreatConnect Playbook directly from the Splunk interface


Manage Downloading and Configuration of Playbook Workflow Actions
Directly from the ThreatConnect App Dashboard, you’ll now see a Playbooks option in the navigation (Figure 2). This is where you can manage the downloading and configuration of Playbooks from ThreatConnect, and the configuration of Playbook Workflow Actions, all without logging into a separate Platform or interface.

Figure 2: ThreatConnect Dashboard view from within Splunk


Make Faster Decisions with Automation and Orchestration
What’s this mean? Well, now Playbook Actions can be leveraged right from the Event Triage Dashboard, as part of Enterprise Security Adaptive Response, and as a part of Workflow Actions on Events. Integrate threat intelligence into response efforts while tying your technologies together to orchestrate decision making based on Events happening in Splunk.

For more information, reach out to sales@threatconnect.com for a demo. If you’re a current customer, please reach out to your designated Customer Success team for details.

The post Playbook Fridays: New ThreatConnect App for Splunk 3.1 appeared first on ThreatConnect | Intelligence-Driven Security Operations.

The State of Security: Tripwire Patch Madness: The Challenge

Welcome to Tripwire Patch Madness! Comprised of 26 vulnerabilities divided into two conferences and four divisions, the goal of this tournament is to declare which named vulnerability is king of Patch Madness! The original list of named vulnerabilities was taken from Hanno Böck’s named vulnerabilities repo. Any entries that did not have published CVSSv2 scores […]… Read More

The post Tripwire Patch Madness: The Challenge appeared first on The State of Security.


A Eulogy For Every Product Google Has Ruthlessly Killed (145 and Counting)

An anonymous reader shares a report: Tez. Trendalyzer. Panoramio. Timeful. Bump! SlickLogin. BufferBox. The names sound like a mix of mid-2000s blogs and startups you'd see onstage at TechCrunch Disrupt!. In fact, they are just some of the many, many products that Google has acquired or created -- then killed. While Google is notorious for eliminating underperforming products -- because even though these products often don't cost much for ongoing operations, they can pose a serious legal liability for the company -- it's rare to hear them spoken of after they've been shuttered. In fact, Killed By Google is the first website to memorialize them all in one place. Created by front-end developer Cody Ogden, the site features a tombstone and epitaph for each product the company has killed since it originated.

Read more of this story at Slashdot.

AV-Test and AV-Comparatives give Sophos Mobile Security 100%

AV-Comparatives recently tested 250 Android security apps available on the Google Play Store against 2,000 of the most common Android threats from 2018. The test was designed to simulate real-world conditions and help Android users identify genuine, effective antivirus apps in a space where there’s no shortage of buggy, dubious or ineffective options. We were […]

Ubuntu Security Notice USN-3916-1

Ubuntu Security Notice 3916-1 - It was discovered that libsolv incorrectly handled certain malformed input. If a user or automated system were tricked into opening a specially crafted file, applications that rely on libsolv could be made to crash, resulting in a denial of service.

As ‘Subscription Fatigue’ Sets In, the OTT Reckoning May Be Upon Us

An anonymous reader writes: Deciding which streaming outlet you want to subscribe to can be just as hard as finding a show itself. With options from big players like Netflix, HBO Now, Hulu, Showtime, Amazon and YouTube Premium -- and looming new platforms from the likes of Disney, Apple, AT&T and NBCUniversal -- consumers are already starting to grow frustrated with the crowded streaming marketplace as "subscription fatigue" sets in, according to Deloitte's 13th edition of its Digital Media Trends survey. Viewers are taking advantage of these options: the average video consumer subscribes to three video streaming services, said Deloitte. But they're growing frustrated over just how many options they have. Nearly half of those surveyed, at 47 percent, said they are frustrated by the growing number of subscriptions and services to watch their shows. And this audience grows attached to the content: 57 percent of consumers said it frustrates them when shows and movies disappear from their streaming libraries.

Read more of this story at Slashdot.

Webroot Blog: Cyber News Rundown: Hacker Exposes 26 Million Personal Records

Gnosticplayers Adds 26 Million More Records for Sale

After the first three major data dumps, which totaled over 600 million records, the hacker known as Gnosticplayers has released his latest cache of data, which contains at least 26 million personal user records. These data caches hold customer information for 32 companies overall and were obtained over just the past couple of months, making the data that much more lucrative. The hacker claims these breaches are done simply out of frustration that security is still not being taken seriously by many major companies across the globe, which may explain why the price tag for each dump is so low.

Hackers Set Off Tornado Sirens in Texas Towns

At least 30 tornado warning sirens in two Texas towns were triggered in the early morning hours by an unknown hacker. While officials quickly shut down the sirens, they did so just 24 hours prior to a major storm during which they might have needed to use these critical emergency systems. This attack is very similar to one that affected the entire Dallas area in 2017, when hackers successfully compromised a radio system that set off over 100 tornado sirens across the city.

Marketing Firm Exposes 230 Million Records

Another misconfigured Amazon database, this time belonging to Exactis, carries the blame for a data breach that could affect at least 230 million individuals, with more data on 110 million individual records tied to businesses. While it is still unclear exactly how long the database was accessible, the company and an external security auditor maintain that the data was not accessed maliciously during its time online, though the independent researcher who first discovered the database reports that the data may have been spotted for sale on the dark web.

Ransomware Cripples Major Aluminum Manufacturer

Norsk Hydro, a major aluminum producer, suffered a ransomware attack that successfully shut down a large portion of the company’s operations. The attack forced the company to switch to manual operations at all of its facilities around the world, and to temporarily take down its website while it worked to restore its systems from backups. Fortunately, the company retains backups for its major operations, so normal production should resume within the week.

Gearbest Leaks 1.5 Million Customer Records

Following the trend of unprotected databases, researchers recently found yet another one, this time belonging to Gearbest (a Chinese e-commerce site). This database contained unencrypted personal records for over 1.5 million customers around the globe, including payment data, ID and passport info, and even data that could compromise Gearbest itself, as URLs for an internal software platform were also exposed. The company has since claimed that the number of exposed records is much smaller than originally posted. However, they also maintain that they use strong encryption on all stored data, despite this latest evidence to the contrary. 

The post Cyber News Rundown: Hacker Exposes 26 Million Personal Records appeared first on Webroot Blog.

Interview with Thierry Delville – PwC cyber intelligence: a unified view of digital risks in the enterprise

placedelit.com - Five months ago, Thierry Delville joined PwC France's “Cyber Intelligence” practice as a partner. This expert, with a background in the police and security services, who has worked with the Ministry of the Inter…


Tweeted by @Placedelit https://twitter.com/Placedelit/status/1109119113148936192

Nitrokey Fido U2F

The Nitrokey Fido U2F security key delivers two-factor authentication for the most popular sites on the web, and does so with impressive open-source bona fides. It's bulkier and less capable than our top choices, however.

House Democratic Leadership Warns It Will Cut Off Any Firms That Challenge Incumbents

The Democratic Congressional Campaign Committee warned political strategists and vendors Thursday night that if they support candidates mounting primary challenges against incumbent House Democrats, the party will cut them off from business.

The news was officially announced Friday morning, paired with a statement on the committee’s commitment to diversity in consulting — “which, obviously, is just to give themselves cover,” a Democratic political consultant who learned of it Thursday told The Intercept. The consultant asked for anonymity given their relationship with the DCCC, and the party organization’s professed strategy of blacklisting firms that don’t fall in line.

To apply to become a preferred vendor in the 2020 cycle, firms must agree to a set of standards that includes agreeing not to work with anyone challenging an incumbent.

“I understand the above statement that the DCCC will not conduct business with, nor recommend to any of its targeted campaigns, any consultant that works with an opponent of a sitting Member of the House Democratic Caucus,” the form reads.

It’s no secret that the DCCC and national party leaders often interfere on behalf of preferred candidates. Or that they otherwise jump into the game too late, if they don’t completely write off newcomers who don’t meet their standards. The DCCC is known for prioritizing candidates and directing them to its own consultants, most of whom are alumni of the DCCC, which is known in Washington as a “consultant factory.” The latest move only reaffirms that reputation and sends a warning shot to grassroots and progressive consultants.

Groups working to diversify Congress say the committee has been slow to adequately address lack of representation — i.e., recruiting more women and people of color. Collective PAC, which works to elect black Democrats, sent a letter to the DCCC last year asking why the group didn’t include any black candidates in its “Red to Blue” program, which targets seats that have a promising chance to flip. They added several candidates after that, including current Reps. Lauren Underwood of Illinois and Colin Allred of Texas.

D-trip claims its top priority is protecting the majority, and that in order to do so, they must keep internal discord at a minimum. But as progressive candidates, organizers, and members build grassroots campaigns and prove they can hold their own, the D-trip’s old playbook is having the opposite effect.

The strategy isn’t new, though it did bring a few more hiccups in 2018 than expected, which makes the rollout all the more puzzling. “There was never an enforcement that I’ve ever seen,” the strategist told The Intercept. “This is the first time that they are ever making it open policy.”

After their coordinated attack on Laura Moser in Texas’s 7th District, she raised $86,000, got an endorsement from Our Revolution, and made it to a runoff. She eventually lost to current Rep. Lizzie Fletcher. But the episode gave fodder to progressive groups like the Working Families Party, Justice Democrats, and Collective PAC, which had formed for precisely that occasion — the party’s increasing inability to make space for new voices, many of them progressive. D-trip proved their point, and Our Revolution and WFP stepped in instead.

And in Nebraska’s 2nd District, the DCCC backed former Rep. Brad Ashford over Kara Eastman, who ended up winning the primary and losing the general election. Ashford was a former Republican who flip-flopped on access to abortion throughout his time in the state legislature and later as a Democrat in the U.S. House, and opposed single-payer health care. Eastman was a staunchly pro-choice progressive who supported Medicare for All. She was one of only two insurgents to beat DCCC-backed candidates last cycle. In the Democratic primary for Kentucky’s 6th District, Amy McGrath beat Jim Gray and later lost to Republican Rep. Andy Barr. Senate Minority Leader Chuck Schumer is now recruiting her to run against Majority Leader Mitch McConnell in 2020.

Strategists and congressional staffers with knowledge of the change say it will disproportionately impact vendors and candidates who are women and people of color, as the consultants who work with incumbents are the ones who’ve come up through the party at a time when its commitment to diversity was even dimmer than it is today.

The committee is telling firms they can’t oppose sitting members, the strategist said. “I’d rather keep the majority too, which is why to me this is kind of stupid to have a blanket rule. Because, if it’s a safe incumbent seat, why does it matter?”

The DCCC’s move also creates a new niche business, paradoxically, opening the door for consultants who don’t want to be under the thumb of the party. “From here on out, let’s refer to the DCCC for what it is, the White Male Centrist Campaign Protection Committee,” said Sean McElwee of Data for Progress. “My email is seanadrianmc@gmail.com. Any challenger looking for firms to work with them can feel free to reach out. There are plenty.”

Rebecca Katz, a longtime Democratic consultant, also said she’d be happy to work with the challengers. “The people who can’t understand the party is stronger because we have Alexandria Ocasio-Cortez and Ayanna Pressley in Congress should not be in the business of choosing who can run for Congress,” she said.

Alex Rojas, the head of Justice Democrats, the bane of the DCCC, is backing a primary challenge to incumbent Henry Cuellar in Texas, while looking for other candidates across the country. “Make no mistake — they are sending a signal that they are more afraid of Ayanna Pressley and Alexandria Ocasio-Cortez winning primary challenges than Henry Cuellar who votes with Trump nearly 70 percent of the time,” she said.

For both parties, campaigns are a big business, and it has created an ecosystem that feeds those within it and starves those outside of it. “The Democratic and Republican parties are commercial enterprises and they’re very much interested in their own survival,” Rep. Stephen Lynch, D-Mass., previously told The Intercept. “The money race is probably more important to them than the issues race in some cases.”

The main beneficiaries are the consultants in the good graces of party leadership. “It’s a commercial enterprise,” said Lynch.

The post House Democratic Leadership Warns It Will Cut Off Any Firms That Challenge Incumbents appeared first on The Intercept.

| PYMNTS.com

pymnts.com - The Internet of Things (IoT) has firmly taken hold, with new applications — focusing on the support of consumer, business and industrial use cases — now being developed and rolled out regularly. The …


Tweeted by @karenmpd https://twitter.com/karenmpd/status/1109115271900471298

Police Federation Breach

It has been reported that the Police Federation of England and Wales (PFEW) has confirmed that it has been dealing with a ransomware attack on its computer systems. The PFEW was able to respond quickly to an alert from its cyber-security systems on Saturday 9 March, with cyber experts rapidly reacting to isolate the malware and stop it from spreading to PFEW branches.

Expert Comments Below:  

Anjola Adeniyi, Technical Leader at Securonix: 

“The attack on the Police Federation shows that anyone can become a victim of a ransomware attack. Based on available information, the Police Federation has isolated the malware, which is a good step in preventing it spreading deeper into the network. To prevent these types of attacks, organisations should teach and practise good cyber hygiene, and enable their organisation to avert social engineering attacks.”


Tim Erlin, VP of Product Management & Strategy at Tripwire:

“Every organization should have a plan in place for a successful ransomware attack. While prevention is preferred, the reality is that no security control is perfect. The key to responding to a ransomware attack is to detect quickly, limit the spread and restore systems back to a trusted state. Functional backups are key to recovery, but so is a clear understanding of how systems are configured. Finally, restoring from backups is only useful if you can close the attack vector that allowed the ransomware to gain a foothold in the first place.”

The ISBuzz Post: This Post Police Federation Breach appeared first on Information Security Buzz.

Call for Speakers Open for Florida Cyber Conference 2019

Cyber Florida announces that the Call for Speakers for Florida Cyber Conference 2019 (FLCyberCon) is now open and invites experts, thought-leaders, and cyber specialists from all sectors to submit proposals for breakout sessions, panel discussions, demonstrations, case studies, interactive sessions and other unique learning opportunities for conference goers. 

AT&T’s 5G E Falls Short of T-Mobile and Verizon 4G Speeds: OpenSignal

AT&T's "5G Evolution" cellular service isn't just controversial and arguably misleading, it's also slower than the 4G speeds offered by rivals T-Mobile and Verizon, according to a new report today from OpenSignal. From a report: Over a one-month period spanning January 28 through February 26, OpenSignal compared the average performance of "5G E capable" phones and "all others" on AT&T's network with similarly equipped devices on T-Mobile's, Verizon's, and Sprint's networks -- a fair test in that all four of the major U.S. carriers have deployed pre-5G, late-stage 4G technologies across the country. Only Sprint's network fell behind AT&T's performance, though that's no surprise, as the fourth-place carrier's network has lagged behind its rivals in performance for years.

Read more of this story at Slashdot.

We already know there was collusion

motherjones.com - As rumors swirl that Special Counsel Robert Mueller is wrapping up his Trump-Russia investigation, Americans across the political spectrum are anxiously awaiting whatever report he may file with the …


Tweeted by @Paul1Singh https://twitter.com/Paul1Singh/status/1109111705236320257

UK ICO Fines Vote Leave £40,000 for Unsolicited Texts

The UK’s Information Commissioner’s Office (“ICO”) has fined Vote Leave Limited (the UK’s official Brexit campaign) £40,000 for sending almost 200,000 unsolicited texts promoting the aims of the campaign. In an unrelated action, the ICO has carried out searches of a business believed to have been responsible for initiating nuisance telephone calls. The ICO has highlighted nuisance calls, spam texts and unsolicited direct marketing as areas of “significant public concern,” and is increasingly imposing sanctions on businesses that infringe the Privacy and Electronic Communications Regulations 2003 (“PEC Regulations”), which prohibit these practices. In its view, the monetary penalty imposed on Vote Leave should act as a “deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices.”

During January 2019, the ICO reportedly investigated 83 cases relating to unsolicited calls and texts. During the same month, more than 4,000 complaints were made by consumers about unsolicited live calls, and more than 5,000 of January’s complaints related to unsolicited automated calls.

The PEC Regulations, which incorporate the EU’s ePrivacy Directive into domestic law in the UK, require organizations, when making live calls, to state the identity of the caller and allow its number to be displayed to the receiver of the call. Callers must also ensure that the number they are calling has not been registered with the Telephone Preference Service (“TPS”) or Corporate TPS, indicating that individuals and businesses have opted out of receiving live marketing calls.

When conducting automated calls, the requirements are stricter: organizations must obtain specific consent prior to making such calls. With regard to texts, which fall within the definition of “electronic mail,” organizations must similarly obtain opt-in consent unless the “soft opt-in” rules apply.

On March 12, 2019, the ICO announced that following a year of investigation, it had searched two addresses of a business believed to have been making nuisance calls. The searches were carried out using the ICO’s power to enter and inspect under Regulation 31(1) of the PEC Regulations. The business in question was searched under suspicion of making both live and automated nuisance calls relating to road traffic accidents and personal injury claims, as well as insurance for household goods. Almost 600 complaints were made to the ICO in relation to these calls, in which the business failed to identify itself or offer an opt-out in relation to future calls.

Subsequently, on March 19, the ICO announced the fine it had imposed on Vote Leave, stating that the campaign was unable to provide evidence that those individuals who received its text messages had provided their consent. Political campaigns are required to comply with the law in the same way as any other business. Vote Leave stated that the individual recipients of its texts had initially made approaches to the campaign, but that evidence of any consent was deleted following the conclusion of the campaign.

The ePrivacy Directive is under review, with a draft ePrivacy Regulation currently being considered by the European Council before trilogue negotiations take place. It is not expected to be approved before the European Parliament elections in May 2019.

McAfee Web Security offers a more flexible approach to Data Privacy

Post GDPR, there is still a lot of complexity in data privacy and data residency requirements. Depending on where they are located, what industry they are in, and how diverse their customer base is, companies are requiring a high degree of flexibility in the tools they use for web security. While most web security products in the market today simply document their data handling practices as a part of GDPR compliance, McAfee strives to give customers more flexibility to implement the level of data privacy appropriate for their business.  Most of our McAfee Web Protection customers use our technologies to manage employee web traffic, which requires careful handling when it comes to processing Personal Data.

Our latest update to the McAfee Web Gateway Cloud Service introduced two key features for customers to implement their data privacy policies:

  • Concealment of Personal Data in internal reporting: We enable you to conceal or pseudonymize certain fields in our access logs. You can still report on the data but Personal Data is obfuscated. As an example, you can report on how much your Top Web Users surfed the Internet, but administrators cannot identify who that top user is.

  • Full control of data residency: Especially in heavily regulated industries, many of our customers have asked for the ability to control where their log data goes so that they have control over data residency. We give you that control. For example, you can currently select between the EU and US as data storage points for users connecting in each geographical region. Additional finer control can be achieved by configuring client proxy settings, or through Hybrid policy. And, in conjunction with Content Security Reporter 2.6, customers can centrally report on all the data, while providing access control on the generated reports.

As a globally dispersed organization, there are of course still limits to what we can offer: our support and engineering teams, for instance, might need to access data for troubleshooting purposes from other geographies, and telemetry and other data required to operate the service remain global. But for the access logs, which contain personal data, we give customers as much control as we can.
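The concealment feature above pseudonymizes identifying log fields so that reports still work on the data. As an added example (not McAfee’s implementation, and not the gateway’s real log format), the Python below does the same thing to a constructed access log with a keyed HMAC: the “top users” report comes out ranked by pseudonym, and only whoever holds the key can map a pseudonym back to a person. The log layout, field names and key are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample access log (not real McAfee Web Gateway output).
# Fields: timestamp, user, client IP, bytes transferred, destination host.
SAMPLE_LOG = """\
2019-03-22T09:01:12Z alice 10.1.2.3 48213 news.example.com
2019-03-22T09:01:40Z bob 10.1.2.4 1203 intranet.example.com
2019-03-22T09:02:05Z alice 10.1.2.3 99120 video.example.net
2019-03-22T09:03:17Z carol 10.1.2.9 7340 news.example.com
2019-03-22T09:04:50Z alice 10.1.2.3 20011 news.example.com
"""

# Fields that identify a person. Assumed for this example; a real deployment
# decides this per its own log schema and privacy policy.
PII_FIELDS = ("user", "client_ip")


def pseudonymize(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic pseudonym: same input + same key -> same token.

    HMAC rather than a plain hash, because usernames and internal IPs come
    from small spaces and an unkeyed hash could be reversed by enumeration.
    Only the key holder can link a token back to a person.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")[:length]


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into a record."""
    ts, user, ip, nbytes, host = line.split()
    return {"ts": ts, "user": user, "client_ip": ip,
            "bytes": int(nbytes), "host": host}


def conceal(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Return a copy of the record with every PII field replaced by its pseudonym."""
    out = dict(record)
    for field in PII_FIELDS:
        out[field] = pseudonymize(str(out[field]), key)
    return out


def top_users(log_text: str, key: bytes, n: int = 3) -> List[Tuple[str, int]]:
    """Rank users by bytes transferred without ever exposing who they are."""
    totals: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = conceal(parse_line(line), key)
        totals[rec["user"]] += rec["bytes"]
    return totals.most_common(n)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-this-out-of-the-reporting-tier"
    for token, total in top_users(SAMPLE_LOG, demo_key):
        print(f"{token}  {total} bytes")
```

A plain hash would not do here: usernames and internal IP addresses come from small spaces, so an unkeyed SHA-256 of them can be reversed by enumeration. Keep the key out of the reporting tier; re-identification then becomes a deliberate, auditable step rather than something any report reader can do.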

McAfee Web Gateway Cloud Service is built for the enterprise, and many organizations will gain a higher level of performance than they currently experience on premises. As your security team continues to manage highly sophisticated malware and targeted attacks that evade traditional defences, McAfee Web Gateway Cloud Service allows you to go beyond basic protection, with behaviour emulation that prevents zero-day malware in milliseconds as traffic is processed.

The post McAfee Web Security offers a more flexible approach to Data Privacy appeared first on McAfee Blogs.

Crypto Weekly Review: Rise of the Small-Cap Cryptocurrencies; Clientless Bakkt Raises $740 Million

Bitcoin’s gravitational pull on other cryptocurrencies is gradually weakening. This week, another contingent of small-cap cryptocurrencies rocketed higher thanks to a combination of fundamental news and improving […]

The post Crypto Weekly Review: Rise of the Small-Cap Cryptocurrencies; Clientless Bakkt Raises $740 Million appeared first on Hacked: Hacking Finance.

Researchers go hunting for Netflix’s Bandersnatch

A new research paper from the Indian Institute of Technology Madras explains how popular Netflix interactive show Bandersnatch could fall victim to a side-channel attack.

In 2016, Netflix began serving its video content over TLS (Transport Layer Security) so that strangers could not eavesdrop on viewing habits. The video now travels behind HTTPS: the content is encrypted in transit, but the size and timing of each encrypted record remain visible to anyone on the network path.

Previously, Netflix had run into some optimisation issues when trialling the new security boost, but they got there in the end—which is great for subscribers. However, this new research illustrates that even with such measures in place, snoopers can still make accurate observations about their targets.

What is Bandersnatch?

Bandersnatch is a 2018 film on Netflix that is part of the science fiction series Black Mirror, an anthology about the ways technology can have unforeseen consequences. Bandersnatch gives viewers a choose-your-own-adventure-style experience, allowing for various options to perform task X or Y. Not all of them are important, but you’ll never quite be sure what will steer you to one of 10 endings.

Charlie Brooker, the brains behind Bandersnatch and Black Mirror, was entirely aware of the new, incredibly popular wave of full motion video (FMV) games on platforms such as Steam [1], [2], [3]. Familiarity with Scott Adams text adventures and the choose your own adventure books of the ’70s and ’80s would also be a given.

No surprise, then, that Bandersnatch—essentially an interactive FMV game as a movie—became a smash hit. Also notable, continuing the video game link: It was built using Twine, a common method for piecing together interactive fiction in gaming circles.

What’s the problem?

Researchers figured out a way to determine which options were selected in any given play-through across multiple network environments: browsers, networks, operating systems, connection types and more were varied across the 100 participants in the test.

Bandersnatch offers two choices at multiple places throughout the story. There’s a 10-second window to make that choice. If nothing is selected, it defaults to one of the options and continues on.

Under the hood, Bandersnatch is divided into multiple pieces, like a flowchart. Larger, overarching slices of script go about their business, while within those slices are smaller fragments where storyline can potentially branch out.

This is where we take a quick commercial break and introduce ourselves to JSON.

Who is JSON?

He won’t be joining us. However, JavaScript Object Notation will.

Put simply, JSON is an easily-readable method of sending data between servers and web applications. In fact, it more closely resembles a notepad file than a pile of obscure code.

In Bandersnatch, there are a set of answers considered to be the default flow of the story. That data is prefetched, allowing users who choose the default or do nothing to stream continuously.

When a viewer reaches a point in the story where they must make a choice, the browser sends a small JSON request to let the Netflix server know. Do nothing in the 10-second window? Under the hood, the prefetched data continues to stream, and viewers continue their journey with the default storyline.

If the viewer chooses the other, non-default option, however, then the prefetched data is abandoned and a second, different type of JSON file is sent out requesting the alternate story path.

What we have here is a tale of two JSONs.

Although the traffic between the viewer’s browser and Netflix’s servers is encrypted, the researchers were able to work out which choices participants made 96 percent of the time from the number and size of the JSON requests observed: TLS hides what each request says, but not how many there are, how big they are, or when they are sent.
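To make the side channel concrete, here is an added example in Python (not the researchers’ code; their own method is in the paper) that classifies a viewer’s choice from nothing but record sizes, directions and timestamps in a constructed capture. The choice-point times, the ten-second window and the size band for JSON requests are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:
    """One encrypted TLS record as seen on the wire: content opaque, metadata not."""
    t: float      # seconds since playback start
    up: bool      # True = client -> server, False = server -> client
    size: int     # record length in bytes


# Assumptions for this example: the film's choice points are known from its
# public timeline, the viewer has ten seconds to answer, and the small JSON
# choice requests fall in a size band well below video segments and above
# keep-alives. The numbers are constructed, not taken from the study.
CHOICE_WINDOW = 10.0
JSON_MIN, JSON_MAX = 400, 3000


def json_uploads(flow: List[Record], choice_t: float) -> List[int]:
    """Sizes of client->server records in the choice window that look like JSON."""
    return [r.size for r in flow
            if r.up and choice_t <= r.t <= choice_t + CHOICE_WINDOW
            and JSON_MIN <= r.size <= JSON_MAX]


def classify_choice(flow: List[Record], choice_t: float) -> str:
    """One JSON-sized upload: the prefetched default branch played on.
    A second upload: the prefetch was abandoned and the alternate branch fetched."""
    uploads = json_uploads(flow, choice_t)
    if len(uploads) >= 2:
        return "alternate"
    if len(uploads) == 1:
        return "default"
    return "unknown"


def profile(flow: List[Record], choice_points: Dict[str, float]) -> Dict[str, str]:
    """Classify every known choice point in one viewing session."""
    return {name: classify_choice(flow, t) for name, t in choice_points.items()}


def _video(t0: float, n: int, size: int = 150_000) -> List[Record]:
    """Constructed downstream video segments, one every two seconds."""
    return [Record(t0 + 2.0 * i, False, size) for i in range(n)]


def _keepalives(t0: float, n: int) -> List[Record]:
    """Constructed small upstream records that must not be mistaken for JSON."""
    return [Record(t0 + 1.5 * i, True, 60) for i in range(n)]


# Constructed capture of one viewing session with two choice points.
CHOICE_POINTS = {"cereal": 12.0, "music": 28.0}
VIEWER_FLOW = sorted(
    _video(0.0, 6) + _keepalives(0.5, 20)
    + [Record(12.3, True, 812)]                              # cereal: one request, default plays on
    + _video(14.0, 7)
    + [Record(28.1, True, 805), Record(30.4, True, 1264)]   # music: second request for the other branch
    + _video(31.0, 6),
    key=lambda r: r.t)


if __name__ == "__main__":
    print(profile(VIEWER_FLOW, CHOICE_POINTS))
```

The classifier never decrypts anything. The rule is only as good as its size-band and timing assumptions, which is exactly the point for the defence: if both branches produced the same number of equally sized requests at the same moments, there would be nothing for it to work with.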

Should we be worried?

This may not be a particularly big problem for Netflix viewers, yet. However, if threat actors could intercept and follow user choices using a similar side channel, they could build reasonable behavioral profiles of their victims.

For instance, viewers of Bandersnatch are asked questions like “Frosties or sugar-puffs?”, “Visit therapist or follow Colin?”, and “Throw tea over computer or shout at dad?”. The choices made could potentially reveal benign information, such as food and music preferences, or more sensitive intel, such as a penchant for violence or political leanings.

Just as we can’t second-guess everyone’s threat model (even for Netflix viewers), we also shouldn’t dismiss this. There are plenty of dangerous ways monitoring along these lines could be abused, whether or not the traffic is encrypted. Additionally, this is something most of us going about our business probably haven’t accounted for, much less know what to do about.

What we do know is that it’s important that content providers affected by this research, such as gaming studios or streaming services, account for it, and look at ways of padding or otherwise obfuscating request sizes and timing so that branches are indistinguishable on the wire.

After all, a world where your supposedly private choices are actually parseable feels very much like a Black Mirror episode waiting to happen.

The post Researchers go hunting for Netflix’s Bandersnatch appeared first on Malwarebytes Labs.

SolarWinds MSP Blog: 6 Ways IT Teams Can Help Reduce Rework and Unproductive Labor

Two of the biggest drains on a company’s IT resources are rework and unproductive labor. While you might be tempted to lump them both together under “unproductive labor,” “rework” really needs to be separate. Unproductive labor may not be related to competence. Rework means your technician did something wrong and then they (or someone else) had to go do the work again. This is very often related to training, competence, and experience. You absolutely have to minimize this.


SolarWinds MSP Blog

SecurityWeek RSS Feed: D.C. Attorney General Introduces New Data Security Bill

Karl A. Racine, the attorney general for the District of Columbia, on Thursday announced the introduction of a new bill that aims to expand data breach notification requirements and improve the way personal information is protected by organizations.




SecurityWeek RSS Feed

Security Affairs: Cisco addresses High-Severity flaws in IP Phone 8800 and 7800 series

Cisco released security updates to address vulnerabilities in its IP Phone 7800 and 8800 series that could be exploited by remote, unauthenticated attackers.

Cisco IP Phone 8800 series are business desk phones that support HD video, while the Cisco IP Phone 7800 series is designed for desks and conference rooms in businesses.

All of the flaws affect the 8800 series; only one of them, CVE-2019-1716 (denial of service or arbitrary code execution), also affects the IP Phone 7800 series.


That flaw results from improper validation of user-supplied input during authentication.

“A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.” reads the security advisory published by Cisco.

“The vulnerability exists because the software improperly validates user-supplied input during user authentication. An attacker could exploit this vulnerability by connecting to an affected device using HTTP and supplying malicious user credentials. A successful exploit could allow the attacker to trigger a reload of an affected device, resulting in a DoS condition, or to execute arbitrary code with the privileges of the app user.”

The Cisco IP Phone 8800 series is also affected by a file upload denial of service issue (CVE-2019-1766) in the web-based management interface. A remote attacker holding valid administrator credentials could exploit it to drive disk utilization to the point of a denial of service.

“The vulnerability exists because the affected software does not restrict the maximum size of certain files that can be written to disk. An attacker who has valid administrator credentials for an affected system could exploit this vulnerability by sending a crafted, remote connection request to an affected system.” reads the security advisory published by Cisco. “A successful exploit could allow the attacker to write a file that consumes most of the available disk space on the system, causing application functions to operate abnormally and leading to a DoS condition. “

Cisco also addressed an authorization bypass vulnerability, tracked as CVE-2019-1763, in the web-based management interface of its 8800 series phones.

“A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition.” reads the advisory published by Cisco.

“The vulnerability exists because the software fails to sanitize URLs before it handles requests. An attacker could exploit this vulnerability by submitting a crafted URL. A successful exploit could allow the attacker to gain unauthorized access to critical services and cause a DoS condition.”

The two highest-rated issues, each scored 8.1 out of 10, both affect the 8800 series: a cross-site request forgery flaw that an unauthenticated, remote attacker can exploit, and a path traversal flaw that lets an authenticated attacker write arbitrary files to the filesystem.

The CSRF flaw, tracked as CVE-2019-1764, affects the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series.

“The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the interface to follow a crafted link.” reads the advisory. “A successful exploit could allow the attacker to perform arbitrary actions on a targeted device via a web browser and with the privileges of the user. “

The path traversal flaw tracked as CVE-2019-1765 results from a combination of insufficient input validation and file-level permissions.

“The vulnerability is due to insufficient input validation and file-level permissions. An attacker could exploit this vulnerability by uploading invalid files to an affected device. A successful exploit could allow the attacker to write files in arbitrary locations on the filesystem. ” states Cisco.

It gives an authenticated adversary write access to the filesystem of Cisco’s 8800 series IP phones and permits writing files of the attacker’s choice to arbitrary locations on affected products.
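The two 8.1-rated flaws, together with the unbounded write behind CVE-2019-1766, are all things a management interface’s upload handler has to get right. The Python below is an added, generic illustration of the hardened shape of such a handler; it is not Cisco’s code and says nothing about how the phone firmware is built. It shows a per-session CSRF token compared in constant time, a size cap, and a destination confined to one directory. The session store, token format, size limit and upload directory are constructed for the example.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session id -> CSRF token bound to it.
SESSIONS: Dict[str, str] = {}

# Assumed confinement directory for uploads; a temp dir so the example runs anywhere.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads-"))

# Assumed cap. The advisory for CVE-2019-1766 describes what happens without one:
# a single write fills the disk and the device's functions degrade.
MAX_UPLOAD = 1_000_000


def new_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the UI embeds in its own forms; a crafted link on another site cannot read it."""
    return SESSIONS[sid]


def csrf_ok(sid: str, submitted: Optional[str]) -> bool:
    """Accept the request only if it carries the token bound to this session."""
    expected = SESSIONS.get(sid)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time compare


def safe_target(filename: str) -> Optional[Path]:
    """Confine the destination to UPLOAD_ROOT; reject separators, traversal and absolute paths."""
    if not filename or any(c in filename for c in "/\\\x00"):
        return None
    if filename in (".", "..") or os.path.basename(filename) != filename:
        return None
    target = (UPLOAD_ROOT / filename).resolve()
    if UPLOAD_ROOT.resolve() not in target.parents:   # belt and braces after the string check
        return None
    return target


def handle_upload(sid: str, csrf_token: Optional[str],
                  filename: str, data: bytes) -> Tuple[int, str]:
    """Order matters: reject forged requests before looking at size or filename."""
    if not csrf_ok(sid, csrf_token):
        return 403, "csrf check failed"
    if len(data) > MAX_UPLOAD:
        return 413, "upload exceeds MAX_UPLOAD"
    target = safe_target(filename)
    if target is None:
        return 400, "filename rejected"
    target.write_bytes(data)
    return 200, str(target)


if __name__ == "__main__":
    sid = new_session()
    print(handle_upload(sid, csrf_token_for(sid), "config.bak", b"ok"))
    print(handle_upload(sid, csrf_token_for(sid), "../../etc/passwd", b"x"))
    print(handle_upload(sid, None, "config.bak", b"x"))
```

Rejecting anything that contains a path separator, rather than trying to strip `../` sequences, is the robust choice: the check does not depend on anticipating every encoding an attacker might try, and the `resolve()` comparison catches anything that slips past the string test. For the CSRF half, pair the token with `SameSite` cookies in a real deployment; the token alone is what defeats the crafted-link attack the advisory describes.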

There are no workarounds for any of the vulnerabilities addressed by Cisco. The good news is that Cisco is not aware of any attack exploiting the issues in the wild.

Pierluigi Paganini

(SecurityAffairs – Cisco, IP Phone 8800)

The post Cisco addresses High-Severity flaws in IP Phone 8800 and 7800 series appeared first on Security Affairs.



Security Affairs

Security Of Enterprise Wireless Networks

Providing enterprise network security is becoming an increasingly complex undertaking, as the number of threats emanating from the Internet continues to grow. Hackers continue to find new ways to attack systems and steal data, and dealing with these threats is highly complex. Vendor reviews may suggest that a virtual private network protects you against every threat, but getting on top of enterprise network security is much more difficult than that.

Multiple Systems

Dealing with enterprise network security means securing multiple related and connected systems, mainframes, and devices. And it doesn’t only apply to private companies – enterprise security is also applicable to organizations such as educational establishments and government departments. As networks run by these organizations grow in size and complexity, so security concerns multiply.

Virtually all enterprises today operate wireless networks, and that expands the attack surface: the radio signal reaches beyond the building, so an access point can be probed and attacked without physical access. Hackers have a variety of techniques available to them, such as packet sniffing, setting up rogue (“evil twin”) access points, stealing passwords and other network access information, spear phishing, and man-in-the-middle attacks. Each of these has the potential to compromise sensitive information, or even bring down the entire network.

Security Protocols

However, there are a variety of techniques available to help secure enterprise networks. Network security protocols are constantly evolving in order to deal with attacks, although staying one step ahead of the hackers is far from easy. This is why the contribution of white hat hackers to the security community is so valuable.

Wi-Fi Protected Access 2 (WPA2) encrypts traffic with the Advanced Encryption Standard (AES) in CCMP mode using 128-bit keys; the 256-bit figure that vendors often quote belongs to WPA3-Enterprise’s 192-bit security mode, not to WPA2. Brute-forcing the cipher is not a realistic attack. WPA2 networks fall instead to weak pre-shared keys, to 802.1X clients that do not verify the authentication server’s certificate, and to flaws in protocol implementations, so the configuration around the cipher matters far more than the key length.

Wi-Fi Alliance and WPA3

However, in June 2018, the Wi-Fi Alliance – a non-profit organization that promotes Wi-Fi technology and which is involved in the establishment of standards – certified WPA3. This will eventually replace WPA2, although this is a slow and steady process, much as the switch from 3G to 4G and then 5G takes a considerable period of time.

However, although encryption is extremely valuable, it is just the start of securing an enterprise network. Second on the list of priorities should be the deployment of a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS). These are network devices that continually monitor traffic and activity on Wi-Fi networks, and help recognize and eliminate unauthorized access.

Regular Patching

IT professionals responsible for network security should also ensure that all software and hardware is patched on a regular basis. Updating software, in particular, is absolutely critical, as vulnerabilities appear in even the best-known programs with alarming regularity. You simply must be running the most up-to-date and fully patched programs, otherwise, you run the risk of completely compromising all other security measures taken. All it takes is for hackers to exploit one known vulnerability, and you can be rapidly up a creek without a paddle.

Security Standards

As the authorities attempt to assist businesses in protecting their data, a range of security standards have been established. One of these is Federal Information Processing Standards (FIPS) 140-2 compliance for encryption, which is particularly important for enterprise networks, since they require especially robust encryption. You should ensure that your network is fully compliant with this standard. And if you’re unsure how this is to be achieved, then don’t shy away from contacting the authorities, as they will be more than happy to assist you.

Training Employees

The next port of call for all enterprise security should be dealing with everyday members of staff. This is where things can go horribly wrong. There are other things you can implement, which we’ll get to in a minute, but first of all, make sure staff are on the same page as you. Emphasize to employees that security is all important, and don’t neglect training them in network security principles. Again, your network is only as secure as the weakest password and the laxest worker, so make sure everyone is trained up and diligent.

Multi-Factor Authentication

And while you’re at it, ensure that you initiate multi-factor authentication across your network. This just makes it so much harder to crack your enterprise system. Strong passwords combined with multiple layers of security and authentication will simply make your network way more secure.

Secure Protocols

Another layer of security that you can consider is a bit of a mouthful…namely, Extensible Authentication Protocol-Transport Layer Security! This is another authentication framework that makes it harder for attackers to gain access to your network, and it also helps secure the authentication exchange itself.

There are other protocols that can be used as well, but one final process that we’d like to mention is the implementation of a guest Wi-Fi network. This can be kept separate from the main network, providing a vital failsafe mechanism for network security. By employing routers with multiple Service Set Identifiers you can isolate your valuable enterprise network access points, and ensure that your key data is kept under lock and key.
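As an added example that is not part of the original article, here is a hostapd configuration that places the flat shared-passphrase setup the article warns against beside the measures it recommends: WPA2/WPA3 with AES, EAP-TLS (802.1X) for staff, and a separate guest SSID kept off the corporate segment. Interface and bridge names, SSIDs, certificate paths and the use of hostapd's built-in EAP server instead of a RADIUS server are assumptions, and the file presumes a hostapd build with SAE (WPA3) support.

```ini
# hostapd.conf: added example, not the article's own configuration.
# Interface names, SSIDs, bridge names and certificate paths are assumptions.

# ---- WEAK (what the article warns against): one passphrase shared by staff
# and guests, no protected management frames, everyone on the same network ----
# interface=wlan0
# ssid=Corp-WiFi
# wpa=2
# wpa_key_mgmt=WPA-PSK
# wpa_passphrase=Welcome123       # one secret for every employee and visitor
# rsn_pairwise=CCMP
# ieee80211w=0                    # deauth/disassoc frames can be spoofed

# ---- HARDENED ----
interface=wlan0
driver=nl80211
hw_mode=a
channel=36
country_code=US
ieee80211n=1

# Corporate BSS: per-user certificates via EAP-TLS over 802.1X, AES-CCMP only.
ssid=Corp-Secure
bridge=br-corp                    # wired side carries only the corporate VLAN
wpa=2
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2                      # require 802.11w protected management frames
ieee8021x=1
eap_server=1                      # assumption: hostapd's internal EAP server, no RADIUS
eap_user_file=/etc/hostapd/eap_user   # placeholder; contains the single line:  * TLS
ca_cert=/etc/hostapd/certs/ca.pem      # placeholder paths for the enterprise CA
server_cert=/etc/hostapd/certs/ap.pem  # and the AP's own TLS certificate/key
private_key=/etc/hostapd/certs/ap.key

# Guest BSS: a second SSID on the same radio, WPA3-SAE, clients isolated from
# one another and bridged onto the guest VLAN only, never onto br-corp.
bss=wlan0_1
ssid=Guest
bridge=br-guest                   # wired side carries only the guest VLAN
wpa=2
wpa_key_mgmt=SAE
sae_password=CHANGE-ME-rotate-regularly   # placeholder guest secret
rsn_pairwise=CCMP
ieee80211w=2
ap_isolate=1                      # guests cannot reach other wireless clients
```

The second BSS requires a driver that supports multiple virtual interfaces on one radio; keeping br-corp and br-guest on different VLANs upstream is what makes the guest network a real "failsafe" rather than just a second name for the same segment.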

Keep Renewing

Finally, we should mention the importance of continually renewing your approach. This is one area where you can’t stand still, as hackers and network attackers are continually crafting new approaches to circumventing security. You must keep up-to-date with all of the latest security and encryption technology, and ensure that it is implemented across your network.

By following these tips, you will safeguard your enterprise network, and maintain a high level of security for your business at all times.

David Balaban
David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

The ISBuzz Post: This Post Security Of Enterprise Wireless Networks appeared first on Information Security Buzz.

Vulnerability Assessments Versus Penetration Tests: A Common Misconception

X-Force Red is an autonomous team of veteran hackers within IBM Security that is hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain. Our team recently unveiled new statistics collected from its penetration testing engagements. One statistic that stood out, although not surprisingly, was that out of 1,176 phishing emails sent to employees within five organizations from October 2017 to November 2018, 198 people clicked on the malicious link inside the email and 196 people submitted valid credentials.

While those numbers do not appear significantly high, they still show that criminals had 196 unique opportunities to move around inside a target organization and access sensitive data. And considering one set of valid credentials is all it might take for a criminal to launch an attack, 196 of them is a gold mine.

These security mistakes are the types of vulnerabilities that can be identified by penetration testers. On the other hand, vulnerability assessments, which typically require an automated scanning tool, are designed to identify known system vulnerabilities. However, despite those differences, some vendors, cybersecurity professionals, marketing teams and others often use the terms “penetration testing” and “vulnerability assessment” interchangeably, mixing two completely different security engagements.

It’s a misconception that should be corrected so that security professionals understand exactly what they are buying and receiving and how that investment will help solve the challenge at hand. If they are unwittingly misled into buying the wrong solution for their environment, a critical unknown vulnerability exposing a high-value asset could be missed.

A Q&A With X-Force Red Penetration Testing Consultant Seth Glasgow

Seth Glasgow, an X-Force Red penetration testing consultant, has participated in many conversations with clients and security professionals where he has had to clarify the difference between vulnerability assessments and penetration testing. I chatted with Seth about the misconception, including how it came to be and what the difference is between penetration testing and vulnerability assessments.

Question: Seth, thank you for chatting with me about this topic. Can you provide more details about how some in the industry use penetration testing and vulnerability assessments interchangeably?

Glasgow: Sure, Abby. Some vendors, security professionals and others in the industry believe penetration testing is a substitute for vulnerability scanning, or vice versa. Basically, they say they don’t need both; they need one or the other. Sometimes, the two names alone cause confusion. Some may say “vulnerability testing” or “penetration scanning.” Others may say they offer penetration testing, but it’s really just an automated scan that can find known vulnerabilities. It does not involve actual manual testing.

To cover all your bases, it’s best to use a combination of manual penetration testing and vulnerability assessments. I like to compare it to clubs in a golf bag. Not every club is needed for every shot, but to play the whole game, you need all of them.

I like that analogy. How do you think this mixing of the two terms came to be? Was it marketing-related where marketers used the same language to describe the different solutions?

Glasgow: There are a few reasons, none of which began with marketing. One is related to compliance. Some mandates lump penetration testing and vulnerability assessments into one requirement, which muddies the water. At a technical level, the conversations are like a game of telephone. Information is repeated in the wrong context, and before you know it, a vendor is offering to sell a low-cost “penetration test,” but it’s really an automated scan. Also, in the past, the two terms could have been used interchangeably based on the threat and vulnerability landscape at the time. Whereas today, the two are very different and solve different problems.

Can you provide an example of how the evolution of the industry has caused significant differentiation between the two?

Glasgow: Sure, I have a couple examples. In the past, before the cloud became popular, most companies worked with physical servers. A vulnerability assessment, which involved scanning servers before they went into production, was often all that was needed to find critical vulnerabilities and make sure they were patched. After all, the servers were managed locally, making it somewhat easier to control the security around them (such as who can access them). Today, an increasing number of companies are migrating to the cloud, which has a large variety of other security implications. At a minimum, this means more server configurations need to be set up, and there can be less control and visibility into who’s accessing which data from which network. In this new security environment, penetration testing is essential in identifying configuration and access control vulnerabilities and can link those vulnerabilities together to show how an attacker could leverage them to compromise a cloud environment.

Another example is with the Payment Card Industry Data Security Standard (PCI DSS). Companies could comply with older versions of the standard by just doing a vulnerability assessment and possibly a light penetration test. However, in the PCI DSS version 3.2, the requirements specify companies implement a penetration testing methodology (see requirement 11.3) and say companies must “validate segmentation,” which can only be done by performing a manual penetration test.

So, what is the difference between the two? Can you break it down for us?

Glasgow: Whereas vulnerability scanning is 10 miles wide and one mile deep, penetration testing is 10 miles deep and one mile wide. Vulnerability assessments involve automated scanning, which casts a wide net across the entire network. Scanning evaluates every in-scope system to identify known vulnerabilities. Vulnerability assessments review systems for patching and security configuration items that represent security risk. They also include confirmation that the vulnerabilities are real and not false positives; however, they do not include exploitation of the vulnerability. Frequent assessments are important because they enable companies to understand what their attack surface looks like on a regular basis. The vulnerability landscape is constantly evolving as new discoveries are made and patches are released. I could scan a system today and have a clean bill of health, but I could scan that same system next month and find critical vulnerabilities.

Penetration testing is a manual exercise that focuses on identifying and exploiting vulnerabilities within the in-scope networks and applications. It can assess all facets of the security of a company, including networks, applications, hardware, devices and human interactions. The facets to test are decided prior to the engagement. Testing involves hackers actively exploiting vulnerabilities, emulating how a criminal would leverage and link vulnerabilities together to move laterally and/or deeper into the network to access the crown jewels. As testers, we are less concerned about vulnerabilities we cannot exploit, or those that don’t lead to anywhere valuable.

For example, let’s say you have a webpage that hosts an online brochure and has minimal user engagement. A vulnerability assessment will treat that page the same as if it were a webpage with a high level of user engagement. A penetration test would not focus on that page because the testers know it wouldn’t lead them to a highly valuable place. They may be able to use information from the brochure to move elsewhere within the network; however, they would focus on other components that would give them the most access.

Think of it this way: A vulnerability assessment identifies if the office doors in a building are unlocked. A penetration test identifies what criminals would do once they are inside the office.

[Chart: characteristics of vulnerability assessments vs. penetration testing]

Figure 1: Top differentiators between vulnerability assessments and penetration testing (source: X-Force Red)

I have one final question: If I am a cybersecurity leader looking for penetration testing services, which red flags should I look for that may indicate a vendor is actually offering a vulnerability assessment but says it’s a penetration test?

Glasgow: Be wary of the timeline. A good penetration test doesn’t adhere to a strict timeline, but it should take at least a week’s worth of work. And that’s on the low end. If a vendor is saying they can perform a test with a much quicker turnaround, that’s a sign they are probably going to use an automated scanning tool and quickly send you a report of all the findings. Also, ask about the deliverable. What kind of information will be in the findings report? If it’s a spreadsheet with scan results, that’s a sign it’s a vulnerability assessment. A penetration testing report typically includes the findings, a detailed narrative of what the testers did and remediation recommendations.

The report should also include the types of testing performed to help ensure security professionals know where remediation emphasis should be placed to make a network more difficult for hackers to gain access, maintain access and exfiltrate data.

Download the free white paper, “Penetration Testing: Protect Critical Assets Using an Attacker’s Mindset.”

The post Vulnerability Assessments Versus Penetration Tests: A Common Misconception appeared first on Security Intelligence.

Trump’s counter-intelligence strategy

neweurope.eu - For more than two years, US President Donald J. Trump has heaped praise on the world’s authoritarians, disrespected America’s democratic allies, and pursued an ego-driven effort to solve the Gordian …


Tweeted by @New_Europe https://twitter.com/New_Europe/status/1109098668110417920

Security Flaws & Fixes – W/E – 3/22/19

Cisco Pushes Out Security Fixes for Product Suites (03/20/2019)
Cisco released multiple advisories to address flaws across its product lines. Four of the alerts pertain to security issues in the IP Phone 8800 Series, including authentication bypass, remote code execution, and denial-of-service.

Drupal Core Updates Alleviate XSS Vulnerability (03/21/2019)
A cross-site scripting vulnerability in Drupal Core has been identified. Updates are available to mitigate risks.

Eight Out of Top 10 Vulnerabilities in 2018 Belonged to Microsoft (03/20/2019)
Recorded Future reported that in assessing the top 10 vulnerabilities in 2018, Microsoft products were the most exploited, with eight vulnerabilities. Adobe had the second most exploited vulnerability, while an Android bug took ninth place. Although the number of exploit kits (EKs) dropped by 50% in 2018, Recorded Future found that the ThreadKit EK contained four of the top 10 vulnerabilities.

Gemalto Releases Advisory for Sentinel UltraPro (03/19/2019)
Gemalto's Sentinel UltraPro is vulnerable to the execution of unauthorized code or commands. Customers who have integrated Sentinel UltraPro Client Library ux32w.dll versions v1.3.0 through v1.3.2 are advised to upgrade to the latest Sentinel UltraPro Client Library ux32w.dll version, v1.3.3.

Hackers Can Track Users Via Google Photos Vulnerability (03/21/2019)
A cross-site search bug in the Web version of Google Photos enabled malicious Web sites to expose information regarding photo history, including user location. The issue, uncovered by Imperva, affected the metadata gathered by the Google Photos search engine. Google has patched this bug.

Microsoft Fixes Data Leak Bug in Azure Linux Agent (03/19/2019)
An information disclosure vulnerability exists in the way the Microsoft Azure Linux Agent creates swap files on resource disks. An authenticated attacker who successfully exploited this vulnerability could view data in swap that is normally hidden. Microsoft released a fix that corrects how the swap information is accessed.

Mozilla Releases Firefox 66 and Updates to Firefox ESR (03/20/2019)
Mozilla fixed bugs with version 66 of Firefox and in Firefox ESR with an update to version 60.6. Both releases remedy multiple vulnerabilities.

Multiple Intel Products Receive Security Updates (03/19/2019)
Intel released multiple advisories to address vulnerabilities in its products. Users should apply updates for Accelerated Storage Manager, USB 3.0 Creator Utility, Software Guard Extensions SDK, and Matrix Storage Manager to mitigate risks.

Multiple Vulnerabilities Patched in CUJO Smart Firewall (03/20/2019)
Cisco's Talos researchers discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems. CUJO AI has released firmware updates to mitigate the vulnerabilities.

Path Traversal Bug Affects Pepperl+Fuchs' WirelessHART Gateways (03/19/2019)
Pepperl+Fuchs has warned that its WirelessHART Gateways have a critical vulnerability within the firmware. An attacker may exploit this vulnerability to gain access to files and access restricted directories that are stored on the device by manipulating file parameters that reference these. Incoming HTTP requests using fcgi-bin/wgsetcgi and a filename parameter allow a directory/path traversal. A publicly available exploit already exists for this vulnerability. The vendor pushed out a firmware update to mitigate risks.

Privilege Escalation Bug Found in Windows Kernel (03/19/2019)
Google Project Zero researcher James Forshaw discovered a novel bug class in the Windows kernel and some of its drivers. He found that the kernel mode drivers shipped with Windows don't perform all the appropriate checks when handling certain requests, which could result in the escalation of user privileges. Forshaw submitted his findings to Microsoft, which in turn said it will address these issues in future versions of Windows. Currently supported Windows versions do not contain the combination of initiator and receiver that could result in privilege escalation.

Researchers Find Exploitable Bugs in NSA's Ghidra Security Tool (03/20/2019)
A researcher has identified security vulnerabilities in Ghidra, the free, open-source software reverse-engineering tool that was released by the National Security Agency (NSA) for use by security professionals. The researcher, known as "sghctoma," warned that project open/restore is susceptible to XML External Entity (XXE) Expansion attacks. This can be exploited in various ways to open/restore a project prepared by an attacker. Analysts at Tencent Security have also determined that chaining the original XXE vulnerability with an abuse of Ghidra's Java features and weaknesses in the NTLM protocol in Windows can lead to a remote code execution.

Unpatched Triconex Tristation Emulator Bug Could Cause DoS Condition (03/20/2019)
Applied Risk security researcher Tom Westenberg warned of a vulnerability in Triconex Tristation Emulator's Triconex System Access Application (TSAA) communication stack which causes a denial-of-service. Triconex is a Schneider Electric brand and the vendor stated that a patch will be released in June. 

Update Boots LAquis SCADA Vulnerability (03/19/2019)
LAquis SCADA, an industrial automation software from LCDS, contains an out-of-bounds vulnerability that could result in a remote code execution. LCDS recommends users update to Version 4.3.1.71. The ICS-CERT issued an advisory with further information.

Updated Firmware Halts Security Bugs in Weather MicroServer (03/20/2019)
Columbia Weather Systems' Weather MicroServer is vulnerable to various security bugs that could result in such issues as cross-site scripting and code injection, among others. The vendor issued Version: MS_2.7.9973 to address all vulnerabilities. An ICS-CERT alert details the vulnerabilities.

VMWare Advises on Workstation Pro/Player and Horizon Vulnerabilities (03/19/2019)
VMware has issued advisories for Workstation Pro/Player to address a privilege escalation bug and Horizon due to an information disclosure vulnerability.

Vulnerability Detected in AVEVA's InduSoft Web Studio and InTouch Edge HMI (03/20/2019)
AVEVA recommends that users of InduSoft Web Studio and InTouch Edge HMI upgrade to the latest versions due to an uncontrolled search path element vulnerability. Successful exploitation of this vulnerability could allow execution of unauthorized code or commands. The ICS-CERT posted an advisory with further details.

Malware Watch – W/E – 3/22/19

Cardinal RAT Returns to Take Aim at Israeli Financial Tech Companies (03/20/2019)
Cardinal RAT, a malware that appeared to go dormant for two years, has reemerged with new updates to help keep it hidden from detection. Palo Alto Networks has observed Cardinal RAT exploiting the financial technology sector primarily in Israel. While researching these attacks, the security investigators discovered a possible relationship between Cardinal RAT and another malware family. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.

FIN7 Returns with Astra PHP Panel and New Malware in Tow (03/20/2019)
Flashpoint has uncovered a new administrative panel and previously unseen malware samples in use by the FIN7 cybercriminal gang. The panel, called "Astra" and written in PHP, functions as a script-management system, pushing attack scripts down to compromised computers. Analysts discovered references to the FIN7 front company Combi Security in the Astra panel's backend PHP code, connecting the group to these campaigns. It is alleged that FIN7 has portrayed Combi Security as a legitimate business in order to recruit other hackers to its operation. A previously unseen malware called SQLRat drops files and executes SQL scripts on the host system.

New Mirai Variant Targets Business Devices and Encompasses 27 Different Exploits (03/19/2019)
Palo Alto Networks has discovered a new variant of the Mirai Internet of Things botnet. This variant has been seen targeting embedded devices like routers, network storage devices, NVRs, and IP cameras and using numerous exploits against them. The researchers noted this latest variant targeted WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, both devices intended for use by businesses. The variant also includes new exploits and new credentials for brute-forcing devices. The malicious payload was found to be hosted on a compromised site in Colombia, an electronic security, integration, and alarm monitoring business. The newest Mirai sample contains a total of 27 exploits.

New Monero Mining Campaign Uses Legitimate Tools to Spread (03/20/2019)
A new variant of the Monero mining malware is using legitimate IT administration tools, Windows system tools, and previously disclosed Windows vulnerabilities in order to infect an entire network of PCs. The malware used in the attack consists of two types of Trojans identified as Trojan.Win32.Fsysna and a variant of a Monero cryptominer. It is not known how the initial infection begins but Check Point Software researchers say that because the malware uses the Mimikatz open-source utility, it appears to spread through unpatched network systems.

Process Hollowing Enables Attacker to Drop NETWIRE Malware as Payload (03/19/2019)
FireEye observed a phishing campaign where an attacker used VBScript, PowerShell, and the .NET framework to perform a code injection attack using a process hollowing technique. The attacker abused the functionality of loading .NET assembly directly into the memory of PowerShell to execute malicious code without creating any PE files on the disk. This particular attacker targeted multiple individuals and successfully executed its payload without having to write the executable dropper or the payload to the disk. The final payload was the NETWIRE Trojan.

Update Immediately to Avoid Exploits Targeting Patched WinRAR Bug (03/19/2019)
The patched code execution bug in the WinRAR compression tool is being exploited in the wild, the researchers at McAfee have warned. One of the exploits piggybacks on a bootlegged copy of Ariana Grande's hit album "Thank U, Next" with a file name of "Ariana_Grande-thank_u,_next(2019)_[320].rar." When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder. User Account Control does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run. The vulnerability was patched on February 26, but criminals are abusing systems that have not yet been updated.

CyberCrime – W/E – 3/22/19

Attackers Abuse Legacy Protocols, Credential Dumps to Breach Cloud Accounts (03/19/2019)
In a six-month study of major cloud service tenants, Proofpoint researchers observed massive attacks leveraging legacy protocols and credential dumps to increase the speed and effectiveness of brute-force account compromises at scale. The researchers said that attacks conducted on Office 365 and G Suite cloud accounts using IMAP are difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable. Proofpoint analyzed over 100,000 unauthorized logins across millions of monitored cloud user accounts and found that 72% of tenants were targeted at least once by threat actors; 40% of tenants had at least one compromised account in their environment; over 2% of active user accounts were targeted by malicious actors; and 15 out of every 10,000 active user-accounts were successfully breached by attackers.

Lithuanian Thief Pleads Guilty in BEC Scheme that Netted $100 Million (03/21/2019)
A Lithuanian man pled guilty to wire fraud arising out of his orchestration of a fraudulent business email compromise scheme that induced two US-based Internet companies to wire more than $100 million USD to bank accounts he controlled, the Justice Department (DOJ) announced. Evaldas Rimasauskas set up a company in Latvia that had the same name as an Asian-based computer hardware manufacturer. He then sent phishing emails to employees of the victim companies, which regularly conducted multimillion dollar transactions with the legitimate hardware manufacturer but directed payments to be sent to his fake company's bank accounts in Latvia and Cyprus. Rimasauskas faces up to 30 years in prison.

Norsk Hydro Victimized by Ransomware Attack (03/20/2019)
An extensive cyber attack hit Norwegian metals and energy company Norsk Hydro on March 19 and affected many of the organization's business areas. According to SecurityWeek, Norway's national computer emergency response team NorCERT warned other companies about the attack and said that a new ransomware called LockerGoga was to blame. MalwareHunterTeam noted that a LockerGoga sample had been uploaded to VirusTotal from Norway on March 19, so it is suspected that this is the variant used in the Hydro attack. In a statement, Hydro said, "Following detection of the problem, Hydro isolated all plants and operations and switched to manual operations and procedures. The main priority continues to be to ensure safe operations and limit operational and financial impact."

Scammers Capitalize on New Zealand Tragedy with Schemes, Threats (03/19/2019)
In the wake of the New Zealand mosque shootings, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to be alert to possible malicious cyber activity seeking to capitalize on this tragic event. Users should exercise caution in handling emails related to the shootings, even if they appear to originate from trusted sources.

This Week in Security News: Radio Frequency Technology and Telecom Crimes

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how radio frequency technology is putting industrial organizations at risk. Also, understand the threat landscape of telecommunications and how to prepare for future threats.

Read on:

How Radio Frequency Technology is Putting the Industrial Sector at Risk

Leaders of industrial organizations must understand that the devices and systems employees leverage to control processes could open their business up to specific vulnerabilities. 

Microsoft warns Windows 7 users of looming end to security updates

Microsoft has rolled out a patch that will warn Windows 7 users that security updates will come to an end on January 14, 2020. At that time, the software giant will no longer roll out fixes for security flaws and vulnerabilities.

Attackers Targeting Cloud Infrastructure for Their Cryptocurrency-Mining Operations

With the rise of cryptocurrency-mining malware over the past couple of years, cybercriminals are constantly trying different kinds of monetization schemes. 

Email Scammers Stole More Than $150K from Defense Contractors and a University, FBI Says

Cybercriminals defrauded two defense contractors and a university out of more than $150,000 through email scams last year, the FBI has warned companies.

Global Telecom Crime Undermining Internet Security: Cyber-Telecom Crime Report

As the field of telecommunication continues to evolve, so should its security. Understanding its current threat landscape can help reduce the impact of crimes and prepare us for future threats. 

Half of Organizations Lack the Security Talent Needed to Remain Secure

According to the latest Trend Micro figures, organizations worldwide are faced with an ‘ongoing and often detrimental’ shortage of cybersecurity talent.

New Mirai Botnet Variant Targets IoT TV, Presentation Systems

Trend Micro researchers found a new Mirai variant in the wild targeting smart signage TV and wireless presentation systems commonly used by businesses. 

Aluminum Maker Hydro Battles to Contain Ransomware Attack

Norsk Hydro, one of the world’s largest aluminum producers, battled to contain a cyber-attack that halted parts of its production.

What You Need to Know About the LockerGoga Ransomware

The systems of Norwegian aluminum manufacturing company Norsk Hydro were reportedly struck last Tuesday, March 19, by LockerGoga ransomware. 

Round 4: Hacker Returns and Puts 26 Million User Records for Sale on the Dark Web

A hacker who previously put more than 840 million user records up for sale has returned with a fourth round of hacked data from six companies, totaling 26.42 million user records. 

Trump’s Cybersecurity Budget Emphasizes DOD While Spreading Cuts Elsewhere

Federal cybersecurity spending would increase by about 5 percent overall in fiscal 2020 under President Donald Trump’s proposed budget, with the Department of Defense getting a big boost and many civilian agencies seeing small cuts or relatively flat funding.

Are you surprised with the growth and evolution of telecom technology? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Most Bitcoin Trading Faked by Unregulated Exchanges, Study Finds

Up to 95% of all reported trading in bitcoin is artificially created by unregulated exchanges, according to a new study [PDF], raising fresh doubts about the nascent market following a steep decline in prices over the past year. From a report: Fraudulent trading volume has dogged cryptocurrency trading for years, but the extent of the market manipulation has been difficult to determine. Bitwise Asset Management said its analysis of trading activity at 81 exchanges over four days in March indicates that the actual market for bitcoin is far smaller than previously thought. The San Francisco-based company submitted its research to the U.S. Securities and Exchange Commission with an application to launch a bitcoin-based exchange-traded fund. The study, made public Thursday, is an attempt to alleviate the agency's longstanding concerns that a bitcoin ETF would leave investors exposed to fraud and market manipulation. Bitwise's fund, if approved, would be based upon the 5% of trading it considers legitimate, said Matthew Hougan, Bitwise's head of global research. That volume comes from 10 regulated exchanges that can verify that their trading data and customers are real. This slice of the market, he said, is well regulated, transparent and efficient. "I hope everyone sees there is a real market for bitcoin," he said.


Debian Security Advisory 4413-1

Debian Linux Security Advisory 4413-1 - A heap-based buffer overflow was discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of this flaw for local root privilege escalation.

Packet Storm

Cyber Security Week in Review (March 22)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. For more news delivered to your inbox every week, sign up for our Threat Source newsletter here.

Top headlines this week


  • Norwegian aluminum company Norsk Hydro was hit with a “severe” ransomware attack. The malware affected production operations in the U.S. and Europe. The company says they do not know the origin of the attack and are still working to contain the effects. 
  • Cisco disclosed several vulnerabilities in some of its IP phones. The bugs could allow an attacker to carry out a cross-site request forgery attack or write arbitrary files to the filesystem. The affected models are Cisco’s IP Phone 8800 series, a desk phone for businesses that includes HD video features, and the 7800 series, which is mainly used in conference rooms at businesses. Snort rules 49509 - 49511 protect users from these vulnerabilities. 
  • A new variant of the Mirai botnet is in the wild targeting televisions hosting signage and presentation systems. The malware uses 27 different exploits to infect systems, 11 of which are completely new to Mirai. Snort rules 49512 - 49520 protect users from this new variant. 

From Talos


  • The new LockerGoga malware straddles the line between a wiper and ransomware. Earlier versions of LockerGoga leverage an encryption process to remove the victim's ability to access files and other data that may be stored on infected systems. A ransom note is then presented to the victim that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data that LockerGoga has impacted.
  • The latest episode of the Beers with Talos podcast covers point-of-sale malware. Additionally, the guys recap the RSA Conference from earlier this month and talk OpSec fails. 
  • We recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account or by uploading and executing unsigned kernels on affected systems. Snort rules 47234, 47663, 47809, 47811, 47842, 48261 and 48262 provide coverage for these bugs.
  • Our researchers discovered a new way to unmask IPv6 addresses using UPnP. This allows us to enumerate a particular subset of active IPv6 hosts which can then be scanned. We performed comparative scans of discovered hosts on both IPv4 and IPv6 and presented the results and analysis.

The rest of the news


  • A health care vendor in Singapore mistakenly exposed the personal information of 800,000 blood donors. The vendor reportedly used an unsecured database on an internet-facing server without properly protecting it from unauthorized access. All affected donors have been notified by Singapore’s government. 
    • Talos Take: "The data leak in Singapore is the latest in a string of these. Last summer (June/July) it was 1.5 million records, earlier this year it was 14,000 HIV patients and now this 800,000 blood donor info that you have," said Nigel Houghton, director of Talos operations.
  • Google patched a bug in its Photos app that could have allowed an attacker to track users. The vulnerability opened mobile devices to browser-based timing attacks that could produce information about when, where and with whom a user had taken a photo. 
  • The European Union hit Google with another fine, this time worth roughly $1.7 billion. A recent report from the European Commission found that Google “shielded itself from competitive pressure” by blocking rivals from placing advertisements on third-party websites by adding certain clauses in AdSense contracts.
  • Microsoft is ending support for Windows 7. The company says it will cease support for the operating system on Jan. 14, 2020. Users are being notified of the change via a recent update. 
  • U.S. officials at the recent RSA Conference warned that China is the greatest cyber threat to America, not Russia. Rob Joyce, a cybersecurity adviser at the National Security Agency, compared Russia to a hurricane that can move quickly, while China is closer to the long-term problems that can come with climate change.