Security Pros Not Confident in Endpoint Defense: Survey 30.4.2018 securityweek Safety
Endpoint Protection is Barely Keeping Pace With Endpoint Attacks
The difference between anti-malware test results and real-life experience is highlighted in a new survey. While independent test results continue to suggest endpoint protection can detect and/or block close on 100% of malware, one-third of security professionals in the field believe their own endpoint protection controls will stop no more than 50% of malware infections.
Less than one-quarter of 600 security professional respondents to a new survey (PDF) conducted by Minerva Labs believe their current defenses provide a 70-100% prevention rate. The implication is clear: despite the new technology of artificial intelligence enhanced behavioral detection, defenders are not yet winning the battle against malware attacks.
This is confirmed with 75% of the professionals believing the rate of infection has been constant -- or has worsened -- over the last year. Furthermore, two-thirds of the respondents do not have confidence that their current defenses will be able to prevent 'a significant' malware attack in the future.
The most interesting response here, however, is that about 6% of respondents are 'not at all concerned' about a significant attack -- and the unanswered question is, why not? Are 6% of security professionals totally apathetic -- or do they all use a particular endpoint protection system that instills almost total confidence? If all 6% use one particular, or a small subset of, so-called next-gen machine learning endpoint detection systems, then any conclusions drawn from this response would be very different. This is the problem and danger in all broad-brush surveys -- detailed and accurate analysis of the results is impossible.
Nevertheless, it remains clear that, overall, industry's use of malware detection is not currently making any serious inroads against malware infections. In fact, 30% of the respondents have experienced a higher number of infections over the last 12 months than in previous years. Only one-in-five security professionals have seen fewer infections -- but again, the unasked and unanswered question is: what have you done differently in the last 12 months?
One of the most confusing questions in this survey is: "Of the following malware evasion techniques, which concern you the most?" The options are fileless, sandbox evasion, malicious documents, and ransomware. The first two are valid. In fact, there has been a dramatic rise in the use of fileless attacks capable of avoiding basic detection over the last year.
The inclusion of 'malicious documents' as an evasion technique is difficult to understand: do those documents contain scripts that become a fileless attack; just contain malicious links that automatically detonate; seek to invoke a watering hole attack; include steganographic images; or something else. The document itself is not an evasion technique, although what it contains might seek to evade detection. And ransomware as an evasion technique is just plain wrong.
The lack of detail in the survey shows itself repeatedly. Asked how long it takes to restore a compromised endpoint to its normal state, 17% of the respondents replied 'within minutes', while 14% replied 'within weeks'. Once again, the valuable information would be, what are the 17% doing differently to the 14% that the latter could learn from? Are those who can recover within minutes using a modern endpoint detection and response (EDR) system, not used by the other respondents -- or do they have a particularly effective back-up and recovery regime, or perhaps a virtual desktop, or one of the emerging isolation technologies?
One question and response that is unequivocally useful -- to product marketers, if not product users -- concerns how security professionals would improve their defenses if not currently happy with them. Less than 30% of the respondents indicated a willingness to entirely replace the existing controls. As many as 17% would carry on regardless, "and would not consider replacing or augmenting it".
More than 50%, however, replied, "I would prefer to add additional layers to cover the protection gap to avoid the risks and costs associated with replacing the exiting solution." Security professionals are quite simply more interested in improving than replacing their existing defenses. Minerva Labs suggests this is likely "due to their desire to avoid the risks and costs associated with replacing the existing solution. After all, the 'rip and replace' project is likely to involve a lengthy rollout, intense regression testing, and require reengineering of many IT processes."
Despite the lack of detail in this survey, the overall picture is clear: endpoint defense is barely keeping pace with endpoint attacks. "The results from our survey," said Eddy Bobritsky, co-founder & CEO of Minerva Labs, "indicate that while malware threats are still growing, endpoints remain highly vulnerable to a cyber-attack,"
He continued, "We continue to see more complex and sophisticated threats, where traditional blocking and prevention mechanisms, such as antivirus, are no longer enough to keep endpoints safe. Beyond merely relying on baseline anti-malware solutions to protect endpoints, companies should strengthen their endpoint security architecture to get ahead of adversaries, such as blocking off attempts to get around existing security tools."
Minerva Labs' own solution is an anti-evasion and deception platform that deceives malware into misfiring. It is not a replacement for existing endpoint defenses -- with which it happily coexists --- but a supplement designed to detect and neutralize malware that would get through existing anti-malware systems.
Firefox 60 supports Same-Site Cookies to prevent CSRF attacks 29.4.2018 securityaffairs Safety
This week Mozilla announced that the upcoming Firefox 60 version will implement a new Cross-Site Request Forgery (CSRF) protection by introducing support for the same-site cookie attribute. An attacker can launch a CSRF attack to perform unauthorized activities on a website on behalf of authenticated users, this is possible by tricking victims into visiting a specially crafted webpage.
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. ” reads the OWASP.
“Firefox 60 will introduce support for the same-site cookie attribute, which allows developers to gain more control over cookies. Since browsers will include cookies with every request to a website, most sites rely on this mechanism to determine whether users are logged in.” reads the announcement published by Mozilla.
These types of attacks leverage the fact that every request to a website includes cookies and many sites rely on these cookies for authentication purposes.
According to Mozilla there currently there is no way to reliably determine if a request has been initiated by the legitimate user or if it comes from a third-party script.
“Unfortunately current web architecture does not allow web applications to reliably distinguish between actions initiated by the user and those that are initiated by any of the third-party gadgets or scripts that they rely on.” continues the announcement.
“To compensate, the same-site cookie attribute allows a web application to advise the browser that cookies should only be sent if the request originates from the website the cookie came from. Requests triggered from a URL different than the one that appears in the URL bar will not include any of the cookies tagged with this new attribute.”
Mozilla plans to release Firefox 60 on May 9, the experts will introduce same-site attributes to prevent such kind of attacks.
The attributes can have only two values:
In ‘strict‘ mode, when a user clicks on an inbound link from external sites to the application, he will initially be treated as ‘not being logged in even if they have an active session with the site.
The ‘lax‘ mode, is implemented for applications that may be incompatible with the strict mode. In the lax mode same-site cookies will be withheld on cross-domain subrequests (e.g. images or frames) but will be sent whenever a user navigates from an external site, for example by following a link.
Mozilla Adding New CSRF Protection to Firefox 27.4.2018 securityweek Safety
Mozilla announced this week that the upcoming Firefox 60 will introduce support for the same-site cookie attribute in an effort to protect users against cross-site request forgery (CSRF) attacks.
CSRF attacks allow malicious actors to perform unauthorized activities on a website on behalf of authenticated users by getting them to visit a specially crafted webpage. These types of attacks leverage the fact that every request to a website includes cookies and many sites rely on these cookies for authentication purposes.
Mozilla has pointed out that the current web architecture does not allow websites to reliably determine if a request has been initiated legitimately by the user or if it comes from a third-party script.
“To compensate, the same-site cookie attribute allows a web application to advise the browser that cookies should only be sent if the request originates from the website the cookie came from,” members of the Mozilla Security Team explained in a blog post. “Requests triggered from a URL different than the one that appears in the URL bar will not include any of the cookies tagged with this new attribute.”
Firefox 60, currently scheduled for release on May 9, will attempt to protect users against CSRF attacks with same-site attributes that can have one of two values: strict or lax.
In strict mode, when users click on an inbound link from an external site, they will be treated as unauthenticated even if they have an active session as cookies will not be sent.
In lax mode, cookies will be sent when users navigate safely from an external website (e.g. by following a link), but they will not be sent on cross-domain subrequests, such as the ones made for images or frames. The lax mode is designed for applications that may be incompatible with the strict mode.
Intel Processors Now Allows Antivirus to Use Built-in GPUs for Malware Scanning 25.4.2018 thehackernews Safety Global chip-maker Intel on Tuesday announced two new technologies—Threat Detection Technology (TDT) and Security Essentials—that not only offer hardware-based built-in security features across Intel processors but also improve threat detection without compromising system performance. Intel's Threat Detection Technology (TDT) offers a new set of features that leverage hardware-level telemetry to help security products detect new classes of threats and exploits. It includes two main capabilities—Accelerated Memory Scanning and Advanced Platform Telemetry. Accelerated Memory Scanning allows antivirus programs to use Intel's integrated GPU to scan and detect memory-based malware attacks while reducing the impact on performance and power consumption. "Current scanning technologies can detect system memory-based cyber-attacks, but at the cost of CPU performance," says Rick Echevarria, Intel security division Vice President. "With Accelerated Memory Scanning, the scanning is handled by Intel's integrated graphics processor, enabling more scanning, while reducing the impact on performance and power consumption." According to Intel, early tests using the new GPU-accelerated scanning technique suggest that CPU utilization for malware threat scans "dropped from 20 percent to as little as 2 percent"—that's obviously a massive increase in efficiency.
The other TDT feature is Intel Advanced Platform Telemetry that incorporates cloud-based machine learning and endpoint data collection to better identify potential security threats, "while reducing false positives and minimizing performance impact." Intel's new Thread Detection Technology solution will be available for computers with 6th, 7th, and 8th generation Intel processors, though it's up to third-party antivirus vendors to actually utilize the feature. Microsoft and Cisco are the first ones to make use of Intel's Threat Detection Technology (TDT), with the Intel TDT coming to Windows Defender Advanced Protection Threat (ATP) this month. The second security solution launched by the chip maker is Intel Security Essentials—a built-in toolkit which includes a bunch of different hardware-based security features available across Intel Core, Xeon, and Atom processors. Intel Security Essentials has following properties that offer a chain of trust to protect against a wide range of attacks: Hardware Root of Trust—Cryptographic keys protected by hardware Small Trusted Computing Base—Protecting keys, IDs, and data using hardware trusted platform module (TPM) Defence in Depth—Hardware and software protection Compartmentalization—Hardware-enforced barriers between software components Direct Anonymous Authentication—Cryptographic schemes to offer anonymous authentication of a device for privacy (especially for IoT devices) HW Security escalation—Enabling hardware acceleration of cryptographic calculation, antivirus scanning, and key generation The announcement comes after serious security vulnerabilities—Meltdown and Spectre—badly hit Intel CPUs and chips from other companies earlier this year, and the security patches rolled out by the companies increased load for the CPU, affecting device performance.
Oath Pays $400,000 in Bug Bounties in One Day 23.4.2018 securityweek Safety
Internet media company Oath paid more than $400,000 in bounties during the H1-415 one-day HackerOne event in San Francisco, where 41 hackers from 11 countries were present.
HackerOne’s second annual live-hacking event lasted for nine hours but resulted in breaking multiple records on Saturday, April 14, 2018. The Oath security team was present on the floor to work with the hackers, assess the impact of discovered flaws, patch the vulnerabilities, and pay rewards.
Oath, a media and tech company that owns brands such as Yahoo, AOL, Verizon Digital Media Services, TechCrunch and many more, has also introduced its consolidated private bug bounty program for the first time.
In a blog post on Friday, Oath CISO Chris Nims formally announced the company’s unified bug bounty program, which brings together the programs previously divided across AOL, Yahoo, Tumblr and Verizon Digital Media Service (VDMS).
The programs have already enjoyed the participation of more than 3,000 researchers globally. Over the past four years, Oath paid over $3 million in bounties to the reporting researchers.
“Our new program will combine our existing bug bounty operations into one united program, establishing a foundation to expand our program in the future,” Nims says.
Operated on the HackerOne platform, the AOL, VDMS and Tumblr programs are private, access being available on an invite-only basis. Yahoo properties, however, will be open to the public, Oath says. The H1-415 event was meant to kick-off the new chapter in the company’s bounty program.
“Surfacing vulnerabilities and resolving them before our adversaries can exploit them is essential in helping us build brands people love and trust. Whether they had been participating in our programs for years or were looking at Oath assets for the first time, it was empowering to witness the dedication, persistence and creativity of the hacker community live and in-person,” Nims said.
According to Nims, Oath offers some of the most competitive rewards when compared to other bug bounty programs, with a vulnerability’s impact being a determining factor when deciding on a payout. During assessment, the company looks at what data the flaw could expose, the sensitivity of the data, the role it plays, network location, and the permissions of the server involved.
“It's our hope that with this unified bug bounty program, we will continue to increase the effectiveness of outside reporting and ultimately the security of Oath and its users,” Nims concluded.
Not only did the H1-415 event allow hackers to find flaws in Oath’s products, but it also allowed around 40 middle and high school students from the Bay Area to learn about cyber-security, HackerOne reveals.
The students met with the hackers and learned about how they started and what opportunities bug bounty programs provided them with.
“Thank you to our hackers that traveled from near and far to help secure such an incredible brand. Thank you to Oath for all their work and dedication to working with the community to build strong relationships and resolve bugs quickly. Finally, thank you to all the students, teachers, volunteers, staff, vendors and others that gave up their Saturdays to be part of something great,” HackerOne concluded.
AlienVault presents OTX Endpoint Threat Hunter, its innovative free endpoint scanning service 22.4.2018 securityaffairs Safety
Threat intelligence firm AlienVault announced the launch of a free endpoint scanning service, called OTX Endpoint Threat Hunter. Threat intelligence firm AlienVault announced the launch of a free endpoint scanning service, called OTX Endpoint Threat Hunter, that allows private firms and security experts to identify threats in their networks.
“OTX Endpoint Threat Hunter is a free threat-scanning service in Open Threat Exchange that allows you to detect malware and other threats on your critical endpoints using OTX threat intelligence. This means that you can now harness the world’s largest open threat intelligence community to assess your endpoints against real-world attacks on demand or as new attacks appear in the wild—all. for. free.” states the announcement published by AlienVault.
The OTX Endpoint Threat Hunter service is part of the AlienVault Open Threat Exchange (OTX) platform that currently provides more than 19 million threat indicators contributed by over 80,000 users.
This means that users can assess their infrastructure by using threat information collected by the world’s largest open threat intelligence community.
OTX Endpoint Threat Hunter is a free threat-scanning service that allows users to detect malware and other threats on endpoints using OTX threat intelligence.
The new service uses lightweight endpoint agent, the AlienVault Agent, that executes predefined queries against one or more OTX pulses, the agent can be installed on Windows, Linux and other endpoint devices.
Each pulse includes a complete set of data on a specific threat, including IoCs.
OTX Endpoint Threat Hunter is directly integrated in OTX, this means that users can start using it without the use of other security tools as explained by AlienVault.
If you haven’t already, register with the Open Threat Exchange (OTX). It’s free to join. Download and install the AlienVault Agent on the Windows or Linux devices* you want to monitor. The AlienVault Agent is immediately ready to find threats. Launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IOCs in one or more OTX pulses. The AlienVault Agent executes the query, and within moments you can view the results of the query display across all your endpoints on a summary page within OTX. OTX Endpoint Threat Hunter can also be used to scan for processes running without a binary on disk, scan for crypto-mining activity and scan for installed malicious / annoying Chrome extensions.
AlienVault has described several scenarios where Endpoint Threat Hunter can be effective, including:
Identify whether your endpoints have been compromised in a major malware attack. Assess the threat posture of your critical endpoints. Query your endpoints for other suspicious activities. Users can also scan all the endpoints against multiple pulses at once, the OTX Endpoint Threat Hunter allows to scan against pulses as well as YARA rules in multiple ways:
Scan all AlienVault-contributed Pulses Scan by all AlienVault-contributed YARA Rules (Linux only) Scan by all pulses you subscribe to (all pulses updated in the last 7 days) Scan by all pulses you subscribe to (all pulses updated in the last 30 days)
Microsoft Announces New Windows Platform Security Technology 21.4.2018 securityweek Safety
Microsoft on Thursday announced Windows Defender System Guard runtime attestation, a new Windows platform security technology set to roll out to all editions of Windows.
Meant to mitigate attacks in software, the runtime attestation takes advantage of the same hardware-rooted security technologies in virtualization-based security (VBS) as Credential Guard, Microsoft says.
The new security technology can provide supplementary signals for endpoint detection and response (EDR) and antivirus vendors, and can detect artifacts of kernel tampering, rootkits, and exploits. Moreover, it can be used for preventing cheating in games, protecting sensitive transactions (banking apps, trading platforms), and providing conditional access (enabling device security-based access policies).
“Apps and services can take advantage of this attestation technology to ensure that the system is free from tampering and that critical processes are running as expected. This hardware-rooted ‘proof-of-health’ can then be used to identify compromised machines or gate access to critical cloud services. Runtime attestation serves as a platform for a wide variety of advanced security applications,” Microsoft notes.
The first phase of Windows Defender System Guard runtime attestation will arrive with the next Windows 10 update to lay the groundwork for future innovation, Microsoft says. It will allow for the building of new operating system features to detect and communicate violations of security promises in the event of a full system compromise, such as through a kernel-level exploit.
Microsoft is also working on delivering a client API for using runtime attestation. The API would deliver a runtime report containing information from Windows Defender System Guard runtime attestation on the security posture of the system, which includes runtime measurements of sensitive system properties.
“For the runtime report to have any significant meaning, it must be generated in a fashion that provides reasonable resistance against tampering,” Microsoft explains.
Because of that, the runtime report generation must be isolated from an attacker, the isolation must be attestable, and the report must be cryptographically signed in such a manner that an attacker cannot reproduce outside the isolated environment.
This is where the virtualization-based security enclaves enter into play. These make the connection between a ‘normal’ world running the NT kernel and a ‘secure’ world running a Secure Kernel. From the VBS enclave, the runtime attestation can attest to a set of security properties contained in a report.
“VBS enclaves can also expose an enclave attestation report signed by a VBS-specific signing key. If Windows Defender System Guard can obtain proof that the host system is running with VSM active, it can use this proof together with a signed session report to ensure that the particular enclave is running,” the tech giant explains.
The runtime report is signed with a private key that never leaves the enclave. A session report produced by the Windows Defender System Guard attestation service backend is also signed. Both reports can be verified by relying parties by checking the signatures against the session certificate and ensuring the certificate is validly signed, rooted in the relevant Microsoft CA.
While networking calls between the enclave and the Windows Defender System Guard attestation service are made from the NT kernel, the attestation protocol has been designed in a manner that ensures its resiliency against tampering even over untrusted transport mechanisms, Microsoft says.
A security level is assigned to each attestation service-signed session report, thus informing on what level of trust in the runtime report can be expected. The highest level of trust likely requires VBS-capable hardware and OEM configuration; dynamic root-of-trust measurements at boot; secure boot to verify hypervisor, NT, an SK images; and a secure policy ensuring hypervisor-protected code integrity (HVCI)-enforced kernel mode code integrity (KMCI), and that test-signing and kernel debugging are disabled.
“The security level exposed in the session report is an important and interesting metric in and of itself. However, Windows Defender System Guard can provide so much more – specifically in respect to runtime measurement of system security posture,” Microsoft notes.
The assertion logic will be delivered in-band in the next update to Windows, but Microsoft aims at delivering the scripts out-of-band in the future. The approach would allow the company to immediately respond to security events without delivering a component update via servicing.
“Future innovations will make achieving persistence harder, making transient malicious changes more difficult. The idea is to continually elevate defense across the entire Windows 10 security stack, thereby pushing attackers into a corner where system changes affecting security posture are detectable. One can think of runtime attestation as being more about detecting minute symptoms that can indicate an attack rather than looking for flashing signals,” Microsoft says.
FDA Reveals New Plans for Medical Device Security 21.4.2018 securityweek Safety
The U.S. Food and Drug Administration (FDA) this week announced its medical device safety action plan, which includes seeking additional funding and authorities that would help it improve cybersecurity in the healthcare industry.
The FDA’s plan focuses on five key areas and medical device cybersecurity is one of them. As part of its efforts to keep up with emerging threats and vulnerabilities, the agency wants the authority to require medical device manufacturers to include updating and patching capabilities into the design of their products.
The organization also wants vendors to create a “Software Bill of Materials,” which should help medical device customers and users determine which systems may be impacted by vulnerabilities.
“The additional authorities we seek are to further strengthen medical device security by directly addressing challenges healthcare delivery organizations and providers have encountered as a result of cyber campaigns and attacks such as WannaCry,” an FDA spokesperson told SecurityWeek.
The agency would require that “new devices entering the market have a demonstrated capability of patchability and updatability built into the design architecture of the device, and that a patch management process and plan is provided by the manufacturer for premarket review,” the spokesperson said.
As for the Software Bill of Materials, the measure is inspired by one of the recommendations made recently by the Health Care Industry Cybersecurity Task Force. A bill of materials would be issued for each piece of medical technology to describe its components and the risks associated with those components, which can help users understand the impact of certain threats and vulnerabilities.
The FDA also plans on updating its premarket guidance for medical device cybersecurity to better protect against moderate risks, which it has described as ransomware and other attacks that could disrupt clinical operations and delay patient care, and major risks, such as the remote exploitation of a vulnerability that can be used in a “multi-patient, catastrophic attack.”
The agency’s plans also include requiring companies to adopt policies and procedures for coordinated disclosure of vulnerabilities.
Finally, the FDA says it’s exploring the development of a CyberMed Safety (Expert) Analysis Board (CYMSAB), which it has described as a “public-private partnership that would complement existing device vulnerability coordination and response mechanisms and serve as a resource for device makers and FDA.”
The CYMSAB’s tasks would include assessing vulnerabilities and assisting with coordinated disclosure, evaluating risks and proposed mitigations, and adjudicating disputes. One interesting role of this entity would be to send experts to investigate compromised devices at the request of a manufacturer or the FDA.
AlienVault Launches Free Endpoint Scanning Service 20.4.2018 securityweek Safety
Unified security management and threat intelligence provider AlienVault this week announced the launch of a free scanning service that allows organizations to identify threats and risks in their environments.
The new OTX Endpoint Threat Hunter service is part of the AlienVault Open Threat Exchange (OTX) platform, which allows private firms, security researchers, and government agencies to openly collaborate and share information on emerging threats, attack methods, and malicious actors.
OTX can be accessed for free by anyone and provides more than 19 million threat indicators contributed by over 80,000 users. The new Endpoint Threat Hunter service is available to any registered OTX user.
Endpoint Threat Hunter allows organizations to discover threats on critical machines and assess the risk of malware and other attacks, AlienVault said.
The service relies on AlienVault Agent, a lightweight endpoint agent that executes predefined queries against one or more OTX pulses – each pulse includes a summary of the threat, a view into the targeted software, and related IoCs. The agent can be easily installed on Windows, Linux and other endpoint devices.
AlienVault has described several scenarios where Endpoint Threat Hunter can be useful. For example, in case of a global malware attack, users can select the pulse associated with the threat and initiate a scan. Once the scan has been completed, a list of the endpoints impacted by the malware is displayed.
Users can also conduct scans for multiple pulses – for example, all pulses updated in the past week or the past month, or only pulses contributed by AlienVault researchers.
OTX Endpoint Threat Hunter can also be used to initiate scans that look for processes running only in memory (a common tactic used by malware), cryptocurrency mining activity, and malicious or annoying Chrome extensions.
FireEye Unveils New Solutions, Capabilities 20.4.2018 securityweek Safety
FireEye this week made several announcements, including the launch of new solutions and capabilities, new pricing and packaging models, and a strategic partnership with Oracle.
One of the new solutions is SmartVision Edition, an offering designed to help organizations detect malicious traffic moving within their network.
An addition to the FireEye Network Security offering, SmartVision Edition is designed to provide deep visibility into suspicious lateral traffic in order to help companies identify attempts to steal passwords, intellectual property and other sensitive data.
FireEye launches new products and capabilities
SmartVision is powered by an analytics and correlation engine, more than 120 post-breach detection rules derived from Mandiant investigations, detonation capabilities for suspicious files and objects, and a machine learning data exfiltration module.
The security firm also announced new deep learning-based capabilities for its Email Security product. The new functionality should improve detection of email-based threats, including impersonation attacks (e.g. BEC scams) and phishing.
The company says its Email Security product also helps detect anomalous behavior patterns associated with threats other than malware, it should improve the productivity of SOC analysts by grouping related emails, and retroactively detects threats missed during initial analysis to accelerate response and minimize impact.
FireEye also revealed that it has combined its Endpoint Security product with a managed detection and response (MDR) service.
Endpoint Security provides endpoint protection (EPP) technologies and endpoint detection and response (EDR) capabilities that help organizations detect threats based on their signature, behavior and data from deep investigation tools. Managed Defense (FireEye as a Service) is designed to detect stealthy attacker behavior using intelligence and insights from the company’s frontline experts.
The two have been combined into FireEye Endpoint Security and Managed Defense to provide a comprehensive solution that helps organizations stay secure, FireEye said.
All of the new solutions and capabilities integrate with the FireEye Helix security operations platform.
FireEye also announced that it has simplified pricing and packaging. Organizations can acquire different types of solutions based on a per-year subscription depending on their needs. The four types of packages available are FireEye Endpoint Security, FireEye Network Security, FireEye Email Security, and FireEye Security Suite. The Security Suite is a complete solution that combines all products.
As for the partnership with Oracle, FireEye says its Email Security solution has been integrated with Oracle Cloud.
Microsoft Launches Windows Defender Extension for Chrome 20.4.2018 securityweek Safety
Microsoft has rolled out a new Windows Defender Browser Protection extension to help Chrome users stay safe from malware and phishing websites.
Aimed at delivering real-time protection, the browser extension can prevent online threats such as links in phishing emails, as well as websites that trick users into downloading and installing malicious software.
The manner in which Windows Defender Browser Protection works is pretty straightforward: it checks the accessed websites against a list of malicious URLs, to ensure that users stay secure when navigating the Internet using Chrome.
Thus, whenever a user clicks on a malicious link in an email or ends up navigating to a website specifically designed to deceive victims into disclosing personal, financial, or other sensitive information, or which hosts malware, the new Chrome extension displays an alert.
“If the malicious link matches one on the list, Windows Defender Browser Protection will show a red warning screen letting you know that the web page you are about to visit is known to be harmful, giving you a clear path back to safety with one click,” Microsoft says.
The list of harmful sites known to Microsoft is constantly being updated, so that Windows Defender Browser Protection can keep users safe from newly discovered phishing and socially engineered malware sites.
The Chrome extension takes advantage of the same intelligence that powers Microsoft Edge’s protection capabilities, allowing users to add an extra layer of security when browsing online.
Based on NSS Labs 2017 Web Browser Security Comparative Reports (which tested Chrome 60.0.3112.113, Edge 40.15063.0.0, and Firefox 55.0.3 running on Windows 10 Pro Enterprise), Microsoft Edge can deliver a much more efficient protection compared to Chrome and Firefox.
When measuring the browsers’ protection against phishing attacks, NSS Labs found that Edge could block 92.3% of phishing URLs, while Chrome’s rate was of 74.5% and Firefox fell behind at 61.1%. Furthermore, Edge blocked 99.5% of the Socially Engineered Malware (SEM) samples, Chrome blocked 87.5% of them, while Firefox only prevented 70.1% of samples.
The new Windows Defender Browser Protection extension is available through the Chrome Web Store.
Kaspersky Lab this week announced the launch of a new product designed to help companies protect their hybrid cloud environments against both internal and external threats.
According to the security firm, the new Kaspersky Hybrid Cloud Security can be integrated with Amazon Web Services (AWS) and Microsoft Azure, and it offers orchestration and protection capabilities to organizations of all sizes.Kaspersky launches Hybrid Cloud Security
The new offering also includes system hardening, operational hygiene, workload defense, and runtime protection capabilities, Kaspersky says.
In an effort to solve problems related to lack of visibility, which are often introduced by the use of multiple cloud management panels, Kaspersky says Hybrid Cloud Security integrates seamlessly with internal and virtual infrastructure.
The product allows security teams to control who can access corporate data in the cloud and on premises, and receive notifications whenever potential misuse is detected.
Kaspersky says its new product can detect ransomware and other threats, and block exploits. Hybrid Cloud Security also includes vulnerability assessment and automated patch management capabilities.
“Keeping in mind how much valuable data is now stored in the cloud, it is critical for businesses to ensure they have holistic protection and visibility across all cloud platforms,” said Vitaly Mzokov, solution business lead, Kaspersky Lab.
“Our philosophy is to create a well-balanced blend of best-of-breed protection, resource efficiency, and enterprise-level orchestration capabilities for public and private cloud environments. We are sure that this combination will provide our customers with a secure migration to Amazon and Microsoft Azure cloud within their digital transformation projects,” Mzokov added.
New Windows Defender Browser Protection Chrome extension aims to protect them from online threats. 20.4.2018 securityaffairs Safety
Microsoft announced the new Windows Defender Browser Protection extension that aims to protect them from online threats. Microsoft has a surprise for Chrome users in the Chrome Web Store, it’s the new Windows Defender Browser Protection extension that aims to protect them from online threats.
The new extension will help users in avoiding phishing emails, as well as, websites delivering malware.
links in phishing emails, as well as websites that trick users into downloading and installing malicious software.
“The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer. ” reads the description provided by Google on its store for the Windows Defender Browser Protection extension.
To protect Chrome users, Windows Defender Browser Protection checks the URL accessed against a list of malicious URLs, in the case it matches the list Windows Defender Browser Protection will show a red warning screen that informs users on the risks related to the malicious URL
The Chrome extension takes advantage of the same intelligence that powers Microsoft Edge’s protection capabilities, allowing users to add an extra layer of security when browsing online.
Microsoft aims to reach the level of security implemented with the Edge browser, according to the NSS Labs 2017 Web Browser Security Comparative Report while Edge blocked 99 percent of phishing attempts, Chrome blocked 87 percent and 70 percent in Firefox.
The NSS Labs report also measured the level of protection for each browser against phishing attacks.
According to NSS Labs, the Edge browser could block 92.3% of phishing URLs and 99.5% of the Socially Engineered Malware (SEM) samples, while Chrome was able to block 74.5% of phishing URLs 87.5% of SEM samples.
A vast majority of the companies present this week at the 2018 RSA Conference in San Francisco have not implemented the DMARC email authentication system on their domains, opening the door to fraudulent and fake emails.
Valimail, a San Francisco-based company that provides email authentication solutions, has analyzed the primary domains of 553 RSA Conference exhibitors and discovered that only 5.1 percent (28 firms) have properly implemented DMARC (Domain-based Message Authentication, Reporting and Conformance).
Valimail’s Domain Checker tool shows that the list of organizations whose domains are protected by DMARC includes Microsoft, F5 Networks, Splunk, Lookout, Malwarebytes, CrowdStrike, AlienVault, AWS and the U.S. Department of Justice.
The fact that the Justice Department is on this list is not surprising considering that the DHS issued a Binding Operational Directive (BOD) last year instructing all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.
Valimail data shows that 18.6 percent of RSA Conference exhibitors have valid DMARC records, but have not enforced policies, which means their domains can still be impersonated by fraudsters and phishers.
More than 72 percent of the cybersecurity firms present at RSA have not bothered with DMARC at all, and four percent of them have invalid DMARC records.
DMARC has been around for several years, but adoption rates are relatively low in both private sector organizations and government agencies. One would expect companies that provide cybersecurity services to ensure their domains are protected, but Valimail data shows the contrary.
However, Valimail has found that many of the RSA exhibitors do implement some form of email spoofing protection, namely Sender Policy Framework (SPF).
DMARC is based on the SPF email validation system and the DomainKeys Identified Mail (DKIM) email authentication method. Valimail has found that 381 of the companies at RSA (representing nearly 69%) have valid SPF records for their domains.
“Phishing is one of the most common tactics employed by bad actors looking to defraud others, and impersonation attacks are the easiest variant to pull off,” Dylan Tweney, head of communications at Valimail, told SecurityWeek. “Despite DMARC being an open standard that, when used properly, will prevent these types of attacks, we’ve seen industry after industry struggle to adopt DMARC – and the cyber security industry is no different.”
“But today’s cloud service architecture makes it extremely difficult to properly implement and manage DMARC across a company, no matter what space you’re in. As companies look towards addressing this vulnerability, they need to look at tools like automation that can keep pace with today’s fluid email infrastructures,” Tweney added.
Released in the stable channel on Tuesday, Chrome 66 removes trusts in website certificates that Symantec issued before June 1, 2016, while also bringing a trial of Site Isolation, and patching 62 vulnerabilities.
The removal of trust in older Symantec certificates was triggered by the improper issuance of numerous digital certificates over the course of several years. Last year, Google said it wanted all website certificates issued by the Certificate Authority to be replaced until Chrome 70 arrives this fall. Mozilla too will completely remove trust in root certificates issued by Symantec.
Symantec last year sold its Certificate Authority business to DigiCert, which revealed last month that over 99% of the top 1 million websites already replaced the Symantec certificates. DigiCert has been issuing trusted certificates for the Symantec, Thawte, GeoTrust and RapidSSL brands since Dec. 1, 2017.
“Chrome 66 will not trust website certificates issued by Symantec's legacy PKI before June 1st 2016, continuing the phased distrust outlined in our previous announcements,” Google now says.
The new browser release also includes a small percentage trial of Site Isolation, in preparation of the feature’s broader launch. Announced in Chrome 63, Site Isolation is meant to improve the application’s overall security and to mitigate the security risks posed by the Spectre vulnerability.
Additionally, the new Chrome update includes 62 security fixes, including two Use after free in Disk Cache, rated Critical severity. Tracked as CVE-2018-6085 and CVE-2018-6086, both were reported by Ned Williamson.
More than half of the vulnerabilities were reported by external researchers, namely the pair of Critical bugs, 6 vulnerabilities rated High severity, 16 rated Medium risk, and 10 considered Low severity.
The High risk flaws were: Use after free in WebAssembly (CVE-2018-6087), Use after free in PDFium (CVE-2018-6088), Same origin policy bypass in Service Worker (CVE-2018-6089), Heap buffer overflow in Skia (CVE-2018-6090), Incorrect handling of plug-ins by Service Worker (CVE-2018-6091), and Integer overflow in WebAssembly (CVE-2018-6092).
The Medium severity issues addressed in Chrome 66 affected Service Worker, Oilpan, file upload, Omnibox, DevTools, Permissions, and V8. Google also addressed two Fullscreen UI spoof vulnerabilities.
The Low risk bugs impacted FileAPI, file://, DevTools, WebAssembly, and Navigation. The new browser release also addresses a CSP bypass, a SmartScreen bypass in downloads, confusing autofill settings, and an incorrect use of Distributed Objects in Google Software Updater on MacOS.
The updated application is available for download as Chrome 66.0.3359.117, for Windows, Mac and Linux. It should be delivered to existing users within the next several days or weeks.
CrowdStrike this week unveiled its new Falcon Endpoint Protection Complete solution and announced the addition of an automated threat analysis module to its Falcon platform.
Falcon Endpoint Protection Complete is a turnkey solution that combines Falcon Endpoint Protection technology with the experience and skills of the Falcon Endpoint Protection team.
CrowdStrike says the new solution, which can be used by organizations of all sizes, unifies people, technology and processes to address every aspect of endpoint security, from deployment, configuration and maintenance to monitoring, alert handling and remediation.CrowdStrike unveils new solutions
The new threat analysis subscription module added by CrowdStrike to its Falcon platform is called Falcon X and it’s designed to help analysts conduct comprehensive investigations in just seconds instead of hours or days, the endpoint security firm says.
Falcon X combines malware search, malware sandboxing and intelligence to provide indicators of compromise (IOCs) for the threat being analyzed and all its known variants. The results are shared with other security products via an API, including firewalls, gateways and orchestration tools.
Threat intelligence data associated with the analyzed attack is displayed alongside alerts to help analysts understand the risks and quickly take action.
CrowdStrike also announced that its Falcon Insight endpoint detection and response (EDR) solution now includes two new features designed to provide incident responders immediate access to all systems across the distributed enterprise.
The company says the new features, Real Time Response and Real Time Query, leverage the existing Falcon sensors, cloud and console without any impact on performance or infrastructure.
“The Real Time Response feature adds powerful interactive capabilities, delivering instant visibility into the local file system, registry, network, and more. It also allows responders to close the door on threats by killing malicious processes and removing remaining traces left behind by the attacker,” CrowdStrike explained. “Real Time Query delivers the ultimate visibility and control to responders, empowering them through custom-tailored information collection and response actions.”
Intel announced the new Threat Detection Technology and Security Essentials 18.4.2018 securityaffairs Safety
Intel announced a new Threat Detection Technology and a framework of critical root-of-trust hardware security capabilities in its chips. Intel continues to innovate its products, the tech giant announced two new technologies, the Threat Detection Technology (TDT) and Security Essentials.
The Threat Detection Technology leverages the silicon-level telemetry and functionality to allow security products detect sophisticated threats.
The new Intel Threat Detection Technology (TDT) includes two main capabilities, the Accelerated Memory Scanning and Advanced Platform Telemetry.
The Accelerated Memory Scanning feature allows anti-malware solutions to use Intel’s integrated GPU to scan and detect fileless malware attacks without having any impact on performance and power consumption.
Microsoft will integrate the Accelerated Memory Scanning feature into Windows Defender Advanced Threat Protection (ATP) within a couple of weeks.
According to Intel researchers, using the GPU instead of the CPU to scan the memory will allow frequent scanning reducing the impact on performance, Intel tests revealed that the CPU usage dropped from 20 percent to as little as 2 percent.
“The first new capability is Accelerated Memory Scanning. Current scanning technologies can detect system memory-based cyberattacks, but at the cost of CPU performance.” reads the announcement published by Intel
“With Accelerated Memory Scanning, the scanning is handled by Intel’s integrated graphics processor, enabling more scanning, while reducing the impact on performance and power consumption. Early benchmarking on Intel test systems show CPU utilization dropped from 20 percent to as little as 2 percent”
The second Intel Threat Detection Technology is Intel Advanced Platform Telemetry that was designed to include cloud-based machine learning and endpoint data collection to improve threat detection.
“Intel Advanced Platform Telemetry combines platform telemetry with machine learning algorithms to improve the detection of advanced threats, while reducing false positives and minimizing performance impact.” continues Intel. The New Intel Advanced Platform Telemetry technology will first be integrated into Cisco Tetration, a solution designed to provide data center security and cloud workload protection.
Intel has announced Security Essentials, a set of critical root-of-trust hardware security capabilities in Intel chips, including Core, Xeon and Atom processors.
“These capabilities are platform integrity technologies for secure boot, hardware protections (for data, keys and other digital assets), accelerated cryptography and trusted execution enclaves to protect applications at runtime.” continues Intel“This standard set of capabilities will accelerate trusted computing as customers build solutions rooted in hardware-based protections.”
Trend Micro Analyzes Writing Style to Detect Email Fraud
Trend Micro on Monday unveiled a new capability that allows its products to identify email fraud attempts by using a writing style analysis system powered by artificial intelligence (AI).
The new Writing Style DNA, which Trend Micro has integrated into multiple products, uses AI to create a blueprint of a user’s style of writing based on more than 7,000 characteristics.
The text of every incoming email is compared to the trained AI model. If it doesn’t match the known writing style, a warning is sent out to the intended recipient, the apparent sender – in business email compromise (BEC) attacks the fake email comes from a spoofed address or a hacked account – and the company’s IT department.
Writing Style DNA also allows executives to provide feedback on flagged emails to help improve detection rates and reduce false positives.
The new capability is expected to become generally available in June 2018 as part of Trend Micro’s Cloud App Security product for Microsoft Office 365 and the ScanMail Suite for Microsoft Exchange. It will also be included at no extra charge in other existing BEC protection systems. Beta versions are already available.
BEC scams involve fake emails typically referencing payments and transfers. They can be designed to impersonate a foreign supplier requesting a fund transfer to a new account, CEOs and other executives making transfer requests to employees in finance, or an employee/executive asking vendors to make payments to a specified bank account.
Last year, the FBI reported that BEC attacks caused losses of roughly $5.3 billion between 2013 and 2016 to more than 40,000 victims, and Trend Micro predicts that the total will increase to $9 billion this year.
Trend Micro also announced this week the general availability of Phish Insight, a free phishing simulation platform designed to help IT teams train employees to spot attacks.
“All it takes is one administrator, four steps and five minutes to run a real-world exercise designed to mimic what employees might see at their desks,” Trend Micro said. “With the detailed reporting results, displayed in a handy graphical interface, IT teams can then tailor their education programs to make lasting behavioral changes.”
Phish Insight has been available in Asia for a year and Trend Micro has now announced that the service can be used for free by organizations all around the world.
Intel Unveils New Threat Detection Technology 17.4.2018 securityweek Safety
Intel late on Monday announced two new security-related technologies, including a threat detection system and a framework for building protection into processors, and a strategic collaboration with Purdue University whose goal is to address the shortage of cybersecurity talent.
Following the discovery of the Meltdown and Spectre vulnerabilities, Intel has promised to take steps to avoid these types of situations through protections built into CPUs, a dedicated bug bounty program, and industry collaboration.
Intel recently detailed the protection mechanisms it plans on adding to its chips, and the company has now unveiled its Threat Detection Technology. This system uses silicon-level telemetry and functionality to help security products detect sophisticated cyber threats.Intel announces new silicon-level security technologies
One component of the Threat Detection Technology is called Accelerated Memory Scanning, which Microsoft will integrate into Windows Defender Advanced Threat Protection (ATP) later this month.
The Accelerated Memory Scanning capability will allow Windows Defender and other security products to more efficiently scan the system memory for threats by using Intel’s integrated graphics processor.
Using the GPU instead of the CPU will enable more frequent scanning, and will result in reduced impact on performance and power consumption, Intel said. Tests made by the company showed a drop in CPU usage from 20 percent to as little as 2 percent.
On the other hand, using the GPU to conduct scans can have a negative performance impact on processes that require the graphics processor, Intel admitted during a call with reporters. However, the company says it’s working on figuring out how to optimize performance based on the CPU and GPU workloads.
The second component of Intel Threat Detection Technology is called Advanced Platform Telemetry and it combines telemetry with machine learning algorithms to improve threat detection, reduce false positives, and minimize impact on performance.
The Advanced Platform Telemetry capability will first be integrated into Cisco Tetration, a product that provides holistic workload protection for multicloud data centers.
Intel has also unveiled Security Essentials, a framework that standardizes built-in security features in Intel chips, including Core, Xeon and Atom processors.
“These capabilities are platform integrity technologies for secure boot, hardware protections (for data, keys and other digital assets), accelerated cryptography and trusted execution enclaves to protect applications at runtime,” explained Rick Echevarria, vice president and general manager of Intel Platforms Security Division.
“This standard set of capabilities will accelerate trusted computing as customers build solutions rooted in hardware-based protections. Further, these capabilities, directly integrated into Intel silicon, are designed to improve the security posture of computing, lower the cost of deploying security solutions and minimize the impact of security on performance,” Echevarria added.
As for the strategic collaboration with Purdue University, Intel announced a Design for Security Badge Program whose goal is to accelerate the development and availability of cybersecurity professionals.
Cisco Launches New Email Security Services 16.4.2018 securityweek Safety
Cisco today announced new security products and services aimed at protecting email users from malware and phishing and spoofing attacks.
With malicious emails and spam continuing to be popular tools for cybercriminals looking to distribute malware, organizations should focus on protecting their domains from becoming the delivery mechanism of malicious emails, as well as defending users from phishing and spoofing attacks, Cisco says.
Through an OEM agreement with Agari, Cisco is now better positioned to market and sell new services that enhance its Email Security and is offering new email security services to its customers, namely Cisco Domain Protection and Cisco Advanced Phishing Protection.
Domain Protection prevents phishing through automated use of email authentication, and can also protect from fraud and maintain email governance through the analysis, updating, and auctioning against the misuse of domains to send malicious email.
It employs the Domain-Based Message Authentication, Reporting, and Conformance (DMARC) email authentication standard and delivers real-time reporting about noncompliant emails sent from a domain.
Advanced Phishing Protection, on the other hand, leverages machine learning to block “advanced identity deception attacks for inbound email by assessing its threat posture.” The new service validates the reputation and authenticity of senders to help organizations discover emails carrying targeted phishing and business email compromise (BEC) attacks.
To prevent malware attacks before they can hurt individuals or organizations, Cisco has added new capabilities to its Advanced Malware Protection (AMP) for Endpoints. The cloud-managed endpoint security solution now includes the necessary mechanisms to prevent fileless attacks, ransomware execution, and crypto-mining malware from infecting a system, the company says.
AMP also offers threat investigation features, courtesy of Cisco Visibility, a new cloud application built into the endpoint console. The solution combines threat intelligence from Talos and third parties with internal data (security events and alerts) from an organization’s infrastructure.
Cisco also promises fast access to data from Talos, Cisco Umbrella Investigate, Threat Grid, AMP, and other sources, all in a single place.
Through an expanded relationship with ConnectWise, Cisco Security is available for managed service providers (MSP) to include in their portfolio, thus making the new capabilities available to customers of all sizes.
A new ConnectWise Advanced Security Dashboard cloud management platform is available as part of the expanded relationship, complementing ConnectWise Unite with Cisco, the existing portal for MSPs.
The new Dashboard, which launches on April 19, offers the ability to deliver managed security services with Cisco’s AMP for Endpoints, Umbrella, Stealthwatch Cloud, Adaptive Security Appliances, Next-Generation Firewall, and Meraki MX appliances.
IBM Adds Intelligence to Incident Response, Threat Management 16.4.2018 securityweek Safety
IBM has added intelligent orchestration capabilities to its Resilient incident response platform, and launched new threat and vulnerability management services as part of its X-Force offering.
The latest announcements are what IBM has described as efforts to combine human and machine intelligence for more efficiently managing cybersecurity incidents.
The company says it has spent nearly 200,000 hours on the research and development of its new Resilient Incident Response Platform with Intelligent Orchestration, which is a result of IBM’s acquisition of Resilient Systems back in 2016.
The new orchestration capabilities allow security analysts to manage and automate hundreds of repetitive, time-consuming, and complicated response actions that until now required significant manual intervention.
IBM says the new platform provides out-of-the-box integrations and a drag-and-drop business process management notation (BPMN) workflow engine that makes it easier for security teams to investigate incidents. Integrations cover products from several major firms, including Cisco, Carbon Black, McAfee, Splunk and Symantec.
“The Resilient IRP automatically initiates activities across these partner technologies spanning monitoring and escalation, identification and enrichment, communication and coordination, and containment, response, and recovery,” IBM said.
As for the new X-Force Threat Management Services, they rely on a patented artificial intelligence engine that, according to IBM, will change the way analysts and technologies interact.
The goal is to allow analysts to more easily and efficiently investigate potential threats. Threat Management Services is powered by the new IBM X-Force Protection Platform, which combines tools from IBM and its partners with machine learning and AI algorithms to guide analysts through the threat management process and automate simple functions that previously required human intervention.
The new platform uses AI to compare an incident with real-time and historical data in order to help triage events. This includes eliminating false positives and duplicates, setting up quarantines, and escalating an incident to a higher-level analyst.
The new threat management product can be combined with the Resilient platform for more complex incident response activities.
Microsoft Office 365 Gets Built-in Ransomware Protection and Enhanced Security Features 12.4.2018 thehachernews Safety Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars. Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and business networks worldwide. From small to mid-range businesses, Microsoft Office 365 remains the most widely used and fastest-growing work office suite, so it's no surprise that it has become a primary target for viruses, ransomware, and phishing scams. In fact, most strains of ransomware target Microsoft productivity apps such as Word, Excel and encrypt sensitive data to hold the company hostage until the ransom is paid. Now, to combat such cyber attacks, Microsoft has announced some new security features for Office 365 that can help users mitigate the damage done by ransomware and other malware infections. The new features were initially introduced for OneDrive for Business, but that the company is now rolling them out to anyone who has signed up for an Office 365 Home or Personal subscription, Microsoft Office blog says. Here below I have briefed the list of new features: File Recovery and Anti-Ransomware Files Restore—Microsoft Office 365 now allows users to restore entire OneDrive to a previous point in time within the last 30 days. This feature can be used to recover files from an accidental mass delete, file corruption, ransomware, or any catastrophic event. Ransomware detection & recovery—Office 365 had also introduced a new security feature that detects ransomware attacks and alerts you through an email, mobile, or desktop notification while helping you restore your OneDrive to a point before the malware compromised files. Security and Privacy Features Office 365 has added three new features to help keep your confidential or personal data (such as tax documents, family budgets, or a new business proposal) secure and private when sharing them online. Password protected sharing links—This feature allows you to set a password for your shared file and folders, preventing unauthorized access even if your recipient accidentally forwards protected documents to others. Email encryption—This feature allows users to send/receive end-to-end encrypted emails in Outlook over a secure connection, providing additional protection to minimize the threat of being intercepted. Prevent forwarding—Microsoft now enables you to restrict your email recipients from forwarding or copying emails you send to them from Outlook. Besides this, any MS Office document attached to your emails will remain encrypted even after downloading, so if the recipient shares your attachment with others, they will not be able to open it. Advanced Protection from Viruses and Cybercrime Advanced link checking in Word, Excel, and PowerPoint—Office 365 also offers built-in real-time web protection, which monitors every link you click in Word, Excel, and PowerPoint and notifies you if it is suspicious. File Recovery and Anti-Ransomware features began rolling out starting today and will be available to all Office 365 users soon, while features to help keep your information secure and private (including password protected sharing links, email encryption, and prevent forwarding) will start rolling out in the coming weeks. Advanced link checking and advanced attachment scanning are already available in MS Outlook that protects you from previously unseen viruses and phishing scams in real-time. However, advanced link checking in Word, Excel, and PowerPoint will roll out in the second half of 2018.
New Authentication Standard Coming to Major Web Browsers 12.4.2018 securityweek Safety
Web browsers from Google, Microsoft, and Mozilla will soon provide users with a new, password-less authentication standard built by the FIDO Alliance and the World Wide Web Consortium (W3C) and currently in the final approval stages.
W3C has advanced a standard web API called Web Authentication (WebAuthn) to the Candidate Recommendation (CR) stage, the final step before the final approval of a web standard. Expected to deliver stronger web authentication to users worldwide, it is already being implemented for Windows, Mac, Linux, Chrome OS and Android platforms.
W3C’s WebAuthn API enables strong, unique, public key-based credentials for each site, thus eliminating the risk that passwords stolen on one site could be used on another. WebAuthn can be incorporated into browsers and web platform infrastructure, providing users with new methods to securely authenticate on the web, in the browser, and across sites and devices.
Along with FIDO’s Client to Authenticator Protocol (CTAP) specification, it is a core component of the FIDO2 Project, which enables “users to authenticate easily to online services with desktop or mobile devices with phishing-resistant security.”
CTAP enables an external authenticator to transmit strong authentication credentials over USB, Bluetooth, or NFC to a device that has Internet access (PC or mobile phone).
Both WebAuthn and CTAP are available today, so that developers and vendors can implement support for the new authentication methods into their products and services. Backed by leading browser vendors, the new specifications should provide ubiquitous, hardware-backed FIDO Authentication protection to all Internet users.
“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” Brett McDowell, executive director of the FIDO Alliance, said.
Enterprises and online service providers can soon deploy the new web authentication standards to protect themselves and their customers from the risks associated with passwords. The new FIDO2 specifications complement existing password-less FIDO UAF and second-factor FIDO U2F use cases. All FIDO2 web browsers and online services are backwards compatible with certified FIDO Security Keys.
The standards are currently being implemented in major web browsers, including Chrome, Firefox and Microsoft Edge. Android and Windows 10 will have built-in support for FIDO Authentication, FIDO says.
The Alliance says it would soon launch interoperability testing and that it also plans on issuing certifications for servers, clients, and authenticators adhering to FIDO2 specifications. Conformance test tools have already become available on FIDO’s website.
A new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, and CTAP) is also underway.
Web apps running in a browser on a device with a FIDO Authenticator can call to a public API to enable FIDO Authentication of users. Developers can learn more on FIDO’s new developer resources page.
With FIDO2, users would benefit from both simpler — they would log in with a single gesture, using internal / built-in authenticators (such as fingerprint or facial biometrics in PCs, laptops and/or mobile devices) or external authenticators (security keys and mobile devices) — and stronger authentication — credentials and biometric templates never leave the user’s device and accounts are protected from phishing, man-in-the-middle and replay attacks that use stolen passwords.
DMARC Not Implemented on Most White House Email Domains: Analysis 10.4.2018 securityweek Safety
Over 95% of the email domains managed by the Executive Office of the President (EOP) haven’t implemented the Domain Message Authentication Reporting & Conformance (DMARC) protocol, the Global Cyber Alliance (GCA) has discovered.
After analyzing 26 such domains, GCA discovered that 18 haven’t even started the deployment of DMARC, while 7 of them have implemented the protocol at the lowest level (“none”), which only monitors emails.
Because of that, none of these domains can prevent delivery of spoofed emails, GCA points out. Implementing DMARC ensures that fake emails (known as direct domain spoofing) that spammers and phishers send don’t end up in the users’ inboxes.
Some of the email domains under the control of the EOP include Budget.gov, OMB.gov, WhiteHouse.gov, USTR.gov, OSTP.gov and EOP.gov, all well-known email domains. Only the Max.gov domain has fully implemented the defence against email phishing and spoofing, the GCA report shows.
Without DMARC, these domains can be easily “hijacked” by phishers looking to trick government employees, government contractors, and U.S. citizens. This could lead to money theft, exfiltration of secrets, and could even putt national security at risk.
This widespread lack of DMARC implementation is surprising, given that half a year ago the U.S. Department of Homeland Security (DHS) issued a binding operational directive ordering all federal agencies to start using HTTPS, DMARC and STARTTLS.
As of October 2017, only a small percentage of federal agencies had fully implemented the system, but a January report revealed that half of the U.S. government domains had implemented the protocol, yet most had only implemented the lowest level.
Recently, 4 email domains managed by the EOP have deployed DMARC, with WhiteHouse.gov and EOP.gov, two of the most significant government domains, implementing it at its lowest setting.
“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet. The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed. The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward,” said Philip Reitinger, president and CEO of the Global Cyber Alliance.
How to Make Your Internet Faster with Privacy-Focused 1.1.1.1 DNS Service
Cloudflare, a well-known Internet performance and security company, announced the launch of 1.1.1.1—world's fastest and privacy-focused secure DNS service that not only speeds up your internet connection but also makes it harder for ISPs to track your web history. Domain Name System (DNS) resolver, or recursive DNS server, is an essential part of the internet that matches up human-readable web addresses with their actual location on the internet, called IP addresses. For example, when you try to open a website, say thehackernews.com, your DNS looks up for the IP address linked to this domain name and load the site.
Since the default DNS services provided by ISPs are often slow and insecure, most people rely on alternative DNS providers—such as OpenDNS (208.67.222.222), Comodo DNS (8.26.56.26) and Google (8.8.8.8), to speed up their Internet. But if you use Cloudflare new 1.1.1.1 DNS service, your computer/smartphone/tablet will start resolving domain names within a blazing-fast speed of 14.8 milliseconds—that's over 28% faster than others, like OpenDNS (20.6ms) and Google (34.7ms). Even if you are visiting websites over HTTPS, DNS resolvers log every site you visit, making your ISP or 3rd-party DNS services know about everything you do on the Internet. "That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them," the company says. However, Cloudflare has changed this game with its new free DNS service, which it claims, will be "the Internet's fastest, privacy-first consumer DNS service," promising to prevent ISPs from easily tracking your web browsing history. Cloudflare public DNS resolvers, 1.1.1.1 and 1.0.0.1 (as alternate DNS server for redundancy), support both DNS-over-TLS and DNS-over-HTTPS to ensure maximum privacy. The company has also promised not to sell users’ data, instead to wipe all logs of DNS queries within 24 hours. It's also working with auditors at KPMG to examine its systems and guarantee it's not actually collecting your data. How to Change DNS Settings to Boost Internet Speed For Mac PCs: Open System Preferences. Search for DNS Servers and tap it. Click the + button to add a DNS Server and enter 1.1.1.1 and 1.0.0.1 (for redundancy). Click Ok and then Apply. For Windows Computers: Tap Start and then click on Control Panel. Click on Network and Internet, and then tap Change Adapter Settings. Right-click on the Wi-Fi network you are connected to, then click Properties. Select Internet Protocol Version 4 and click Properties, and then write down any existing DNS server entries for future reference. Now tap Use The Following DNS Server Addresses, and replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1; and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001 Click OK, then Close, and Restart your browser. For Android Devices: Connect to your preferred WiFi network. Enter your router’s gateway IP address in your browser. Fill in your username and password, if asked. In your router’s configuration page, locate the DNS server settings, and enter any existing DNS server entries for future reference. Replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1, and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001 Save your settings, then restart your browser. Note: Android requires a static IP to use custom DNS servers. This setup requires additional setup on your router, affecting your network’s strategy for adding new devices to the network. Cloudflare recommends configuring your router’s DNS instead, which gives all devices on your network the full speed and privacy benefits of 1.1.1.1 DNS. For iOS Devices (iPhone/iPad): From your iPhone's home screen, open Settings. Open Wi-Fi and then your preferred network in the list. Tap Configure DNS, and then click on Manual. If there are any existing entries, tap the - button, and Delete next to each one. Now, add 1.1.1.1 and 1.0.0.1 (as alternate DNS server for redundancy) to the DNS address. Now, tap the Save button on the top right. You’re all set to go! Your device now has faster, more private DNS servers. Well, I have already switched to Cloudflare DNS service. If you too, please tell me your experience in the comments below
Microsoft Adds New Security Features to Office 365 6.4.2018 securityweek Safety
Microsoft today announced new protections for Office 365 Home and Office 365 Personal subscribers, aimed at helping them recover files, protect data, and defend against malware.
Courtesy of the newly announced protections, Office 365 Home and Office 365 Personal users can now recover their files after a malicious attack like ransomware, Kirk Koenigsbauer, Corporate Vice President for Office at Microsoft, says.
The new functionality is available through a Files Restore option that has been long available for OneDrive for Business customers. The feature is now available for personal OneDrive accounts and is enabled for both work and personal files.
With the help of Files Restore, users can restore their entire OneDrive to a previous point in time within the last 30 days. The feature should prove highly useful in a variety of situations, ranging from an accidental mass delete to file corruption, ransomware encryption, or another catastrophic event.
To further protect users, Microsoft is bringing ransomware detection and recovery features to Office 365. This feature ensures that ransomware attacks are detected and also helps users restore their OneDrive to a point before files were compromised.
“If an attack is detected, you will be alerted through an email, mobile, or desktop notification and guided through a recovery process where you’ll find the date and time of attack preselected in Files Restore, making the process simple and easy to use. As these threats evolve, we are continuously improving detection capabilities to help keep you safe from the most advanced ransomware,” Koenigsbauer notes.
Microsoft is also retrofitting Office 365 with adding three new capabilities meant to help users keep their data secure and private when sending confidential or personal information online, regardless of whether via email or through sharing a link.
For starters, the software giant is allowing users to set and require a password to access a shared file or folder in OneDrive, thus preventing unauthorized access to their files, provided that the link is accidentally shared with a third-party.
Microsoft is also providing email encryption in Outlook.com, for an added layer of protection. Through end-to-end encryption of messages, the company aims at preventing hackers from intercepting and reading users’ communication.
“Encryption is particularly useful in cases where it is unclear what level of security your intended recipients’ email providers offer. Recipients receive a link to a trusted Office 365 webpage where they can choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email,” Koenigsbauer says.
Recipients viewing encrypted emails in Outlook.com, the Outlook for iOS and Android app, or the Windows Mail app do not need to engage in extra steps to read and reply to messages. Outlook.com can also detect sensitive information like social security numbers when a new email is composed, and can provide a suggestion to send with encryption.
Additionally, users can now restrict email recipients from forwarding or copying emails sent from Outlook.com. Moreover, all Office documents attached to these emails are now encrypted even after downloading, meaning that, if they are forwarded to a third party, the recipient won’t be able to open the attachment.
Later this year, Office 365 Home and Office 365 Personal subscribers will also be able to take advantage of advanced link checking in Word, Excel, and PowerPoint. The functionality follows the advanced link checking and attachment scanning added to Outlook.com in October last year in an attempt to keep users protected from previously unseen viruses and phishing scams in real-time.
“Starting later this year, links you click in Word, Excel, and PowerPoint will also be checked in real-time to determine if the destination website is likely to download malware onto your computer or if it’s related to a phishing scam. If the link is suspicious, you will be redirected to a warning screen recommending you don’t access the site,” Koenigsbauer notes.
AWS Launches New Tools for Firewalls, Certificates, Credentials 5.4.2018 securityweek Safety
Amazon Web Services (AWS) announced on Wednesday the launch of several tools and services designed to help customers manage their firewalls, use private certificates, and safely store credentials.
Private Certificate Authority
One of the new services is called Private Certificate Authority (CA) and it’s part of the AWS Certificate Manager (ACM). The Private CA allows AWS customers to use private certificates without the need for specialized infrastructure.
Developers can now provision private certificates with just a few API calls. At the same time, administrators are provided central management and auditing capabilities, including certificate revocation lists (CRLs) and certificate creation reports. Private CA is based on a pay-as-you-go pricing model.
AWS Secrets Manager
The new AWS Secrets Manager is designed to make it easier for users to store, distribute and rotate their secrets, including credentials, passwords and API keys. The storage and retrieval of secrets can be done via the API or the AWS Command Line Interface (CLI), while built-in or custom AWS Lambda functions provide the capabilities for rotating credentials.AWS announces new security tools
“Previously, customers needed to provision and maintain additional infrastructure solely for secrets management which could incur costs and introduce unneeded complexity into systems,” explained Randall Hunt, Senior Technical Evangelist at AWS.
AWS Secrets Manager is available in the US East and West, Canada, South America, and most of the EU and Asia Pacific regions. As for pricing, the cost is $0.40 per month per secret, and $0.05 per 10,000 API calls.
AWS Firewall Manager
The new AWS Firewall Manager is designed to simplify administration of AWS WAF web application firewalls across multiple accounts and resources. Administrators can create policies and set up firewall rules and they are automatically applied to all applications, regardless of the region where they are hosted.
“Developers can develop and innovators can innovate, while the security team gains the ability to respond quickly, uniformly, and globally to potential threats and actual attacks,” said Jeff Barr, Chief Evangelist for AWS.
AWS Shield Advanced customers get the new Firewall Manager at no extra cost, while other users will be charged a monthly fee for each policy in each region.
Amazon EFS data encrypted in transit
Amazon also announced that it has added support for encrypting data in transit for the Amazon Elastic File System (EFS), a file system designed for cloud applications that require shared access to file-based storage. Support for encrypting data at rest has already been available.
The company has made it easier for users to implement encryption in transit with the launch of a new EFS mount helper tool.
Software-defined Global Network as a Service Firm Meta Networks Emerges From Stealth 3.4.2018 securityweek Safety
Meta NaaS Provides a Software-defined Virtual 'Overlay' to Existing Disjointed Physical Networks
Emerging from stealth with $10 million in seed funding led by Vertex Ventures and the BRM Group, Tel Aviv-based Meta Networks has launched Meta NaaS -- a secure software-defined virtual private network aimed at redefining the concept of distributed, cloud-employing corporate networks.
The advent of public and private cloud services and offerings, together with the growth of mobile computing and remote working, plus the tendency for most companies to combine all of these with their own on-premise resources has had one major and well-recognized effect: there is no longer a physical network perimeter that can be defined and protected. Solutions generally require point products for every device, aimed at protecting the device and its communication to other parts of the network. This rapidly becomes very complex with multiple points of possible failure.
Meta Networks Meta NaaS provides a software-defined virtual 'overlay' to existing disjointed physical networks. It is user-centric, draws on the principle of zero-trust, and brings together all aspects of remote users, mobile devices, separate branch offices, on premise data centers and cloud apps within one single software-defined overlay. It creates a new perimeter in the cloud.
Like Google's BeyondCorp, the user is key. Every user device is given a unique permanent identity at the packet level, but is also given access to an always-on virtual private network (VPN). A global distribution of PoPs ensures high performance in accessing and using the VPN from any location, and all corporate traffic from corporate users is securely sent to the NaaS before being delivered to its destination. This includes both internal resources and internet traffic -- and security is handled in the NaaS rather than at the device.
"It's worldwide," Etay Bogner, CEO and founder of Meta Networks, told SecurityWeek. "You don't have to install any appliances. You connect separate offices through their existing routers. On top of the network we are deploying best network security. So instead of having the firewall deployed as an appliance in a specific physical location, we have the firewall functionality within the cloud in every one of the PoPs, and we apply security at those locations."
The effect is to provide security in even hostile environments -- mobile employees working in internet cafes or airport waiting lounges are as secure and productive as if they were still in the office.
Meta NaaS interoperates with other cloud-delivered security solutions, supporting a best-breeds security stack for the enterprise. It delivers identity-based policy routing and packet-level identity verification; and since it is cloud-based, it promises cloud advantages: agility, scalability and cloud economics.
"Meta NaaS is a new zero-trust paradigm for the 'virtual private network' that revolves around users rather than physical topology. This shift enables enterprises to effectively restore the perimeter by protecting all employee traffic -- both corporate and internet -- all of the time," said Bogner. "What elevates our technology is the cloud-native global backbone and the comprehensive, identity-based network security architecture designed to support millions of users efficiently."
"Meta NaaS is built around network users, not a physical business location," comments Ramon Snir, senior developer at Dynamic Yield, an existing customer. This is an advantageous approach for organizations like ours that have applications in data centers and clouds around the world, as well as an increasingly mobile workforce."
Bogner is keen to stress that this is not a new rip and replace technology. "Enterprises already have existing investment in on premise security. That doesn't have to be ripped out," he told SecurityWeek. But at the same time, when licenses lapse, they don't have to be replaced. Meta NaaS provides a road map towards a cloud-only security policy.
"Over time," added Amy Arie, Meta Networks' CMO, "the NaaS will offer greater security at lower cost."
The concept can be seen in its implementation by MyHeritage. The firm has 100 sales reps around the world, with applications housed in two data centers on different continents. Without Meta Naas, this required VPNs in each data center and an IT overhead in maintaining 100 clients -- and for the reps to understand which data center they needed. With Meta NaaS it is a single connection to the NaaS. The VPN is always operational, and access policies are maintained in the NaaS.
"Compared to managing VPNs in each of our data centers," said Moshe Magal, IT team leader at MyHeritage, "the Meta NaaS solution is much simpler and more convenient both for our IT team and our users."
Meta Networks is the fourth firm founded by serial entrepreneur, Etay Bogner. His first was SofaWare, a network security vendor that was ultimately acquired by Check Point Software. The second was Neocleus, a virtualization vendor acquired by Intel. The third is Stratoscale, an AWS compatible infrastructure and services firm.
Cloudflare Launches Free Secure DNS Service 2.4.2018 securityweek Safety
Cloudflare Launches Globally Available Secure Free DNS Resolver
Cloudflare launched a new free service, designed to improve both the speed and the security of the internet, on April Fool's Day (4/1/2018). But this is no joke. The idea is that 4/1 is geekery four ones, or 1.1.1.1 -- the name and heart of the new service.
1.1.1.1 (and 1.0.0.1) is the address of Cloudflare's new, globally available, free DNS resolver service. It is similar to -- but according to Cloudflare -- faster and more secure than, Google's 8.8.8.8 service. Both address speed and security issues in the standard internet DNS look-up process. The biggest problem is security because DNS lookups are primarily controlled by ISPs; and ISPs are commercial organizations seeking to monetize data; and are often heavily controlled or influenced by governments.
In the U.S., ISPs are allowed to sell customer data -- including website visits -- to marketing firms. In the UK, ISPs are required by law to record and hand over such customer data to law enforcement, intelligence and other government agencies. In Turkey, in 2014, the Turkish government censored Twitter by getting ISPs to block DNS requests for twitter.com -- and activists took to the streets to spray paint Google's 8.8.8.8 DNS service as a workaround. Turkey has a history of using the DNS system for censorship, including a block on Wikipedia in April 2017.
Google's service is good and fast, and bypasses ISP instigated blocks, but user data is still available to Google. Cloudflare wants to provide an even faster service, but one where no commercial entity can easily monetize the user data, nor government gain access without a court order. Since the firm is committed to never writing that data to disk, and to wiping all log records within 24 hours (to be independently audited by KPMG with a published public report) there will be little historical data available anyway.
"Cloudflare's business has never been built around tracking users or selling advertising," blogged Matthew Prince, co-founder and CEO of Cloudflare, on Sunday. "We don't see personal data as an asset; we see it as a toxic asset." Cloudflare retains the log data for a maximum of 24 hours for abuse prevention and debugging issues.
“We think it’s creepy that user data is sold to advertisers and used to target consumers without their knowledge or consent,” said Prince. “Frankly, we don’t want to know what people do on the Internet -- it’s none of our business -- and we’ve designed 1.1.1.1 to ensure that we, along with ISPs around the world, can’t.”
The insecurity of the DNS infrastructure struck the team at Cloudflare, he says, as a bug at the core of the Internet, "so we set out to do something about it." The firm decided to combine a DNS Resolver with its existing Authoritative DNS service across its worldwide network, but still needed some memorable IP addresses.
Little could be more memorable than 1.1.1.1. This address was held by the APNIC research group, which agreed to provide it to the new service. "We began testing and found that a resolver, running across our global network, outperformed any of the other consumer DNS services available (including Google's 8.8.8.8)," says Prince.
1.1.1.1 is primarily a consumer service (the IPv6 numbers are 2602:4700:4700::1111 and 2602:4700:4700::1001). Technical details are provided in a separate blog written by director of engineering, Olafur Gudmundsson. The service uses DNS Query Name Minimization defined in RFC7816 to minimize the data sent, and supports privacy-enabled TLS queries on port 853 (DNS over TLS), "so," he writes, "we can keep queries hidden from snooping networks."
Furthermore, he adds, "by offering the experimental DoH (DNS over HTTPS) protocol, we improve both privacy and a number of future speedups for end users, as browsers and other applications can now mix DNS and HTTPS traffic into one single connection."
Cloudflare is working with major browsers, operating systems, app manufacturers, cloud platforms, and router manufacturers to enable DNS over HTTPS. Mozilla is already working to integrate the standard into its Firefox browser:
“Like Cloudflare, Mozilla cares about making the Internet faster and more privacy-conscious so people have a better experience on the web,” says Selena Deckelmann, senior director of engineering, Firefox Runtime at Mozilla. “We are always looking for new technologies like DNS over HTTPS to ensure Firefox is at the cutting edge of speed, privacy and improving life online.”
The resolver is built on the fairly new open source Knot Resolver from CZ NIC -- whose original main developer has been working with Cloudflare for more than two years.
The service uses Cloudflare's 149 data centers distributed around the world. "In March alone, we enabled thirty-one new data centers globally," as far apart as Pittsburgh and Houston, Reykjavik and Tallinn, and Edinburgh and Bogota, notes Gudmundsson; "and just like every other city in our network, new sites run DNS Resolver, 1.1.1.1 on day-one!"
San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 -- the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.
The security researcher Dhiraj Mishra (@mishradhiraj_) has studied how VPNs & Privacy Browsers leak users’ IPs via WebRTC Hi Internet, You might have heard about VPN’s & Privacy Browsers leaking users’ IPs via WebRTC [1] [2] Summary: Got CVE-2018-6849 reserved, wrote a Metasploit Module for this issue which uses WebRTC and collects the leak private IP address, however this module may be implemented as a new library in (browser_exploit_server.rb) in MSF. #cheers What is WebRTC ? WebRTC (Web Real-Time Communication) provides supports to web browser on a real-time communication via API.So let’s get started….There are “multiple” online services and JavaScript code available which uses WebRTC function. Even if you are using VPN’s or Privacy based browsers it leaks your actual public and private IP address.I think this is more of a privacy issue rather than security if we talk specifically in browser-based bug bounty, however, such information can help an attacker to do further recon/attack if they are in the same network.Most of the browser have WebRTC enabled by default,Mozilla Team says :This is a well-known property of webrtc – see the duplicate bug. http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-07#section-5.4 Chrome Team says : We’ve already done what we plan to do, following the guidelines in https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-04. And we offer a “Network Limiter” extension (https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en) to turn on more restrictive modes.
Don’t forget Facebook even they have Webkits and it is vulnerable too. Facebook Team says :
Hi Dhiraj,
Thank you for your report. We’ve looked into your finding but determined the information being leaked is not sensitive enough to warrant a bounty. We may consider leakage of a victims referrer header, but it would have to display a full and potentially sensitive path. However, we have protections in place which prevent this from happening. Although this finding doesn’t qualify we still appreciate your time and effort sending it in.
Okay if your an android lover, you would be aware with android webkit though, The android webkit also leaks IP address as well, I tested this on Nokia 8 android 8.1.0 and the issue still exists.
Android Team says:
The Android security team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin.
Pheewww ! then what, I started targeting privacy browser and the very first browser came in my mind was DuckDuck Go which has 1,000,000+download rate in Android market and being an privacy based browser the WebRTC was enabled over there and it leaks your IP address, I reported the same to DD Go Security Team.
Duck Duck Go Team says: Hi again Dhiraj,
Thank you for trying out the new browser and for sending this report, including the security team. They’re currently looking into this and I’ll let you know if any further information is needed.
There’s a similar discussion in the Firefox Focus for Android repository on GitHub, so we’ll keep an eye on that too: https://github.com/mozilla-mobile/focus-android/issues/609
Hmmmm cool, then CVE-2018-6849was assign for this issue, However I keep on taking follow up for them but they are taking too long time to patch. #Unpatched
Then I thought of creating module for this, many thanks to Brendan Coles who helped me in this and even suggested this can be used has a functionality to a HTTP library would be more useful, as it could be leveraged by existing exploits and info gathering modules.
Working of my MSF Module on DuckDuck Go Privacy Browser In between RageLtMan also gave his thoughts that “I could actually see a benefit to this being in lib for use by things like #8648. I can inject the separate script ref in the response via the MITM mechanism, but would be cool to just generate and serve the JS directly (for any script we think will have more than 2 weeks of lifetime in browsers). Thanks for the PR”
Outcome: So lets see, I started with private IP leak vulnerability which turned to CVE-2018-6849, which gave rise to a Metasploit module, which will in turn became a part of MSF library,
now that’s cool. Hope you like the read…… https://datarift.blogspot.it/p/private-ip-leakage-using-webrtc.html About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)
Ensuring best website security through SSL Certificate updates. 31.3.2018 securityaffairs Safety
What are the advantages for adopting an SSL Certificates and why is it important to discover and analyze SSL Certificates online? Secure Socket Layer (SSL) has gained weight with the increasing concern of security for all sensitive data online. In fact, it is the only reliable source for secure business and data handling. The entire information that travels between the computers all over the world is kept fully safe from potential dangers with the help of SSL. The business portals need high-level security to keep their own and their customers’ data away from malicious intentions.
Advantages of SSL Certificates The safety of the data traveling across the World Wide Web is encrypted by SSL. Only the intended users like sender and receiver can understand it. Any third person involved in data handling cannot pick any of its information. Credit card details, usernames, passwords etc. stay secured identity thieves and hackers. Here are some vital benefits of using SSL:
SSL for Promoting Customers Trust and Business Dealings A business thrives with its customers. That is why the valuable companies and entrepreneurs priorities to keep their customers satisfied and happy. One top important thing for a customer is his security and privacy. He does not want his sensitive personal details and data to get exposed to any other third person. Once a company ensures its customers that all their dealings are secured and data saved through proper encryption, the business prospers between the contractors.
Improving SEO with SSL Certificates
Google has a strict stance policy for keeping the security and privacy of its consumers intact. To implement this modern security measure for consumers, Google has set HTTPS a ranking tool. The secure HTTPS/SSL version promises the business websites to operate securely and exchange the data between its partners and customers without any fear of loss, hacking or theft.
Meeting the Standards of Payment Card Industry with SSL Online monetary dealings take place through credit cards and these cards carry highly sensitive and important information. The Credit Card Industry ensures the full protection of this valuable information through a setup standard. The companies can meet this standard of security by using SSL certificates only. A website passes some audits that declare that it is using SSL and complying with the Payment Card Industry standards.
SSL Certificates for Guarding against Scams
SSL certificates are actually procedures that encode a message between two parties: sender and receiver. No third party can snoop in. This cryptographic technology secures the link between a remote browser and a web server. This encrypted message is a hard nut for phishing proxies and hackers. They cannot make any use of the message in case they intercept it which is impossible for them. The coded message shows just like a string of random hash.
Importance of Discovering SSL Certificates Most of the e-commerce websites operate through the main domain and several subdomains. Each of these is involved in a heavy online business. IT professionals manage these portals through a number of intricate jobs. This leaves the website vulnerable to threats, thus SSL certificates need to be renewed.
Analyzing and discovering SSL certificates at a website is highly important at this stage. There are many companies that provide discovery tools. There is Comodo Certificate Manager. This finds the location, expiry date, and other information on an SSL certificate. Another service is DigiCert which discovers SSL certificates in use, finds neglected or expired certificates and identifies vulnerabilities.
What is CertDB
CertDB, however, is a more comprehensive SSL and TLS certificate discovery service. It is a search engine which can operate throughout the internet and analyze the certificates in real time. This service helps the users to discover the modern information and historical data because it scans the most common ports of the entire IPv4 range. Here are the salient features of CertDB:
Absolutely Free CertDB is absolutely free for users. Companies and websites owners need not worry about extra expenses for discovering certificates with the help of CertDB.
Comprehensive CertDB is comprehensive in its search and findings. The different types of SSL certificates and their latest info are fully discovered by CertDB. Experts can find recently registered domains, geographic location, soon to expire certificates, company names and many more
Modern CertDB scans the internet regularly for certificate-driven data about websites, organizations and certificate issuers. It is accurate and continuously updated. CertDB generates big amounts of data for analysis and discovery of statistical and detailed information about specific companies, their business objectives and integration between them.
Best UI User-friendly interface makes CertDB easy and favorite for companies and organizations. Entrepreneurs, marketers, and business analysts prefer CertDB because it is trouble-free and does not need IT specialists only for working on it. Developed by skilled, IT specialists and analysts SP*SE team, CertDB is the latest forever-free tool for organizations, students, entrepreneurs, tech geeks and e-commerce owners.
"Fauxpersky" Credential Stealer Spreads via USB Drives 30.3.2018 securityweek Safety
A recently discovered credential stealing malware is masquerading as Kaspersky Antivirus and spreading via infected USB drives, according to threat detection firm Cybereason.
Dubbed Fauxpersky, the keylogger was written in AutoIT or AutoHotKey, which are simple tools to write small programs for various automation tasks on Windows. AHK can be used to write code to send keystrokes to other applications, and to create a ‘compiled’ exe with their code in it.
On systems infected with Fauxpersky, the security researchers discovered four dropped files, each named similarly to Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.
Once executed, the malware gathers a list of drives on the machine and starts replicating itself to them, which allows it to spread to any of the connected external drives.
Furthermore, the keylogger renames the external drives to match its naming scheme. Specifically, the drive’s new name would include its original name, its size, and the string “(Secured by Kaspersky Internet Security 2017)”.The malware also creates an autorun.inf file to point to a batch script.
Explorers.exe includes a function called CheckRPath() designed to check the connected drives for the aforementioned files and to create them if they are not already present on the drive. The malware sets the attributes System and Hidden to the files and also creates the necessary directories, with parameters of Read-Only, System, and Hidden.
The attackers use a fairly basic method to ensure that all the necessary files are present in the source directory (called Kaspersky Internet Security 2017) when it is copied to the new destination. A text file in the directory instructs users to disable their antivirus if execution fails and also includes a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).
To perform the keylogging activities, Fauxpersky (specifically, svhost.exe) monitors the currently active window using the AHK functions WinGetActiveTitle() and input() (monitors user keystrokes to the window). Keystrokes are appended to Log.txt, which is saved in %APPDATA%\Kaspersky Internet Security 2017.
For persistence, the malware changes the working directory of the malware to %APPDATA% and creates the Kaspersky Internet Security 2017 folder. It also checks that all the necessary files are created in %APPDATA% and copies them there if they aren’t.
Spoolsvc.exe changes the values of registry keys to prevent the system from displaying hidden files and to hide system files (this explains why it sets the attributes of its own files to both System and Hidden). Next, it verifies if explorers.exe is running and launches it if not, thus ensuring persistent execution of the malware.
The keylogger also creates shortcuts to itself in the start menu startup directory to ensure persistence.
To exfiltrate the keylogged data, the malware uses a Google form, freeing the attackers from having to maintain an anonymized command and control server.
“This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox,” Cybereason concludes.
Axonius emerged from stealth mode on Tuesday with a platform designed to help organizations identify and secure all the devices on their network by leveraging existing security and management tools.
The company aims to bridge the gap between device discovery and vulnerability assessment products with a solution that combines data from existing tools in an effort to provide a centralized view of all devices and help enterprises ensure that all their systems are patched.
Vulnerability assessment tools may be efficient in identifying and prioritizing systems that need patching, but they often don’t have access to all devices due to the fragmented nature of corporate environments.
Axonius says its Cybersecurity Asset Management Platform can leverage combinations of nearly 30 tools from various vendors in order to discover all the devices on a network, obtain information about those systems, and ensure that they are not neglected by vulnerability scanners.Axonius emerges from stealth mode
The company has created what it calls “adapters” to integrate tools from Microsoft, Amazon, Cisco, enSilo, ESET, Forcepoint, Fortinet, IBM, Juniper, McAfee, ManageEngine, Qualys, Rapid7, Splunk, Symantec, VMware and others into its platform.
New adapters will be added in the future based on customers’ needs – the company is currently working on integrating tools from Carbon Black, Cylance, ObserveIT, CrowdStrike and others. Adding new adapters is in most cases an easy task given that most vendors provide APIs.
The company told SecurityWeek that it’s unlikely for an organization that has a problem with fragmentation and visibility not to have at least some of the supported tools – for example, Microsoft’s Active Directory can be found in most companies.
Security teams can manually query devices to ensure that they adhere to their organization’s policies, but they can also configure the platform to automatically alert them via email or syslog whenever a device that fits specified criteria is detected.
In addition to helping organizations gain full visibility into the devices on their network, Axonius says its platform can also be used to enforce policies. Employees can manually choose to either block a device, scan it, or deploy an agent, but they can also automate various tasks using plugins.
Since it does not require the deployment of an agent, Axonius says its platform can be deployed quickly and easily once it has access to all the credentials and third-party tools. The company claims it has deployed its solution in an afternoon at an organization with roughly 10,000 endpoints, and the job has never taken more than a couple of days.
“Since we do connect to the security and management systems a customer already has, there's no custom work to do, no professional services, and we're able to start showing value immediately,” Nathan Burke, CMO of Axonius, told SecurityWeek. “At most organizations, security teams are swamped and time is their scarcest resource. The last thing they want to do is spend time on a lengthy and complicated deployment.”
Deploying the solution only requires a VMware ESXi machine that has inbound and outbound access to all managed adapters. Pricing for the product is based on an annual subscription and it depends on the number of devices.
Axonius’ headquarters is in New York and its research and development department is located in Israel. The company received $4 million in seed funding in September 2017 and it has now announced the general availability of its product, which it claims is already used by very large companies around the world to manage more than 100,000 endpoints.
Since emerging from Intel as a standalone cybersecurity company in April 2017, McAfee has consistently made multiple new product announcements simultaneously. It has continued that model this week with a new version of the Enterprise Security Manager (ESM 11), and enhancements to Behavioral Analytics, Investigator, Advanced Threat Defense, and Active Response.
Significantly, it has also unveiled two new security operation centers (SOCs) that combine physical and cybersecurity into the McAfee Security Fusion Centers, located in Plano, Texas and Cork, Ireland. This is McAfee using its own products for its own organization: McAfee 'eating its own dog food' as its own Customer Zero.
McAfee LogoThe SOCs have a triple purpose -- to protect McAfee; to use McAfee products in a live scenario to provide practical feedback to the developers; and to provide an educational environment for customers to see McAfee SOC products in live action rather than choreographed simulation. The 'practical feedback' also provides an illustration of a key principle in McAfee's product philosophy: man and machine integration, each learning from and benefiting the other.
"The big deal for the McAfee Security Fusion Centers," writes McAfee CISO Grant Bourzikas in an associated blog, "is that they have a dual mission: 1) to protect McAfee, and; 2) help us build better products. And for myself, I would add a third objective: help our customers to learn from our experiences protecting McAfee. We want to help them build better reference architectures, learn how to communicate with boards of directors and become more innovative in solving cybersecurity problems." The Fusion Centers also, of course, demonstrate McAfee's faith in its own products.
The new ESM 11 architecture shares large volumes of raw, parsed and correlated security events to allow threat hunters to quickly search recent events, while storing the data for future forensic and compliance requirements. The architecture is horizontally scalable with active/active availability through the addition of extra ESM appliances or virtual machines.
Behavioral Analytics provides machine learning technology to discover high risk events that might otherwise be missed by human hunters. It distills billions of events down to hundreds of anomalies and then to 'a handful of prioritized threat leads' -- highlighting the signal in the noise -- and integrating with the McAfee product portfolio and other third-party SIEMs.
Investigator shares data with open source and third-party tools to streamline workflows and improve collaboration.
Active Response has been enhanced by integration with Investigator to help analysts scope the impact of a threat across endpoints in real-time. Integration with Advanced Threat Protection also allows analysts to view sandbox reports and IoCs from a single workspace; while allowing the detection of PowerShell exploits and their remediation by isolating any affected host.
"Existing tools and approaches are too reliant on human expertise" says Jason Rolleston, VP of security analytics, commenting on the product announcements. "The answer is human-machine teaming, where analytics- and machine learning-powered solutions augment the security team to detect more threats, faster and with fewer people."
ESM 11 and Behavioral Analytics are available now. Investigator will be available in April, and the enhancements to Advanced Threat Defense and Active Response will be available in May.
The Internet Engineering Task Force has finally announced the approval of TLS 1.3 26.3.2018 securityaffairs Safety
The Internet Engineering Task Force (IETF) has finally announced the approval of TLS 1.3, the new version of the Transport Layer Security traffic encryption protocol. It was a long journey, the IETF has been analyzing proposals for TLS 1.3 since April 2014, the final release is the result of the work on 28 drafts.
The TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.
TLS 1.2 and TLS 1.3 are quite different, the new version introduces many major features to improve performance and to make the protocol more resilient to certain attacks such as the ROBOT technique.
Below the description of one of the most important changes introduced with TLS 1.3:
The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms. The ciphersuite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm (including secret key length) and a hash to be used with the key derivation function and HMAC. A 0-RTT mode was added, saving a round-trip at connection setup for some application data, at the cost of certain security properties. Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy. All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers. The key derivation functions have been re-designed. The new design allows easier analysis by cryptographers due to their improved key separation properties. The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is used as an underlying primitive. The handshake state machine has been significantly restructured to be more consistent and to remove superfluous messages such as ChangeCipherSpec (except when needed for middlebox compatibility). Elliptic curve algorithms are now in the base spec and new signature algorithms, such as ed25519 and ed448, are included. TLS 1.3 removed point format negotiation in favor of a single point format for each curve. Other cryptographic improvements including the removal of compression and custom DHE groups, changing the RSA padding to use RSASSA-PSS, and the removal of DSA. The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension. This increases compatibility with existing servers that incorrectly implemented version negotiation. Session resumption with and without server-side state as well as the PSK-based ciphersuites of earlier TLS versions have been replaced by a single new PSK exchange. TLS 1.3
TLS 1.3 deprecates old cryptographic algorithms entirely, this is the best way to prevent the exploiting of vulnerabilities that affect the protocol and that can be mitigated only when users implement a correct configuration.
In the last few years, researchers discovered several critical issues in the protocol that have been exploited in attacks.
In February, the OpenSSL Project announced support for TLS 1.3 when it unveiled OpenSSL 1.1.1, which is currently in alpha.
One of the most debated problems when dealing with TLS is the role of so-called middleboxes, many companies need to inspect the traffic for security purposes and TLS 1.3 makes it very hard.
“The reductive answer to why TLS 1.3 hasn’t been deployed yet is middleboxes: network appliances designed to monitor and sometimes intercept HTTPS traffic inside corporate environments and mobile networks. Some of these middleboxes implemented TLS 1.2 incorrectly and now that’s blocking browsers from releasing TLS 1.3. However, simply blaming network appliance vendors would be disingenuous.” reads a blog post published by Cloudflare in December that explained the difficulties of mass deploying for the TLS 1.3.
According to the tests conducted by the IETF working group in December 2017, there was around a 3.25 percent failure rate of TLS 1.3 client connections.
The Internet Engineering Task Force (IETF) last week announced the approval of version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol. The Internet standards organization has been analyzing proposals for TLS 1.3 since April 2014 and it took 28 drafts to get it to its current form.
TLS is designed to allow client and server applications to communicate over the Internet securely. It provides authentication, confidentiality, and integrity mechanisms that should prevent eavesdropping and tampering, even by an attacker who has complete control over the network.IETF approves TLS 1.3
There are nearly a dozen major functional differences between TLS 1.2 and TLS 1.3, including ones that should improve performance and eliminate the possibility of certain types of attacks, such as the recently disclosed ROBOT method. The most important changes have been described by the IETF as follows:
The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms. The ciphersuite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm (including secret key length) and a hash to be used with the key derivation function and HMAC. A 0-RTT mode was added, saving a round-trip at connection setup for some application data, at the cost of certain security properties. Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy. All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers. The key derivation functions have been re-designed. The new design allows easier analysis by cryptographers due to their improved key separation properties. The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is used as an underlying primitive. The handshake state machine has been significantly restructured to be more consistent and to remove superfluous messages such as ChangeCipherSpec (except when needed for middlebox compatibility). Elliptic curve algorithms are now in the base spec and new signature algorithms, such as ed25519 and ed448, are included. TLS 1.3 removed point format negotiation in favor of a single point format for each curve. Other cryptographic improvements including the removal of compression and custom DHE groups, changing the RSA padding to use RSASSA-PSS, and the removal of DSA. The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension. This increases compatibility with existing servers that incorrectly implemented version negotiation. Session resumption with and without server-side state as well as the PSK-based ciphersuites of earlier TLS versions have been replaced by a single new PSK exchange. The most controversial of these changes is related to the introduction of the 0-RTT (zero round trip time resumption) mode. This feature brings significant improvements in terms of speed, particularly in the case of resumed connections, but it makes the connection slightly less secure.
The main concern are replay attacks, but experts believe the risk is manageable and website administrators should not have anything to worry about. However, some members of the IETF believe there are bound to be successful attacks against existing mitigations in the future. Cloudflare published a blog post last year detailing 0-RTT benefits and risks.
Cloudflare announced support for TLS 1.3 in September 2016, but the company reported in late December 2017 that major web browsers had yet to enable the new version of the protocol by default, with only 0.06% of the traffic passing through its network leveraging TLS 1.3.
Cloudflare has blamed this delay on network appliances that need to intercept HTTPS traffic on corporate networks, and the original design of TLS 1.3. Poor implementation of TLS 1.3 has been known to cause serious problems.
The OpenSSL Project announced support for TLS 1.3 in February when it unveiled OpenSSL 1.1.1, which is currently in alpha.
Recovering Encrypted Firefox Passwords via Brute Force Attacks is Easy, Developer Says
Firefox does a poor job at securing stored passwords even if the user has set up a master password, a software developer claims.
According to Wladimir Palant, author of the popular Adblock Plus extension, the password manager in Firefox and Thunderbird needs some major improvements in terms of security. The manager can spill out passwords in less than a minute, he says.
The issue, Palant claims, resides in the manner in which the manager converts a password into an encryption key. The operation is performed by the sftkdb_passwordToKey() function, which applies SHA-1 hashing to a string consisting of a random salt and the actual master password.
In the current implementation, the SHA-1 function has a very low iteration count of 1, meaning that it falls way behind what’s considered a minimum value in practice, namely 10,000. In fact, an iteration count of at least 1,000 was considered “modest” decades ago.
Because of that, recovering encrypted passwords via brute force attacks is not difficult at all, Palant says. In fact, he underlines that graphics processing units (GPUs) are great at calculating SHA-1 hashes. With some of them capable of calculating billions of SHA-1 hashes per second, it would not take more than a minute to crack the passwords encrypted and stored in Firefox.
This NSS bug was first reported about nine years ago, but remains unpatched. And it wouldn’t even be that difficult to address the issue, the developer says.
“NSS library implements PBKDF2 algorithm which would slow down bruteforcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2 but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years,” Palant notes.
Robert Relyea, who has worked for over 20 years on NSS, notes that, while the iteration count could be increased, it would not affect the security of old databases, which would remain readable. Only changing the master password (even to the same password) for them would also increase the iteration count.
The issue was thought resolved in PKCS #12, but it wasn’t fixed for the NSS database password (Firefox Master Password) too. Thus, Relyea reopened the bug, so it could be properly addressed.
Mozilla is also working on a new password manager component for Firefox. Dubbed Lockbox and available as an extension, it might not solve the issue either, Palant says, pointing out that it relies on Firefox Accounts, which could prevent wide adoption.
Even if this issue still exists in Firefox, setting up a master password for Firefox’ manager is still better than using none. Of course, using a password manager that isn’t impacted by such bugs is even better, although cracking firms would say that the security of such tools is debatable.
