Windows 10 'S Mode' Coming Soon — For Security and Performance
10.3.2018 thehackernews Security

Microsoft has confirmed that the company is planning to convert Windows 10 S from a dedicated operating system to a special "S Mode" that will be available in all versions of Windows.
Windows 10 S, a new operating system designed for simplicity, security, and speed, was released by Microsoft last year. It locks a computer down to run only applications downloaded from the official Windows Store, but the slimmed-down and restricted flavor of Windows did not exactly turn out to be a success.
Therefore, the company has now decided that Windows 10 S will be offered as an optional mode rather than as a dedicated operating system.
Windows 10 S was developed to simplify administration for school or business sysadmins who want a 'low-hassle', guaranteed-performance version. It has been designed to deliver predictable performance and quality through Microsoft-verified apps from the Microsoft Store.
However, in a blog post published Wednesday, Joe Belfiore, corporate VP of Microsoft's operating systems group, admitted that the naming for Windows 10 S "was a bit confusing for both customers and partners."
Microsoft, therefore, decided that the original version of Windows 10 S would disappear and become an S Mode in Windows.
"Starting with the next update to Windows 10, coming soon, customers can choose to buy a new Windows 10 Home or Windows 10 Pro PC with S mode enabled, and commercial customers will be able to deploy Windows 10 Enterprise with S mode enabled," Belfiore said.
"We expect the majority of customers to enjoy the benefits of Windows 10 in S mode," he added.
Previous rumors also suggested that Windows 10 Pro customers with S Mode enabled on their devices would have to pay $49 to disable the mode to get access to a full version of Windows 10 Pro, but these rumors were inaccurate.
No user, whether a Windows 10 Home, Enterprise or Pro customer, has to pay anything to disable S Mode, as Belfiore wrote that "if a customer does want to switch out of S mode, they will be able to do so at no charge, regardless of edition."
"We hope this new approach will simplify and make it possible for more customers to start using Windows in S mode: a familiar, productive Windows experience that is streamlined for security and performance across all our editions," Belfiore said.
S Mode is expected to arrive with the next major Windows 10 update, thought to be called the Spring Creators Update and likely to ship next month; it is then up to PC makers to choose whether or not to enable the new S Mode.


McAfee Launches Security Platform for Azure Cloud
7.3.2018 securityweek  Security

Migrating to the cloud is complex. One of the biggest concerns is a loss of visibility on data in the cloud, and this concern only grows with increasing regulatory requirements. GDPR, coming into force in less than three months' time, is a case in point.

Cloud access security brokers (CASBs) can improve visibility and control, but aren't necessarily tailored to a specific cloud. Today, McAfee announced the first product resulting from its purchase of Skyhigh Networks, finalized in January 2018: the McAfee Skyhigh Security Cloud for Azure.

"Moving applications, data and workloads to the cloud exposes enterprises to new threats and risks," explains Rajiv Gupta, SVP of McAfee's cloud security business unit. "At the same time, the adoption of cloud allows organizations to transform their business. This is why we are on a mission to make cloud the most secure environment for business. The introduction of McAfee Cloud Security Platform for Microsoft Azure is an important step to fulfilling this mission for our customers."

The new product offers five particular use cases for Azure users: configuration and compliance audit, activity monitoring, threat protection, DLP, and account management.

The configuration element detects misconfigurations in any Azure account. AWS S3 bucket misconfigurations have exposed millions of sensitive records in recent years, and in some cases left the accounts vulnerable to a MITM attack dubbed GhostWriter.

Detected misconfigurations can be corrected using McAfee best practices; CIS benchmark recommendations for Azure; and compliance recommendations for HIPAA-HITECH, ISO, FedRAMP, ITAR, other regulations, or internal compliance policies. "The solution can help with an organization's attempts to meet the GDPR regulations -- that are coming into force in less than 50 working days," said Nigel Hawthorn, EMEA marketing director at McAfee.

The activity monitoring element provides the visibility that can otherwise be lost in the cloud. It monitors both managed and unmanaged subscriptions, and captures a full audit trail of all activity. "We now have the visibility and control we need to be able to allow access to the cloud-based tools our employees need to be competitive and efficient, without compromising our security standards," comments Rick Hopfer, CIO at Molina Healthcare.

Threat protection is provided by AI-based user behavior analytics and signature-less, advanced malware analysis. Anomalous user behavior can highlight insider threats and unwarranted privilege escalation; while McAfee anti-malware will detect malware traveling into the cloud, and identify behavior indicative of malware data exfiltration or ransomware activity.

Data loss prevention (DLP) will help prevent unauthorized regulated data from being stored in Azure storage services -- which will be critical to maintaining GDPR compliance. McAfee's content analytics engine can be used to discover sensitive data stored in Azure services, using keywords and phrases, alpha-numeric patterns, file metadata, and more. It "allows us to extend DLP outside the perimeter and into the cloud and the user experience is seamless," says Mike Benson, CIO at DirecTV.

Account management is provided by McAfee's central policy engine, which aids the development of policies that can be enforced on new and pre-existing content, user activity, and malware threats. Options include the use of pre-built templates, the ability to import policies from other McAfee customers or partners, and a policy creation wizard to create custom policies to conform with corporate or regulatory requirements.

Security in the cloud is a shared responsibility between the cloud provider and the customer. It is a common failure to recognize this that leads to the misconfigurations so commonly found in AWS S3 buckets. In reality, both AWS and Azure have multiple flexible options for file and folder access -- and data protection problems are often based on this flexibility. The new McAfee/Skyhigh Azure solution is designed to remove confusion and apply customer visibility and control into the Azure cloud.


23,000 Digital Certificates Revoked in DigiCert-Trustico Spat
2.3.2018 securityweek Security

Certificate Authority (CA) DigiCert on Wednesday announced the en masse revocation of more than 23,000 HTTPS certificates after certificate reseller Trustico sent over the private keys for those certificates.

The keys are supposed to be secret and only in the possession of certificate owners, not in the hands of the certificate authority, the reseller or any other third party. With the private keys exposed, DigiCert was forced to revoke impacted certificates within 24 hours, thus affecting a large number of customers.

The revocation appears to be the result of a one-month feud between Trustico and DigiCert and might evolve into an even larger number of certificates being axed.

This all apparently started on February 2, 2018, when Trustico sent a request to DigiCert “to mass revoke all certificates that had been ordered by end users through Trustico,” Jeremy Rowley, Executive VP of Product at DigiCert, explains. The CA refused, given the large number of certificates it was asked to revoke at once (50,000).

In August last year, DigiCert announced plans to buy Symantec’s website security and related public key infrastructure (PKI) solutions, after Symantec ended up in the crosshairs for wrongfully issuing TLS certificates on several occasions. Since December 1, 2017, Symantec SSL certificates have been issued by DigiCert.

With major browsers already announcing plans to distrust older Symantec certificates, Trustico too decided to abandon those certificates, and announced in mid-February that it would cease to offer Symantec branded SSL Certificates: Symantec, GeoTrust, Thawte and RapidSSL.

“As a valued partner of Comodo, Trustico have updated their systems to minimize disruption to customers with their API and ordering processes by enabling the automatic selection and ordering of equivalent products from the Comodo range,” Trustico said at the time.

A couple of weeks later, on February 27, Trustico sent DigiCert a file with 23,000 private keys matching certificates issued to the reseller's customers, which triggered a 24-hour revocation process.

“Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys. When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours,” DigiCert said in a Wednesday statement.

Because of these actions, starting today, visitors of impacted websites will see in their browsers that the connection to the domain is untrusted, unless the revoked certificates have been replaced in the meantime.

Since the beginning of February, DigiCert and Trustico have been communicating with each other over this, but each company has a different side of the story.

According to DigiCert, Trustico informed them that the certificates had been compromised and that it was in the possession of said private keys. Thus, DigiCert requested proof of compromise and received said keys.

“At this time, Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys. As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys,” Rowley says.

In addition to revoking the certificates, DigiCert decided to email all impacted customers to inform them on its action: “Following our standard revocation process, we gave notice via email to each certificate holder whose private keys had been exposed to us by Trustico, so they could have time to get a replacement certificate.”

Trustico, on the other hand, claims that it never said the certificates had been compromised, but that it informed DigiCert that it believed “Symantec to have operated our account in a manner whereby it had been compromised.”

The reseller also says that it doesn't believe it to be "ideal to have any active SSL Certificates on the Symantec systems," especially with Chrome set to distrust all Symantec SSL certificates.

“The same management team responsible for that situation is duly employed at DigiCert and are fully managing our account, causing grave concern on our part as it appears to be business as usual with a new name. We were also a victim whereby Symantec mis-issued SSL Certificates owned by us, subsequently we were asked to keep the matter quiet, under a confidentiality notice,” the company claims.

Moreover, Trustico points out that it never authorized DigiCert to email its customers about the revocation, but adds that it too sent a notice to the impacted clients.

The bottom line here, however, is the fact that DigiCert ended up revoking 23,000 HTTPS certificates because their private keys were compromised. Even if the keys hadn’t been compromised when the spat started, the fact that the reseller sent those keys in an email represented a compromise in itself.

“In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates,” DigiCert points out.

The fact that Trustico kept those private keys on their platform is also worrisome.

Both Trustico and DigiCert said they would be working with the impacted customers to replace the axed certificates and that free replacement certificates are available for those clients.
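The mechanics behind this story, as an added Go example that is not code from DigiCert, Trustico or the article: it builds a constructed test CA and server certificate (the hostname shop.example.test, the serial numbers and all key material are made up), confirms that a submitted private key really belongs to the certificate, issues a CRL that marks the certificate revoked for key compromise, and shows the relying-party check that then refuses to trust it. It assumes Go 1.19 or later for the CRL parsing and signature verification in crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// issue signs tmpl for pub with signer; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI constructs a throwaway hierarchy: a CA, a 90-day server certificate for a
// made-up host, and that certificate's private key (the secret a reseller should never hold).
func buildPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, err error) {
	if caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	if leafKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	now := time.Now()
	ca, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is required to issue CRLs
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "shop.example.test"},
		DNSNames:  []string{"shop.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 90),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	return
}

// keyMatchesCert confirms that a submitted private key really belongs to cert: the CA's
// first step before treating the key as proof of compromise and revoking anything.
func keyMatchesCert(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// revokeKeyCompromise publishes a CRL listing cert with CRLReason keyCompromise (1).
// Once a third party holds the key, the Baseline Requirements give the CA 24 hours to do this.
func revokeKeyCompromise(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cert *x509.Certificate, at time.Time) (*x509.RevocationList, error) {
	reason, err := asn1.Marshal(asn1.Enumerated(1))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: at, NextUpdate: at.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{
			SerialNumber: cert.SerialNumber, RevocationTime: at,
			// id-ce-cRLReasons (RFC 5280, section 5.3.1) carried as a CRL entry extension
			Extensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 21}, Value: reason}},
		}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// isRevoked is the relying-party view: once the CRL is verified as the CA's own, any
// certificate whose serial is listed is untrusted even though its dates and signature
// are still valid. That is what visitors to the affected sites would have seen.
func isRevoked(crl *x509.RevocationList, ca, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```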


SecOps: The Roadkill Victim of DevOps' Need for Speed
1.3.2018 securityweek Security

DevSecOps Remains a Theory Not Often Implemented in Practice

DevOps was born from the understanding that greater efficiency comes from breaking down business silos (in this case, development and operations) and working as a single unit. With the increasing understanding and regulatory demands that security should be baked into new products during their development, the logical extension is that security should be included in a new combined working model: DevSecOps.

The potential advantages of DevSecOps are well understood and frequently urged -- but not so commonly implemented. A new survey and report (PDF) from threat detection firm Threat Stack demonstrates that DevSecOps remains a theory not often implemented in practice.

Threat Stack questioned more than 200 security, development and operations professionals working for firms ranging from SMBs to large corporations in North America, across multiple industry sectors. The response shows that DevSecOps is well-understood and frequently lauded by firms, but not so often enacted.

The primary reason appears to be not just a lack of support from the highest levels, but actual discouragement from business leaders. More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective. "Since the directive for speed starts at the very top, it's hard to ignore," comment the report's authors, "even if it means that security becomes roadkill in the process."

The demand for development speed from the business leaders then transfers to the existing DevOps team. Sixty-two percent of the respondents said that DevOps push back against demands to deploy secure technology, and 57% push back on security best practices -- presumably because implementing security is seen as incompatible with the overriding need for speed.

This is a common perception. Mike Smart, security strategist at Forcepoint, believes security is like the brake on a car. Business leaders think its purpose is to slow down the car; that is, security slows down business and business development. "Innovators will tell you the opposite," he says. "It's there to give the driver the confidence to go as fast as possible." In this view, security is the enabler of agile business -- but the implication is that security leaders have failed to adequately explain this function to the business leaders.

Surprisingly, however, the theory of DevSecOps is well received. Eighty-five percent of the responding organizations claim that bridging the gap between DevOps and security is an important goal, while 62% of developer and operations professionals say it has become a bigger priority.

Threat Stack has isolated three key factors at play in this apparent contradiction. The first is that security is still siloed and considered a separate function. "A security specialist," notes the report, "is assigned to the operations team at only 27% of the organizations we surveyed, and security pros are on board with development teams in just 18% of cases. At 38% of organizations, security is a completely separate team that is only brought in 'when needed'."

The second is that development is separate from security. "Forty-four percent of developers aren't trained to code securely. Without this basic knowledge, coding is often done without security in mind. This forces security to become a bottleneck when they must inevitably step in and intervene."

Thirdly, operations is little different. "A full 42% of operations staff admit that they are not trained in basic security practices, which means that they can't configure servers securely. It also means that they don't see deploying security as part of the configuration management process, which allows security best practices to fall by the wayside. When ops pros aren't trained in security, there's no way SecOps can succeed."

At the same time, security cannot be absolved from all responsibility for the lack of progress in DevSecOps. Just as developers can't code securely, security teams can rarely code at all. Security teams, suggests Threat Stack, "need to learn how to code and integrate their efforts into continuous deployment cycles. Don't wait for this process to happen organically; you must make a conscious investment in alignment and education across teams."

"Businesses have grappled with the 'Speed or Security' problem for years but the emergence of SecOps practices really means that companies can achieve both," said Brian Ahern, Threat Stack chairman and CEO. "The survey findings show that the vast majority of companies are bought-in, but, unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It's important that stakeholders across every enterprise prioritize the alignment of DevOps and security."

The key to developing an efficient DevSecOps regime is to break down silos -- but that includes breaking down self-imposed as well as organizationally-imposed silos.

Boston, Mass.-based intrusion detection firm Threat Stack raised $45 million in a Series C funding in September 2017, bringing the total raised by the company to more than $70 million.


Fortinet Enhances Network Security OS, Adds AI-based Threat Detection
1.3.2018 securityweek Security

Two major new product announcements were made at Fortinet’s Accelerate 18 conference this week, including a new machine learning (ML) threat intelligence and detection offering, along with a major upgrade to the Fortinet Security Fabric (FortiOS).

Accelerate 18, held in Las Vegas, Nevada, is Fortinet's annual global partner and user conference, attended by around 2,000 Fortinet partners, customers, and industry and technical experts.

The new ML product is called FortiGuard AI. It emerges from five years of analyses by FortiGuard Labs' 215 researchers in 31 countries analyzing the threat data from a global network of more than 3 million security sensors. The analyses have been used, employing supervised learning techniques, to train the FortiGuard AI automatic detection engine.

Machine learning threat detection is currently the best option for detecting new and unknown malware. But the accuracy of machine learning detection systems depends on the volume and accuracy of the data from which they learn. By spending five years in the process, and using supervised learning (that is, under the control of human analysts) rather than unsupervised learning, the quality and accuracy of Fortinet's ML system should be high.

The system now analyzes millions of threat samples every week. More than 5 billion processing nodes identify both the clean and malicious features of the threat samples to generate threat intelligence. That intelligence then automatically updates defensive signatures across the entire Fortinet Security Fabric.

"Fortinet Labs' five-year investment in automated analysis and detection of polymorphic threats," comments CISO Phil Quade, "has resulted in FortiGuard AI, a giant leap towards [automatically detecting polymorphic and zero-day threats]. FortiGuard AI analyzes and identifies threats with speed, agility, and accuracy to provide proactive threat detection at machine speed and scale. This frees threat analysts and network operators to focus on critical threat research and higher-order problems, reduces exposure to zero-day attacks, and minimizes the risk to Fortinet customers while increasing the attacker's costs."

The firm also announced the inclusion of ML-based User and Entity Behavior Analysis (UEBA) capabilities in its SIEM product (FortiSIEM). The solution 'learns' patterns of normal user or entity behavior, and will then automatically detect anomalies. Concurrent logins from separate locations, users accessing corporate data in the middle of the night, and excessive logins to rarely used servers will all send alerts to the security team for relevant action.

Fortinet has also announced version 6 of its Security Fabric. "FortiOS 6.0," says founder, president and CTO Michael Xie, "delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence and automated response required for digital business."

The Security Fabric is based on the world's most deployed network security operating system. It was launched in 2016 to allow different segments of network security to integrate seamlessly and to cooperate actively under the management of a central control. FortiOS 6.0 is expected to be available before the end of March 2018.

Example enhancements include multi-cloud visibility, where cloud connectors provide visibility spanning private clouds (with support for VMware NSX, Cisco ACI and Nokia Nuage); public clouds (supporting AWS, Azure, Google Cloud and Oracle Cloud); and SaaS clouds with CASB connectors (supporting Salesforce.com, Office 365, Dropbox, Box, AWS and more).

FortiClient 6.0 includes expanded OS support for Linux, providing IoT endpoint security. Actionable insights from the IoT devices can be shared with the Security Fabric, while telemetry can provide a deeper insight on what is running on a network's endpoint devices to quickly identify vulnerabilities.

Other enhancements involve network security, advanced threat protection, email and web applications, security management and analytics, and unified access.

"Using a single partner for integrated protection across multiple threat vectors, from public cloud workloads to email SaaS applications, is a key priority for ShipServ," says Dominic Aslan, VP of IT operations at the online marketplace for the marine industry. "Fortinet is an all-in-one cyber security company with a common, intuitive security management interface across all the Fortinet Security Fabric solutions, making it much easier to support."


Over $100,000 Paid Out in 'Hack the Air Force 2.0'
15.2.2018 securityweek Security
HackerOne on Thursday announced the results of a bug bounty challenge run by the U.S. Air Force on its platform. More than $100,000 was paid out for over 100 vulnerabilities reported during Hack the Air Force 2.0.

The challenge ran between December 9 and January 1. The U.S. Department of Defense paid out a total of $103,883 for 106 valid vulnerability reports submitted by 27 hackers from the U.S., Canada, U.K., Sweden, Netherlands, Belgium and Latvia.

The largest single payout, which is also the highest reward in any federal bug bounty program to date, was $12,500.

Of the 106 flaws, 55 were discovered on the first day of Hack the Air Force 2.0 during a live hacking event at the WeWork Fulton Center inside the Fulton Center subway station in New York City.

Seven U.S. Airmen and 25 civilians earned a total of over $26,000 on the first day, including $10,650 by Mathias Karlsson and Brett Buerhaus, who demonstrated how malicious actors could have breached an unclassified DoD network by exploiting a vulnerability in the Air Force’s website.

“We continue to harden our attack surfaces based on findings of the previous challenge and will add lessons learned from this round,” said Air Force CISO Peter Kim. “This reinforces the work the Air Force is already doing to strengthen cyber defenses and has created meaningful relationships with skilled researchers that will last for years to come.”

The first edition of Hack the Air Force paid out more than $130,000 for 207 valid vulnerability reports. The bug bounty challenges run by the Pentagon on the HackerOne platform since 2016 led to the discovery and patching of more than 3,000 vulnerabilities, with a total of over $400,000 awarded to white hat hackers.

The Pentagon also has a vulnerability disclosure policy that aims to provide guidance to researchers on how to disclose security holes found in the organization’s public-facing websites. While no monetary rewards are being offered, the policy provides a legal avenue for reporting flaws.


Windows Analytics Helps Assess Risk of Meltdown, Spectre Attacks
15.2.2018 securityweek  Security
Microsoft is stepping up its efforts to help IT professionals better assess whether their Windows devices are protected against the industry-wide Meltdown and Spectre attack techniques.

Publicly detailed at the beginning of this year, the two attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Residing in the processors themselves, the bugs affect billions of devices.

Tech companies were informed of the bugs last year and worked hard on releasing both software and firmware mitigations, but some of the patches added instability and their delivery was stopped. Microsoft too decided to disable mitigations for one Spectre attack variation as systems became unstable.

After halting the initial patches several weeks ago, Intel recently rolled out new microcode updates to address one of the Spectre vulnerabilities in its Skylake processors. IBM, Oracle, and many other vendors rushed to push out patches for the bugs as well, and malware that abuses the vulnerabilities emerged as well.

Being hardware-based security vulnerabilities, Meltdown and Spectre represent a challenge for the entire industry, Microsoft says. Not only are updates required for both CPU microcode (firmware) and the operating system, but the anti-virus has to be compatible with the patches as well, at least on Windows.

To help IT professionals assess whether the Windows devices in their networks are protected against Spectre and Meltdown, Microsoft has added new capabilities to its free Windows Analytics service.

With the help of these new features, admins can access reports on the status of all Windows devices they manage, Terry Myerson, Executive Vice President, Windows and Devices Group, explains.

Now, admins can learn whether the anti-virus (AV) software is compatible with the required Windows OS updates, thus knowing whether it is safe or not to install the patches.

Furthermore, information on which Windows security update is running on a managed device and if any of these updates have been disabled is now available (IT administrators have the option to install the security update but disable the fix).

Now, Windows Analytics also offers details on the firmware installed on the device, providing information on whether the firmware includes the specific protections required. This insight, however, will be initially limited to the list of approved and available firmware security updates from Intel.

“We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft,” Myerson points out.

Windows Analytics is currently running on millions of devices, Microsoft says. The newly included capabilities will be available on all Windows 7 SP1, Windows 8.1 and Windows 10 devices running the service.


Windows Analytics now includes Meltdown and Spectre detector
15.2.2018 securityaffairs Security

Good news for administrators of Windows systems: Microsoft has added a Meltdown-and-Spectre detector to its telemetry analysis tool Windows Analytics.
The detector has been available since Tuesday, when Microsoft announced the new capabilities implemented in the free Windows Analytics service.

The new capabilities allow admins to monitor:

Anti-virus Status: Some anti-virus (AV) software may not be compatible with the required Windows Operating System updates. This status insight indicates if the devices’ anti-virus software is compatible with the latest Windows security update.
Windows Operating System Security Update Status: This Windows Analytics insight will indicate which Windows security update is running on any device and if any of these updates have been disabled. In some cases, IT Administrators may choose to install the security update, but disable the fix. Our complete list of Windows editions and security updates can be found in our Windows customer guidance article.
Firmware Status: This insight provides details about the firmware installed on the device. Specifically, this insight reports if the installed firmware indicates that it includes the specific protections required. Initially, this status will be limited to the list of approved and available firmware security updates from Intel. We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft.
The check for the status of the operating system allows admins to verify that the Meltdown and Spectre patches are installed and working correctly.

The antivirus check allows admins to verify if the running AV is compatible with required Windows Operating System updates.

The check for firmware status currently works only for Intel chips.

Meltdown-and-Spectre detector is available for Windows 7 through Windows 10 and requires that systems are running the February 2018 patch levels (Win7 SP1, KB2952664; Win8.1, KB2976978; and for Win10, KB4033631).


Security Awareness Training Top Priority for CISOs: Report
14.2.2018 securityweek Security
Thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense. Twenty-five percent prioritize infrastructure upgrades and network defense.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled more than 100 of its 7,000 global members to produce the first of its planned annual CISO Cybersecurity Trends Study. ISACs are non-profit organizations, usually relevant to individual critical infrastructure sectors, designed to share threat information among their members and with relevant government agencies. They were born from Bill Clinton's 1998 Presidential Decision Directive PDD 63.

The FS-ISAC's 2018 Cybersecurity Trends Report (PDF) notes a distinction in priorities based on the individual organization's reporting structure. Where CISOs report into a technical structure, such as the CIO, the priority is for infrastructure upgrades, network defense and breach prevention. Where they report into a non-technical function, such as the COO or Legal, the priority is for staff training.

This could be as simple as CISOs prioritizing areas for which they are most likely to get funding. However, that staff training is considered the overall priority does not surprise Dr. Bret Fund, founder and CEO at SecureSet.

"I think that speaks to CISOs seeing first-hand how their largest risks of breach rest in the people component vs. the product or process components," he suggests. "Executives and Boards cannot underestimate the need for a robust security culture inside their organizations; and the way that you achieve that is through proper education and training."

Dan Lohrmann, chief security officer at Security Mentor, agrees. "The mission-essential business aspects that end user security awareness training is now playing in global financial organizations must be front and center surrounding around all data handling and incident response." He recommends metrics-based training so that progress can be monitored.

The report finds no common reporting structure within financial organizations. Only 8% of CISOs report directly to the CEO. Sixty-six percent report to the CIO (39%), the CRO (14%) or the COO (13%). Despite these differences, there appears to be no impact on the frequency of reporting to the board of directors on cybersecurity.

Reporting most frequently occurs every three months (54% of CISOs). Eighteen percent report every six months, and 16% report annually. Only 6% report monthly.

There is no indication within the report on structural trends, which could provide an insight into the evolving role of the CISO. Greg Reber, CEO at AsTech, thinks this is an omission. "At AsTech, we see moves away from CISOs reporting to CIOs, as the incentives can be at odds," he explains. "CIOs may need to get things done quickly to realize financial goals -- moving processing to the cloud environments for example -- while CISOs are chiefly concerned with risk management."

He also notes a failure to comment on cyber risk insurance. "This falls into an 'event response' category, which we see as a top priority. However, it didn't appear in the top three responses in this survey." Reber equates 'cyber defense' with a Maginot Line philosophy, and believes resources should be balanced between defense and response.

"This report from FS-ISAC highlights the continued need for cyber awareness and vigilance from staff," comments Stephen Burke, founder and CEO at Cyber Risk Aware. "Hackers are great at exploiting human nature, using social engineering tactics to gain their victims' trust. Once they can get through defense and onto a user's machine they may use sophisticated methods to stealthily move laterally across a network stealing data or credentials."

FS-ISAC's recommendation to its members, based on its survey findings, is that staff training should be prioritized regardless of the reporting structure. "People can be the solution to these growing online risks, or they can be contributors to the growing level of security problems," says Lohrmann. "Effective security awareness training will enable the enterprise to successfully stop cyberattacks."

Venture and M&A

Security awareness firms have been the subject of significant funding and M&A transactions in recent months.

Earlier this month, security awareness training firm Wombat Security agreed to be acquired by Proofpoint for $225 million in cash. In August 2017, Webroot acquired Securecast, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm KnowBe4 secured $30 million in Series B financing, which brought the total amount raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a $42.5 million series C funding round in July 2016.

*Additional reporting by Mike Lennon


Online Auction Safety Tips for Buyers and Sellers
11.2.2018 securityaffairs Security

Buying or selling goods through online auctions is more popular than ever. Which are the best practices to follow for buyers and sellers for an online auction?
Buying or selling goods through online auctions is more popular than ever. Today, there are a number of different auctions sites available where sellers can post new and used items for sale.

Buyers often flock to these marketplaces, largely because auction prices tend to be quite low. Additionally, buying through online auctions is a great way to find unique items or collectibles that you simply can’t buy through traditional retail stores.

The vast majority of transactions that take place through these sites go off without a hitch. Occasionally, however, problems do occur.

There are instances where unscrupulous buyers or sellers try to take advantage of other people on the auction site.

By following a few simple online auction safety tips, you can ensure that you don’t fall victim to a scam.

A good place to start is by familiarizing yourself with some of the common risks including the following:

Sellers sometimes try to scam buyers by failing to send out items after they have already been paid for. Buyers, on the other hand, sometimes take advantage of sellers by failing to pay for the item after the seller has already sent it to them or claiming that they never received the item in order to get a refund.
Hackers or online thieves can take control of your account if they get access to your password. Not only can they use your account to make purchases but they can also steal your identity.
Buyers or sellers can sometimes use the personal information that is exchanged during a sale to steal your identity. For instance, if you use a personal check to pay for an item, an unscrupulous seller may try to steal your identity based on the information printed on your check.
Sellers sometimes may try to sell you a knockoff or copy rather than the actual item you are interested in purchasing.
Phishing scams may try to get you to share your information by posing as the auction site or as your payment processor. In most cases, these scams are designed to try to gain access to your banking information or to your password so that the perpetrators can steal your identity.

Now that you have a better idea of all of the things that can go wrong when buying through an online auction, you can take steps to prepare yourself. A good place to start is by familiarizing yourself with how each auction site is set up. Before posting an item for sale or placing a bid, spend some time performing the following tasks:

Try to get a sense of how the auction site works by watching several items. Pay particular attention to what happens at the end of the auction to see if there is a lot of last-minute bidding. You can then put auction software to work for you on bidding and selling.
Familiarize yourself with the website’s Terms of Use. Make sure you have a clear understanding of the various fees that are charged to both sellers and buyers.
Additionally, find out what steps they take to help protect users in the event that something goes awry with a transaction. Make sure that you fully understand the site’s rules before buying or selling items through their platform.
Find out what forms of payment the website recommends. In most cases, the best option is to use a service like PayPal rather than relying on other payment methods. Personal checks, wire transfers, money orders, cash, and credit or debit cards can be risky for both buyers and sellers. Services such as PayPal provide protection against problems that are commonly experienced online.
Protect your identity when creating your profile. Avoid including personally identifiable information in your profile. Try to keep your screen name and user account as anonymous as possible.
Choose your password carefully. The last thing that you want is for someone to be able to guess your password or to break it easily using software tools. Make sure your password is a minimum of 10 characters long. Include upper and lowercase letters along with symbols and numbers. Avoid including personal information such as your birthdate, age, or name in your password. Additionally, choose a different password for every site that you are on. That way, even if hackers figure out your password on one site, they won’t be able to access your profiles on other sites.

Before making a purchase or listing an item for sale, be sure to do careful research.

Start by taking a closer look at the reputation of the seller or buyer. Typically, the best option is to buy from sellers who have been selling through the platform for a long period of time and who have good feedback from buyers. Make sure all the transactions are completed through the auction site. Don’t fall for the scam where a seller tries to offer you a lower price if you buy the item from them directly rather than buying through the auction site.
Learn as much as you can about the item you are selling or buying. Find out how much the item is currently worth. Make sure that it is authentic and figure out what type of condition it is in. Buyers may want to consider saving a screenshot of the description so that they have proof that they can turn to if the item doesn’t live up to the seller’s promises.


Abusing X.509 Digital Certificates to establish a covert data exchange channel
6.2.2018 securityaffairs Security

A researcher at Fidelis Cybersecurity has devised a new technique that abuses X.509 digital certificates to establish a covert data exchange channel.
At the BSides conference in July 2017, Fidelis Cybersecurity researcher Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates; he has now published the proof-of-concept code.

X.509 is a standard that defines the format of public key certificates and is used in many Internet protocols, including TLS/SSL. TLS, for example, uses X.509 certificates in the handshake that establishes an encrypted connection.

The covert channel devised by Reaves uses fields in X.509 extensions to carry data; an attacker could exploit it to exfiltrate data from a target organization without being detected.

“The research demonstrates that a sufficiently motivated attacker can utilize technologies outside of their intended purposes to not only accomplish their goals but also end up bypassing common security measures in the process.” reads the paper published by the expert.

“In brief, TLS X.509 certificates have many fields where strings can be stored. You can see them in this image[16]. The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.”

The proof-of-concept code published by Reaves uses the SubjectKeyIdentifier extension field.

Certificate extensions were added in version 3 of the X.509 standard and allow CAs to attach additional attributes to a certificate; unfortunately, they can also be abused to embed arbitrary data.

Attackers can send small amounts of data to an external server without being noticed.

These extensions can be very large, which is why many libraries attempt to limit the total size of the handshake packets. The expert noticed, however, that the extension inside the certificate itself can be created at a length that appears to be limited only by available memory.

Data hidden in X.509 metadata is impossible to detect; the published PoC code transfers the Mimikatz post-exploitation tool inside the TLS negotiation:


As possible mitigations, Reaves suggests blocking self-signed certificates such as the ones used in the PoC and checking for executables inside certificates.
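The second mitigation above (check certificates for embedded executables) can be turned into a concrete check. The following scanner is an added example, not Reaves' or Fidelis' code: it walks a DER-encoded X.509 Extensions SEQUENCE with a minimal hand-written TLV parser and flags any extension whose value is far larger than its type warrants (SubjectKeyIdentifier is normally a 20-byte hash) or whose payload starts with an executable header. The size threshold and the magic-byte list are assumptions to tune per environment, and the sample extension block is constructed inline for illustration; in practice you would feed it the Extensions block extracted from a real certificate with a library such as `cryptography` or `openssl asn1parse`.

```python
"""Scan DER-encoded X.509 extensions for oversized or executable-bearing values.

Added example (not Fidelis' or Jason Reaves' code). The DER helpers below are
just enough to build and walk an Extensions SEQUENCE; the sample data at the
bottom is constructed here and is not a real certificate.
"""

SUBJECT_KEY_ID_OID = "2.5.29.14"

# Assumed threshold: a SubjectKeyIdentifier is normally a 20-byte hash, so an
# extension value beyond a few dozen bytes deserves a look. Tune per environment.
SIZE_THRESHOLD = 64

# Leading bytes of common executable formats: PE (MZ), ELF, Mach-O (both endians).
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf")


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_extension(oid: str, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING } (non-critical)."""
    return der_tlv(0x30, der_oid(oid) + der_tlv(0x04, value))


def scan_extensions(ext_seq: bytes, threshold: int = SIZE_THRESHOLD) -> list:
    """Walk an Extensions SEQUENCE and return a list of finding dicts."""
    tag, body, _ = read_tlv(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    findings, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag2, val, p = read_tlv(ext, p)
        if tag2 == 0x01:                      # optional 'critical' BOOLEAN present
            _, val, p = read_tlv(ext, p)
        oid = decode_oid(oid_body)
        # SubjectKeyIdentifier wraps a KeyIdentifier OCTET STRING; unwrap it so the
        # magic-byte check sees the raw payload rather than the inner tag byte.
        inner = val
        if val and val[0] == 0x04:
            _, inner, _ = read_tlv(val, 0)
        reasons = []
        if len(val) > threshold:
            reasons.append(f"oversized ({len(val)} bytes)")
        if inner.startswith(EXEC_MAGIC):
            reasons.append("executable header")
        if reasons:
            findings.append({"oid": oid, "size": len(val), "reasons": reasons})
    return findings


# Constructed samples: a benign 20-byte key identifier and one stuffed with a
# PE-looking blob, the shape of payload the article's mitigation is about.
BENIGN_SKI = build_extension(SUBJECT_KEY_ID_OID, der_tlv(0x04, b"\x11" * 20))
SMUGGLED_SKI = build_extension(SUBJECT_KEY_ID_OID, der_tlv(0x04, b"MZ" + b"\x90" * 4000))
SAMPLE_EXTENSIONS = der_tlv(0x30, BENIGN_SKI + SMUGGLED_SKI)

if __name__ == "__main__":
    for finding in scan_extensions(SAMPLE_EXTENSIONS):
        print(finding)
```

The two signals are deliberately independent: a large extension without a recognisable header still merits review, and a small extension that happens to begin with `MZ` is cheap to surface. Both should be treated as triage hints rather than verdicts, since legitimate extensions (for example long policy or SCT lists) can also be large.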


#ThinkBeyond – Security solutions from market leaders may all fail in your particular environment
30.1.2018 securityaffairs Security

Buying solutions proposed by analyst firms without carefully analyzing your organization exposes it to cyber threats. It’s time to #ThinkBeyond this broken paradigm.
The cybersecurity market is expected to double by 2022; analysts estimated the growth could reach three hundred thousand dollars, at a Compound Annual Growth Rate (CAGR) of 11.0%. In the same period, the number of cyber attacks is expected to increase: hackers will adopt new, sophisticated techniques while the attack surface of companies and organizations expands with the adoption of paradigms such as the Internet of Things, cloud computing, and mobile computing.

Another important element that will characterize the coming months is the adoption of new regulations and directives, such as the GDPR and the NIS Directive, which will influence the evolution of the market.

Businesses will face the “perfect storm,” the ideal condition for security firms that continue to develop new solutions designed to cover a specific portion of the market instead of responding to the real needs for cyber security of their customers.

The increasing number of successful cyber attacks and the security breaches reported daily by experts demonstrate that most companies are still far from an adequate security posture.

Originally the problem was mainly one of awareness of cyber threats; now the critical issue is the ability of businesses and decision makers to buy security solutions that match their needs.

The purchase of a new security solution or service is often driven by the recommendations of analysts, who produce all kinds of reports to influence the final decision of management and IT staff.

Emulation is part of human nature; for C-level personnel it is easy to select business partners by choosing them from the companies listed in authoritative studies and publications such as the Gartner Magic Quadrant.

Evidently, this approach is not sufficient to ensure a modern business's resilience to cyber attacks.

In many cases the very security companies recommended by these reports have been involved in embarrassing incidents. This is the case of the accountancy firm Deloitte, which was rated the best Security Consulting Services provider by Gartner but was itself the victim of a sophisticated hack that compromised its global email server in 2016.

These studies can lead to a blind, uninformed choice of security solutions and give businesses a false sense of security.

It is absurd to compose a security infrastructure only by implementing the recommendations of analyst firms, while events in the threat landscape demonstrate that such an approach is ruinous.

A model of cyber security driven by profits cannot be effective against cyber threats. Threat actors rapidly and continuously change their Tactics, Techniques, and Procedures (TTPs), and the security industry is not able to keep up with them.

Security investments should be measured by the amount of cyber risk mitigated per dollar spent; only in this way is it possible to evaluate the real improvement in the resilience of an architecture as new components are added to the mosaic.

Before turning to a report from a major analyst firm that recommends products from IT giants, it is essential for any organization to assess and prioritize all of its cyber risks and business processes.

The risk assessment must involve as many stakeholders as possible; this is the best way to protect our infrastructure from the various threat actors.

Once all the risks are identified and prioritized, the company will have to mitigate them using the systems already inside its infrastructure, eventually integrating them with suitable solutions. Instruments like Gartner’s Magic Quadrant can help companies select vendors through a filtered view of the market; however, we cannot forget that security solutions from market leaders may all fail in a particular environment.

Adopting security solutions that analysts recognize as leading products of the cyber security industry will not protect our organizations, for multiple reasons.

The reality is disconcerting: in most security breaches the attackers were able to bypass the stack of security solutions the victims had deployed to defend their infrastructure.

We cannot continue to build our defence on a model of cyber security imposed by a small number of firms. From the attacker’s perspective, it is easy to predict the type of defence measures in place and adapt the attack chain accordingly.

Don’t forget that threat actors continuously monitor our infrastructure; companies need to avoid providing points of reference that could be the starting points for their offensive.

The choice of components for a company's infrastructure must be driven by an objective analysis of the context in which it operates and by careful consideration of how cyber threats are evolving.

Security solutions must be user-friendly; overly complex systems are hard to use. Another problem with the choice of security products and services is the organization's capacity to process the output of its defence systems. In real scenarios, cyber security analysts often miss the vast majority of alerts and warnings because of the huge volume of information generated by security solutions.

Most of the leading security firms urge a layered approach to cyber security, but what happens if these layers are not able to exchange information with each other correctly, or, in the worst case, are themselves affected by vulnerabilities that can be triggered to compromise the security of the overall architecture?

Building a layered defense system doesn’t simply mean putting together the security products and services suggested by prominent studies; the analysis must go beyond that.

Integration is the most complicated part of setting up a security infrastructure: every time the IT staff intends to add another piece to the cyber barricade, it needs to understand carefully how the various components interact and how the resulting system behaves.

Buying solutions proposed by analyst firms will not by itself protect an organization, and spending more doesn’t necessarily mean you will be secure; this must be clear to anyone working to increase the resilience of their systems to cyber attacks. It’s time to #ThinkBeyond this broken paradigm.


Amazon Acquires Threat Hunting Firm Sqrrl
24.1.2018 securityweek Security

Sqrrl, a Cambridge, Mass.-based big data analytics startup that is commercializing NSA technology to help organizations detect threats lurking in their infrastructure, has been acquired by Amazon.

The company announced Tuesday that it has been acquired by Amazon and would be joining the Amazon Web Services (AWS) family.


Founded in 2012, Sqrrl has raised more than $28 million in funding, including $12.3 million in June 2017 and $7 million in February 2015.

At the core of Sqrrl Enterprise is Accumulo, a database project that began at the NSA in 2008 when the spy agency was searching for a platform that could meet its growing data challenges. In 2011, NSA open sourced Accumulo, which has since become a project at the Apache Foundation. Accumulo was inspired by Google's BigTable design and is built on top of Apache Hadoop, Zookeeper, and Thrift.

In the summer of 2012, a group of the core creators, committers, and contributors to the Accumulo project co-founded Sqrrl.

Built on top of Accumulo, Sqrrl’s software analyzes masses of data in order to uncover hidden patterns, trends, and links, and enables security analysts to visually navigate the relationships between assets and actors involved in a given event. As a result, security teams can detect and mitigate data breaches resulting from cyber-espionage, insider threats, and other types of hard-to-detect attacks.

Six of the seven original members of the Sqrrl team had worked for the NSA.

The company did not provide details on how its technology would be integrated into AWS offerings, but it could be used to enhance Macie, a recently-launched security service that helps AWS users discover, classify and protect sensitive data. Amazon Macie uses machine learning to automatically identify and protect personally identifiable information (PII), intellectual property and other sensitive data, and informs users of how their data is being accessed or moved via dashboards and alerts.

“For now, it is business as usual at Sqrrl,” noted Mark Terenzoni, Sqrrl CEO. “We will continue to work with customers to provide advanced threat hunting capabilities. And, over time, we’ll work with AWS to do even more on your behalf.”

Terms of the acquisition were not disclosed, though Axios reported in December that talks were under way for Amazon to buy Sqrrl for "a bit north" of $40 million.

Sqrrl's financial backers include Spring Lake Equity Partners, Matrix Partners, Rally Ventures, Accomplice, and Atlas Venture.


Clothing Retailer Fallas Hit by Payment Card Breach
24.1.2018 securityweek Security

Clothing retailer National Stores, which operates 340 stores across the United States, informed customers this week that their payment card information may have been stolen by hackers.

Los Angeles, California-based National Stores, Inc. operates Fallas, Fallas Paredes, Fallas Discount Stores, Factory 2-U, Anna's Linens, and Falas stores in 22 U.S. states and Puerto Rico.

On December 22, the company learned from a third party that its payment systems may have been breached by malicious hackers. An investigation launched by National Stores revealed that its point-of-sale (PoS) systems had been infected with malware.

According to the company, the malware may have stolen credit card information between July 16 and December 11, 2017. The compromised data includes names, payment card numbers, expiration dates, and security codes.

The list of potentially impacted stores includes more than 270 locations in California, New York, Nevada, Texas, Arizona, New Mexico, Illinois, Florida, Oklahoma, New Jersey, Massachusetts, Virginia, North Carolina, South Carolina, Maryland, Wisconsin, Michigan, Ohio, Georgia, and Puerto Rico. Over 90 of the affected stores are in California, followed by Texas, with 45 locations.

“We have been working closely with the FBI, cybersecurity experts, and payment card brands to contain the incident and protect our customers' payment cards,” said Michael Fallas, CEO of National Stores. “The malware has been removed from our system, and no customers will be responsible for any fraudulent charges to their accounts. We are in the process of strengthening the security of our point of sale systems to prevent this from happening in the future.”

The retailer has advised customers to keep a close eye on account statements and credit reports, and immediately notify their bank of any suspicious activity.

Fallas is not the only clothing retailer to suffer a payment card breach in recent years. The list also includes Brooks Brothers, Buckle, Forever 21 and Eddie Bauer.


Researchers found misconfigured Jenkins servers leaking sensitive data
21.1.2018 securityaffairs Security

Security expert Mikail Tunç analyzed Jenkins servers exposed online and discovered that many instances leak sensitive information.
The researcher clarified that he did not exploit any vulnerabilities to gain access to the Jenkins servers; he simply analyzed ones that were already open.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server helps developers build, test and deploy their applications; it has more than 133,000 active installations worldwide and more than 1 million users.

The researcher used the Shodan search engine to find Jenkins servers accessible online and discovered roughly 25,000 instances. Analysis of approximately half of them revealed that 10-20% were misconfigured; the researcher then manually reviewed each of those and notified the affected vendors.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.


Tunç also found Jenkins servers that used SAML/OAuth authentication linked to GitHub or Bitbucket but, unfortunately, allowed any GitHub or Bitbucket account to log in rather than only the organisation's own users.

“Misconfigured in this context means any one of the following:

Wide open to the internet with either guest or administrative permissions by default – guest can be just as catastrophic and damaging as having admin rights
The web application was behind a log-in prompt but allowed ‘self-registration’ which granted guest or admin rights
The web application was behind a SAML/OAuth log-in linked to Github or Bitbucket but was misconfigured to allow any Github/Bitbucket account to log-in to Jenkins rather than being locked down to the organisation’s user pool
” wrote the expert in a blog post.

Tunç reported that almost all of the misconfigured instances he analyzed also leaked sensitive information, including credentials for private source code repositories, credentials for deployment environments (e.g. usernames, passwords, private keys and AWS tokens), and job log files that included credentials and other sensitive data.

The researcher also found Google had exposed sensitive tokens on their Jenkins instance, the company promptly solved the problem after being informed via its bug bounty program.

Other exposed instances discovered by the expert belong to major organizations, including:

London’s government-funded transport body Transport for London;
Supermarkets Sainsbury’s and Tesco;
A company that manufactures toys for children;
Credit checking company ClearScore;
Newspaper publisher News UK;
Educational publisher Pearson.
“It’s 2018 and most organisations don’t have the most basic of responsible disclosure processes in place. Surprisingly (or not) big names fall foul of this problem too.” concluded the researcher.

“If you work in InfoSec or are responsible for the security of your infrastructure, now’s a good time to methodically crawl through your infrastructure to ensure you’re not unknowingly exposing sensitive interfaces to the internet. It only takes one misconfigured instance to destroy your business.”
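The closing advice, to methodically crawl your own infrastructure for exposed interfaces, can be scripted for the first two misconfigurations in Tunç's list. The audit below is an added example and is not the researcher's tooling. It relies on two Jenkins endpoints that exist in current releases: `/whoAmI/api/json`, which reports the identity the server assigned to the caller, and `/api/json`, which answers 200 only when the caller holds Overall/Read. Treating a 200 from `/signup` as a sign of open self-registration is an assumption about how the built-in user database responds and may need adjusting for your version; the third misconfiguration (an OAuth realm open to any GitHub or Bitbucket account) cannot be detected without completing a login, so it is out of scope here. The sample responses are constructed so the classification logic can be exercised offline.

```python
"""Audit Jenkins instances for anonymous read access and open self-registration.

Added example (not Mikail Tunç's tooling). `assess()` is a pure function over
captured responses so it can be tested without a network; `audit()` wraps it
with unauthenticated GETs against a base URL you administer.
"""
import json
import urllib.error
import urllib.request


def fetch(base_url: str, path: str, timeout: float = 10.0):
    """GET base_url + path with no credentials; return (status, body bytes)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "jenkins-exposure-audit/0.1"},  # assumed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def assess(whoami_status: int, whoami_body: bytes,
           api_status: int, signup_status: int) -> dict:
    """Classify unauthenticated responses into concrete findings.

    whoami_*  : response to /whoAmI/api/json (served even without Overall/Read)
    api_status: status of /api/json (200 means anonymous has Overall/Read)
    signup_status: status of /signup (200 assumed to mean self-registration is on)
    """
    identity = {}
    if whoami_status == 200:
        try:
            identity = json.loads(whoami_body.decode("utf-8", "replace"))
        except ValueError:
            identity = {}
    # If the server did not tell us who we are, assume we are anonymous.
    anonymous = bool(identity.get("anonymous", True))

    findings = []
    # Misconfiguration 1: wide open, anonymous caller can read the instance.
    if anonymous and api_status == 200:
        findings.append("anonymous Overall/Read granted (wide open)")
    # Misconfiguration 2: self-registration page reachable (assumed check).
    if signup_status == 200:
        findings.append("self-registration page reachable")
    return {"anonymous": anonymous, "findings": findings}


def audit(base_url: str) -> dict:
    """Run the three probes against one instance and classify the result."""
    whoami_status, whoami_body = fetch(base_url, "/whoAmI/api/json")
    api_status, _ = fetch(base_url, "/api/json")
    signup_status, _ = fetch(base_url, "/signup")
    result = assess(whoami_status, whoami_body, api_status, signup_status)
    result["url"] = base_url
    return result


# Constructed sample bodies (not captured from any real server).
ANON_WHOAMI = (b'{"anonymous": true, "authenticated": false, '
               b'"name": "anonymous", "authorities": ["anonymous"]}')

if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:          # e.g. https://jenkins.example.internal
        r = audit(url)
        status = "EXPOSED" if r["findings"] else "ok"
        print(f"{r['url']}: {status} {'; '.join(r['findings'])}")
```

A 403 from `/api/json` for an anonymous caller is the healthy state; a 200 means every job name, parameter and console log the instance holds is readable by anyone who finds it, which is exactly how the credentials and AWS tokens in the article leaked.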


Cloudflare Launches Remote Access to Replace Corporate VPNs
19.1.2018 securityweek Security
Mobile and cloud computing have challenged the concept of perimeter security. There is no longer an easily definable perimeter to defend. VPNs are a traditional, but not ideal solution. Neither approach addresses the attacker who gets through the perimeter or into the VPN. Google long ago recognized the problems and introduced BeyondCorp as an alternative to perimeters and VPNs for its own worldwide employees.

BeyondCorp replaces the need for VPNs. Instead it focuses on authenticating the device (which it provides and identifies with a device certificate) and its user, and then imposes tiered authentication around its applications. In effect, it removes the distinction between a trusted network and an untrusted network, and focuses on authenticated access from any location.

It is a good security model, but one that is beyond the reach of companies that don't have Google's resources. Now Cloudflare has announced a new service for its customers that it calls Cloudflare Access and describes as 'democratizing' the BeyondCorp model. It allows employees to operate outside of the corporate network without requiring them to use a VPN, "which," writes Cloudflare engineer Venkat Viswanathan in an associated blog post Wednesday, "slows down work because every page load makes extra round trips to the VPN server. After all this hassle, users on the VPN are still highly susceptible to phishing, man-in-the-middle and SQL injection attacks."

"VPNs are slow, and clunky, and frankly, don't make sense for an increasingly mobile workforce accessing increasingly cloudified apps," said Matthew Prince, co-founder and CEO of Cloudflare. "Cloudflare Access gives centralized application access control for legacy or cloud apps without slowing down connections, regardless of where someone is working around the world."

Unlike BeyondCorp, however, Cloudflare cannot provide corporate devices for the users. Customers remain responsible for the security of the remote devices. "We don't insist on clients providing company devices to employees," Prince told SecurityWeek, "but we recommend that they tick some sort of identity provider. That could be Google, Microsoft Active Directory, Okta or something they've built themselves. How much they use that service and lock down the individual devices is up to them, but we would recommend that they use multi-factor authentication on those devices."

Cloudflare's role in this model is to protect the customer's individual applications within separate authentication wrappers. "While perimeter defense is based on the idea of a moat around the castle," said Prince, "this new model puts each application (the castle's individual crown jewels) into separate safes. We don't care whether the customer uses a combination lock safe, or a physical key safe or an electronic keypad safe. We'll support any of the different mechanisms for unlocking the safe -- but what we provide is the safe itself. We provide the thing that wraps around wherever the crown jewels are located and protects them. It is the customers that decide how they want to verify if the device and user are legitimate and authorized to open the door that we provide."

Cloudflare's Access product does not defend the user's device, but it does defend the company's applications. "Even if an attacker manages to get into a device, every access to the company network is logged by Cloudflare. The customer can monitor for anomalies. So, the model of wrapping authentication around each application not only adds friction to any attack, it also provides a central repository where the security team can look for anomalies, track bad behavior and quickly respond accordingly. The customer's administrator for the Cloudflare service would have a single view of every employee's device -- when it logged into and used each of the different services -- on a service by service basis. If anything anomalous happens, the administrator can withdraw the user's Access instantly."

The logs are accessible through a Cloudflare API, so anomaly detection can be automated using anomaly detection tools in-house. "Over time," said Prince, "as Access matures, there will be additional tools that we provide to allow customers to look for things that might be anomalous. For example, if a device has only logged into three services in its entire history, and then suddenly logs into five new services, we would surface that in the logs and show it to the admins. This is not currently available," he added. "You could build it through our APIs, but it's something we are likely to make available in future versions of our product."
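The heuristic Prince describes, a device with a short history of services that suddenly reaches several new ones, is simple enough to build over the per-application access logs the product exposes. The implementation below is an added example and not Cloudflare code: it runs over a constructed event list in an assumed layout of (device, user, application, ISO-8601 timestamp), so a real feed from the Cloudflare API would first need to be mapped onto that shape. The 24-hour window, the threshold of three new applications, and the rule that a device needs at least one window of history before it can alert are all assumptions.

```python
"""Detect devices that suddenly fan out to many never-before-used applications.

Added example, not Cloudflare's code. The event layout, window and threshold
are assumptions; the log below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning: alert when a device first touches this many applications
# within one rolling window, provided it already has a longer history.
NEW_APP_THRESHOLD = 3
WINDOW = timedelta(hours=24)

# Constructed sample log: dev-01 is steady, dev-02 bursts onto new apps after
# ten days of routine use, dev-03 is brand new and has no baseline yet.
SAMPLE_LOG = [
    ("dev-01", "alice", "wiki",        "2018-01-10T09:00:00"),
    ("dev-01", "alice", "mail",        "2018-01-10T09:05:00"),
    ("dev-01", "alice", "wiki",        "2018-01-15T10:00:00"),
    ("dev-02", "bob",   "git",         "2018-01-10T08:30:00"),
    ("dev-02", "bob",   "jira",        "2018-01-11T08:30:00"),
    ("dev-02", "bob",   "git",         "2018-01-18T08:30:00"),
    ("dev-02", "bob",   "hr",          "2018-01-20T09:00:00"),
    ("dev-02", "bob",   "finance",     "2018-01-20T09:10:00"),
    ("dev-02", "bob",   "admin",       "2018-01-20T09:20:00"),
    ("dev-02", "bob",   "vpn-console", "2018-01-20T09:30:00"),
    ("dev-03", "carol", "wiki",        "2018-01-21T09:00:00"),
    ("dev-03", "carol", "mail",        "2018-01-21T09:01:00"),
    ("dev-03", "carol", "git",         "2018-01-21T09:02:00"),
    ("dev-03", "carol", "jira",        "2018-01-21T09:03:00"),
]


def parse_events(events):
    """Turn (device, user, app, iso_ts) tuples into time-ordered records."""
    parsed = [(d, u, a, datetime.fromisoformat(t)) for d, u, a, t in events]
    return sorted(parsed, key=lambda e: e[3])


def detect_new_service_bursts(events, threshold=NEW_APP_THRESHOLD, window=WINDOW):
    """Return one alert per device whose count of first-time applications
    inside a rolling window reaches the threshold after a baseline period."""
    seen = defaultdict(set)          # device -> applications ever used
    first_seen = {}                  # device -> timestamp of its first event
    recent_new = defaultdict(list)   # device -> [(ts, app)] first-use events in window
    alerted = set()
    alerts = []
    for device, user, app, ts in parse_events(events):
        first_seen.setdefault(device, ts)
        if app in seen[device]:
            continue                 # routine access, nothing new to learn
        seen[device].add(app)
        recent_new[device].append((ts, app))
        recent_new[device] = [(t, a) for t, a in recent_new[device] if ts - t <= window]
        # A device younger than one window has no history to compare against;
        # everything it touches is "new", so it cannot produce a burst alert.
        has_baseline = ts - first_seen[device] > window
        if has_baseline and len(recent_new[device]) >= threshold and device not in alerted:
            alerted.add(device)
            alerts.append({
                "device": device,
                "user": user,
                "at": ts.isoformat(),
                "new_apps": [a for _, a in recent_new[device]],
                "history_size": len(seen[device]) - len(recent_new[device]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_service_bursts(SAMPLE_LOG):
        print(alert)
```

The alert fires once per device at the moment the threshold is crossed, carrying the new applications and the size of the device's prior history so an analyst can judge "three services, then five new ones" against "thirty services, then three new ones". Suppressing further alerts for the same device keeps the burst from producing one row per additional application.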

Cloudflare's new Access product is a replacement for corporate VPNs using much of Google's BeyondCorp model.

"When a user accesses an individual application," explained Prince, "it would be like passing through a VPN on a per application basis. Users would hit a Cloudflare data center which prompts for proof of identity and authorization to access a particular application. If that authorization proves 'true', then the user gets a fast lane back to the actual application, which could be running anywhere on the internet, whether in-house or a third-party such as Salesforce. The user gets a much faster experience through not having to back haul everything through some centralized VPN server." Like a VPN, all traffic is protected by encryption.

"If you think of the problems that VPNs are trying to solve, they're simply trying to let the good guys in and keep the bad guys out. Access solves that exact same problem, but does it in a way that is more robust. It supports cloud environments, it supports remote workers without slowing down their connection, and it actually provides a better security model where you have individuals being logged as they pass through authentication checkpoints to use each different application."

Cloudflare Access is being sold on a per seat basis: $3 per person, per month. There is no limit to the number of applications that can be accessed by each user via the service. Volume discounts are available for large deployments.

San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 -- the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.


Google Brings Security Analytics to G Suite
18.1.2018 securityweek Security
Google this week announced security center for G Suite, a tool that brings together security analytics, actionable insights, and best practice recommendations from Google.

The new tool provides a snapshot of important security metrics in one place, including information on suspicious device activity. The security center can be used to gain visibility into how spam and malware are targeting users within an organization, as well as to access metrics to demonstrate security effectiveness.

Security analytics functions help security teams take advantage of insights into which users are being targeted by phishing, allowing them to prevent potential attacks. The security center also displays information on when Google Drive files trigger DLP rules, thus enabling admins to avoid data exfiltration.

Security recommendations, which are based on an analysis of the organization’s current security posture, are also available to admins through Security health. Tailored to the organization’s specific needs, these recommendations cover issues such as data storage, file sharing, and mobility and communications settings.

The Security health section also includes information on the number of organizational units for which a setting is enabled or disabled, and details on organizational units with risky configurations. This is where admins can monitor settings for Gmail, Google Drive, and devices, as well as whether two-step verification has been enabled for both users and admins.

Google is making the new features available to G Suite Enterprise customers within the Admin console, which should automatically appear to all qualifying customers within the next few days.

To get started, admins should sign in to their Google Admin console, then click Security, and access Dashboard for an overview of security metrics like spam volume, email authentication, and Drive sharing. By selecting Security health, they can get information on how security settings are configured for the domain and can receive suggestions based on best practices.


VirusTotal Launches Visualization Tool
9.1.2018 securityweek Security
VirusTotal this week announced the availability of a visualization tool designed to help with malware investigations.

Dubbed VirusTotal Graph, the new tool is available at https://www.virustotal.com/graph/ or through a public report in the tool section (which requires a VirusTotal login).

The tool should make it easier for investigators who work with multiple reports at the same time and pivot between multiple data points (files, URLs, domains and IP addresses); such work normally means keeping many tabs open, which complicates the investigation.

“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities,” VirusTotal notes.

Built on top of VirusTotal’s data set, the new tool was designed to “understand the relationship between files, URLs, domains and IP addresses” and to bring the necessary information on these five entity types (relationships are included) together on a single interface, thus making it easier to navigate.

Some of the features available for users include a search box (it even supports multiple indicators of compromise, via a Multi-entity search section), node summary section (summarizes the more relevant information), node expansion section (to correlate information from more than one entity), node action menu, detection dropdown (shows the number of AV detections), and node list (shows the list of all nodes in the panel).

The key elements of the VirusTotal Graph user interface will provide investigators not only with the most relevant information at a glance when clicking on a node, but also with the option to explore and expand each of the nodes in their graph, and build a network and observe connections across samples. Zooming in or out on a graph is also possible.

VirusTotal also allows users to save the graphs so they can access them at any time, as well as to share their findings with other users (generating permalinks to the graph is also possible). VirusTotal makes all saved graphs public and also links them in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.

Furthermore, with the help of VirusTotal Public or VirusTotal Intelligence reports, users will be able to add labels and access in-depth reports.

“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution -- expect to see some news around it soon,” VirusTotal concludes.

Additional information on the new tool is available on VirusTotal’s support page and in two YouTube videos providing tutorials on Files and Domains.


Nhash: petty pranks with big finances
22.12.2017 Kaspersky Security
According to our data, cryptocurrency miners are rapidly gaining in popularity. In an earlier publication we noted that cybercriminals were making use of social engineering to install this sort of software on users’ computers. This time, we’d like to dwell more on how exactly the computers of gullible users start working for cybercriminals.

Beware freebies

We detected a number of similar websites with offers to download various types of free software. Some of them really were free applications (such as OpenOffice), while others attempted to entice users with “free” software packages of Adobe Premiere Pro, CorelDraw, PowerPoint, etc. From the victim’s point of view, the software was indeed free – it didn’t ask for activation keys and could be used immediately. Moreover, the cybercriminals used domain names resembling those of recognized legitimate products, such as thefinereader.ru, theopenoffice.ru, etc. There was one thing all these apps had in common – they were installed on the victim computer along with a custom-configured version of cryptocurrency mining software from the NiceHash project.

All sites followed the same design template, differing only in their product descriptions and download links

Mining coins at any price
Kaspersky Lab’s products detect the NiceHash miner with the verdict not-a-virus:RiskTool.Win64.BitCoinMiner.cgi; it is not malicious according to Kaspersky Lab’s classification. According to KSN data, around 200 files are detected with this verdict. We chose the file FineReader-12.0.101.382.exe for analysis. It was obtained from the website thefinereader.ru which is no longer available; at this website, it was presented as a “free full version” of ABBYY FineReader. It should be noted that this hacked version, minus the miner component, has long been available on the internet via Torrent file distribution systems:

The executable file contains the installation package Inno Setup; unpacking it will produce a number of folders containing the actual software and its resources, as well as an installation guide script. The installer’s root folder looks like this:

The {app} folder is of interest to us; it contains the software that is installed. This folder contains a ‘portable’ version of FineReader:

The lib folder contains some suspicious-looking files:

Among these files is the NiceHash miner that we mentioned above. There are also text files in this folder that contain the information required to initialize the miner – namely the wallet details and the mining pool’s address. This folder will be installed stealthily to the victim computer while FineReader is installing.

A shortcut will also be created in the autorun folder:

The shortcut reveals the path to the miner’s work directory on the C drive:

That leaves the tskmgr.exe and system.exe files of interest for analysis. Both files are BAT scripts compiled into PE files. Let’s look at the contents of system.exe after extracting the BAT script:

It ensures the wallet’s address is up to date and initializes the miner’s operation. It contacts the following addresses:

http://176.9.42.149/tmp1.txt
http://176.9.42.149/tmp3.txt?user=default&idurl=3
http://176.9.42.149/tmp2.txt?user=3id170927143302
After the third query, the following response is received:

This is a PowerShell script that assigns a unique ID to the infected computer and launches mining with the correct wallet details (in this specific case, the zcash cryptocurrency is mined). IDs are generated following a specific algorithm based on the mining start time. For example, the ID 4v09v2017v03v24v26 is made up of the date (14.09.2017) and time (03:24:26).

We have also identified other types of covert miners with a slightly different logic. Below is the same Inno Setup installation package, but if we take a look at its contents, we can see lots of shortcuts:

Let’s take a look inside:

This is a classic case – the shortcuts are scattered across the system; when opened by the user, they launch the miner. The package includes the TrayIt! utility that hides the miner’s window from the user by minimizing it to the system tray. This miner doesn’t receive any data from the server, but instead operates using the wallet and pool details that were hardwired into it.

Finances
Among the mining pools used by cybercriminals, we detected some that provided statistics about the wallets and the number of miners. At the time of our analysis, total revenue from all wallets was nearly US$3400.

The t1WSaZQxqBLLtGMKsGT6t9WGHom8LcE8Ng5 wallet

The t1JA25kJrAaUw9xe6TzGiC8BU5pZRhgL4Ho wallet

The t1N7sapDRuYdqzKgPwet8L31Z9Aa96i7hy4 wallet

The 3MR6WuGkuPDqPZgibV6gi4DaC7qMabEFks wallet

Conclusion
This small piece of research once again demonstrates that no one should ignore protection measures and get lulled into a false sense of security, believing cybercriminals are only interested in financial organizations; practice shows that regular users are also targeted. The mining software that we analyzed, albeit incapable of inflicting any damage, can seriously impair your workstation’s performance by hijacking its resources and making it work for somebody else.

Indicators of Compromise
C&C
176.9.42.149

MD5
a9510e8f59a34a17ca47df9f78173291
19cdaf36a4bafd84c9f7b2cfff09ca50
613bd514f42e7cc78d6e0e267fc706d0
ab31d1cbed96114f2ea9797030fb608f
0a571873a125c846861127729fcf41bb
fd8f89a437bcb5490a92dc1609f190d1
dd639dc20f62393827c2067021b7fd50
6b567d817b94f714c0005e183ffb6d47
11e66ac4c9e7e3d0b341bdb51f5f8740
58c7db74c6ce306037f22984dd758362
f38b5a31eee2fd8c97249cefbc5fa19f
f378951994051bf90dc561457c88c69f
fb9c1f949f95caeada09c0fd70fb5416
b017f2836988f93b80f4322dbd488e00
211c6c52527b8c1029d64bb75a9a39d8
57cda2f33fce912f4f5eecbc66a27fa6

URLs
thefinereader[.]ru
abby-finereader[.]ru
thexpadder[.]ru
theteamspeak[.]ru
thecoreldraw[.]ru
the-powerpoint[.]ru
theoutlook[.]ru
picturemanager[.]ru
furmark[.]ru
thedxtory[.]ru
thevisio[.]ru
kmp-pleer[.]ru
theadobepremiere[.]ru
cdburner-xp[.]ru
theopenoffice[.]ru
iobit-uninstaller[.]ru
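
The indicators above are the raw material for a quick log sweep. As an added example, not part of the Kaspersky report: a Python scanner that loads the published C&C IP, MD5 hashes and defanged domains, refangs the domains, and matches them against constructed DNS, proxy and EDR log lines. Only the IoCs come from the report; the log format, client addresses, host names and the second hash in the sample are made up.

```python
"""Added example, not Kaspersky's code: match the indicators of compromise
published in the report against constructed log lines.  Only the IoCs come
from the report; the log format, hosts and client addresses are made up."""
import re

# Indicators copied from the report.  Domains are kept defanged as published
# and refanged on load so nobody accidentally clicks them in an editor.
C2_IPS = {"176.9.42.149"}
MD5_HASHES = {
    "a9510e8f59a34a17ca47df9f78173291", "19cdaf36a4bafd84c9f7b2cfff09ca50",
    "613bd514f42e7cc78d6e0e267fc706d0", "ab31d1cbed96114f2ea9797030fb608f",
    "0a571873a125c846861127729fcf41bb", "fd8f89a437bcb5490a92dc1609f190d1",
    "dd639dc20f62393827c2067021b7fd50", "6b567d817b94f714c0005e183ffb6d47",
    "11e66ac4c9e7e3d0b341bdb51f5f8740", "58c7db74c6ce306037f22984dd758362",
    "f38b5a31eee2fd8c97249cefbc5fa19f", "f378951994051bf90dc561457c88c69f",
    "fb9c1f949f95caeada09c0fd70fb5416", "b017f2836988f93b80f4322dbd488e00",
    "211c6c52527b8c1029d64bb75a9a39d8", "57cda2f33fce912f4f5eecbc66a27fa6",
}
DEFANGED_DOMAINS = [
    "thefinereader[.]ru", "abby-finereader[.]ru", "thexpadder[.]ru",
    "theteamspeak[.]ru", "thecoreldraw[.]ru", "the-powerpoint[.]ru",
    "theoutlook[.]ru", "picturemanager[.]ru", "furmark[.]ru", "thedxtory[.]ru",
    "thevisio[.]ru", "kmp-pleer[.]ru", "theadobepremiere[.]ru",
    "cdburner-xp[.]ru", "theopenoffice[.]ru", "iobit-uninstaller[.]ru",
]


def refang(indicator):
    """Turn the published 'example[.]ru' form back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"(?<![\w.-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])")


def domain_matches(host):
    """True for a listed domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def scan_for_iocs(lines):
    """Return [{'line': n, 'type': ..., 'indicator': ...}] for every IoC hit.
    Lines are lower-cased first so hash and hostname case never matters."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        line = raw.lower()
        for ip in set(IPV4_RE.findall(line)):
            if ip in C2_IPS:
                hits.append({"line": n, "type": "ip", "indicator": ip})
        for md5 in set(MD5_RE.findall(line)):
            if md5 in MD5_HASHES:
                hits.append({"line": n, "type": "md5", "indicator": md5})
        for host in set(HOST_RE.findall(line)):
            if domain_matches(host):
                hits.append({"line": n, "type": "domain", "indicator": host})
    return hits


# Constructed sample lines mixing DNS, proxy and EDR events (raw string so the
# Windows path survives).  The hash on the last line is a made-up non-match.
SAMPLE_LINES = r"""
2017-09-14T03:24:20Z dns client=10.0.0.12 query=www.thefinereader.ru
2017-09-14T03:24:26Z proxy client=10.0.0.12 url=http://176.9.42.149/tmp1.txt
2017-09-14T03:25:01Z edr host=WS-12 path=C:\Users\u\Downloads\FineReader-12.0.101.382.exe md5=A9510E8F59A34A17CA47DF9F78173291
2017-09-14T04:00:00Z dns client=10.0.0.40 query=www.openoffice.org
2017-09-14T04:01:00Z proxy client=10.0.0.40 url=http://example.com/setup.exe md5=0123456789abcdef0123456789abcdef
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_for_iocs(SAMPLE_LINES):
        print(hit)
```

Matching subdomains (`www.thefinereader.ru` against `thefinereader.ru`) matters because the report lists registrable domains while DNS logs record whatever label the installer actually resolved.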


Singapore Issues Cryptocurrency Warning
19.12.2017 securityweek Security

Singapore Tuesday issued a warning about cryptocurrencies after a recent surge in prices sent investors flocking to bitcoin.

"The Monetary Authority of Singapore advises the public to act with extreme caution and understand the significant risks they take on if they choose to invest in cryptocurrencies," the city-state's central bank said in a statement.

"MAS is concerned that members of the public may be attracted to invest in cryptocurrencies, such as Bitcoin, due to the recent escalation in their prices."

It said the recent spike in bitcoin prices comes from speculation, and cautioned that the bubble may burst.

Singapore's central bank joins a number of regulators who have warned about cryptocurrency investments, including the US Federal Reserve, which said bitcoin could threaten financial stability.

Regulators in Seoul have banned South Korean financial institutions from dealing in virtual currencies.

The MAS, which also acts as a financial regulator in the city-state, noted that cryptocurrencies are not backed by any central bank and are unregulated, which means those who lose money after investing in them have no room for redress under Singapore law.

"There is also a risk of loss should the cryptocurrency intermediary be hacked, as it may not have sufficiently robust security features," the regulator said.

Earlier on Tuesday, a South Korean virtual currency exchange declared itself bankrupt after being hacked for the second time in a year.

The closure comes eight months after nearly 4,000 bitcoin -- then valued at 5.5 billion won ($5 million), nearly 40 percent of the exchange's total assets -- were stolen in a cyber-attack blamed on North Korea.

Global bitcoin prices have soared around 20-fold this year, with the cryptocurrency trading above $18,000 on Tuesday.

Created in 2009 as a piece of encrypted software, bitcoin has been used to buy everything from beer to pizza, and is increasingly accepted by major companies such as online travel giant Expedia.

Analysts have put the surge down to growing acceptance among traditional investors and a decision by US regulators to allow bitcoin futures to trade on major exchanges.

Previously only traded on specialist platforms, bitcoin started trading on the Cboe Futures Exchange earlier this month before hitting the major Chicago Mercantile Exchange (CME) on Monday.


Get the Ultimate 2018 Hacker Bundle – Pay What You Want
11.12.2017 thehackernews Security
Due to the growing number of threats in the computer world, ethical hackers have become the most important player for not only governments but also private companies and IT firms in order to safeguard their systems and networks from hackers trying to infiltrate them.
By 2020, employment in all information technology occupations is expected to increase by 22 percent, where demand for ethical hackers and IT security engineers will be the strongest. So, it's high time that you should start preparing yourself in the field of ethical hacking.
Although there are many popular and best online courses available in the market, you can't learn everything from a single book or a course.
Good news: this month we bring our readers an amazing deal, The Ultimate White Hat Hacker 2018 Bundle, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!
You will get at least 4 hacking courses for less than the average price (as little as $1), and all 8 online courses for the average price (which is $12.11 at the time of writing).
Here's a brief description of all 8 courses included in this Pay What You Want deal; the full set requires paying at least the average price:
1. Learn Hacking Windows 10 Using Metasploit From Scratch
Hack Windows Like a Pro, Secure It Like an Expert, and Detect the Hacker
This online course helps you learn how black hat hackers hack Windows using advanced techniques while improving your knowledge on how to analyze and secure Windows and combat hackers.
2. Hack People, Systems, and Mobile Devices
Learn Advanced Social Engineering Techniques to Crack Mobile Devices
This course helps you learn ethical hacking techniques and methodology used in penetration systems to better protect yourself and those around you.
3. Web Application Penetration Testing Professional: WAPTP v3.1
Attack Web Apps with the Latest Professional Tools & Tricks
This online course builds towards mapping an application for insecurities and understanding how to identify and mitigate threats, with WAPTP v3.1, a highly practical and hands-on training for web application penetration testing.
4. From Zero to Hero in Web, Network, and WiFi Hacking
Learn Basic to Advanced Web, Network, and WiFi Hacking
This online course helps you learn the essential elements of WiFi hacking so you can start applying them to a career in ethical hacking.
5. Ethical Hacking Using Kali Linux From A to Z
Discover the Power of Kali Linux, One of the Most Popular Ethical Hacking Tools
This course introduces you to the latest ethical hacking tools and techniques with the popular Kali Linux, using a testing lab for practicing different types of attacks.
6. Learn Website Hacking and Penetration Testing From Scratch
Learn How to Hack Sites Like A Black Hat Hacker and How to Protect Them Like A White Hat Hacker
This course helps you gain a complex understanding of websites, and then learn how to exploit them to carry out a number of powerful cyber attacks and test the security of websites and apps, and fix vulnerabilities.
7. Cyber Security Volume II: Network Security
Discuss Network Security, Firewalls, and Learn the Best Password Managers On the Market
This course helps you learn network hacking techniques and vulnerability scanning to discover security issues and risks across an entire network, learning skills for which big companies are willing to pay top dollar.
8. Ethical Hacking for Beginners
Hack Your Way to a Secure and Threat-Free Environment Using Best-in-Class Tools and Technique.
This course helps you learn ethical hacking and identify threats and vulnerabilities to secure your IT environment.


Chrome Improves Security for Enterprise Use
8.12.2017 securityweek Security
Chrome's Site Isolation Feature Renders Each Web Site in a Separate Process

Google is boosting the security of its browser with the release of Chrome 63, which brings a host of enhancements aimed at enterprises and also addresses 37 vulnerabilities.

The new browser iteration, Google says, can better protect enterprises from potential dangers like ransomware, malware, and other vulnerabilities. This is possible because of better process isolation, support for more advanced security standards, and the adoption of new policies.

One of the major enhancements Chrome 63 introduces is Site Isolation, where content for each open website is rendered in a separate process, isolated from the processes of other websites. The browser already includes sandboxing technology, but the new feature should deliver stronger security boundaries between websites.

Now, Chrome also allows IT admins to configure a new policy and restrict access to extensions based on the permissions required. Thus, they can block all extensions that require the use of a webcam or microphone, or those that want to access and modify data on the websites visited.

In an attempt to ensure more secure communication, the new browser release also enables Transport Layer Security (TLS) 1.3 for Gmail. TLS 1.3 support will be expanded to the broader web in 2018, Google reveals.

While Chrome browser users should not be impacted, IT admins can post feedback on any systems that are not interoperable with TLS 1.3. “As admins prepare for the wider use of TLS 1.3, they can configure this policy for network software or hardware that will not transit TLS 1.3 connections,” Google notes.

Next year, the Internet giant also plans to add support for the NTLMv2 authentication protocol in Chrome 64, including Extended Protection for Authentication (EPA) on Mac, Android, Linux and Chrome OS. Thus, the same level of security as in Chrome on Windows will be available on all platforms performing NTLM authentication.

IT admins can already enable the feature in chrome://flags/#enable-ntlm-v2, but Google plans on making NTLMv2 the default NTLM protocol starting with Chrome 65. The update makes Chrome the only browser to support NTLMv2 with EPA on non-Windows platforms.

The Internet search company also plans on improving the browser’s stability by blocking third-party software from injecting code into Chrome on Windows.

Because some businesses rely on code injection, however, a new policy set to be introduced in the coming months should provide admins with extended support for critical apps. To check whether their software is injecting into Chrome, admins can visit chrome://conflicts.

Google also included patches for 37 vulnerabilities in Chrome 63, including 19 security flaws reported by external researchers. These include 1 Critical severity, 6 High risk, 7 Medium severity, and 5 Low risk bugs.

The company paid over $46,000 to the reporting researchers. The highest bounties were paid for a Critical out-of-bounds write in QUIC ($10,500), a heap buffer overflow in PDFium ($6,337), two use-after-free issues in PDFium ($5,000 each), an out-of-bounds write in Skia ($5,000), and a use-after-free in libXML ($3,500).


The Worst Password Offenders of 2017
7.12.2017 securityweek Security
Password management firm Dashlane has published a list of what it believes are the top ten password offenders for 2017. It comprises six 'government' entries (including the President of the United States and the entire UK Government), and four organizations. Topping the list is Donald Trump, joined by Paul Manafort at #9 and Sean Spicer at #10.

To be fair, it is as much Trump the administration as it is Trump the person that is being called out. Dashlane points to a Channel 4 News investigation in January 2017 that said "Passwords used by Donald Trump's incoming cyber security advisor Rudy Giuliani and 13 other top staff members have been leaked in mass hacks."

In reality, the majority of people have had at least one password exposed by the many mass hacks that have plagued the internet this decade, so the biggest problem is not whether a password appears in the dark web listings, but whether it is still being used by the user of that password. Dashlane comments, "many of the top staff members Trump handpicked, including multiple cabinet secretaries, senior policy directors -- even cybersecurity advisor Rudy Giuliani -- were reusing insecure, simple passwords."

Paul Manafort, who was indicted in October by a federal grand jury as part of Robert Mueller's investigation into the Trump campaign, had been using 'Bond007' as his password for multiple personal accounts, including Dropbox and Adobe. Sean Spicer makes the list at #10 because, says Dashlane, "the former Press Secretary sent numerous Tweets of what appeared to be his very own passwords."

While the Democratic Party experienced several cybersecurity incidents last year, other U.S. government entities that made Dashlane's 2017 list include the Department of Defense (DOD at #4) and the Republican Party (at #5). For the DOD, Dashlane comments, "Defense contractor Booz Allen Hamilton left the Pentagon severely exposed by leaving critical files on a non-password protected Amazon server. Included in the exposed data were several unencrypted passwords that could have been used to access classified D.O.D. information."

The Republican Party is included for a similar reason: the exposure of sensitive data (by one of its analytics firms) of 198 million U.S. voters on an unprotected Amazon server.

Related: Clinton Email Server Vulnerable for 3 Months

It's not just U.S. political entities in the list, however. Coming in at #3 is the entire 'UK Government'. In March, the National Cyber Security Center (NCSC) chief executive Ciaran Martin wrote to political parties warning, "This is not just about the network security of political parties' own systems. Attacks against our democratic processes go beyond this and can include attacks on Parliament, constituency offices, think tanks and pressure groups and individuals' email accounts."

In June, the Times reported, "Passwords belonging to British cabinet ministers, ambassadors and senior police officers have been traded online by Russian hackers, an investigation by The Times has found." Again, the lists of passwords were probably aggregated from numerous earlier mass hacks -- but disturbingly, the most common password was 'password'.

Following these events it would be logical for members of parliament and IT administrators to have tightened password management. But in early December, several members tweeted that they routinely share their work computer password with staff, including interns (http://www.securityweek.com/uk-members-parliament-share-passwords-staff).

Four commercial organizations make Dashlane's worst offenders list: Equifax (#2), Google (#6), HBO (#7) and Imgur (#8). Equifax is included not because of its loss of the personal details of 145.5 million people (basically a patching issue http://www.securityweek.com/equifax-confirms-apache-struts-flaw-used-hack rather than a password issue), but because of what appears to be a generally lax attitude towards password hygiene. A smaller and less well known Equifax breach this year occurred -- in Equifax's own disclosure letter to the Attorney General of New Hampshire -- because "unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees' PINs (i.e., the password to access the online portal)."

Compounding this, researchers discovered that an Equifax server in Argentina was protected by 'admin/admin'. Anyone guessing these credentials would be able to access the server and find and modify employees' user accounts. Obscured, but not encrypted, the user's credentials were a plain text user name with a password comprising the user's surname.

Google makes the list because of the May phishing attack (http://www.securityweek.com/google-tightens-oauth-rules-combat-phishing) that compromised an unknown number of Google users' login credentials.

HBO (http://www.securityweek.com/hbo-hackers-demand-millions-ransom-note) is included because following a series of hacks and breaches in 2017, "employees came forward with reports of terrible cybersecurity practices, including the reuse of passwords for personal and work accounts." One stolen and leaked Word document actually contains the personal email address and passwords of an HBO SVP.

Imgur is included because of a breach that occurred in 2014 but was only discovered this year. "The company admitted that at the time of the hack it was using an outdated algorithm to encrypt its users' passwords," explains Dashlane. "Although it updated its encryption last year, the damage was already done as 1.7 million user passwords were potentially compromised."

What is clear from this list is that despite all of the warnings and breaches, people and organizations who should be setting an example for everyone else are still demonstrating very poor password hygiene for both themselves and their users. Multi-factor authentication wherever possible will certainly help users protect themselves; but the first and primary line of defense is to use and never reuse very strong unique passwords -- and to hope that the service that requires them will never store them in plaintext.


Google Unwanted Software Policy – It’s a fight against snooping apps
4.12.2017 securityaffairs  Security

Google has expanded enforcement of its Unwanted Software Policy, warning Android developers to explicitly declare data collection behaviors.
A few days ago, Google was caught collecting users’ location data even when location services were disabled, and many privacy experts questioned the behavior of the tech giant.

Google promptly admitted the practice and suspended it.

Now Google has made another move to protect the privacy of its users: it has warned Android developers to explicitly declare the data collection behaviors of their apps.

Google revised the Safe Browsing rules, expanding the enforcement of Google’s Unwanted Software Policy.

“In our efforts to protect users and serve developers, the Google Safe Browsing team has expanded enforcement of Google’s Unwanted Software Policy to further tamp down on unwanted and harmful mobile behaviors on Android.” reads the announcement published by Google.

“As part of this expanded enforcement, Google Safe Browsing will show warnings on apps and on websites leading to apps that collect a user’s personal data without their consent.”


If the developers don’t comply with Google rules within 60 days, the company will warn users via Google Play Protect or on webpages that lead to these apps.

“Starting in 60 days, this expanded enforcement of Google’s Unwanted Software Policy may result in warnings shown on user devices via Google Play Protect or on webpages that lead to these apps.” the announcement said.

Developers of apps that handle either personal data (phone number, e-mail) or device data (such as IMEI number) must prompt the user, and include a privacy policy in the app.

“Additionally, if an app collects and transmits personal data unrelated to the functionality of the app then, prior to collection and transmission, the app must prominently highlight how the user data will be used and have the user provide affirmative consent for such use,” added Google.

Data collection requirements apply to all functions of the app, including crash reporting; the company highlighted that apps cannot transmit the list of installed packages unrelated to the app without affirmative consent.

Developers can also request an app review using the App verification and appeals article, which contains guidance applicable to apps in both Google Play and non-Play app stores.


Cryptocurrency Miners hidden in websites now run even after users close the browser
1.12.2017 securityaffairs Security

Some websites use a simple trick to keep their cryptocurrency miners scripts running in the background even when the user has closed the browser window.
Website administrators and crooks are looking with increasing interest at JavaScript-based cryptocurrency miners due to the rapid increase in cryptocurrency prices.

These scripts exploit the CPU power of the visitor’s PC to mine Bitcoin or other cryptocurrencies. Some websites use a simple technique to keep their cryptocurrency-mining JavaScript under the radar and secretly running in the background even after the user closes the web browser.

In many cases the scripts are used as an alternative monetization model to banner ads. Recently, the Pirate Bay was spotted using the Coinhive browser-based cryptocurrency miner service.

The scripts can mine cryptocurrencies as long as visitors are on the site; they lose access to the computer’s processor and associated resources when the window is closed.

Experts from security firm Malwarebytes have discovered that some websites use a simple trick to keep their cryptocurrency mining scripts running in the background even when the user has closed the browser window.

The technique leverages a hidden pop-under browser window that is opened by the mining window, sized to fit behind the taskbar and hidden behind the clock on Microsoft Windows computers.

This hidden window runs the crypto-miner code, which consumes CPU cycles and power from the visitor’s computer until the user spots the window and closes it.

“The trick is that although the visible browser windows are closed, there is a hidden one that remains open. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock.” reads the blog post published by MalwareBytes.

“The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule:

Horizontal position = ( current screen x resolution ) – 100
Vertical position = ( current screen y resolution ) – 40
If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:”

The technique is as simple as it is efficient: it is difficult to identify and able to bypass most ad-blockers. Experts observed that the cryptocurrency miners run from a crypto-mining engine hosted on Amazon Web Services.

“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient.” continues the post.

“The more technical users will want to run Task Manager to ensure there are no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.”

To remain under the radar, the miner code running in the hidden browser window keeps its CPU usage at a medium level rather than pegging the processor.

These scripts work on the latest version of Google’s Chrome web browser running on the most recent versions of Microsoft’s Windows 7 and Windows 10.


Users can spot miner windows by looking for any browser windows in the taskbar, or by running Task Manager on their computer to ensure that no browser processes are still running and consuming CPU resources.

Some antivirus software blocks cryptocurrency miners; an alternative is web browser extensions, such as No Coin, that automatically block in-browser cryptocurrency miners.

Unfortunately, No Coin still does not support Microsoft Edge, Apple Safari, or Internet Explorer.


Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser
30.11.2017 thehackernews Security 

Some websites have been found using a simple yet effective technique to keep their cryptocurrency mining JavaScript secretly running in the background even after you close your web browser.
Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by leveraging the CPU power of their visitors' PCs to mine Bitcoin or other cryptocurrencies.
After the world's most popular torrent download website, The Pirate Bay, was caught secretly using Coinhive, a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads.
However, websites using such crypto-miner services can mine cryptocurrencies only as long as you're on their site. Once you close the browser window, they lose access to your processor and associated resources, which stops the mining.
Unfortunately, this is not the case anymore.
Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window.
How Does This Browser Technique Work?
According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Windows computer.
From there (hidden from your view), the website runs the crypto-miner code that indefinitely generates cryptocurrency for the person controlling the site while eating up CPU cycles and power from your computer until and unless you notice the window and close it.

Researchers say this technique is a lot harder to identify and able to bypass most ad-blockers because of how cleverly it hides itself. The crypto-miner runs from a crypto-mining engine hosted by Amazon Web Servers.
"This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself," Jérôme Segura, Malwarebytes' Lead Malware Intelligence Analyst, says in the post. "Closing the browser using the "X" is no longer sufficient."
To avoid detection, the code running in the hidden browser window caps its CPU usage, keeping it at a medium level.
You can also have a look at the animated GIF image that shows how this clever trick works.
This technique works on the latest version of Google's Chrome web browser running on the most recent versions of Microsoft's Windows 7 and Windows 10.
How to Block Hidden Cryptocurrency Miners
If you suspect your computer's CPU is running a little harder than usual, just look for any browser windows in the taskbar. If you find a browser icon there, your computer is running a crypto-miner; now simply kill it.
More technical users can run Task Manager to ensure there are no remnant browser processes running, and terminate any they find.
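The taskbar check described here (and in the Security Affairs piece above) can be automated. The following is an added example, not Malwarebytes' or the article's code: it enumerates visible top-level windows through the Win32 user32 API and flags browser windows that have no overlap with the desktop work area, which is exactly where a pop-under placed at (screen width - 100, screen height - 40) ends up. The browser title hints, the 40 px taskbar and the sample window rectangles are assumptions made for the demonstration.

```python
"""Spot browser windows parked where the desktop cannot show them.

Added example, not Malwarebytes' or the article's code. The classification is
plain geometry so it runs anywhere; the enumeration of real windows uses the
Win32 user32 API through ctypes and is only attempted on Windows.
"""
import sys
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rect:
    left: int
    top: int
    right: int
    bottom: int

    def intersects(self, other: "Rect") -> bool:
        """Non-empty overlap; merely touching edges does not count."""
        return (self.left < other.right and other.left < self.right
                and self.top < other.bottom and other.top < self.bottom)


@dataclass(frozen=True)
class WindowInfo:
    pid: int
    title: str
    rect: Rect


# Title suffixes the major browsers put on their windows (assumption for the example).
BROWSER_TITLE_HINTS = ("Google Chrome", "Mozilla Firefox", "Microsoft Edge", "Opera")


def is_hidden_popunder(win: WindowInfo, work_area: Rect) -> bool:
    """A browser window with zero overlap with the work area (desktop minus taskbar).

    A pop-under placed at (screen width - 100, screen height - 40) on a desktop
    with a 40 px bottom taskbar starts exactly at the work area's bottom edge,
    so it is 'visible' to the window manager yet never drawn where the user looks.
    """
    if not any(hint in win.title for hint in BROWSER_TITLE_HINTS):
        return False
    if win.rect.right <= win.rect.left or win.rect.bottom <= win.rect.top:
        return False  # empty rectangle (e.g. minimized); nothing is being hidden there
    return not win.rect.intersects(work_area)


def find_hidden_popunders(windows: List[WindowInfo], work_area: Rect) -> List[WindowInfo]:
    return [w for w in windows if is_hidden_popunder(w, work_area)]


def enumerate_windows_win32() -> Tuple[List[WindowInfo], Rect]:
    """Visible top-level windows plus the work area, via user32 (Windows only)."""
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.windll.user32
    SPI_GETWORKAREA = 0x0030
    work = wintypes.RECT()
    user32.SystemParametersInfoW(SPI_GETWORKAREA, 0, ctypes.byref(work), 0)
    found: List[WindowInfo] = []
    enum_proc_t = ctypes.WINFUNCTYPE(ctypes.c_bool, wintypes.HWND, wintypes.LPARAM)

    def callback(hwnd, _lparam):
        if user32.IsWindowVisible(hwnd):
            length = user32.GetWindowTextLengthW(hwnd)
            if length:
                buf = ctypes.create_unicode_buffer(length + 1)
                user32.GetWindowTextW(hwnd, buf, length + 1)
                r = wintypes.RECT()
                user32.GetWindowRect(hwnd, ctypes.byref(r))
                pid = wintypes.DWORD()
                user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
                found.append(WindowInfo(pid.value, buf.value,
                                        Rect(r.left, r.top, r.right, r.bottom)))
        return True  # keep enumerating

    user32.EnumWindows(enum_proc_t(callback), 0)
    return found, Rect(work.left, work.top, work.right, work.bottom)


# Constructed sample: a 1920x1080 desktop with a 40 px taskbar along the bottom.
SAMPLE_WORK_AREA = Rect(0, 0, 1920, 1040)
SAMPLE_WINDOWS = [
    WindowInfo(4242, "Mining page - Google Chrome", Rect(1820, 1040, 1920, 1080)),
    WindowInfo(4243, "Inbox - Google Chrome", Rect(100, 100, 1300, 900)),
    WindowInfo(4244, "Untitled - Notepad", Rect(1820, 1040, 1920, 1080)),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        windows, work_area = enumerate_windows_win32()
    else:
        windows, work_area = SAMPLE_WINDOWS, SAMPLE_WORK_AREA
    for w in find_hidden_popunders(windows, work_area):
        print(f"suspicious browser window pid={w.pid} title={w.title!r} rect={w.rect}")
```

On Windows the script reports the pid of each flagged window, which is the process to end in Task Manager; on other platforms it runs against the constructed sample.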
Since web browsers themselves do not currently block cryptocurrency miners, and neither does the integrated Windows Defender antivirus software, you can use antivirus programs that automatically block cryptocurrency miners on the web pages you visit.
For this, you can contact your antivirus provider to check if they do.
Alternatively, you can make use of web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners for you, and regularly update themselves with new mining scripts that come out.
Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coin Hive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.
No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.


Five Emerging Threats That Worry Global Security Professionals
29.11.2017 securityweek Security
Over the next year, five separate threats will have one major effect: the current rate of security breaches will increase and worsen. This is the view of the Information Security Forum (ISF), an international network of more than 10,000 security professionals.

The five primary threats to cyber security are the continuing evolution of crime-as-a-service; the effect of unmanaged IoT risk; the complexity of regulation; the supply chain; and a mismatch between Board expectation and Security capability.

Talking to SecurityWeek, ISF managing director Steve Durbin explained that the growing effect of crime-as-a-service is his own biggest concern. This, he suggested, is a result of the increasingly professional nature of organized cybercrime.

"Crime as a service has reached maturity, with criminal organizations providing easy access for entry level criminals," Durbin said. "I think that next year we are going to see attacks becoming more sophisticated and targeted. One of the problems is that cybercriminals have become very good at sharing information, and being able to do some of the things that the good guys are perhaps not as good at doing -- sharing intelligence and so on."

The root cause is that organized crime has moved aggressively into the dark web, resulting in what Durbin views as something similar to a very large corporation.

"There's this big umbrella organization that we call cybercrime. Underneath that we've got some very large, very professionally run cybercrime groups -- organized crime -- who are clearly looking to continue to recruit and expand, and are also happy to sell products and services to others. When I talk about criminals being better at communication," he said, "I relate it to the way that good corporations operate: they have marketing plans; they have outreach plans; they have communication around some of the services that are available as part of crime-as-a-service. They're not sharing methods and exploits to the extent that competitors could take over -- but they are sharing it in terms of increasing their footprint. At the more sophisticated levels, cybercrime operates very much like a professional business."

For Durbin, there are a few 'mega' organized crime groups, supplemented by a number of smaller, highly capable groups, coming out of the former Soviet states. But below these -- and to some degree what worries him most -- are the disorganized wannabes coming into the game on the back of crime-as-a-service. Counter-intuitively, they are disrupting and worsening the accepted status quo; and he gives ransomware as an example.

"In the 'good' old days of ransomware," he explained, "we knew that the cybercriminal was only really interested in this to get money. There was a game to be played, and everybody knew the rules. The criminals would drop some malware onto our systems to prevent us from accessing our information so that they would get paid a certain amount of money."

This was enough to make it profitable for the criminal, but not so much that the victim would not or could not pay. "What we're now seeing," he continued, "is elements of ransomware that are not following these rules. For example, keys not being handed over when ransoms are paid; and that's a concern because the rules of the game have changed." In short, the commoditization of cybercrime through crime-as-a-service is introducing anarchy that makes it difficult for defenders to plan a posture, and difficult for organized crime to remain organized.

It will be interesting to see, he added, whether a degree of self-regulation emerges. "It's possible that some of the larger crime groups will decide that the emerging aspirant criminals are actually bad for business, and decide to do something about it."

The second threat is the internet of things (IoT), with two major areas of concern. Firstly, home devices are insecure, default passwords are not always changed, and people take work home. But what really concerns him is IoT in the critical infrastructure. "Regulation and legislation would work if we were starting from a blank piece of paper," he said; but we are not. "We've been installing embedded devices in manufacturing for years. At the time, manufacturers did not consider security to be an issue, and organizations do not have clear visibility of all the devices they use."

He gave an example of a member organization, a Forbes Global 2000 company, that shut down its plant. "In the course of that shutdown, some of the machinery burst back into life because there were some IoT devices connected to the Internet that they hadn't been aware of." The company had forgotten about parts of its own IoT; but it was capable of autonomously restarting the machinery.

The third emerging threat is the increasing burden and complexity of regulation. Although it is designed to improve security, Durbin fears that regulation will pull attention and resources away from important security initiatives. The General Data Protection Regulation (GDPR) is a perfect example of complexity in requirement and lack of understanding by stakeholders. But GDPR is far from being the only new regulation coming into force, and he fears that the increasing burden of compliance and legislative variances across jurisdictions will increase the burden for multi-nationals and those businesses targeting international trade.

The fourth and fifth emerging threats -- the supply chain, and a mismatch between Board expectation and Security capability -- are really two sides of the same coin. While senior management is increasingly concerned about security, and is increasingly held responsible for the firm's security, it still does not understand what its security team is doing or is even capable of doing. This also occurs in third-party related organizations, fourth parties and beyond (the supply chain). But if the Board does not really understand its own security capabilities, it has even less understanding of the security of its supply chain; and that is a threat vector that is growing rapidly through the digitization of business.

Durbin believes the solution can only come from baking security into the whole ethos of the organization so that the security team is an integral concept rather than a separate silo. "I often talk about the day when we don't have security people because the organization has become so aware of security being integral to the business that security has become completely integrated into the business functions. Security must become inbuilt into the organization by design. We're a long way off that, but the immediate challenge that a lot of CISOs face is around communication, around being taken seriously by the organization."

If, and perhaps only when, security by corporate design becomes a reality will all five of ISF's emerging threats be brought under some semblance of control. In the meantime, Durbin feels that breaches will increase, and the security landscape will only get worse long before it gets better.


Firefox will notify users who visit sites that suffered a data breach
24.11.2017 securityaffairs Security

A Mozilla developer revealed that the Firefox browser will soon include a new feature to notify users who visit sites that have suffered a data breach.
The Firefox browser is going to introduce a new security feature that warns users when they visit websites that have experienced data breaches.

The news was revealed by the Mozilla developer Nihanth Subramanya and confirmed by the presence of a recently released GitHub repo titled “Breach Alerts Prototype.”

“This is an extension that I’m going to be using as a vehicle for prototyping basic UI and interaction flow for an upcoming feature in Firefox that notifies users when their credentials have possibly been leaked or stolen in a data breach.” states the description published on GitHub.

The developer has teamed up with haveibeenpwned.com, which serves as the data source for breaches.

The new feature is still not complete. The developer explained that in its current state it is in no way meant to represent actual production code, or how the feature will work or look when it ships.

He also listed the following basic goals for the new security feature:

Inform users about data breaches through the Firefox UI – for example, a notification when they visit a site (or maybe when they focus a form on a login page) known to have recently been breached.
Expose documentation/educational information about data breaches in the Firefox UI – for example, a “Learn more” link in the notification mentioned above leading to a support page.
Offer a way for interested users to learn about and opt into a service that notifies them (e.g. via email) when they may be affected by breaches in the future.

The developer also addressed privacy concerns, since users would need to supply an email address to receive security notifications.

“The third goal brings up some privacy concerns, since users would need to supply an email address to receive notifications. Who is the custodian of this data? Can we avoid sending user data to haveibeenpwned.com? Can we still offer useful functionality to users who opt out of subscribing their email address? While the project is still in infancy, the idea is to offer as much utility as possible while respecting the user’s privacy.” added the developer.

The notifications will also include old data breaches such as the ones suffered by Adobe.com or LinkedIn.com several years ago.
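As an added illustration of the first goal and of the privacy question raised above (this is not Mozilla's prototype code), the check below consults a locally cached copy of the breach catalogue, so the host name being visited never has to be sent to haveibeenpwned.com. The record field names follow HIBP's public breach model; the breach entries and the fixed "today" date are constructed samples.

```python
"""Local lookup: has the site being visited appeared in a known data breach?

Added example, not Mozilla's prototype. It assumes the breach catalogue has
been downloaded in bulk beforehand (the public HIBP breach records carry Name,
Domain, BreachDate and AddedDate fields) and is queried only on this machine,
so the host name of each page visited never leaves the browser.
"""
from datetime import date
from typing import Dict, List, Optional

BreachIndex = Dict[str, List[Dict[str, str]]]

# Constructed sample records in the HIBP breach shape; dates are illustrative only.
SAMPLE_BREACHES: List[Dict[str, str]] = [
    {"Name": "Adobe", "Domain": "adobe.com", "BreachDate": "2013-10-04", "AddedDate": "2013-12-04"},
    {"Name": "LinkedIn", "Domain": "linkedin.com", "BreachDate": "2012-05-05", "AddedDate": "2016-05-21"},
    {"Name": "ExampleShop", "Domain": "shop.example", "BreachDate": "2017-11-01", "AddedDate": "2017-11-20"},
]
SAMPLE_TODAY = date(2017, 11, 24)  # fixed so the sample output is reproducible


def build_index(breaches: List[Dict[str, str]]) -> BreachIndex:
    """Group breach records by their (lower-cased) domain for direct lookups."""
    index: BreachIndex = {}
    for record in breaches:
        domain = record.get("Domain", "").lower().rstrip(".")
        if domain:  # some records carry no domain and cannot be matched to a site
            index.setdefault(domain, []).append(record)
    return index


def candidate_domains(host: str) -> List[str]:
    """The host itself and each parent domain, excluding the bare TLD.

    login.adobe.com -> ["login.adobe.com", "adobe.com"], so a breach recorded
    against adobe.com also covers its login subdomain, while the bare "com"
    never matches anything.
    """
    labels = host.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def breaches_for_host(host: str, index: BreachIndex, today: date,
                      recent_days: Optional[int] = None) -> List[Dict[str, str]]:
    """Breach records affecting host; optionally only those added in the last N days."""
    hits = []
    for domain in candidate_domains(host):
        for record in index.get(domain, []):
            if recent_days is not None:
                added = date.fromisoformat(record["AddedDate"])
                if (today - added).days > recent_days:
                    continue
            hits.append(record)
    return hits


def notification_text(host: str, hits: List[Dict[str, str]]) -> Optional[str]:
    """Text for the in-browser notification, or None when there is nothing to say."""
    if not hits:
        return None
    names = ", ".join(sorted(r["Name"] for r in hits))
    latest = max(r["BreachDate"] for r in hits)
    return (f"{host} has appeared in a known data breach ({names}; most recent "
            f"breach date {latest}). Consider changing your password there.")


if __name__ == "__main__":
    index = build_index(SAMPLE_BREACHES)
    for host in ("login.adobe.com", "www.linkedin.com", "shop.example", "notadobe.com"):
        all_hits = breaches_for_host(host, index, SAMPLE_TODAY)
        recent = breaches_for_host(host, index, SAMPLE_TODAY, recent_days=30)
        print(host, "->", notification_text(host, all_hits), "| recent:", len(recent))
```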


Secureworks Releases Open Source IDS Tools
21.11.2017 securityweek Security
Secureworks has released two open source tools, Flowsynth and Dalton, designed to help analysts test rules for intrusion detection systems (IDS) and intrusion prevention systems (IPS) such as Snort and Suricata.

Dalton allows users to quickly and easily run network packet capture (pcap) files against IDS/IPS engines using bespoke rules and/or existing rulesets.

Common use cases for Dalton include testing ruleset coverage, developing and troubleshooting signatures, testing configuration changes, testing variable changes, testing specific IDS engine behavior, and creating custom packet captures.

Dalton includes a controller component, which provides a web interface and an API for retrieving job results and communicating with agents. These agents, which represent the second component of the tool, run on IDS sensors and provide an interface between the controller and the IDS engine.

The second tool released as open source by Secureworks is Flowsynth, which complements Dalton by making it easier for users to quickly model network traffic and generate custom pcaps.

“Flowsynth rapidly models network traffic and generates libpcap-formatted packet captures. It leverages the Scapy packet manipulation tool, but Flowsynth's input is a text-based, structured intermediate language that is simple to create and understand. It allows for programmatic network flow definitions as well as ad hoc and custom network traffic creation,” Secureworks explained.

The Dalton controller includes a web-based user interface that connects the tool to Flowsynth and allows the created pcaps to be easily sent to Dalton for testing.

The documentation and examples provided by Secureworks are specifically made for Suricata and Snort, both of which are also open source.

The security firm says Dalton and Flowsynth are based on tools that its Counter Threat Unit research team has used internally for several years. “They have been so useful that Secureworks decided to make them available to the network IDS community,” the company said.


StartCom CA to Shut Down After Ban by Browser Vendors
20.11.2017 securityweek Security
The board of directors of China-based certificate authority StartCom announced on Friday that it has decided to shut down the company following the decision of major browser vendors to ban its certificates.

StartCom is a subsidiary of WoSign, a certificate authority (CA) owned by Chinese cybersecurity firm Qihoo 360. In September 2016, Mozilla informed the community of more than a dozen incidents involving WoSign and StartCom, including misissuance of certificates and attempting to hide the fact that WoSign had acquired StartCom in November 2015.

Shortly after, WoSign started making changes to leadership, operational processes and technology. However, all the major browser vendors – Apple, Microsoft, Google and Mozilla – announced in the following months their decision to ban WoSign and StartCom certificates.

StartCom has been having problems getting re-included in certificate trust stores, which is why its board decided to shut down the company. StartCom will stop selling certificates on January 1, 2018, and it will continue to maintain its Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services for another two years. In 2020, the company will eliminate its three root pairs.

“Yes, of course we will still contribute to Community and focus on security research,” said Xiaosheng Tan, chairman of StartCom’s board and CSO of Qihoo 360. “During the last ten years, the 360 security research teams have discovered hundreds of vulnerabilities in the major software companies and earned many acknowledgments in the world. Qihoo 360 and the PKI community share the same goal, which is making the internet a better place.”

As for WoSign, the company is working on getting re-included into trust stores. Earlier this year, its source code and infrastructure were analyzed by Germany-based Cure53 over a period of 40 days. The audit led to the discovery of 22 issues, but a majority of them were not actual vulnerabilities and Cure53 concluded that WoSign had made security a priority.

Mozilla will completely ban WoSign and StartCom certificates starting with Firefox 58, scheduled for release in January next year. Google did so in September with the release of Chrome 61. Microsoft also stopped trusting certificates issued by the companies after September 2017.


The controversial certificate authority StartCom will go out of business on January 1, 2018
20.11.2017 securityaffairs Security

The StartCom CA board chairman, Xiaosheng Tan, announced that the controversial certificate authority will end its activity on January 1, 2018.
The controversial certificate authority StartCom is going to close; according to board chairman Xiaosheng Tan, the business will end its activity on January 1, 2018.

Starting from January 1, 2018, StartCom will no longer issue new digital certificates, but its CRL and OCSP services will continue for two years, until the expiration of StartCom's three root key pairs.

Security commentator @SwiftOnSecurity noted on Twitter on Nov 17, 2017: “First reply to StartCom announcing the end of its certification business is a founding engineer glad it's dead”, linking to the mozilla.dev.security.policy thread “Re: Termination of the certificates business of Startcom” (https://groups.google.com/d/msg/mozilla.dev.security.policy/LM1SpKHJ-oc/ReT-B5lgAQAJ).
In July, Google warned website owners that it would completely ban digital certificates issued by the Chinese certificate authority WoSign and its subsidiary StartCom. The tech giant announced that it would no longer trust WoSign certificates starting with Chrome 61.
StartCom and WoSign certificates have been placed on untrusted lists by almost every major browser vendor, including Mozilla, Apple, Google and Microsoft.
For this reason, according to Tan, the shutdown of the CA “would not have a major impact.”

According to w3techs.com, about 0.1 per cent of websites worldwide still use StartCom as an SSL certificate authority.

The following diagram shows the historical trend in the percentage of websites using StartCom.


The Disconnect Between Security Perception and Security Reality
14.11.2017 securityweek Security
A new global survey highlights the disconnect between security expectations and security reality for many IT/security professionals.

There is an awareness of the likelihood of security attacks (45% of respondents expect one within the next 12 months). There is ongoing empirical evidence of the failure of security professionals to stop these attacks -- most recently with Equifax. Despite this, 89% of survey respondents believe they are in a good position to protect themselves from attack.

The survey report (PDF), 'Security Practices and Expectations Following the World's Biggest Breach' (Equifax), was published on Monday by Varonis. Five hundred IT and security professionals with personal responsibility for security were questioned between September 28 and October 6, 2017. Two hundred are located in the U.S., with 100 in each of the UK, France and Germany. All work for companies with more than 1,000 employees, from within a variety of different vertical industry sectors.

SecurityWeek asked Matt Lock, director of sales engineers at Varonis, why there should be this difference between expectation and reality. One often-quoted possibility is the Optimism Bias (Wikipedia) -- the hard-coded biological instinct that bad things happen to other people, not to me.

Lock doesn't feel that the survey sheds any light on the reasons for the disconnect, merely that it exists. From a personal stand-point he points to over-confidence and possibly a lack of visibility into their own networks. On the former, he commented, "Some really do feel they are completely prepared and have figured out how to keep their organizations safe. In 2017, many well-respected organizations, which would seem to have the resources to ward off cyberattacks, fell victim to breaches and ransomware. Was over-confidence to blame?"

For the latter, he wonders if track-record might be a contributing factor: professionals who don't believe they have been breached might believe "that what they're doing must be working. The reality, however, might be that they have been breached but just don't know it."

Nevertheless, despite the confidence in their ability to resist future attacks, around 25% of the respondents confirmed that their organization had experienced data loss, data theft or ransomware during the last two years. This was highest in Germany, where 34% of respondents reported that their organization had been a victim of ransomware.

The perceived ability to resist attacks is not the only surprising detail to come from the survey. Given the relative imminence of GDPR next year, and the common perception that many companies are still not GDPR-compliant, it would be unsurprising to see 'compliance' as an issue of concern.

This is not shown in practice. In the US, compliance ranks only third in concerns for 2018 (behind data theft and data loss). In the UK it ranks fifth, behind the extra concerns for ransomware and cloud issues, while in neither France nor Germany does it rank anywhere in the top five concerns for next year.

"One possible explanation," Lock told SecurityWeek, "is that the U.S. is reacting more strongly towards GDPR because there hasn't been a regulation quite as stringent in place save for a few highly regulated industries. The attitude in UK, France, and Germany may be that GDPR is just a new spin on the current EU Data Protection Directive (DPD)."

However, he suggests this might change once GDPR starts to be enforced. One possibility is that organizations believe that 2018 will be a bedding-in period for the regulations, and they won't be enforced before 2019. He also suggests that top-of-mind for security professionals could be their most recent fire-fight. "In many ways," he suggested, "security professionals are fighting the last fight; they may be focusing their attention on ransomware and wipers, rather than looking ahead to the GDPR."

A further surprising detail comes in the rate of cyberattack experience. A common perception is that the U.S. experiences more attacks than Europe. There are two reasons -- firstly, it is simply a fact because of the degree of IT reliance in North American business; and secondly, the more stringent breach notification laws current in America make breach reporting more common than in Europe; that is, Europe doesn't report all of the attacks it experiences.

However, this perception is reversed by the survey respondents. Twenty-three percent of U.S. organizations have experienced the loss or theft of company data over the last few years; but this figure rises to 29% in Europe.

"The results are surprising," comments Lock; "and this survey gives us a peek behind the curtain. The figures in the survey suggest there's no correlation, and that organizations are being hit in greater numbers than we previously thought -- possibly they are simply keeping that information to themselves to avoid negative publicity. We may see a notable increase in reported attacks once GDPR kicks in. The results suggest the problem could be much worse than we realize."


#AskACISO Interview with Paul Rivers, CISO at Yale University
10.11.2017 securityaffairs Security

Could you tell us something about yourself?

I have been involved in IT and information security for 25 years. I have been in financial services, higher education and security consulting.

Have you, or would you ever consider, hiring an individual who has been known to be a hacker? If no, why, and if yes what would the benefits to your organization be?

Yes, I would certainly consider it. I suppose I would need to know exactly what is meant by “hacker”, which is a term that people seem to take to mean whatever they want.

People who like to understand how things work and know how to break them are invaluable to a security team. What I would want to understand about a hacker or anyone else is whether they can exercise good judgment about risk, and fully understand and will abide by the rules of engagement within the organization. Technical superstars are like raw energy, they can be channeled to useful or destructive purposes when building a team and running a program. So, superstar technical chops are but one part of the overall equation.

What are the biggest challenges that come with working as a CISO in the public sector? Is lack of budget an issue?

I can’t speak to the public sector, but I can speak to the challenges of working at top-tier research and teaching institutions. The challenges are largely cultural. Top research and teaching institutions operate in many respects as if they are a large federation of small, independent start-ups and entrepreneurship. When I have worked in the financial services sector, by contrast, there is a single mission for the entire organization. It is easier to fit a security program to a single mission. In research institutions, the missions are diverse and often unrelated. It also means communication by necessity must be emphasized even more than it is otherwise, as there are orders of magnitude more stakeholders across these largely independent units. And yet, the overall organization is still one legal entity, and so carries with it an overall level of inherent risk that goes beyond what a typical startup carries. The culture of openness and sharing, which is fundamental and vital to a university and must be maintained, adds yet another difficulty, as you can learn a great deal about the internals of a university simply by reading its websites. Social engineering is thus an even more difficult vector to address. The diversity of technology, again a necessary part of top-tier universities, adds additional challenges.

Budget is always a challenge, but that’s as true in a university as it is almost anywhere. To sum up the above, there are necessary and inherent characteristics about top-tier universities that will always make adequate information security more challenging than most other industries.


What do you consider your main tasks and responsibilities in your role?

Identify and credibly stack rank risk across the organization, ensure this information is presented to and understood by the right levels within the organization to make decisions on risk treatment, and then ensure those decisions are carried out. Beyond this, I must bridge the gap in understanding between technical staff and the rest of the organization, so that everyone is properly engaged in managing cybersecurity risk.

How should modern CISO’s prepare for the inevitable breach?

Practice. Do not just practice with the technical team, make the case for full practice and participation by the CEO, Legal, Public Relations, and all the other usual suspects on the leadership team. You do not want to be in the position of figuring out roles and responsibilities during a live event. Ensure legal and PR has vetted the plan. Have a retainer agreement for incident response for supplementation of internal labor and appropriate management of apparent conflicts of interest. Finally, talk to other CISOs who have been through public breaches.

What are the key questions a security professional needs to ask internally?

The answer to this question depends on what kind of security professional we are talking about. What seems to be common across intrusion analyst, pen tester, security operations manager, security director and CISO would be are we credible in how we identify, assess and prioritize risk? Are we resorting to chicken-little tactics, which might have some effect in the very short term, but ultimately undermines and hobbles a security program in the longer term?

How can you balance innovation and security when you must move quickly?

“Security is everyone’s job” can be a vacuous bumper sticker slogan, or it can be a real way in which roles outside of security and outside of IT are assigned real responsibilities for addressing cyber risk. When the entire organization understands their very concrete role in managing cyber risk and has the support to carry it out, security has scaled from a single team to the organization. This does not solve the problem referenced in this question, but it is a huge step in the right direction.

There was a hot topic in the Netherlands. “Email spoofing against Dutch Parliament could lead to serious spear phishing attacks”. What are your thoughts on these attacking vectors? (Email Spoofing) / (Spear Phishing)

What often gets discussed here: there are technical measures (SPF/DKIM/DMARC) that can help. There is training and awareness which supposedly helps. Neither is foolproof.

What seems to be discussed less often is cultural issues. Organizations often have terrible mass communication practices or they have internal processes which have never been looked at through the lens of a threat modeler. Email has inherent “watermark of authenticity” issues, but addressing these process and cultural weaknesses often gets overlooked.

Yale University has so many websites. How do you guys keep them all secure against (criminal) hackers?

To say something that to those outside information security will seem surprising and even provocative: they are not all secure.

As mentioned above, higher education is more open than perhaps any other sector, and this is a feature of higher education that should not change. This does mean more risk. So, it is even more important in higher education to be able to triage all assets, including websites, into risk tiers so that the most stringent controls and the most resources can be devoted towards securing and testing the highest risk assets.

Is there any chance that Yale University will launch a bug bounty program at HackerOne/Bugcrowd in the future? If yes, could you give us more details about this?

I am new to Yale, so I do not know how this might play out. In principle, I am fully in favor and support the idea of bug bounty

After that Paul replied to us that he supports bug bounty programs. I asked him if he wants to talk with his management about running a potential program at HackerOne.

“Yes, I will put a bug bounty program such as HackerOne on my issues list to review. Some patience will be required, as again I am new to Yale and am in the process of triage for all issues related to Yale’s cybersecurity program. I’ll say again I am philosophically in favor of such approaches.”


Amazon Adds New Encryption, Security Features to S3
8.11.2017 securityweek Security
Amazon announced this week that it has added five new security and encryption features to its Simple Storage Service (S3), including one that alerts users of publicly accessible buckets.

Improperly configured S3 buckets can expose an organization’s sensitive files, as demonstrated by several recent incidents involving companies such as Viacom, Verizon, Accenture, Booz Allen Hamilton, and Dow Jones.

In an effort to help organizations avoid data leaks, Amazon introduced permission checks that provide clear information and indicators about publicly accessible buckets. The feature was made available shortly after Amazon announced the launch of a set of managed configuration rules designed to help users secure their S3 buckets.

With the introduction of permission checks, users immediately know if a bucket is configured for public access via the main page of the S3 Console and in each bucket’s own page.

Amazon permission checks

Users can now also install an encryption configuration to mandate that all objects in a bucket must be stored in encrypted form. This means that customers will not have to create a bucket policy for rejecting non-encrypted objects.
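The two indicators described above (a bucket open to the public, and a bucket that does or does not force encryption at rest) can be evaluated offline from the JSON documents the S3 API returns. The following is an added example, not Amazon's code or the article's, and the ACL, bucket policy and encryption configuration it evaluates are constructed samples; the group grantee URIs, the `s3:x-amz-server-side-encryption` condition key and the `ApplyServerSideEncryptionByDefault` structure are the real S3 ones, and the hand-written Deny policy is the approach that the new default-encryption setting replaces.

```python
"""Added example (not from Amazon or the article): offline evaluation of an S3
bucket's ACL, bucket policy and default-encryption configuration, using the JSON
shapes returned by get-bucket-acl, get-bucket-policy and get-bucket-encryption.
All sample documents below are constructed for this example."""
import json

# Canned group grantees that make an ACL grant public / open to any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_permissions(acl):
    """Permissions an ACL grants to the AllUsers or AuthenticatedUsers groups."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perms.append(grant.get("Permission"))
    return perms


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_anonymous_allows(policy):
    """Sids of unconditional Allow statements whose Principal is '*' (anyone)."""
    sids = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anonymous and "Condition" not in stmt:
            sids.append(stmt.get("Sid", "<no sid>"))
    return sids


def policy_denies_unencrypted_puts(policy):
    """True if a Deny on s3:PutObject uses the Null condition on
    s3:x-amz-server-side-encryption, i.e. the hand-written bucket policy
    that the default-encryption configuration makes unnecessary."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if str(null_cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            return True
    return False


def default_sse_algorithm(encryption_config):
    """SSE algorithm applied by default (e.g. AES256 or aws:kms), or None."""
    for rule in (encryption_config or {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def assess_bucket(acl, policy, encryption_config):
    """Combine the checks into the two indicators the console surfaces."""
    reasons = [f"ACL grants {perm} to a public group" for perm in acl_public_permissions(acl)]
    reasons += [f"policy statement {sid} allows anonymous access"
                for sid in policy_anonymous_allows(policy)]
    algo = default_sse_algorithm(encryption_config)
    return {
        "public": bool(reasons),
        "reasons": reasons,
        "encryption_enforced": algo is not None or policy_denies_unencrypted_puts(policy),
        "default_sse": algo,
    }


# Constructed samples: a leaky bucket (world-readable, no encryption) and a hardened one.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": []}
LEAKY_ENCRYPTION = None  # no default-encryption configuration on the bucket

HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
]}
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyUnencryptedUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}
  }]
}""")
HARDENED_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

if __name__ == "__main__":
    print(assess_bucket(LEAKY_ACL, LEAKY_POLICY, LEAKY_ENCRYPTION))
    print(assess_bucket(HARDENED_ACL, HARDENED_POLICY, HARDENED_ENCRYPTION))
```

The anonymous-principal check deliberately ignores statements that carry a Condition, because a conditional grant (for example restricted to a VPC endpoint or source IP) needs a human to judge; a scanner that reports it as public would only produce noise.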

Two of the new features are related to Cross-Region Replication, functionality that allows users to copy mission-critical objects and data to a bucket in a different AWS account. Objects are typically copied with the associated access control list (ACL) and tags, but a new feature enables users to replace the ACL while the data is in transit to ensure that the owner of the destination bucket has full access.

When administrators use Cross-Region Replication, they can now also replicate objects that are encrypted with keys managed via the AWS Key Management Service (KMS).

The last new feature is related to S3 inventory reports, which now provide information on the encryption status of each object.

All the new features are immediately available at no extra charge.


Avira Helps ISPs, Manufacturers Build Security Into Routers
7.11.2017 securityweek Security
Avira, a firm known mostly for its antivirus products, announced on Monday the launch of a new IoT security solution designed to help Internet service providers (ISPs) and router manufacturers protect their customers’ home networks.

Avira SafeThings is a router application and behavioral threat intelligence platform that offers benefits for both service providers and end users. By installing the product on the routers they provide to customers, ISPs can prevent malicious activity, such as distributed denial-of-service (DDoS) attacks coming from their networks. As for router manufacturers, SafeThings can help them deliver value-added IoT security services.

End users whose routers have Avira SafeThings installed gain complete visibility of the devices on their network, and obtain information on potential threats via a simple user interface. The vendor claims the product has zero impact on browsing and streaming performance.

According to Avira, SafeThings uses artificial intelligence and machine learning to create a profile for each device and establish its normal behavior, and develop protection policies. The security firm says the product only analyzes metadata on gateway traffic, which eliminates the need for invasive deep packet inspection (DPI).

SafeThings uses a software agent named Sentinel to fingerprint IoT devices connected to the router, and enforce protection and communication rules generated based on data from the Avira Protection Cloud.

The product also includes an API named Data Forefront that allows service providers and OEMs to control SafeThings functionality, such as specifying the type of action that is taken if a hacked device is identified.

“We've designed SafeThings to effectively solve the IoT vulnerabilities without being too invasive, expensive, or complicated for the end user – and we've done this in a way that provides additional benefits for the internet service providers and router manufacturers,” said Travis Witteveen, CEO of Avira.

“We see SafeThings as a 'B2B2C' product, providing consumers with the security and privacy protection they need while delivering it to them via the internet service providers and router manufacturers. As an embedded software solution, SafeThings is imminently flexible according to each client's technical and marketing needs,” Witteveen added.


Microsoft Publishes Standards for "Highly Secure" Windows 10 Devices
7.11.2017 securityweek Security
Microsoft this week published information on the standards a Windows 10 device is required to meet to be considered highly secure.

The company has provided details on both hardware and firmware requirements that these devices should meet, including information regarding processor type, amount of required RAM, virtualization support, support for specific UEFI versions, secure boot support, and more.

In Microsoft’s vision, only devices with an Intel CPU through 7th generation processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx and current Intel Atom, Celeron and Pentium processors, along with those featuring AMD through the 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx) can be considered highly secure.

The systems must include a processor that supports 64-bit instructions, must support Input-Output Memory Management Unit (IOMMU) device virtualization, must have virtual machine extensions with second level address translation (SLAT), and must not mask the presence of these hardware virtualization features; they must be available for the operating system to use.

A Trusted Platform Module (TPM) version 2.0 is also needed, along with a cryptographically verified platform boot (Intel Boot Guard in Verified Boot mode, or AMD Hardware Verified Boot, or an OEM equivalent mode with similar functionality). The system must also meet the latest Microsoft requirements for the Trustworthy Computing Group (TCG) specification.

On the firmware side, Unified Extensible Firmware Interface (UEFI) version 2.4 or later is a must, as well as firmware that implements UEFI Class 2 or UEFI Class 3. According to Microsoft, only devices that ship with Hypervisor-based Code Integrity (HVCI) compliant drivers can be considered highly secure.

The tech company also notes that a system’s firmware must support UEFI Secure Boot and must have UEFI Secure Boot enabled by default to meet the requirements for highly secure Windows 10 devices. Secure MOR revision 2 is also required, along with support for the Windows UEFI Firmware Capsule Update specification.

The publishing of these standards appears to be yet another step Microsoft is taking toward providing users with increased security and privacy when using Windows 10 devices. Last year, the company announced that all new platform installations would require signed kernel mode drivers, while this year it revealed Windows 10 protections against various threats, including code injection attacks, PowerShell attacks, and zero day exploits.


Automated System Defeats reCAPTCHA With High Accuracy
2.11.2017 securityweek Security
A newly devised system that targets the audio version of Google’s reCAPTCHA challenges can break them with very high accuracy.

Dubbed unCAPTCHA, the automated system designed by computer science experts from the University of Maryland (UM) is said to be able to defeat the audio reCaptcha system with 85% accuracy.

The system uses browser automation software to interact with the target site and engage with the captcha. The tool, which has been published on GitHub, can properly identify spoken numbers to pass the reCaptcha programmatically and trick the site into thinking the bot is a human, the authors claim.

“Specifically, unCaptcha targets the popular site Reddit by going through the motions of creating a new user, although unCaptcha stops before creating the user to mitigate the impact on Reddit,” the experts say.

To correctly bypass the captcha, which includes numbers that are read aloud at varied speeds, pitches, and accents through background noise, the attack identifies the audio message on the page, downloads it, and then automatically splits it by locations of speech.

Next, each audio segment containing a number is uploaded to 6 different free online audio transcription services, namely IBM, Google Cloud, Google Speech Recognition, Sphinx, Wit-AI, and Bing Speech Recognition, and the results are collected.

“We ensemble the results from each of these to probabilistically enumerate the most likely string of numbers with a predetermined heuristic. These numbers are then organically typed into the captcha, and the captcha is completed. From testing, we have seen 92%+ accuracy in individual number identification, and 85%+ accuracy in defeating the audio captcha in its entirety,” the system’s authors reveal.

Another recently revealed tool for defeating CAPTCHA systems is targeting text-based systems and was designed to mimic the human eye. Called the Recursive Cortical Network (RCN), it incorporates neuroscience insights into a structured probabilistic generative model framework.

In a paper (PDF), the team of researchers behind RCN explain that the tool is capable of solving Google reCAPTCHA with a 66.6% accuracy, but that it is also effective against other systems: 64.4% for BotDetect, 57.4% for Yahoo, and 57.1% for PayPal image challenges. The findings were published in the journal Science.

“By drawing inspiration from systems neuroscience, we introduce a probabilistic generative model for vision in which message-passing based inference handles recognition, segmentation and reasoning in a unified way. The model demonstrates excellent generalization and occlusion-reasoning capabilities, and outperforms deep neural networks on a challenging scene text recognition benchmark while being 300-fold more data efficient,” the researchers say.


Skybox Raises $150 Million to Advance its Security Management Product
26.10.2017 securityweek Security
Security analytics firm Skybox announced Wednesday that it has secured $150 million in growth equity, comprising $100 million from CVC Capital Partners’ Growth Fund (CVC Growth) and $50 million from Pantheon. This more than doubles existing investment in the firm, which now stands at around $280 million. It received $96 million from Providence Strategic Growth (PSG) in February 2016.

Skybox was originally founded in 2002 in Jerusalem, Israel, by Gidi Cohen and Eran Reshef. It is now headquartered in San Jose, California, but with its development center in Herzliya Pituach in the Tel Aviv District of Israel.

Skybox offers cybersecurity management software that provides visibility into its customers' unique attack surface. It uses analytics to detect and prioritize risk exposure, and provides recommendations on how to address those exposures. Customers are large Global 5000 organizations and financial institutions, and government agencies; and include six of the top 10 global banks, 10 global telecommunications firms, five of the world’s largest consumer goods manufacturers and 10 of the largest energy providers globally.

Increasingly sophisticated attackers, from both cybercriminal gangs and state-sponsored operations, combined with the more complex IT infrastructures evolving from accelerating digital transformation, provide the backdrop for Skybox. In the first half of 2017 (January 1 - June 30), Skybox showed a 62 percent increase in sales and a 59 percent increase in product transactions compared to the same period last year.

“Enterprises, governments... everyone is either embarking on or going through massive digital transformation, and this means new challenges for security because the attack surface of these organizations is growing more complex,” said Cohen. “We’ve been consistently evolving our technology to meet those challenges. With this investment, we’ll accelerate that innovation, focusing on some of the most critical areas, such as security management for the cloud and the OT networks that control critical infrastructure.”

“Skybox’s track record is impressive and there is clear demand for their solutions,” said Jason Glass, senior managing director of CVC Growth Partners. “It is a true leader in cybersecurity management, helping organizations better protect themselves and become more efficient.”

Skybox announced, “This round of funding will enable an accelerated investment in sales and marketing, customer care and R&D. It will also be used for potential M&A activity, to capitalize on the approximately $10 billion market opportunity in cybersecurity management.”

However, in an interview with the Israeli business publication Globes, CEO Cohen also indicated that some of the money would be used to buy out existing investors. “As well as injecting new capital into the company, some of the existing investors in Skybox, including employees, have sold their holdings.” He added, “The buying of shares was a significant part of this financing round.”

The company said it has a compound annual growth rate (CAGR) of 46 percent, and positive cash flow between 2014 and 2016.


Microsoft Open Sources Website Scanning Tool 'Sonar'
26.10.2017 securityweek Security
Microsoft announced this week the availability of Sonar, an open source linting and website scanning tool designed to help developers identify and fix performance and security issues.

Developed by the Microsoft Edge team, Sonar has been made open source and donated to the JS Foundation. Microsoft will continue making improvements to the project, but external contributions are also welcome.

Linting is the process of analyzing code for potential errors. Sonar looks for a wide range of issues, including ones related to performance, accessibility, security, Progressive Web Apps (PWA), and interoperability.

In the case of security, Sonar looks for eight types of weaknesses, including SSL configuration problems using SSL Labs’ SSL Server Test.

Another test looks for HTTPS connections that don’t use the Strict-Transport-Security header, which ensures that a website can only be accessed via secure connections to prevent man-in-the-middle (MitM) attacks.

Developers can also verify if their applications or sites are vulnerable to attacks that rely on MIME sniffing, which allows browsers to detect file formats even if the media type is incorrect. While MIME sniffing has benefits, it also introduces some security risks, which can be mitigated if the website uses the X-Content-Type-Options: nosniff HTTP response header.

Sonar also checks if the Set-Cookie header defines the Secure and HttpOnly attributes, which help prevent session hijacking via cross-site scripting (XSS) attacks: Secure ensures that cookies cannot be transmitted over plain HTTP, and HttpOnly ensures that their value cannot be accessed via JavaScript.

Another useful feature for security is Sonar’s ability to determine if a website is running a vulnerable client-side JavaScript library or framework. It does this by using Snyk’s Vulnerability DB and js-library-detector.

Sonar is also designed to ensure that headers don’t leak potentially sensitive data, and prevent unauthorized redirects that could lead users to malicious websites.
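The header checks described above are simple enough to reproduce in a few dozen lines. The following is an added example, not Sonar's code, that runs the same kind of rules over two constructed HTTP responses (a weak one and a hardened one): Strict-Transport-Security on HTTPS, X-Content-Type-Options: nosniff, Secure and HttpOnly on every Set-Cookie, version-disclosing headers, and 3xx redirects that leave the requested host. The response text and the host names in it are made up for the example.

```python
"""Added example, not Sonar's own code: a minimal response-header linter in the
spirit of the checks described in the article, run over constructed responses."""
from urllib.parse import urlparse


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(header_name_lower, value), ...]).
    Headers are kept as a list because Set-Cookie legitimately repeats."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def _values(headers, name):
    return [v for k, v in headers if k == name]


def lint_response(raw, request_url):
    """Return a list of findings for one response to request_url."""
    status_code, headers = parse_response(raw)
    url = urlparse(request_url)
    findings = []

    # 1. HSTS: every HTTPS response should carry Strict-Transport-Security.
    if url.scheme == "https" and not _values(headers, "strict-transport-security"):
        findings.append("missing Strict-Transport-Security on HTTPS response")

    # 2. MIME sniffing: X-Content-Type-Options must be exactly 'nosniff'.
    xcto = _values(headers, "x-content-type-options")
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    # 3. Cookies: Secure keeps them off plain HTTP, HttpOnly keeps them from scripts.
    for cookie in _values(headers, "set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")

    # 4. Information leakage: headers that reveal server software and versions.
    for leaky in ("server", "x-powered-by", "x-aspnet-version"):
        for value in _values(headers, leaky):
            if value:
                findings.append(f"{leaky} header discloses '{value}'")

    # 5. Redirects: a 3xx whose Location points at a different host.
    if 300 <= status_code < 400:
        for location in _values(headers, "location"):
            target = urlparse(location)
            if target.netloc and target.hostname != url.hostname:
                findings.append(f"redirect to external host {target.hostname}")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.4.18\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Location: http://tracker.example.net/landing\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in lint_response(WEAK_RESPONSE, "https://www.example.com/login"):
        print("-", finding)
```

Against the weak response the linter reports six findings; against the hardened one it reports none. The redirect rule only fires when the Location header names another host, so same-site redirects (login flows, trailing-slash fixes) do not trigger it.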

Sonar can be used locally as a command line tool, but an online version is also available. The tool can be integrated with several other products, including aXe Core, AMP validator, snyk.io, SSL Labs, and Cloudinary.


Krebs reported that Dell lost Control of dellbackupandrecoverycloudstorage Domain in June 2017
26.10.2017 securityaffairs Security

The popular investigator Brian Krebs reported that the tech giant Dell lost control of the dellbackupandrecoverycloudstorage domain in June 2017.
It is really embarrassing: Dell forgot to renew the domain name www.dellbackupandrecoverycloudstorage.com, which the tech giant used to install operating systems on the PCs it has sold. The incident was discovered by a third party, which blamed the vendor for spreading malware through the domain.

According to the popular investigator Brian Krebs who first reported the news, the domain is administered by a third party, which didn’t renew the domain in June 2017.

“It’s not yet clear how or why DellBackupandRecoveryCloudStorage.com got away from SoftThinks.com — an Austin, Tex.-based software backup and imaging solutions provider that originally registered the domain back in mid-2013 and has controlled it for most of the time since. But someone at SoftThinks apparently forgot to renew the domain in mid-June 2017.” states Brian Krebs.

The www.dellbackupandrecoverycloudstorage.com domain provides information about Dell’s data protection products and is used as a back-end for an app called the “Dell Backup and Recovery Application” that is a solution bundled with Dell PCs. Dell defines the app as “a safe, simple, and reliable backup and recovery solution that can protect your system (OS, applications, drivers, settings) and data (music, photos, videos, documents, and other important files) from data loss.”

The Dell Backup and Recovery Application is also used by Dell to allow PC owners to do a factory reset of their machines.

Krebs alleges the domain redirected to websites hosting malware: according to AlienVault‘s Open Threat Exchange, the Internet address that was assigned to DellBackupandRecoveryCloudStorage.com in late June is an Amazon server which is “actively malicious.”

“Reached for comment about the domain snafu, Dell spokesperson Ellen Murphy shared the following statement:

“A domain as part of the cloud backup feature for the Dell Backup and Recovery (DBAR) application, www.dellbackupandrecoverycloudstorage.com, expired on June 1, 2017 and was subsequently purchased by a third party. The domain reference in the DBAR application was not updated, so DBAR continued to reach out to the domain after it expired. Dell was alerted of this error and it was addressed. Dell discontinued the Dell Backup and Recovery application in 2016.””

Krebs warned of scammers that are contacting Dell customers pretending to be Dell tech support specialists. The scammers employ social engineering techniques to make their scams more convincing by reading off the unique Dell “service tag” code printed on each Dell customer’s PC or laptop.

“How can scammers have all this data if Dell’s service and support system isn’t compromised, many Dell customers have asked? And still ask: I’ve had three readers quiz me about these Dell service tag scams in the past week alone. Dell continues to be silent on what may be going on with the service tag scams, and has urged Dell customers targeted by such scams to report them to the company.” concluded Krebs.

This is not the first time domain registration incidents have caused problems for organizations. Earlier this month, a service on the Equifax website set up for obtaining free and discounted credit reports had been redirecting users to websites offering a fake Flash Player installer.


Firms Increasingly Turn to Machine Learning for Security Solutions
26.10.2017 securityweek Security
Forty-seven percent of organizations have already deployed machine learning (ML) solutions, with another 23% engaged in pilot projects, to help detect increasingly sophisticated incursions and lower the cost of response.

A study (PDF) commissioned by Cylance and undertaken by Enterprise Strategy Group (ESG) surveyed 300 IT and security professionals from mid-market and large enterprises. The respondents are located in the United States (43%), Japan (21%), United Kingdom (13%), France (12%), and Germany (11%); and all are involved in the purchase process for endpoint security.

The study sought to identify the 'top of mind' security threats, and the impact those threats have on endpoint security purchasing decisions.

Phishing is the biggest concern for most respondents. In the last two years, 55% have experienced phishing with a malicious attachment, 54% have experienced phishing with a link to a malicious website, and 29% have experienced instant messaging phishing with a link to a malicious website.

Phishing -- particularly spear-phishing -- has proven resilient against technological solutions. Although there are current attempts to develop ML solutions, some researchers believe it will not be possible. “With such a small number of known spearphishing instances, standard machine learning approaches seem unlikely to succeed: the training set is too small and the class imbalance too extreme,” notes a recent research paper.

ESG suggests that training is the best solution to phishing. “Organizations can reduce phishing response rates and raise security awareness by training employees to recognize spoofed emails and texts, and to practice good hygiene, such as checking URLs before clicking links,” says the report. “Training repetition, phishing simulations, and red teams, where an independent group attempts to induce bad employee behavior, can reinforce initial cybersecurity training, and 35% of organizations that have suffered a security incident are instituting additional end-user training.”

However, it is not the phishing itself that is the problem, but what the phishing leads to -- which is usually, ultimately, malware. Asked which threats are the most difficult to detect, 43% of respondents replied, 'unknown malware'; 31% replied 'zero-day exploits of new and unknown vulnerabilities', and 29% replied 'fileless attacks which employ weaponized content'.

These are precisely the attacks that signature-based detection systems cannot recognize, and where machine-learning behavioral detection systems excel.

Top of the mind threats

Ransomware, unsurprisingly, gets special consideration. “At 46%,” states the report, “nearly half of the respondents noted that their organization had been the victim of a ransomware attack in the last year and more than half of those (56%) reported more than 5% of their organization’s endpoints were infected. It is noteworthy that only 12% of affected organizations paid the ransom.”

But neither paying the ransom nor restoring impacted data from backup are necessarily the solution. “Nearly a quarter of research participants whose organizations have been recent ransomware victims stated that they experienced a recurrence of the same ransomware on the same endpoints and 38% experienced the same ransomware but on different endpoints.”

Somewhat surprisingly, financial loss (15%) and data loss (19%) are dwarfed by interruptions to standard business processes (32%) as the main effect of a security incident. Given the time and effort required to discover and remove malicious files with the risk of missing something, many organizations simply re-image the system from a golden master. This is still time-consuming.

“Twenty-nine percent of respondents said their organization reimages 100 or more systems every month, and 12% said their organization reimages more than 500 systems per month. It takes a dedicated team of IT professionals to reimage hundreds of endpoints each month, and the volume of infections hints at inadequacies in endpoint security controls,” says the report.

Just as cyber criminals have evolved their attacks to defeat first-generation signature-based defenses with polymorphic malware and fileless attacks, it seems that security professionals are aware of the problems and are actively investigating or deploying second-generation ML-based behavioral detection systems in response.

Cylance, which commissioned the survey, raised $100 million in Series D financing in June 2016.


The Festive Complexities of SIGINT-Capable Threat Actors
25.10.2017 Kaspersky Security
To read the full paper and learn more about this, refer to “Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell”

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt manipulation have proven enough for many researchers to shy away from the attribution space. And yet, we haven’t even discussed the worst-case scenarios. What happens to our research methods when threat actors start hacking each other? What happens when threat actors leverage another’s seemingly closed-source toolkit? Or better yet, what if they open-source an entire suite to generate so much noise that they’ll never be heard?

Thankfully, the 2017 VirusBulletin conference is upon us and, as in previous years, we’re taking the opportunity to dive into an exciting subject, guided by our experience from doing hands-on APT research.

During the past years, we discussed the evolution of anti-malware research into intelligence brokerage, the inherent problems with doing attribution based solely on fifth-domain indicators, and an attempt to have a balanced discussion between defensive cats and the sly mice that elude them. Continuing in this direction, this year we decided to put our heads together to understand the implications that the esoteric SIGINT practice of fourth-party collection could have on threat intelligence research.

A few types of SIGINT Collection
The means by which information is generated and collected is the most important part of an analyst’s work. One must be well aware of the means and source of the information analyzed in order to either compensate or exploit its provenance. For that reason, collection can be categorized by its means of generation in relation to the position of the parties involved, as discussed below. These definitions will serve as functional categories for our understanding as outsiders looking into the more complex spheres of collection dynamics.

To showcase the types of data collection, let’s imagine a competent entity named ‘Agency-A’ as a stand-in for a ‘God on the wire’-style SIGINT agency interested in fourth-party collection.

There are multiple types of collection categories available to this entity. The more obvious being information collected by Agency-A directly (first-party) or shared with Agency-A by partner services (second-party). Third-party collection, or information collected via access to strategic organizations, whether they realize it or not, has gotten a lot of attention over the past few years. This would include ISPs, ad networks, or social media platforms that aggregate great troves of valuable data.

Similarly, for the sake of explanation, we will use a further entity, Agency-B, as a second semi-competent SIGINT agency upon which Agency-A can be recurringly predatory. When necessary, an even less competent Agency-C will serve as prey.

Yet, things get most interesting when we start talking about:

“Fourth-party collection – …involves interception of a foreign intelligence service’s ‘computer network exploitation’ (CNE) activity in a variety of possible configurations. Given the nature of Agency-A as a cyber-capable SIGINT entity, two modes of fourth-party collection are available to it: passive and active. The former will take advantage of its existing visibility into data in transit either between hop points in the adversary’s infrastructure or perhaps in transit from the victim to the command-and-control servers themselves (whichever opportunity permits). On the other hand, active means involve the leveraging of diverse CNE capabilities to collect, replace, or disrupt the adversary’s campaign. Both present challenges we will explore in extensive detail further below.”

In less technical terms, fourth-party collection is the practice of spying on a spy spying on someone else. Or with age-old cryptographic interlocutors: Bob is obsessed with Alice. Alice is being spied on by her overzealous neighbour Eve. In order for Bob to be a creeper without arousing suspicion, he decides to spy on Eve with the purpose of getting to know Alice through Eve’s original privacy violation.

As you might expect there are different ways to do this and many of them enjoy the benefit of being near impossible to detect. Where possible, we have added examples of what to us looks like possible active attempts to collect on another’s collection. Otherwise, we have added thought experiments to help us wrap our heads around this shadowy practice. Two examples worth bringing to your attention (reproduced faithfully from our paper):

‘We heard you like popping boxes, so we popped your box so we can watch while you watch’

Attempting to highlight examples of fourth-party collection is a difficult exercise in the interpretation of shadows and vague remnants. While passive collection is beyond our ability to observe, active collection involves the risk of leaving a footprint in the form of artefacts. In the course of APT investigations, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has encountered strange artefacts that defy immediate understanding in the context of the investigation itself. While we cannot be certain of the intent or provenance of these artefacts, they nonetheless fit a conceptual framework of active fourth-party collection. Here are a few examples:

Crouching Yeti’s Pixelated Servers
In July 2014, we published our research on Crouching Yeti, also known as ‘Energetic Bear’, an APT actor active since at least 2010. Between 2010 and 2014, Crouching Yeti was involved in intrusions against a variety of sectors, including:

Industrial/machinery
Manufacturing
Pharmaceutical
Construction
Education
Information technology
Most of the victims we identified fell into the industrial and machine manufacturing sector, indicating a vertical of special interest for this attacker.

To manage their victims, Crouching Yeti relied on a network of hacked websites which acted as command-and-control servers. For this, the attackers would install a PHP-based backend that could be used to collect data from or deliver commands to the victims. To manage the backend, the attackers used a control panel (also written in PHP) that, upon checking login credentials, would allow them to manage the information stolen from the victims.

In March 2014, while investigating one of the hacked sites used by Energetic Bear, we observed that for a brief period of time, the page for the control panel was modified to include an <img src> tag that pointed to a remote IP address in China. This remote 1×1 pixel image was likely intended to fingerprint the attackers as they logged into their control panel. The fingerprinting could have been used to collect attributory indicators. The usage of an IP address in China, which appeared to point to yet another hacked server, was most likely an attempt at a rudimentary false flag should this injection be discovered.
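An injected beacon of the kind described above leaves a visible trace in the served HTML: an <img> whose source is a host the site does not own, typically one pixel in size or addressed by a raw IP. The following added example (not Kaspersky's code) scans a page for such images so that the operator of a site, for instance a web host checking for tampering, can spot them; the sample page, the host names and the documentation-range IP address in it are constructed for the example.

```python
"""Added example, not Kaspersky's code: find <img> tags that fetch from hosts
other than the site's own, flagging 1x1 images and raw-IP sources, which is the
shape an injected fingerprinting beacon takes in served HTML."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_beacon_images(html, own_hosts):
    """Return suspicious external images as dicts; own_hosts is the set of
    host names the site legitimately serves assets from."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        if not parsed.netloc:            # relative URL: served by this site
            continue
        host = parsed.hostname or ""
        if host in own_hosts:
            continue
        tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
        findings.append({
            "src": src,
            "host": host,
            "raw_ip": _is_ip(host),
            "tiny": tiny,
            # a foreign host combined with a 1x1 size or a bare IP is the classic beacon shape
            "severity": "high" if (tiny or _is_ip(host)) else "medium",
        })
    return findings


# Constructed sample: a login page with the site's own logo, a CDN asset, and an
# injected beacon pointing at a raw IP from the 203.0.113.0/24 documentation range.
SAMPLE_PAGE = """<html><body>
<img src="/static/logo.png" alt="logo">
<img src="https://cdn.example.org/button.png">
<form method="post"><input name="user"><input name="pass" type="password"></form>
<img src="http://203.0.113.7/p.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for finding in find_beacon_images(SAMPLE_PAGE, {"www.example.org"}):
        print(finding)
```

Run against the sample with only `www.example.org` as an owned host, the CDN image is reported at medium severity and the 1x1 raw-IP image at high severity; adding the CDN host to `own_hosts` leaves only the beacon. Such a check is most useful as a periodic diff of a page's external references against an allow-list rather than a one-off scan.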

NetTraveler’s Most Leet Backdoor
While investigating the NetTraveler attacks, we obtained a disk image of a mothership server used by the threat actor. The mothership, a combined staging and relay server, contained a large number of scripts used by the attackers to interact with their malware, as well as VPN software and other IP-masking solutions used to tunnel into their own hacking infrastructure.

Beyond the fortuitous boon of seizing such a content-rich server, GReAT researchers made a further unexpected discovery: the presence of a backdoor apparently placed by another entity.

We believe the backdoor was installed by an entity intent on maintaining prolonged access to the NetTraveler infrastructure or their stolen data. Considering that the NetTraveler operators had direct access to their mothership server and didn’t need a backdoor to operate it, we consider other possible interpretations less likely.

The artefact encountered is the following:

Name: svchost.exe
MD5: 58a4d93d386736cb9843a267c7c3c10b
Size: 37,888
Interestingly, the backdoor is written in assembly and was injected into an empty Visual C executable that served as a template. This unusual implementation was likely chosen in order to confuse analysis or prevent detection by simple antivirus programs.

The backdoor is primitive and does nothing but listen on port 31337 (the most ‘LEET’ port) and wait for a payload to be sent. The acceptable payload format is depicted here:

The assembly code is then executed and can perform any action chosen by the predatory attackers. The backdoor requires no authentication. Combining this sort of backdoor with Metasploit or other similar frameworks could have easily been used to control the system.

In recent years, we have seen a number of other peculiar incidents and cases which could constitute fourth-party collection.

To read the full paper and learn more about this, refer to “Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell”.


Credentials (UN)Management in home banking.
25.10.2017 securityaffairs Security

Introduction
Of the five main information security pillars, namely confidentiality, integrity, availability, authenticity and non-repudiation, ordinary users pay the most attention to the first. But in real life, even though people generally agree on the importance of backups, not many actually implement this security mechanism. What one says and what one does are not the same.

Nowadays, concern about espionage has grown with Snowden’s case, as can easily be seen from the media coverage of it. From mass media such as The Huffington Post and The Washington Post to information security expert Bruce Schneier, all offer insight into the impact of the information disclosed by the former NSA employee.

With that in mind, one may ask oneself: “how secret is my secret?”

This paper is a brief of the full research paper “The leakage of passwords from home banking sites: A threat to global cyber security?”, Journal of Payments Strategy and Systems, Vol. 11, No. 2, by Rodrigo Ruiz, Rogério Winter, Kil Jin Brandini Park and Fernando Amatte.

We Got Something…
Account information for various websites was recovered, IN CLEAR TEXT!


Figure 1 – Citibank USA account information (“&username=userciti” and “&password=citipaswt”) recovered from disk.

Web Forms
Web forms define the way users interact with a website. The user enters data, text or numbers in specific fields, clicks the submit button and waits for a response. All forms share this basic behaviour and the HTML elements are standard. Each development framework has its own way of generating forms, but none of them is responsible for providing any kind of security for them.

A basic html web form will look like this:

HTML code

<form method="POST" action="">
<br>User : <input type="text" name="user" size="20">
<br>Password: <input type="password" name="password" size="20">
<br><input type="submit">
</form>
Considering this basic HTML form, one question remains: where is the security behind it?

Who Should Worry?
Users, developers, companies, and organizations of any size.

One should think about the implications of a password disclosure. The effects vary according to the service, but range from espionage and sabotage to unlawful money transfers.

Thus anyone who owns, manages or uses websites that require identification and authentication should worry, since with this method an attacker who gains access to the user’s machine can easily search for that account information in a matter of hours.

Am I Really Protected?
Usually, data in transit is the main concern when the focus is on confidentiality. Thus, encryption of the communication channel is widely used.

As an example, at the application layer the HTTPS protocol is used to provide that confidentiality.

Other safety measures are to forbid the use of weak passwords and to avoid plaintext storage of passwords on servers.

But none of the above really matters if usernames and passwords are recorded as plaintext on the client side. And in this paper, we proved that this happens with many internet web service providers.

How Was The Job Done?
First, it is important to note that physical access to the disk is needed for this method to work. We will return to this matter when discussing possible protections against this flaw.

After navigating to and authenticating on the tested sites, we began by searching the disk for a previously known string (the bogus password). For the tests performed we chose passwords that had not previously been used on the tested machine, in order to avoid false positives.

To that end we used a tool that searches the disk for strings using raw access, without regard for the particularities of the file structures or filesystem.

Making it Automatic
After the proof of concept, we tried to extract signatures for each service tested (website visited).

We began with some bogus account information on various websites. From that, we extracted account signatures for some websites, as seen in Table 1:


Table 1 – Signature of the Account Identification for Some of the Tested Sites.

The signatures allowed data to be carved from the disk using the Foremost program, a forensic tool for the extraction (“data carving”) of files of different formats.

This tool works as follows: it reads a block of data from memory, a disk or files and looks for signatures of well-known file formats. The search showed that usernames and passwords previously used on the system could be uncovered.

The tests are ongoing, and the same results were obtained from other sites such as webmail (Figure 2), banking, government and military sites:


Figure 2 – Login Information from Gmail (“mail?gxlu=inprivate.rfk%40gmail.com”)
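The method described under “How Was The Job Done?” and “Making it Automatic” (search a raw image for a known bogus password, then carve by form-field signature) can be turned into a self-check that a site owner or QA team runs against their own test machine after logging in with a canary password. The following is an added example, not the authors' tool: it searches an image for the canary in both UTF-8 and UTF-16LE (Windows strings often land in pagefile.sys in the latter form) and carves URL-encoded username/password pairs. The field names in the signature and the sample image are constructed assumptions.

```python
"""Added example (not from the paper): canary search and form-signature
carving over a raw disk or page-file image, for checking your own machine."""
import re
from typing import Dict, List, Tuple

# Assumed signature for application/x-www-form-urlencoded credential pairs,
# in the style of Figure 1 ("&username=...&password=..."). Adapt the field
# names to the site under test, as Table 1 does per site.
FORM_SIG = re.compile(rb"(?:user(?:name)?|login|email)=([^&\s]{1,64})&"
                      rb"(?:password|passwd|pwd)=([^&\s]{1,64})", re.I)


def encodings(canary: str) -> Dict[str, bytes]:
    """Byte forms the canary may take on disk: UTF-8 and UTF-16LE."""
    return {"utf-8": canary.encode("utf-8"),
            "utf-16le": canary.encode("utf-16-le")}


def find_canary(image: bytes, canary: str) -> List[Tuple[int, str]]:
    """Return (offset, encoding) for every occurrence of the canary."""
    hits: List[Tuple[int, str]] = []
    for name, needle in encodings(canary).items():
        start = 0
        while (pos := image.find(needle, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return hits


def carve_form_logins(image: bytes) -> List[Tuple[int, str, str]]:
    """Carve (offset, username, password) from form-encoded bodies (UTF-8)."""
    return [(m.start(), m.group(1).decode("latin-1"), m.group(2).decode("latin-1"))
            for m in FORM_SIG.finditer(image)]


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw image: filler around a cached POST body
    and a UTF-16LE copy of the password field, as paging might leave behind."""
    filler = bytes(range(256)) * 8
    post_body = (b"POST /login HTTP/1.1\r\n\r\n"
                 b"username=testuser&password=Canary-X9!&submit=Login")
    paged = "password=Canary-X9!".encode("utf-16-le")
    return filler + post_body + filler + paged + filler


if __name__ == "__main__":
    img = build_sample_image()
    for off, enc in find_canary(img, "Canary-X9!"):
        print(f"canary found at offset {off} ({enc})")
    for off, user, pw in carve_form_logins(img):
        print(f"form login at offset {off}: user={user} password={'*' * len(pw)}")
```

On a real test, point the functions at a dump of pagefile.sys or the browser cache directories listed below; a canary hit in any of them means the form body reached disk.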

Where Did We Find it?
In Internet Explorer’s case, the following directories and files contained the recovered authentication information:

\users\user\appdata\local\microsoft\internet Explorer\recovery\last active\

\users\usuário\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\

\Pagefile.sys

In the case of Chrome, Firefox and Safari, the only file that contained the recovered authentication information was Pagefile.sys. That proves that in their case the leakage of login information is due to the operating system’s paging process.

In the tests conducted with a Brazilian banking site, the following files contained the recovered authentication information:

\Program Data\gpplugin\cef\bank.gbl.??

\users\usuário\appdata\local\microsoft\windows temporary\wk9???\adsadclient31.htm

About the Inspiration of This Research
In previous work, the authors demonstrated that the browser functionality that promises anonymous browsing (e.g. Internet Explorer’s InPrivate, Firefox’s Private Browsing, Chrome’s Incognito Mode and Safari’s Private Mode) shows, in certain circumstances, flaws that allow an attacker to extract information about the sites visited by users.

In the first paper, “Tornando Pública a Navegação In Private” (Making InPrivate Browsing Public), published in the proceedings of the Seventh International Conference on Forensic Computer Science, we tested the anonymous browsing functionality of Internet Explorer 8 and Firefox 8.0.1, running inside virtual machines, under several conditions. Using data carving forensic techniques, we were able to recover images and page fragments that allowed the identification of the pages visited by the users, as seen in Figure 3:


Figure 3 – One of the images recovered from disk after user navigation. The image was completely recovered but for copyright reasons is only partially displayed.

The following is a fragment of a webpage recovered from disk after user navigation. Source: Tornando Pública a Navegação In Private (RUIZ, AMATTE and PARK).

<h2><a href="http://www.simpsons.com.br/?p=148" rel="bookmark" title="Permanent Link to Ned Flanders e Edna Krabappel">Ned Flanders e Edna Krabappel</a></h2>
<div class="post-title-info">Autor: Felipe &nbsp;|&nbsp; Categoria: <a href="http://www.simpsons.com.br/?cat=5" title="Ver todos os posts em Informa
<p><a href="http://thesimpsons.com/nedna/"><img src="http://thesimpsons.com/nedna/collectibles/pronedna-facebook-icon01.jpg" alt="A favor" /></a> <a href="http://thesimpsons.com/nedna/"><img src="http://thesimpsons.com/nedna/collectibles/no-nedna-facebookicon01.jpg" alt="Contra" /></a></p>

This work was extended and published in the proceedings of the International Conference on Information Security and Cyber Forensics as “Opening the ‘Private Browsing’ Data – Acquiring Evidence of Browsing Activities”. The paper covered the following browsers: Internet Explorer 10, Firefox 24.0_1, Google Chrome 30.0.159969M_1 and Safari 5.1.7_1. The base guest virtual machine for each browser was replicated four times, one copy for each of the four tests performed on each browser:

Test S (Shutdown): visiting a website available on the Internet, performing operations to interact with the site, closing the browser normally, and generating the virtual machine image for analysis.
Test F (Freeze): visiting a website available on the Internet, performing operations to interact with the site and, with the browser still running, generating the virtual machine image for analysis.
Test K (Kill process): visiting a website available on the Internet, performing operations to interact with the site, asking the operating system to terminate the browser process, and generating the virtual machine image for analysis.
Test P (Power down): visiting a website available on the Internet, performing operations to interact with the site, asking the hypervisor to turn off the virtual machine (simulating a power outage), and generating the virtual machine image for analysis.
The results obtained showed no significant changes from the first research:

Table 2 – Results for Safari Browser

                       Test F   Test K   Test P   Test S
Page address recovery  Yes      Yes      Yes      Yes
Pic recovery           No       Yes      Yes      Yes

Table 3 – Results for Firefox Browser

                       Test F   Test K   Test P   Test S
Page address recovery  Yes      Yes      Yes      Yes
Pic recovery           No       Yes      Yes      Yes

Table 4 – Results for Chrome Browser

                       Test F   Test K   Test P   Test S
Page address recovery  Yes      Yes      Yes      Yes
Pic recovery           No       Yes      Yes      Yes

Table 5 – Results for IE10

                       Test F   Test K   Test P   Test S
Page address recovery  Yes      Yes      No       Yes
Pic recovery           No       No       Yes      No
How to Avoid It?
As previously stated, physical access to the disk is needed for this method. That could lead to the assumption that the use of disk encryption would render the method useless. But this is not entirely true.

It is easy to see that malware running on the user’s machine could collect and send out the banking account information while the machine is in use (and thus while the data is decrypted in memory and on disk).

So it becomes clear that other techniques are needed to avoid it.

Why Use a KeyLogger?
From that perspective, it is easy to see that instead of a keylogger (which would need to wait until the user typed the account information), it is more effective to develop malware that searches the disk for the extracted signatures. As a matter of fact, we already have a proof of concept, implemented using the Foremost forensic tool, that does exactly this.

More on the Subject
We also conducted tests on Linux and Safari and on Android mobile systems, and were able to recover usernames and passwords on them as well.

It is important to note that no unlawful actions were conducted, as no penetration tests were done. All usernames and passwords tested were personal or invalid/bogus.

Also noteworthy is the fact that, where possible, we contacted the companies and organizations about this issue.

Conclusions
As previously stated, no amount of safety measures is enough when account information is stored as plaintext on the client side. We proved that this happens with major internet service providers.

Because of this finding, banking account information can be easily disclosed, and a keylogger is no longer needed. It is easier and more effective to carve the data from the disk.


One-Third of Industrial Networks Connected to Internet: Study
24.10.2017 securityweek Security

Many industrial and critical infrastructure systems are connected to the Internet, and the operational technology (OT) networks of some organizations have already been compromised, according to a new study from industrial security firm CyberX.

What makes the CyberX study interesting is the fact that it’s not based on a survey. Instead, the company used data obtained after passively monitoring traffic from 375 OT networks over the past 18 months. The organizations whose networks have been analyzed are from a variety of sectors – including manufacturing, energy and utilities, oil and gas, and pharmaceuticals and chemicals – in the United States, Europe and the Asia-Pacific region.

Organizations have often downplayed the risks associated with the presence of vulnerable industrial control systems (ICS) on their networks, claiming that devices are isolated, or air-gapped, and cannot be accessed remotely from the Internet.

However, CyberX’s study revealed that roughly one-third of organizations had industrial networks connected to the public Web. These systems are often accessible remotely for convenience, including for remote management, performing software updates, and even web browsing and email from the OT network.

More than 80% of industrial sites are running a remote management protocol such as RDP, VNC or SSH, allowing attackers on the OT network to remotely access and control other devices on the network via standard administration tools. Misconfigured wireless access points (WAPs) can also be leveraged as an attack vector, and one in five of the analyzed companies had at least one WAP.

CyberX also found that 76% of analyzed industrial sites have machines running obsolete versions of Windows, such as Windows 2000 and Windows XP, on their OT networks. Both Windows devices and industrial systems such as programmable logic controllers (PLCs) had vulnerabilities in 28% of cases.

Furthermore, many organizations haven’t made sure that strong authentication mechanisms are in place. In nearly 60% of cases, CyberX has seen plaintext passwords crossing the network, allowing man-in-the-middle (MitM) attackers to obtain valuable information.

The analysis shows that Modbus is the most widely used industrial protocol (58%), followed by EtherNet/IP (28%), Siemens’ S7, OPC, OSIsoft PI and MMS.

Researchers also found that almost half of industrial sites did not have even basic antivirus protection on Windows endpoints.

“We’ve heard from customers that adding AV software to endpoints such as HMI workstations can sometimes void the warranty provided by their OT vendors. Vendors are concerned that the overhead of AV scanning software will impact the performance or reliability of their workstations,” CyberX said in its report. “Nevertheless, lack of AV protection increases the risk of having known malware on these systems — such as Conficker, WannaCry, and NotPetya — without even knowing about it.”

As a matter of fact, CyberX did see malware in 10% of the analyzed OT networks. The security firm observed Conficker infections; Conficker is one of the most widespread pieces of malware and has been known to infect even critical infrastructure organizations. CyberX told SecurityWeek that it also noticed some threats that exhibited behavior consistent with the EternalBlue exploit, which has been used by both the WannaCry ransomware and the NotPetya wiper.

The data shows little difference between the security scores of various industries – there is only a +/- 5% variation from the median score of 61% across the analyzed sectors.

Median security score across industries