Thursday, November 30, 2017

Remember: To Err is human, blaming it on others is EVEN MORE human.



While 62% of consumers feel businesses are responsible for data security, many have their own poor security hygiene. For instance, 41% fail to take advantage of security measures available to them, such as two-factor authentication for social media accounts. In addition, more than half (56%) still use the same password for multiple online accounts.

“Consumers are evidently happy to relinquish the responsibility of protecting their data to a business, but are expecting it to be kept secure without any effort on their part,”

For More:
https://www.infosecurity-magazine.com/news/consumers-overwhelmingly-blame?utm_source=twitterfeed&utm_medium=twitter

Good news - Firefox to add "Breach Alerts"



Firefox is testing out a warning system that will notify users when they visit breached sites and offer the option to be notified if a site they previously visited becomes breached in the future.

The “Breach Alerts” will not prevent a user from visiting a site, but will give them some sort of idea that the site's security features are less than optimal, using data provided by Have I Been Pwned?.

For More:
https://www.scmagazine.com/firefox-browser-tests-notifications-to-alert-users-when-visiting-breached-sites/article/710711/

HP (once a great company, now...) installs telemetry software without the user's permission and sends data back once a day.



And, HP customers also complained that the installation slowed down their system significantly.



"So today all of a sudden, I'm experiencing a considerable slowdown in my laptop (Pavilion P3V59PA). Once I look for the problem in Task Manager, I found out that the program called HP Touchpoint Analytics Client (and its subsequent follow up) constantly jumping the memory usage (~300Mb at a minimum, ~nearly 2Mb at maximum)."
"I don't remember ever installing this program whatsoever, and in control panel, I found that for some reason this program was silently installed today, without my consent."

For More:
https://thehackernews.com/2017/11/hp-computers-telemetry-data.html

Wednesday, November 29, 2017

Another reason to use MFA (Multi-Factor Authentication) - 77% of the FTSE 100 were exposed


If they had enabled Multi-Factor Authentication (MFA), the associated risk could have been low or minimal.

77% of the FTSE 100 were exposed, with an average of 218 usernames and passwords stolen, published or sold per company.

A significant number of credentials linked to FTSE 100 organisations were still left compromised over the three months following the discovery.


For More:
https://blog.knowbe4.com/77-of-the-ftse-100-have-compromised-credentials-what-is-your-stolen-password-percentage

Tuesday, November 28, 2017

Crime-as-a-service (CaaS) is among the top five global security threats that businesses will face in 2018.



The rest are:

  1. the internet of things (IoT)
  2. Supply chain risk
  3. Regulatory complexity 
  4. Unmet board expectations (this one could be the hardest to resolve)


For More:
https://www.infosecurity-magazine.com/news/isf-top-2018-threats

Root access without a password in MacOS?



Sometimes fact is stranger than fiction.

A new bug in Apple’s operating system MacOS allows anyone to become an admin by entering “root” as login and then pressing enter.

Several information security professionals confirmed to Motherboard that they can reproduce the bug on MacOS 10.13, the latest version of the operating system.


This bug allows any user logged into MacOS to authenticate as root without entering an admin password. And if the Mac has more than one user, this attack works even if the computer is locked.

The bug also allows someone to change other users’ passwords, since it unlocks the system keychain.

For More:
https://motherboard.vice.com/en_us/article/3kvxg5/apple-mac-bug-root-admin-without-password

Monday, November 27, 2017

Ever heard of "Golden SAML"? This is a technique for compromising (SAML-based) SSO


The prerequisites for this are heavy; however, the returns could be great for the hackers.


It could allow an attacker to fake enterprise user identities and forge authentication to gain access to valuable cloud resources in a federation environment.

“Golden SAML poses serious risk because it allows attackers to fake an identity and forge authentication to any cloud app (Azure, AWS, vSphere, etc.) that supports SAML authentication. Using this post-exploit technique, attackers can become any user they want to be – with the highest level of privileges – and gain approved, federated access to a targeted app,” researchers wrote.

The prerequisites of such attacks, however, are considerable. Among other things, hackers will need the private key that signs the SAML objects, an Active Directory Federation Services user account, token-signing private key, an identity provider (IdP) public certificate and an IdP name.
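A defender's way to spot a Golden SAML login, as an added example (not code from the article or the researchers): a forged assertion is signed with the stolen token-signing key, so the cloud app accepts it, but it never passed through the IdP, so the IdP has no issuance record for it. Correlating the IdP's issuance log with the app's accepted-assertion log exposes that gap; the record fields and sample entries below are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each IdP record is an assertion the
# federation server actually issued; each SP record is an assertion a cloud app accepted.
IDP_ISSUED = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "ts": "2017-11-27T09:00:05"},
    {"assertion_id": "_a2", "user": "bob@corp.example", "ts": "2017-11-27T09:02:10"},
]
SP_ACCEPTED = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "ts": "2017-11-27T09:00:07", "app": "aws"},
    {"assertion_id": "_a2", "user": "bob@corp.example", "ts": "2017-11-27T09:02:12", "app": "azure"},
    # Forged assertion: signed with the stolen token-signing key, so the app accepts it,
    # but the IdP never issued it and has no record of it.
    {"assertion_id": "_zz", "user": "admin@corp.example", "ts": "2017-11-27T09:30:00", "app": "aws"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_unissued_assertions(idp_records, sp_records, max_age=timedelta(minutes=5)):
    """Return (sp_record, reason) pairs for accepted assertions that the IdP never
    issued, that were issued for a different user, or that were consumed outside
    the expected window after issuance."""
    issued = {r["assertion_id"]: r for r in idp_records}
    suspicious = []
    for sp in sp_records:
        idp = issued.get(sp["assertion_id"])
        if idp is None:
            suspicious.append((sp, "no matching IdP issuance"))
            continue
        if idp["user"] != sp["user"]:
            suspicious.append((sp, "user differs from IdP issuance record"))
            continue
        age = parse_ts(sp["ts"]) - parse_ts(idp["ts"])
        if age < timedelta(0) or age > max_age:
            suspicious.append((sp, "consumed outside the issuance window"))
    return suspicious


if __name__ == "__main__":
    for rec, reason in find_unissued_assertions(IDP_ISSUED, SP_ACCEPTED):
        print(f"ALERT app={rec['app']} user={rec['user']} "
              f"assertion={rec['assertion_id']}: {reason}")
```

The same correlation also catches a genuine assertion replayed long after issuance or presented for a different user than the IdP issued it to.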

For More:
https://threatpost.com/saml-post-intrusion-attack-mirrors-golden-ticket/128993/

If you are using a ZyXEL device and haven't changed the default password, your device might be compromised



There has been an uptick in botnet activity associated with a variant of Mirai. It targets ports 23 and 2323 on internet-connected devices made by ZyXEL Communications that are using default credentials.

In October 2016, Mirai malware spread itself to IoT devices, gaining access via default passwords and usernames. The malware then roped affected devices into a botnet and carried out distributed denial of service (DDoS) attacks.


For More:
https://threatpost.com/newly-published-exploit-code-used-to-spread-marai-variant/128998/

Wednesday, November 22, 2017

OWASP Top 10 - 2017 has three new additions



Making its appearance for the first time in OWASP's top 10 list is a category dubbed XML external entities (XXE), pertaining to older and poorly configured XML processors. Data gathered from source code analysis testing tools supported inclusion of XXE as a new vulnerability in the top 10 list, according to OWASP.

The two other new additions to the list are insecure deserialization errors, which enable remote code execution on affected platforms, and insufficient logging and monitoring.

PDF version here:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

UBER - Not only did they have a data breach, they also paid a ransom to keep it a secret


The $100K Question would be - Did the hackers really delete the data?

Instead of disclosing the breach, the company paid $100,000 in ransom to the two hackers who had access to the data, in exchange for keeping the incident secret and deleting the information.


For More:
https://thehackernews.com/2017/11/uber-hack-data-breach.html

Tuesday, November 21, 2017

Google - We don't need your permission to collect your location information



Google has been caught collecting location data on every Android device owner since the beginning of this year (that's for the past 11 months)—even when location services are entirely disabled.

All it needs is for your Android device to be connected to the Internet.

Each time your Android device comes within range of a new cell tower, it gathers the cell tower address and sends this data back to Google when the device is connected to a WiFi network or has cellular data enabled.

For More:
https://thehackernews.com/2017/11/android-location-tracking.html

Black Friday Deals - Here are 6 real phishing emails (that you might receive or already received)





  1. Ray-Ban 80% Discount Sale
  2. Neuberger Berman Gift Card Perk
  3. Free Apple iPhone 6
  4. Americanas 60% Laptop Sale
  5. Free Preloaded Amazon Gift Card
  6. Michael Kors 80% Handbag Sale



For More:
https://www.darkreading.com/mobile/6-real-black-friday-phishing-lures/d/d-id/1330468?image_number=7

Monday, November 20, 2017

SCARY STUFF: Over 400 of the World's Most Popular Websites Record Your "EVERY KEYSTROKE"



Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don’t just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don’t run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. 



Research from Princeton University released last week indicates that online tracking is far more invasive than most users understand.

Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded.

For More:
https://motherboard.vice.com/en_us/article/59yexk/princeton-study-session-replay-scripts-tracking-you

Do you have Lollipop, Nougat or Marshmallow (I mean the Android OS, NOT those tasty eatables)? Then you should read this. It seems 77.5% of Android systems are at risk.



Since a majority of Android devices nowadays run one of these three versions of the OS, around 77.5% of Android devices are at risk.

The MediaProjection service can be exploited due to a critical flaw. The service is designed to capture the user’s screen and record system audio.


Android’s MediaProjection service has existed for a long time, but apps needed root access and had to be signed with the device's release keys in order to use the service.
But when Android Lollipop 5.0 was released, Google made this service open to everyone, yet did not secure it by requiring permission from the user.

For More:
https://www.hackread.com/android-flaw-lets-attacker-capture-screen-record-audio/


(Privacy) Gone with the wind - More than 200 Indian government websites expose citizens' key personal details



The irony is that the Indian government has made it mandatory for every Indian citizen to get their Aadhaar ID to avail of various social welfare schemes and government services.

The government also wants all its citizens to link their Aadhaar IDs to their bank accounts, mobile numbers, insurance policies, PAN (Permanent Account Number) and other services.

Aadhaar is currently the world's largest biometric database and has already collected the iris scans and fingerprints of more than a billion Indians. However, many security experts have voiced serious security and privacy concerns over the system, especially due to the fact that it holds billions of users' sensitive and confidential details.


For More:
http://www.ibtimes.co.uk/aadhaar-data-leak-more-200-indian-government-websites-expose-citizens-key-personal-details-1647982

Friday, November 17, 2017

Android WhatsApp users should be aware that when we DELETE a message, it stays (sounds strange?)

WhatsApp messages that are deleted are actually still on the device and can be easily accessed.


This is according to a report from the Spanish Android blog Android Jefe, which found that deleted WhatsApp messages – at least, the first 100 characters – can be read off of the notification log of the device.

    What we found is that the messages are stored in the notification register of the Android system. So, it’s just a matter of entering that record to see the messages that the other person deleted.

Notification History is a hidden feature that was first added in Android 4.3. Hidden it may be, but there are apps on Google Play that will happily reveal it for you.


For More:
https://nakedsecurity.sophos.com/2017/11/16/deleted-whatsapp-sent-messages-might-not-be-gone-forever/

Terdot trojan - once infected you may end up with TearDrop(s)



It can target social media networks including Facebook, Twitter, Google Plus, and YouTube, and email service providers including Google's Gmail, Microsoft's live.com, and Yahoo Mail.

It can also bypass the protection provided by TLS (Transport Layer Security) by generating its own Certificate Authority (CA) and issuing certificates for every domain the victim visits.


For More:
https://thehackernews.com/2017/11/facebook-twitter-hack.html

Wednesday, November 15, 2017

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement.



The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt them” if a cyber vulnerability was specific to systems on board 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.


For More:
http://www.aviationtoday.com/2017/11/08/boeing-757-testing-shows-airplanes-vulnerable-hacking-dhs-says/

Monday, November 13, 2017

Watch out for this banking Malware - ICEDID



“The malware listens for the target URL from the list (of financial institutions) and, once it encounters a trigger, executes a designated webinjection. The webinjection sends the victim to a fake bank site set up in advance to match the one originally requested,” researchers wrote.

It performs a smart trick:
To thwart detection by the end user, the malware redirects traffic while keeping the bank’s correct URL in the address bar. That live connection also means the bank’s correct SSL certificate always shows.

For More:
https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/

Friday, November 10, 2017

GMAIL users - Pay attention!!


Google's study finds that victims of phishing are 400 times more likely to have their account hijacked than a random Google user.

Gmail users also represent the largest group of phishing victims, accounting for 27 percent of the total in the study.


For More:
https://blog.knowbe4.com/google-our-hunt-for-hackers-reveals-phishing-is-far-deadlier-than-data-breaches

Thursday, November 9, 2017

New twist in the Kaspersky story - WikiLeaks Says CIA Impersonated Kaspersky Lab



According to WikiLeaks, its analysis revealed that by using these fake certificates, the CIA made it look like data was being exfiltrated by one of the impersonated entities – in this case Kaspersky Lab.

“We have investigated the claims made in the Vault 8 report published on November 9 and can confirm the certificates in our name are fake,” Kaspersky Lab told SecurityWeek. “Our private keys, services and customers are all safe and unaffected.”

The news that the CIA may have impersonated Kaspersky Lab in its operations has led some to believe that the U.S. may have actually used such tools to falsely pin cyberattacks on Russia.

For More:
http://www.securityweek.com/wikileaks-says-cia-impersonated-kaspersky-lab

Important - Microsoft Security Advisory - for all MS-OFFICE users




Scenario
In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file.

Mitigating DDE Attack Scenarios
Users who wish to take immediate action can protect themselves by manually creating and setting registry entries for Microsoft Office. Use the following instructions to set the registry keys based on the Office applications installed on your system.


For More:
https://technet.microsoft.com/library/security/4053440

Hackers Hacking Hackers - When you use someone else's code, you should know that it could be a trojan.


Vulnerability scanning script found with a backdoor.
Remember, nothing is free in this world.




  1. First, it scans a set of IP addresses to find GoAhead servers vulnerable to a previously disclosed authentication bypass vulnerability (CVE-2017-8225) in Wireless IP Camera (P2P) WIFI CAM devices.
  2. In the background, it secretly creates a backdoor user account (username: VM | password: Meme123) on the wannabe hacker's system, giving the attacker the same privileges as root.
  3. The script also extracts the IP address of the wannabe hacker, allowing the script author to access the compromised system remotely.
  4. Moreover, it also runs another payload on the script kiddie’s system, eventually installing a well-known botnet, dubbed Kaiten.
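One check that would have caught step 2, as an added example (not code from the article or the backdoored script): a backdoor account with "the same privilege as root" shows up in /etc/passwd as an extra UID 0 entry, and any account that was not present in a baseline snapshot is worth a look. The two passwd snapshots below are constructed; on a real host you would read /etc/passwd and a saved baseline copy.

```python
# Constructed /etc/passwd snapshots for the example; on a real host read the file itself.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
researcher:x:1000:1000::/home/researcher:/bin/bash
"""
PASSWD_AFTER = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
researcher:x:1000:1000::/home/researcher:/bin/bash
VM:x:0:0::/home/VM:/bin/bash
"""


def parse_passwd(text):
    """Map username -> (uid, gid, shell) for each well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; ignore rather than crash the audit
        name, _, uid, gid, _, _, shell = fields
        try:
            users[name] = (int(uid), int(gid), shell)
        except ValueError:
            continue
    return users


def audit_accounts(before_text, after_text):
    """Return findings: extra UID 0 accounts and accounts that appeared since the baseline."""
    before, after = parse_passwd(before_text), parse_passwd(after_text)
    findings = []
    for name, (uid, _, shell) in after.items():
        if uid == 0 and name != "root":
            findings.append(f"UID 0 account besides root: {name} (shell {shell})")
        if name not in before:
            findings.append(f"account added since baseline: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD_BEFORE, PASSWD_AFTER):
        print("ALERT:", finding)
```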


For More:
https://thehackernews.com/2017/11/iot-vulnerability-scanner.html

Wednesday, November 8, 2017

Did you know that Equifax might have your salary info and might be selling it for $20?



Every payroll period, Facebook, Amazon, Microsoft, and Oracle also provide an electronic feed of their employees’ hourly work and wage information to Equifax. So do Wal-Mart, Twitter, AT&T, Harvard Law School, and the Commonwealth of Pennsylvania. Even Edward Snowden’s former employer, the sometimes secretive N.S.A. contractor Booz Allen Hamilton, sends salary and other personal data about its employees to Equifax Workplace Solutions.

If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose,” that company can purchase his employment and income information for about $20.

That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.

In May 2017, Equifax informed some of its customers that unauthorized access to their employee tax records continued, undetected, for nearly a year, between April 17, 2016, and March 29, 2017. These Equifax security lapses occurred in another of TALX’s databases, the Tax Form Management platform, after “crooks were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees,”

For More:
https://www.fastcompany.com/40485634/equifax-salary-data-and-the-work-number-database

Monday, November 6, 2017

Netflix users beware - This is not something that is only happening to others. I had also received this hoax email (a few days back).


According to security firm Mailguard, if recipients click the link in the email, they are directed to a fake Netflix page asking them to login and provide their personal information, including credit card details.


Mailguard offers these tips to help users detect the real source and purpose of an email:


  • Always hover your mouse over links within emails and check the domain they're pointing to. If they look suspicious or unfamiliar, don't open them.
  • Cybersecurity threats take many different forms, from simple spyware downloads to sophisticated ransomware attacks. Your business can be exposed to a wide variety of different vectors: through peripherals; USB devices; networks; attachments; etc. Security best practice recommends a layered defence strategy to protect users against web threats and malware.
  • 9 out of 10 cyber-attacks are delivered via email, so it's essential to have the best email filtering in place to protect your systems.
  • Keep up to date on the latest scams.
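The first tip (check where a link really points) automated, as an added example that is not Mailguard's or the article's code: parse the anchors in an email's HTML body, and where the visible link text itself looks like a URL or domain, compare it with the host the href actually points to. The sample message below is constructed, and the last-two-labels domain comparison is a deliberate simplification of a public-suffix check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style HTML body (not a real email).
SAMPLE_EMAIL_HTML = """
<p>Your Netflix account is on hold. Please <a href="http://login-netflix.example-bad.net/verify">
update your payment details at https://www.netflix.com/account</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://help.netflix.com">help.netflix.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible words) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).split()))
            self._href = None


def registrable(host):
    """Crude last-two-labels comparison; a real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def displayed_host(words):
    """If the visible link text contains a URL or bare domain, return its host, else None."""
    for word in words:
        word = word.strip(".,;:()")
        candidate = word if "://" in word else "http://" + word
        host = urlparse(candidate).hostname
        if host and "." in host:
            return host
    return None


def find_mismatched_links(html):
    """Return (shown_host, actual_host) pairs where the text advertises one domain
    but the href leads to another, which is the classic phishing tell."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, words in collector.links:
        actual = urlparse(href).hostname or ""
        shown = displayed_host(words)
        if shown and registrable(shown) != registrable(actual):
            findings.append((shown, actual))
    return findings


if __name__ == "__main__":
    for shown, actual in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: text shows {shown} but link goes to {actual}")
```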


For More:
https://finance.yahoo.com/news/hackers-launch-identity-theft-attack-151546094.html

Thursday, November 2, 2017

What is SOAR? - Security Orchestration, Automation and Response



Another buzzword to sell new products, but will they really do anything useful?
Probably so; here is an interesting essay from Bruce on "orchestration" and "incident response" to understand it better.

Data does not equal information, and information does not equal understanding


Uncertainty demands initiative, while certainty demands synchronization

When things are uncertain, you want your systems to be decentralized. When things are certain, centralization is more important. Good incident response teams know that decentralization goes hand in hand with initiative.


Automation has its place. If you think about the product categories where it has worked, they’re all areas where we have pretty strong certainty. Automation works in antivirus, firewalls, patch management and authentication systems.

For More info:
https://securityintelligence.com/security-orchestration-for-an-uncertain-world/

Wednesday, November 1, 2017

Just in time - Holiday shopping season advice from the SANS Security Awareness team.

Did you know - AV could be tricked into trusting an invalid cert



Simply copying an Authenticode signature from a legitimate file to a known malware sample, which results in an invalid signature, can cause antivirus products to stop detecting it.

"This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild,"


More Here
https://www.theregister.co.uk/2017/11/01/digital_cert_abuse/