Thursday, December 27, 2018

It is tax season, and there will be a new wave of spam and phishing attacks. The IRS suggests the following steps to avoid becoming a victim of phishing:

  • Be Vigilant – Employers and businesses providing tax services can best protect themselves from phishing attacks by educating employees with Security Awareness Training. Employees are trained on phishing tactics in order to heighten their sense of security, making it easier to spot a malicious email and avoid becoming a victim.
  • Use Security Software – the use of email, web, and DNS scanning solutions can reduce the number of potentially malicious messages that reach an inbox.
  • Use strong passwords – the emphasis is on using a unique password for each account.
  • Use Multi-Factor Authentication – when available, use MFA to better secure access to online applications, websites, and data.


Emails impersonating the IRS can be forwarded to phishing@irs.gov.

Tuesday, December 18, 2018

VPNs are safe, right? Not if you are using the free HolaVPN.

1. It could provide a gateway into the enterprise network for malicious software of many varieties.
2. It uses customers' computers and devices as exit points for spam and phishing messages.
3. The HolaVPN software failed to provide encryption for users depending on the service to protect their data from theft.
4. 85% of the HolaVPN traffic Trend Micro analyzed was concerned with mobile ads and other mobile-related domains and software.

https://www.darkreading.com/network-and-perimeter-security/trend-micro-finds-major-flaws-in-holavpn/d/d-id/1333515

Backups are important but can be dangerous when we cannot track and delete old data. This is where "Cryptographic Erasure" can be useful. It is a simple process: encrypt the data and, when it is time to delete it, DELETE THE ENCRYPTION KEY INSTEAD. The data is as good as deleted.

It has two important advantages:
1. We do not need to restrict ourselves to using a single key that encrypts an entire drive or data set. Instead, we can have as many unique keys as we need, encrypting data at the granularity that serves our purposes.

2. It entirely bypasses the issue of tracking data flows. Whether the data resides in a remote data center or in someone else's cloud is irrelevant. It is sufficient to know where our keys are and delete them.
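As an added example (not from the article or from this blog), here is a small Go program that shows both advantages in practice: every object gets its own AES-GCM data-encryption key, and erasing an object means zeroing and dropping only that key, so every replica of the ciphertext, wherever it was copied, stays in place but becomes unreadable. The Vault type, the object ids and the sample record are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault keeps ciphertexts (which in real life may sit in a backup set or in
// someone else's cloud) separately from the per-object data-encryption keys.
// Cryptographic erasure only ever touches the key side.
type Vault struct {
	ciphertexts map[string][]byte // nonce || AES-GCM ciphertext, per object
	keys        map[string][]byte // 256-bit DEK per object
}

func NewVault() *Vault {
	return &Vault{ciphertexts: map[string][]byte{}, keys: map[string][]byte{}}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext under a fresh random DEK, so each object can later
// be erased independently of every other one (advantage 1: any granularity).
func (v *Vault) Store(id string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The object id is bound as associated data so a ciphertext cannot be
	// silently re-labelled as a different object.
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	v.ciphertexts[id] = append(nonce, ct...)
	v.keys[id] = key
	return nil
}

// Read decrypts an object. It fails once the object's key has been erased,
// even though the ciphertext is still fully present.
func (v *Vault) Read(id string) ([]byte, error) {
	key, ok := v.keys[id]
	if !ok {
		return nil, errors.New("key not found: object is cryptographically erased")
	}
	blob, ok := v.ciphertexts[id]
	if !ok {
		return nil, errors.New("ciphertext not found")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// CryptoErase destroys only the key (advantage 2: no need to locate every
// copy of the data). The key bytes are overwritten before the map entry goes.
func (v *Vault) CryptoErase(id string) {
	if key, ok := v.keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, id)
	}
}

// HasCiphertext reports whether the (now useless) ciphertext is still stored.
func (v *Vault) HasCiphertext(id string) bool {
	_, ok := v.ciphertexts[id]
	return ok
}

func main() {
	v := NewVault()
	_ = v.Store("customer/42", []byte("constructed sample record"))
	pt, _ := v.Read("customer/42")
	fmt.Printf("before erase: %q\n", pt)
	v.CryptoErase("customer/42")
	_, err := v.Read("customer/42")
	fmt.Println("after erase:", err, "| ciphertext still stored:", v.HasCiphertext("customer/42"))
}
```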

https://www.darkreading.com/endpoint/cryptographic-erasure-moving-beyond-hard-drive-destruction/a/d-id/1333492

Monday, December 17, 2018

True or False: large companies have greater resources and skilled security teams, so they are better defended against cyberattacks. FALSE. They may have more resources, but they also have many more devices connected to the Net and a greater attack surface.

Here are some stats to back it up:
1. An average Fortune 500 firm had approximately 500 servers and devices connected to the Internet, with five to 10 systems exposing Windows file-sharing or Telnet services (yes, Telnet).

2. Fifteen out of the 21 industry sectors had at least one member allowing public access to a Windows file-sharing service.

3. One company in each of the aerospace & defense, chemical, and retail industries had more than 20,000 systems accessible through the Internet.

https://www.darkreading.com/perimeter/lax-controls-leave-fortune-500-overexposed-on-the-net/d/d-id/1333497

The Google Home smart speaker is a nice gadget to show off to our friends. Here is some not-so-good news: remember the Magellan (not the explorer) SQLite vulnerability? Your gadget is also affected by it, meaning it could lead to remote code execution, leaking of program memory, or program crashes.

The good news is that there is no evidence of it being used in the wild (but that could change at any time).

https://www.scmagazine.com/home/security-news/remote-code-execution-flaw-found-in-google-home-smart-speaker/

Saturday, December 15, 2018

Do you use SQLite in your organization? (No? Check again.) Magellan, the newly discovered SQLite flaw, could allow remote attackers to execute arbitrary or malicious code on affected devices, leak program memory, or crash applications.

It is used by everybody, including Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft, and a bunch of other software.

SQLite is the most widely deployed database engine in the world today, used by millions of applications with literally billions of deployments, including IoT devices.


https://thehackernews.com/2018/12/sqlite-vulnerability.html

Friday, December 14, 2018

How do you hack an email account protected with two-factor authentication? Easy: present the target with two fake pages, one for credentials and the other for the (2FA) one-time code. Don't believe me? Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers called "Charming Kitten" using this technique.

As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers immediately received the credentials in real time and entered them on the target's real login page. If a target's account was protected by 2FA, the hackers redirected the target to another page that asked for a one-time password.

Charming Kitten is involved in a targeted security breach against top US officials, and obtained emails of over a dozen US Treasury officials, those involved in the nuclear deal signed between Tehran and Washington, DC think tank employees, Arab atomic scientists, and prominent figures from Iranian civil society.


https://www.hackread.com/hackers-bypassed-gmail-yahoos-2fa-to-target-us-officials/

If you use the "Logitech Options" desktop app then you MUST read this. Logitech has finally issued a patch for a bug that could have allowed adversaries to launch keystroke injection attacks against owners of Logitech keyboards who used the app.

Previously, a malicious actor could use a rogue website to send a range of commands to the Options app and change a user's settings. In addition, a malicious actor could send arbitrary keystrokes by changing some simple configuration settings. That in turn would allow a hacker to access all manner of information and even take over a targeted machine.

https://threatpost.com/logitech-keystroke-injection-flaw/139928/

Most of us post pics on Facebook, so I thought you should know this.

Facebook on Friday disclosed a bug in its platform that it said enabled third-party apps (1,500 apps built by 876 developers) to access unpublished photos of 6.8 million users.

https://threatpost.com/facebook-photos-exposed/139940/

Thursday, December 13, 2018

Another SIS (Security Ignorance Syndrome) related data leak: an exposed S3 bucket compromises 120 million Brazilian citizens.

The treasure trove of Brazilian citizens' information included banks, loans, repayments, credit and debit history, voting history, full names, emails, residential addresses, phone numbers, dates of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.

First, someone had renamed “index.html” to “index.html_bkp,” revealing the directory's contents, and then did not prohibit access through the .htaccess configuration.

https://www.scmagazine.com/home/security-news/exposed-s3-bucket-compromises-120-million-brazilian-citizens/

Wednesday, December 12, 2018

CLOUD adoption is a good decision provided we bake in security (otherwise, get ready for data loss or a breach). By default, pods in a Kubernetes cluster can receive traffic from any source – a setting 46% of businesses leave in place, exposing pods to network attacks. Further, 15% don't use identity and access management roles for access to Kubernetes clusters.


25% of organizations use popular managed container services such as Amazon Elastic Container Service for Kubernetes and Azure Kubernetes Service.

Common misconception: there is a lack of belief that they are necessarily going to be targeted, or an unwillingness to make an investment. The motivation to secure arrives after an incident.

Other stats:
  • 27% allow root user activities.
  • Over 40% of API access keys have not been rotated in a 90-day period.
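The fix for the "traffic from any source" default is a NetworkPolicy. The manifests below are an added example, not from the article: the first denies all ingress to every pod in a namespace, the second re-allows a single path. The namespace payments, the labels app=api and app=db, and port 5432 are constructed for the illustration.

```yaml
# Default-deny ingress for every pod in the namespace "payments" (constructed
# example namespace). An empty podSelector matches all pods; listing Ingress in
# policyTypes with no ingress rules means no inbound traffic is allowed unless
# another NetworkPolicy explicitly permits it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Allow-list: only pods labelled app=api in the same namespace may reach the
# database pods on TCP 5432 (labels and port are constructed for the example).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them; on a cluster without such a plugin the manifest is accepted but has no effect, so verify enforcement rather than assuming it.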


https://www.darkreading.com/perimeter/49--of-cloud-databases-left-unencrypted/d/d-id/1333462

Tuesday, December 11, 2018

You don't need Big Brother to track you; all you need is a few apps on your (dumb) smartphone.

Analysis of the mobile data of a user, a resident of upstate New York, revealed that her location was recorded over 8,600 times, on average once every 21 minutes.

In some cases, the data was updated over 14,000 times in a single day.

The companies that buy this data sell it, analyze it, or use it for advertising purposes, as well as providing it to retail outlets to obtain insights into consumer behavior.

About 75 companies receive location data on nearly 200 million US citizens.


https://www.hackread.com/apps-on-your-phone-selling-sharing-location-data/

Wednesday, December 5, 2018

Windows 10 security questions: good for recovery but potentially bad for security, as they could be used to set up a backdoor. Unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions."

The implications for someone abusing this without the account holder's knowledge are huge.

Security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."

Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets. One can change a user's security questions and answers, installing a backdoor to access the same system in the future.


https://www.darkreading.com/endpoint/windows-10-security-questions-prove-easy-for-attackers-to-exploit/d/d-id/1333404

Tuesday, December 4, 2018

You might not be losing weight, but your wallet might get lighter: the “Fitness Balance app” and “Calories Tracker app” appear to trick unsuspecting users into approving payments of over US $100.

Upon start-up of the apps, users are requested to scan their fingerprint in order to “view their personalized calorie tracker and diet recommendations.”

However, quick as a flash, the app pops up an in-app payment dialog asking you to approve a payment of US $99, US $119.99, or €139.99.

https://www.grahamcluley.com/fitness-tracking-apps-caught-misusing-touch-id-to-steal-money-from-iphone-users/

Remember the "He Went to Jared" commercial? Here is an add-on: "And he could access other orders by changing a link in his confirmation email."

A bug was discovered and reported by a Jared customer who learned he could access other shoppers' orders by altering a link in his confirmation email and pasting the link into his browser. It was a small change, the report states, but it led him to orders containing people's names, billing and shipping addresses, phone numbers, email addresses, items and amount purchased, delivery date, tracking link, and the last four digits of the credit card used.

“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”

https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/

Friday, November 30, 2018

Did you enjoy your stay at a Marriott or Sheraton in the last 4 years? Now, here is some bad news: Marriott said that a massive data breach of its guest reservation system has exposed up to 500 million guests' data. The attackers may have had access to the systems for at least FOUR YEARS BEFORE BEING DISCOVERED.

Another example of "Prevention is ideal, but detection is a MUST".

The hotel company said in a statement on its website that hackers gained access to the Starwood reservation database. Starwood, which includes hotels like St. Regis and Sheraton, was bought by Marriott in 2016.


Marriott said that hackers stole data like name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for 327 million of these guests.

https://threatpost.com/2014-marriott-data-breach-exposed-500m-guests-impacted/139507/

Have you noticed that sometimes (with some online app) your perfectly valid password will fail and you have to contact their support to reset it? Here is one reason.

The computer maker reported yesterday, meaning 20 days later (no wonder GDPR mandates notification within 72 hours), that it detected and disrupted unauthorized activity on Dell.com on Nov. 9. Dell automatically reset the passwords WITHOUT INFORMING THE POTENTIAL VICTIMS.

This might sound good, but we know people reuse the same login information across several sites, so breach notification should have gone out immediately.

“This incomprehensible action of mass password reset may damage Dell’s reputation of a vendor who cares about information security and privacy. Preventive password reset can certainly be helpful; however, it should be properly accompanied with assuring explanations and transparent next steps,”

https://www.scmagazine.com/home/security-news/dells-belated-data-breach-notification-angers-cybersecurity-industry-exec/

Thursday, November 29, 2018

2018: year of the data leak and data breach. The sad part is that a "data leak" can be easily avoided if we can overcome SIS (Security Ignorance Syndrome).

An Elasticsearch server containing the information of nearly 57 million U.S. residents was found to have been left exposed without a password.

The database was first indexed by Shodan on November 14, 2018 and contained information including first and last names, employers, job titles, email, addresses, state, zip codes, phone numbers, and IP addresses. Diachenko also reportedly discovered a second cached database named “Yellow Pages,” which reportedly held an additional 25,917,820 records that appeared to be business entries.

Overprivileged identities are one of the biggest threats facing enterprises with complex, multi-cloud environments, and we will continue to see database leaks like this one until companies get better at assessing and managing unused, high-risk privileges.

https://www.scmagazine.com/home/security-news/elasticsearch-server-exposed-data-of-nearly-57m-u-s-residents/

Apparently, IT security folks may be estimating the value of their data wrongly. Some datasets, like R&D data, pricing models, source code, M&A documents, and signed employment agreements, are worth substantially more to organizations than other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data, and network design documents.

The survey also showed that data value — for certain types of data — decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the cost of a breach that involves product-manufacturing workflows ($106,520).

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. 

IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, how much it would cost if lost or in the wrong hands, Abbott says.

https://www.darkreading.com/vulnerabilities---threats/incorrect-assessments-of-data-value-putting-organizations-at-risk/d/d-id/1333362

Wednesday, November 28, 2018

An inconvenient truth about awareness training, enterprises, and employees: despite an increased focus on cybersecurity awareness in the workplace, employees' poor cybersecurity habits are getting worse.

  • 75% of respondents admitted to reusing passwords across accounts, including work and personal.
  • 49% of respondents would actually blame the IT department for a cyberattack if one occurred as a result of an employee being hacked.
  • Survey findings point to a workforce that is less committed to security best practices.
  • Almost half (48%) of respondents are currently using or planning to use chatbots and artificial intelligence personal assistants, with more than one tenth (13%) already using these in their organization to increase their work efficiency.
  • Over half (55%) of survey respondents stated their IT department can be a source of inconvenience in their organization.
  • 31% admitted that they have deployed software without IT's help (i.e. ‘shadow IT’).
  • 13% of employees admitted they would not immediately notify their IT department if they thought they had been hacked.
  • Enterprises are increasingly adopting software bots powered by robotic process automation (RPA), and granting them access to mission-critical applications and data, like their human counterparts.




https://www.helpnetsecurity.com/2018/11/14/poor-security-habits-are-getting-worse

Do you own a Sennheiser headset? Here is an interesting story (like the adware scandal that made Lenovo pay $7.3m for installing adware on 750,000 laptops): Sennheiser headset software could allow man-in-the-middle SSL attacks.

When users installed Sennheiser's HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA certificate store. To make matters worse, the software was also installing an encrypted version of the certificate's private key that was not as secure as the developers may have thought.

While these certificate files are deleted when a user uninstalls the HeadSetup software, the trusted root certificate was not removed. This would allow an attacker who had the right private key to continue to perform attacks even when the software was no longer installed on the computer.

Microsoft has also released the security advisory ADV180029, titled "Inadvertently Disclosed Digital Certificates Could Allow Spoofing", that explains that Microsoft has released an updated Certificate Trust List that removes trust for these certificates.

https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/

Resurrection of the worm: a fileless version of the malicious remote access tool njRAT propagates as a worm via removable drives. It looks like malware (old and new) is going to behave like a worm. Is it time to disable removable media and monitor PowerShell? It is also time to revisit old-school best practices like segmentation and endpoint isolation.

This particular variant, identified as Worm.Win32.BLADABINDI.AA, leverages AutoIt, a free automation scripting language for Windows, to compile the final payload and the main script into one executable. The technique makes the ultimate payload difficult to detect.

“The worm's payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” the blog post concludes. “Users and especially businesses that still use removable media in the workplace should practice security hygiene. Restrict and secure the use of removable media or USB functionality, or tools like PowerShell.”


https://www.scmagazine.com/home/security-news/cybercrime/malicious-developer-creates-wormable-fileless-variant-of-njrat/

Monday, November 26, 2018

L0rdix: a new malware with a lethal combination of data stealing, cryptomining, and snooping capabilities. You can buy it for 4,000 rubles ($60.96).

L0rdix also infects removable drives on the PC and maps itself to their icons while the original drive files and directories stay hidden.

The malware allows attackers to get full information about the targeted PC. After receiving the required information, the attackers can execute commands, upload files, and perform other malicious activities, including uploading mining modules.

The primary objective behind designing this malware is to mine cryptocurrency without getting detected.

https://www.hackread.com/l0rdix-dark-web-malware-steals-data-mines-crypto-botnet/

Most airports, hotels, and coffee shops offer free WiFi. How do you know which ones are NOT safe? Use this free tool to detect unsafe WiFi. (Note: the URL is free to use, but the app is owned by Symantec and needs your corporate email address for activation.)


Use the following URL:

https://maps.skycure.com/

Wednesday, November 21, 2018

Are you fine with Microsoft collecting your personal data without your permission (and, importantly, you can't stop it)?

A Data Protection Impact Assessment (DPIA) conducted by Privacy Company for the Dutch Ministry of Security and Justice has found that Microsoft has been collecting vast amounts of personal data. It recommends that IT administrators periodically delete the Active Directory accounts of some VIP users and create new accounts for them.

Microsoft does not offer any choice with regard to the amount of data, or the possibility to switch off the collection, or the ability to see what data are collected, because the data stream is encoded.

https://blog.knowbe4.com/dutch-audit-finds-microsoft-office-leaks-confidential-data

Monday, November 19, 2018

Watch out, Instagram users: a security flaw in Instagram's recently released “Download Your Data” tool could have exposed user passwords.



Despite the need for greater security, “many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties,” said Campagna. “Unless organizations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”

https://www.darkreading.com/application-security/instagram-privacy-tool-exposed-passwords/d/d-id/1333300

Beware, Skype users: a flaw in Skype for Business enables hackers to launch a DoS attack against the platform by sending large numbers of emojis through the instant messaging client. (BTW, the latest patch and proper privacy settings can fix this.)

When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis, your Skype for Business client will not be usable until the attack ends.

"Any lack of control over users (such as allowing anyone to sign up for the service, rather than specifically authorising each applicant) opens up the messaging system to a range of what are effectively ‘insider’ vulnerabilities."

https://www.scmagazineuk.com/emoji-tsunami-dos-skype-business/article/1518921

Friday, November 16, 2018

Strange fact: Japan's new cyber-security minister has dumbfounded his country by saying he has never used a computer.


"Since I was 25 years old and independent I have instructed my staff and secretaries. I have never used a computer in my life," he said, according to a translation by the Kyodo news agency.

His duties include overseeing cyber-defence preparations for the 2020 Olympic Games in Tokyo.

https://www.bbc.com/news/technology-46222026

First we hear "poorly secured", which we IGNORE; then we hear "data breach" and we are surprised. As long as we suffer from SIS ("Security Ignorance Syndrome"), we will continue to have data leakage (FYI, no hacking skills needed).

The leaky database, owned by communications firm Vovox and lacking password protection, contained tens of millions of SMS messages, two-factor codes, shipping alerts, and other user data.

https://www.darkreading.com/cloud/26m-texts-exposed-in-poorly-secured-vovox-database/d/d-id/1333292

A cybersecurity policy is not enough. Why? Cybercrime-as-a-service is steadily growing, but cybersecurity? 47% of employees don't pay much attention to their employers' cybersecurity policies, and 95% of organizations admit that their current cybersecurity environments are far below expectation.

Bottom line: you will also need company-wide communication and careful training.

  • 42% say their companies don't have a cybersecurity culture management plan or policy.
  • 67% of employees access shared documents using their devices, many of which may lack the protection needed to shut out hackers and other Internet intruders.



https://www.darkreading.com/vulnerabilities---threats/95--of-organizations-have-cultural-issues-around-cybersecurity/a/d-id/1333290

Wednesday, November 14, 2018

Wake-up call: data breaches are getting worse (2018).

  • 3,676 breaches and a staggering 3.6 billion records compromised.
  • Insiders posed the biggest threat, accounting for nearly 36% of the records compromised.
  • Email addresses, passwords, names, and addresses were the most commonly exposed data types.
  • Only 13% were discovered internally.
  • 7 of the breaches exposed 100 million or more records.
  • Organizations took an average of 47 days to publicly disclose an event.


https://www.darkreading.com/vulnerabilities---threats/2018-on-track-to-be-one-of-the-worst-ever-for-data-breaches/d/d-id/1333252

Tuesday, November 13, 2018

New "unsend" feature in Facebook: it lets you delete messages within ten minutes of sending them through the Messenger app.

Note for those working on GDPR compliance: a WordPress plug-in that's supposed to help with GDPR compliance contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites.


Known as the WP GDPR Compliance plug-in, the software module helps ensure compliance with Europe’s General Data Protection Regulation by providing tools through which site visitors can permit use of their personal data or request data stored by the website’s database.

The bug specifically exists within the plug-in’s “wp-admin/admin-ajax.php” functionality. When exploited, the vulnerability “allows unauthenticated users to execute any action and to update any database value.”

Sucuri reports that website owners hit by the redirection attack can fix the unauthorized URL setting change by manually editing the site's database table wp_options. A less desirable workaround is to define some constants within the wp-config.php file.

https://www.scmagazine.com/home/security-news/attackers-exploit-gdpr-compliance-plug-in-for-wordpress/

Monday, November 12, 2018

There is a reason why some features have a "security" tag: if you don't use them, you won't get security. For example, a full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.

Interesting bit: the U.S. leads the rest of the world in the total number of compromised EMV payment cards, by a massive 37.3 million records.

75 percent, or 45.8 million, were records stolen from in-person transactions (“card-present” in the industry parlance). These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants.

“There are numerous merchant locations that are still asking their customers to swipe rather than use the chip-insert method, thus completely neglecting the EMV security features,”

https://threatpost.com/u-s-chip-cards-are-being-compromised-in-the-millions/139028/

Thursday, November 8, 2018

Vendor blunder: Cisco “inadvertently” shipped in-house exploit code, used in its security test scripts, as part of its TelePresence Video Communication Server and Expressway Series software.

The code was used internally by Cisco in validation scripts to be included in shipping software images – it was used to ensure that Cisco's software is protected against known exploits. However, there was a failure in the final QA validation step of the software, and as a result someone from Cisco forgot to remove the code before release.

https://threatpost.com/cisco-accidentally-released-dirty-cow-exploit-code-in-software/138888/

Another incident to remind us that our vendors' and contractors' security practices are part of our security: one of American Express (India)'s subcontractors failed to encrypt 700,000 customer records, exposing names, email addresses, phone numbers, and card types.

The bulk of the data it housed – more than 2.3 million records – was encrypted, requiring an encryption key, but nearly 700,000 customer records were in plaintext, exposing names, email addresses, phone numbers, and card types. The database was not managed by AmEx itself but by one of its subcontractors, who were responsible for SEO or lead generation.

Sensitive information is left publicly available in a data repository due to poor developer practices.

https://www.scmagazine.com/home/security-news/leaky-mongodb-server-exposes-personal-info-on-700k-amex-india-customers/

Wednesday, November 7, 2018

Why you will need both technology and "awareness training" to prevent BEC and phishing attacks.

Valimail research found that, when it came to detecting fraudulent emails, there was virtually no difference between the scores of those who received anti-phishing training and those who didn't. Out of 11 emails, those who received the training identified 4.98 and those who didn't spotted 4.97.

"By taking on a more defense-in-depth approach, the burden on the humans is less, so there's a better chance that when emails do get through, the users will be able to detect them because they won't be overwhelmed."

"One of the big problems is that people tend to reuse passwords," Jacoby says.

https://www.darkreading.com/operations/identity-and-access-management/why-password-management-and-security-strategies-fall-short/d/d-id/1333221

Tuesday, November 6, 2018

Common sense says "encryption" means that you will need a "KEY" to decrypt it. When researchers tested self-encrypting SSDs from Samsung and Crucial, they found fundamental vulnerabilities in many models that make it possible for someone to bypass the encryption entirely.

The flaws allow anyone with the requisite know-how and physical access to the drives to recover encrypted data without the need for any passwords or decryption keys.

One fundamental flaw was a failure to properly bind the disk encryption key (DEK) to a password.

The full disk hardware encryption available on some widely used storage devices is so poorly implemented there may as well not be any encryption on them at all,


Another fundamental flaw the researchers discovered allows for a disk encryption key to be recovered from an SSD even after a user sets a new master password for it. In this case, the vulnerability is tied to a property of flash memory in SSDs called "wear leveling,"


https://www.darkreading.com/vulnerabilities---threats/critical-encryption-bypass-flaws-in-popular-ssds-compromise-data-security/d/d-id/1333207

Financial fraud: I am talking about us (not corporations). More than 16 million Americans were victims of fraud last year, resulting in almost $17 billion of losses. So, what can we do?

Solution (other than MFA): simple. “Be super skeptical of any email that arrives asking for any personal information,” he says. “Even if it's claiming that your account has been hacked or your bank account is overdrawn.”

“As soon as they ask you for your pin or your password, that’s a bad guy,” he says.


http://time.com/money/5439185/bank-fraud-protection-tips

Thursday, November 1, 2018

Don't become a victim of a phishing or pretexting attack

Phishing and pretexting are among the top ten causes of all data breaches. The strange part is that they are not highly technical attacks, yet they are so effective that even the most sophisticated attackers use them.
(Simple solution = UAT - User Awareness Training)


What is pretexting?
A targeted, social engineering-based attack in which attackers use continuous dialogue to build a sense of trust with the victim. By creating a fabricated scenario and posing as a senior employee or a trusted vendor, attackers manipulate victims into willingly giving up sensitive information, granting access to systems, or even transferring money.


Wednesday, October 31, 2018

Malvertisement evolution - The malware performs three checks before forwarding the victim to a malicious website.



  1. The user agent must be mobile-specific - the sites being targeted by the malware are all optimized to be viewed primarily on a mobile device.
  2. Battery level must be between 20 and 76 percent - to avoid detection by scanners.
  3. HTTP referrer must be specified - to avoid detection by known security vendors.


https://www.scmagazine.com/home/security-news/assault-and-battery-malvertising-campaign-checks-user-device-charge-as-anti-detection-technique/

Tuesday, October 30, 2018

Do you have a process to decommission your old apps/websites? - Don't worry, even some Fortune 500 companies forget it. Here are some scary stats.



  • 70% of FT Global 500 firms have access to a portion of their websites being sold on the internet black market.
  • 92% of external web applications have exploitable security flaws or weaknesses.
  • 19% of the companies examined have external unprotected cloud storage.
  • 27% of the U.S. companies have at least one external cloud storage (e.g. AWS S3 bucket) accessible without any authentication from the internet.
  • WordPress - 94% have a default admin location (on the /wp-admin URL) not protected by any additional means.


https://threatpost.com/threatlist-dead-web-apps-haunt-70-percent-of-ft-500-firms/138659/

Monday, October 29, 2018

MISCONFIGURATION (in the cloud) leads to "data breach" - that was yesterday's news. Today, threat actors have exploited misconfigured Docker containers to deliver cryptomining malware.


The attacks weren’t the result of the Docker engine being compromised or problems within Docker’s enterprise platform, but instead were the result of misconfiguration at the administrator level.

The attackers often exploited the misconfigurations to create Docker containers through exposed API ports, then installed a wget package using the system package manager, used wget to download an auto-deployment script, converted the script from DOS to Unix format, set the executable permission on the script, and ran it.

In order to prevent similar attacks, researchers recommend that organizations: harden their security posture; ensure that container images are authenticated, signed, and from a trusted registry; enforce the principle of least privilege; properly configure how many resources containers are allowed to use; and enable Docker’s built-in security features to help defend against threats.
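The "exposed API port" in the attack chain above is usually a one-line mistake in the daemon configuration. The following checker is an added example (not code from the article or from Docker) that audits a daemon.json for that mistake and for the least-privilege setting the recommendations mention. The keys it reads ("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey", "no-new-privileges") are real daemon.json options; the two configurations embedded in it are constructed for the demo, and `audit_daemon_config` / `audit_daemon_json` are hypothetical names.

```python
"""Audit a Docker daemon.json for an unauthenticated remote API (added example)."""
import json
from typing import Dict, List

# Constructed: the API is published on every interface with no authentication.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed: the API is still remote, but only clients presenting a certificate
# signed by the configured CA can use it, and containers cannot gain privileges.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "no-new-privileges": true
}"""


def audit_daemon_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls = cfg.get("tlsverify") is True

    for host in tcp_hosts:
        if not tls:
            # Anyone who can reach this port can create containers as root on
            # the host; this is the hole the cryptominer campaign walked through.
            findings.append(f"UNAUTHENTICATED_API: {host} listens without tlsverify")
    if tls:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"TLS_INCOMPLETE: tlsverify is set but {key} is missing")
    if cfg.get("no-new-privileges") is not True:
        # Least privilege: stop setuid binaries inside containers from
        # elevating beyond the privileges the container started with.
        findings.append('NO_NEW_PRIVILEGES_OFF: set "no-new-privileges": true')
    return findings


def audit_daemon_json(text: str) -> List[str]:
    """Parse daemon.json text and audit it."""
    return audit_daemon_config(json.loads(text))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(text) or "OK")
```

One caveat when applying the hardened file: on systemd-based installs whose unit already passes `-H fd://` on the command line, setting "hosts" in daemon.json conflicts with that flag and the daemon will refuse to start, so move the listener configuration to one place or the other.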

https://www.scmagazine.com/home/security-news/cybercriminals-exploit-misconfigured-container-to-deliver-cryptominer/

Why is "security in the cloud" (your responsibility) important? (Don't confuse it with "security of the cloud", which is the vendor's responsibility.)


Nearly half – 46 percent – of 37,000 Twitter users polled by Armor over a 13-week period said they’ve put sensitive data in the cloud, while 41 percent said they’d do so in the next two years.

In addition, 47 percent did not understand what shared responsibility means in the realm of cloud security.

https://www.scmagazine.com/home/security-news/armoru-poll-finds-46-of-37k-twitter-users-have-put-sensitive-data-in-cloud/

Is it time to move away from "AppSec" to "Software Security"?


If you agree that the following statements are true:

  1. Software is the umbrella for anything written in code; an application is a component of software and just as vulnerable.
  2. Applications allow a user to perform a task or activity while software executes that task or activity.
  3. Application security came about as initial security testing focused on testing a running application, much like quality assurance testing, and ignored the back-end software components.
  4. If something is written in a coding language, then it needs to be tested to ensure it is secure. All software is written in a coding language.
  5. Software is the ecosystem of technology while applications are the entry point into that ecosystem.


These four priorities are a good place to start:

  1. Organizations need to move beyond the barriers and limitations of traditional gated security approaches and move to a new era of full visibility and control over their software exposure at any stage of the development life cycle.
  2. Proper and consistent training should be funded and provided across entire organizations.
  3. Remediation efforts need to be made into actionable insights that address vulnerabilities within the entire SDLC.
  4. Everyone that touches software and participates in the security of it needs to be forward thinking, forgetting the typical nuances of the past.



https://www.darkreading.com/attacks-breaches/appsec-is-dead-but-software-security-is-alive-and-well/a/d-id/1333096

Good news for Windows 10 users - Microsoft has built Windows Defender to run in a sandboxed environment.


With Windows Defender running in a restrictive process execution environment, attackers who break in are stuck inside the isolated environment and can't affect the rest of the system.

The feature is now available to Windows Insiders to test in upcoming versions of Windows 10. If you are not in the program and can't wait for Microsoft to release it in full, you can force-enable Windows Defender to run in a sandbox on Windows 10 version 1703 and later.

Windows Defender runs with high privileges to scan systems for malicious content; because of this, it's already a prime target for cyberattacks. If someone successfully exploits a bug in Windows Defender, an entire system can be taken over.



https://www.darkreading.com/analytics/windows-defender-first-full-antivirus-tool-to-run-in-a-sandbox/d/d-id/1333141

Friday, October 26, 2018

Can you rely on that little "green lock" in your browser? - Not anymore, if the following is true.


By the end of 2016, less than 1% of phishing attacks leveraged Web certificates, he continues. By the end of 2017, that number had spiked to 30%.
"We expect by the end of this year more than half of attacks are [going to be] done using Web certificates,"

Web certificates provide a low-cost means for attackers to convince victims their malicious sites are legitimate, explains Alejandro Correa.


https://www.darkreading.com/attacks-breaches/deepphish-simulating-malicious-ai-to-act-like-an-adversary/d/d-id/1333135

Thursday, October 25, 2018

Third-party apps may be reading our Gmail. If this does not bother you, then ignore this message.


Third-party developers can often read Gmail message content once the relevant authorization has been granted to them.

To increase your privacy, use Security Checkup

To get access to this tool, you will need to sign in to your Google Account (myaccount.google.com) and manage specific settings.
(One feature stands out above the others: it shows the number of applications having access to your data.)
To proceed, click the squares in the upper right corner and choose Account in the drop-down list. Then find the Security Checkup tab. This option lets you view the number of devices used to sign in to your account. It also tells you whether any security issues have occurred over the last 28 days.

https://www.hackread.com/third-party-apps-may-read-your-email-learn-how-to-protect/

Wednesday, October 24, 2018

When was the last time you verified your file backups? - There is a new Windows zero-day flaw that could help attackers delete your files. It affects Microsoft Data Sharing on all versions of Windows 10, including the most recent update, in addition to Server 2016 and Server 2019.

The PoC shows that, once they have that access, an attacker would be able to delete files that typically require administrative privileges to delete.

https://www.darkreading.com/vulnerabilities---threats/twitter-user-discloses-second-microsoft-zero-day/d/d-id/1333115

Malware evolution - New downloaders (sLoad) can perform reconnaissance and then determine what malware to install.

The new sLoad banking Trojan downloader gathers information about the infected system, including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. It will also take screenshots of the target machine.


Current targets are banks in Canada, the UK and Italy (this can expand).

https://threatpost.com/sload-banking-trojan-downloader-displays-sophisticated-recon-and-targeting/138542/

Tuesday, October 23, 2018

Here is something to consider during your next security awareness training

Top-Clicked Phishing Email Subjects for Q3 2018 




Holiday (active scam/phishing) season - Time for awareness re-training. Here is another useful article from Europol that you could use.

TIPS

  • Your bank (or most organizations for that matter) will never ask you for sensitive information such as your online account credentials over the phone or email.
  • If an offer sounds too good to be true, it’s almost always a scam.
  • Check your online accounts regularly.
  • Check your bank account regularly and report any suspicious activity to your bank.
  • Perform online payments only on secure websites (check the URL bar for the padlock and https) and using secure connections (choose a mobile network instead of public Wi-Fi).
  • Keep your personal information safe and secure.
  • Be very careful about how much personal information you share on social network sites. Fraudsters can use your information and pictures to create a fake identity or to target you with a scam.
  • If you think that you have provided your account details to a scammer, contact your bank immediately.
  • Always report any suspected fraud attempt to the police, even if you did not fall victim to the scam.

https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/take-control-of-your-digital-life-don’t-be-victim-of-cyber-scams

Monday, October 22, 2018

It is the start of the holiday season, which also means we will see an increase in SCAMS and phishing attacks. It is time to re-educate all employees (mock phishing, awareness training). The link has a useful SANS "OUCH!" newsletter that you could circulate to your staff.

iPhone and cryptomining malware infection!! - A nearly 400% rise in iPhone attacks was recorded in just the last two weeks of September.



Surprised? Why? After all, smartphones are also computers (and probably a good attack surface).

Cybercriminals are using the Coinhive mining malware for attacking iPhones.

According to Check Point’s latest Global Threat Index, the company is being targeted more frequently in cryptomining malware attacks.

The inclusion of Safari browser raises concerns that this may not be an iPhone related phenomenon only and could very well be a mining script. The report also mentions Coinhive, which further intensifies these concerns.

These attacks definitely serve as a reminder to all that mobile devices are quite vulnerable to attack but are often ignored by organizations as probable attack surface. It is therefore imperative that mobile devices are comprehensively protected with a reliable threat prevention solution.

https://www.hackread.com/hackers-hit-iphones-with-cryptomining-malware/

Friday, October 19, 2018

Do you know how cybercriminals steal your personal info? - Here are five common — but unexpected —ways that cybercriminals try to get this information from you, and how to stop them.



  1. Surveys and games - if you give this information to unknown sites or post it publicly on social media, you’re actually sharing some of your answers to the typical security questions used by banks (for example).
  2. Old devices - when you get rid of or give away outdated equipment, make sure you delete all your personal information first by wiping it clean.
  3. Fake job postings
  4. Social media and dating sites - beware of “friend” requests from people you don’t know.
  5. Offline shenanigans - shoulder surfing, listening in, accessing your mailbox




https://www.getcybersafe.gc.ca/cnt/blg/pst-20181016-en.aspx

FreeRTOS riddled with severe vulnerabilities - Why care? Because there is a high possibility that you own one of the IoT devices (including those from Amazon) that is running this OS.



The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak information from the devices’ memory, and take them over.


FreeRTOS and SafeRTOS, for their part, “have been used in a wide variety of industries: IoT, Aerospace, Medical, Automotive, and more,” according to the company’s post. “Due to the high risk nature of devices in some of these industries, zLabs decided to take a look at the connectivity components that are paired with these OS’s. Clearly, devices that have connectivity to the outside world are at a higher degree of risk of being attacked.”


https://threatpost.com/aws-freertos-bugs-allow-compromise-of-iot-devices/138455/

Thursday, October 18, 2018

Medical Marijuana - The Infographic might surprise you

Collaboration is good but, are you aware of some of the risks these integrations bring?



Here are 7 of them



  1. API - APIs are the programming glue that holds collaboration systems together in cohesive architectures for specific groups and applications. The trouble is, history shows that this glue can develop cracks that allow hackers to attack the components at the point where they're joined. Consider a zero-trust architecture in which every component and API must authenticate at each transaction. 
  2. Encryption errors - A zero-trust architecture requires encryption within the collaboration application, rather than simply around the application. And the storage systems where data from the collaboration system is stored should be encrypted if that data is at all sensitive to the organization.
  3. Mobile Apps - Even when the software is legitimate, the actions of the user may not be. Phishing, smishing (credential-hunting via SMS), and whishing (the same, via WhatsApp) are all threats that can hit companies that have taken care with all of the app-based vulnerabilities of their mobile devices. While these may not directly use the collaboration system, once credentials are compromised through one of the "-ishing" methods, the credentials for the collaboration system should be considered compromised, as well.
  4. Privilege Escalation -  Users inherit their privilege level from the AD, LDAP, or other directory system in use by the organization. That works well in many situations, but the nature of projects and collaboration means there can be privilege mismatch. Worse, a privilege escalation attack on one side of the application/OS equation can mean an increased vulnerability on the other side, as well.
  5. Third-party vulnerability - Every third-party integration comes with access to the vulnerabilities that may exist within those third-party tools. The issue for the IT department may well be creating rules for expansion that cover ad-hoc employee experiments and conditions for their safe deployment.
  6. Voice control - Voice assistants are always listening, which means they are always vulnerable to exploits that let unauthorized listeners hear privileged conversations.
  7. Web - Where there are Web browsers there are Web applications, and where there are Web applications there are vulnerabilities. 


https://www.darkreading.com/application-security/7-ways-a-collaboration-system-could-wreck-your-it-security/d/d-id/1333064?image_number=1

Wednesday, October 10, 2018

Time to update WhatsApp? - WhatsApp has patched a vulnerability in its smartphone code that could have been exploited by miscreants to crash victims' chat app simply by placing a call.



"This issue can occur when a WhatsApp user accepts a call from a malicious peer," Silvanovich explained. "It affects both the Android and iPhone clients."

The bad news is that Google unsealed the bug details before the 90 days were up because it thought a patch was readily available.

https://www.theregister.co.uk/2018/10/09/whatsapp_patches_security_bug/

Thursday, October 4, 2018

Chinese spy chips found in hardware used by Apple and Amazon? - Both vendors say "NO".



Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.

Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.


https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Wednesday, October 3, 2018

Monday, October 1, 2018

Be vigilant - Voice phishing scams are becoming harder to tell apart from legitimate calls. However, old-school best practices still help: never give out your PIN or any security information over the phone.



Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/

Beware - The FBI and DHS issued a joint warning to consumers and businesses on the increasing use of the Remote Desktop Protocol (RDP) administration tool as an attack vector.


The two law enforcement agencies said CrySiS, CryptON and SamSam ransomware have all been spread through RDP attacks. CrySiS has mainly been used against U.S. businesses that have computers with open RDP ports. Here attackers use brute-force and dictionary attacks to gain unauthorized remote access; CrySiS is then dropped onto the device and a ransom is demanded.


Recommendations to protect a system included:

  • Enable strong passwords and account lockout policies to defend against brute-force attacks.
  • Apply two-factor authentication, where possible.
  • Apply system and software updates regularly.
  • Maintain a good back-up strategy.
  • Disable the service if unneeded or install available patches.
  • Enable logging and ensure logging mechanisms capture RDP logins.
  • Minimize network exposure for all control system devices. Where possible, critical devices should not have RDP enabled.
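The "enable logging and ensure logging mechanisms capture RDP logins" item only pays off if someone looks at those logins. The script below is an added example (not code from the advisory) of the detection logic a defender would run over Windows Security events: it flags a source IP that racks up a burst of failed RDP logons and reports whether the same IP later logged on successfully, which is the pattern of the brute-force/dictionary attacks the bulletin describes. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the log lines are constructed and use documentation IP ranges, and `parse_events` / `detect_rdp_bruteforce` are hypothetical names.

```python
"""Detect RDP brute-force bursts in constructed Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# timestamp,event_id,logon_type,account,source_ip  (constructed sample)
SAMPLE_LOG = """\
2018-10-01T02:00:01,4625,10,administrator,203.0.113.10
2018-10-01T02:00:03,4625,10,administrator,203.0.113.10
2018-10-01T02:00:04,4625,10,admin,203.0.113.10
2018-10-01T02:00:06,4625,10,backup,203.0.113.10
2018-10-01T02:00:08,4625,10,administrator,203.0.113.10
2018-10-01T02:00:09,4625,10,administrator,203.0.113.10
2018-10-01T02:00:12,4624,10,backup,203.0.113.10
2018-10-01T09:15:00,4625,10,jsmith,198.51.100.7
2018-10-01T09:15:30,4624,10,jsmith,198.51.100.7
2018-10-01T09:30:00,4625,2,jsmith,-
"""

RDP_LOGON_TYPE = "10"  # Windows logon type 10 = RemoteInteractive (RDP)
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse_events(text: str) -> List[Dict]:
    """Turn the CSV-style sample into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": event_id,
                       "logon_type": logon_type, "account": account, "src": src})
    return events


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when one source IP produces >= threshold RDP logon failures inside
    `window`; also report whether that IP logged on successfully afterwards."""
    rdp = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    failures: Dict[str, List[Dict]] = defaultdict(list)
    successes: Dict[str, List[Dict]] = defaultdict(list)
    for e in rdp:
        bucket = failures if e["event_id"] == FAILED_LOGON else successes
        bucket[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = fails[start]["ts"]
                alerts.append({
                    "source_ip": src,
                    "failures": len(fails),
                    "accounts": sorted({e["account"] for e in fails}),
                    # A success after the burst is the case to escalate first.
                    "success_after": any(s["ts"] > first for s in successes.get(src, [])),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single user who mistyped a password once and then logged in (198.51.100.7) is not flagged, while the burst across several account names from 203.0.113.10 followed by a successful logon is exactly the event a SOC should page on; in production the same logic runs over the exported 4624/4625 events rather than the constructed sample.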


https://www.scmagazine.com/home/news/rdp-attacks-on-the-rise-warns-fbi-dhs/

Friday, September 28, 2018

FYI - Facebook has been using contact information that users explicitly provided for security purposes—or that users never provided at all—for targeted advertising.


(and)
Facebook is also grabbing your contact information from your friends.
This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends’ phone books.

https://www.eff.org/deeplinks/2018/09/you-gave-facebook-your-number-security-they-used-it-ads

Thursday, September 27, 2018

Data security - A boring idea, but data have become a new form and flow of currency. How much have we adapted to this idea?


Customer data, market data, intellectual property, resource consumption data, productivity data, and dozens of other categories are a new form and flow of currency in the data-driven enterprise. However, as data flow has achieved parity with cash flow, the CISO or the CSO has not achieved parity with the CFO.


  • Rather than using application names or table or column names, group data at the lowest level into buckets like "high-sensitivity personally identifiable information" or "customer payment information."

  • Too often companies focus on the relationship between users and application access. This is important, but it doesn't take into account which applications have access to what data, and therefore ignores the direct relationship between users and data.

  • Through new technologies like blockchain, data flows can be recorded directly as they happen, making the resulting audit trail immutable and virtually impossible for the record to be manipulated.




https://www.darkreading.com/analytics/managing-data-the-way-we-manage-money/a/d-id/1332896

Tuesday, September 25, 2018

If you are using KODI media player then you should know that it could be used as a malware distribution platform for cybercriminals.




Researchers from ESET said that malware can spread through Kodi in three different ways:

  1. Users could add the URL of a malicious repository to their Kodi installation, which would download add-ons whenever they update their Kodi installations.
  2. Users could install a ready-made Kodi build that includes the URL of a malicious repository.
  3. Users could install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates.


“Cybercriminals are increasingly abusing add-ons and scripting functionalities in response to the tightening of security measures for operating systems.”

The top five countries affected by the threat, according to ESET’s telemetry, are the United States, Israel, Greece, the United Kingdom and the Netherlands.

https://threatpost.com/cybercriminals-target-kodi-media-player-for-malware-distribution/137670/

Say "NO" to Free VPN because organizations are intentionally setting them up as a way to gather user data.


While many VPN service providers would want you to believe that they have charitable aims in offering VPN access for free, the reality is that most free VPN services are glorified data farms.

Hotspot Shield, in particular, is a major culprit.
Hotspot Shield hijacks and redirects user traffic from top e-commerce websites to that of its affiliate partners, and also uses more than five different third-party tracking libraries to enable it to serve targeted ads to its users.

Very few of the users know that Hotspot Shield intentionally allows third parties to gather data from users of their VPN service.

Here it is straight from their privacy policy page: “Our ad partners may also receive information independently from you or your device.” The data Hotspot Shield’s “ad partners” are allowed to gather may include your device’s advertising ID, IMEI, MAC address, and wireless carrier information.

HOLA - A team of researchers even set up a website to expose some of the flaws in Hola — including serving as an exit node and allowing code to be executed on computers using the Hola software.

Betternet - Does the same by allowing its advertisers the kind of access that makes it possible for them to gather data from their users' devices.



VPN services have been set up solely for the purpose of acquiring and trading user data. How else would you explain the fact that a big data company, Talking Data, is behind some of the popular VPN apps in the Google Play store, including GO VPN and Eagle VPN?

Those who do not gather these data directly give advertisers free rein to do it in order to deflect responsibility, which is much worse. Even worse, some of the data gathered are transmitted over insecure connections, compromising user privacy.


https://www.hackread.com/almost-every-major-free-vpn-service-is-a-glorified-data-farm/

Wednesday, September 19, 2018

Can you rely on video surveillance recordings if they could be tampered with remotely by a hacker?



Hundreds of thousands of security cameras are believed to be exposed to a zero-day vulnerability (dubbed "Peekaboo") that could allow hackers to spy on feeds and even tamper with video surveillance recordings.



The vulnerability, dubbed “Peekaboo”, exists in NUUO’s Network Video Recorder software and aside from allowing remote hackers to snoop on and even alter CCTV footage, can even be abused to steal data such as credentials for all connected security cameras, IP addresses, and other data related to the devices.

First, NUUO is a leading member of the video surveillance industry.
According to some estimates there might be anything between 180,000 and 800,000 CCTV cameras in public usage that are vulnerable to “Peekaboo”.

Secondly, hackers could exploit the root access they gain on vulnerable devices to disconnect live video feeds, or even tamper with security footage.

The good news is that NUUO is believed to be working on a patch. The bad news is that each camera is likely to need to be updated manually once a patch is made available.

https://www.bitdefender.com/box/blog/iot-news/peekaboo-zero-day-lets-hackers-view-alter-surveillance-camera-footage/

Tuesday, September 18, 2018

Welcome to the new generation of all-in-one malware, "XBash", which combines ransomware, a bot and a worm.



It can infect both Linux and Windows. It deletes databases and creates ‘PLEASE_READ_ME_XYZ’.

As usual we have two choices: we can buy an expensive gadget that has a flashy dashboard, or we could simply patch our systems.

Victims are instructed to deposit 0.02 bitcoin to the address mentioned by the attacker to recover the lost data, otherwise the contents will be leaked on the internet. But this is a false promise, because the malware simply cannot recover the data.



https://www.hackread.com/linux-windows-disk-wiper-ransomware-cryptomining-xbash-malware/

Thursday, September 13, 2018

How can you be sure that you are not looking at a fake login page? - Safari and MS Edge browsers can preserve the address bar while loading content from a spoofed page. This vulnerability would allow an attacker to create fake login screens or other forms that could harvest usernames, passwords and other data from users who thought they were on a real landing page.



Rafay Baloch spotted the vulnerability, which could allow JavaScript to update the address bar while the page was still loading, effectively causing the browser to display the intended address while loading content from the spoofed page.

Microsoft has already taken action and patched the vulnerability (CVE-2018-8383) in its Edge browser (this will help only if you are patching regularly), but Safari remains vulnerable as Apple has yet to patch it.

https://www.scmagazine.com/home/news/apples-safari-and-microsofts-edge-browsers-contain-spoofing-bug/

Tuesday, September 11, 2018

If you are concerned about identity theft and the credit history of all your family members, you should read this.

You can "credit freeze" (restrict access to your credit file, making it far more difficult for identity thieves to open new accounts in your name) for FREE.

Identity thieves can and often do target minors, but this type of fraud usually isn’t discovered until the affected individual tries to apply for credit for the first time, at which point it can be a long and expensive road to undo the mess.

According to the U.S. Federal Trade Commission, when the new law takes effect on September 21, Equifax, Experian and TransUnion must each set up a webpage for requesting fraud alerts and credit freezes.

The law also provides additional ID theft protections to minors. Currently, some state laws allow you to freeze a child’s credit file, while others do not. Starting Sept. 21, no matter where you live you’ll be able to get a free credit freeze for kids under 16 years old.


Under the new law, fraud alerts last for one year, but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval if you have a fraud alert on your file, they’re not legally required to do this.

https://krebsonsecurity.com/2018/09/in-a-few-days-credit-freezes-will-be-fee-free/

Windows Security folks - Take a look at the list of websites and services that a Windows PC connects to after a clean install.

Monday, September 10, 2018

Do you know your windows 10 PC can be set to auto-lock when you step away - All you need is a Bluetooth enabled device (your phone maybe)

We know free apps make money by selling your info; how about one (Adware Doctor) that you pay to protect you but actually pilfers data secretly to a server in China (bypassing App Store sandbox restrictions)?


Adware Doctor
The app sidesteps Apple's sandbox and covertly collects users' browser histories and then transfers them to a server in China, which is a blatant violation of Apple's developer guidelines.

Adware Doctor collects sensitive user data—primarily any website you've visited or searched for—from all the popular web browsers, including Chrome, Firefox, and Safari, and then sends that data to a Chinese server at hxxp://yelabapp.com/ run by the app's makers.

What's more, Adware Doctor was originally named "Adware Medic," which was clearly designed to mimic a different AdwareMedic app acquired and rebranded by Malwarebytes in 2015.

Wardle contacted Apple weeks ago about the issue, but the company did nothing about it.

https://thehackernews.com/2018/09/mac-adware-removal-tool.html

Friday, September 7, 2018

Recently, we have heard multiple stories revolving around "AWS S3 bucket leaks". How can we avoid this? Here is a checklist of things you should configure to ensure your critical data is secure.



Behind what seemed to be an obvious configuration mistake, two primary reasons surfaced:

1. Too Much Flexibility (Too Many Options) Turns into Easy Mistakes
There are five different ways to configure and manage access to S3 buckets.
More ways to configure means more flexibility, but also a higher chance of making a mistake. The other challenge is that there are two separate kinds of policy, one for buckets and one for the objects within the bucket, which makes things more complex.

2. A “User” in AWS is Different from a “User” in your Traditional Datacenter
On an AWS account, the “Everyone” group includes all users (literally anyone on the internet) and “AWS Authenticated User” means any user with an AWS account.


S3 Security Checklist


  • Audit for Open Buckets Regularly
  • Encrypt the Data
  • Encrypt the Data in Transit
  • Enable Bucket Versioning
  • Enable MFA Delete
  • Enable Logging
  • Monitor all S3 Policy Changes
  • Track Applications Accessing S3
  • Limit Access to S3 Buckets
  • Close Buckets in Real time
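The first checklist item, "Audit for Open Buckets Regularly", is the one that catches the "Everyone" and "AWS Authenticated User" mistakes described above. The script below is an added example (not code from the article or from AWS) of that audit: it reads a bucket's ACL and bucket policy in the same shape the real `s3:GetBucketAcl` / `s3:GetBucketPolicy` responses have (for example boto3's `get_bucket_acl` and `get_bucket_policy`) and flags grants to the AllUsers / AuthenticatedUsers groups and Allow statements with a wildcard Principal. The bucket inventory is constructed for the demo; the private bucket's policy also shows the standard "deny when aws:SecureTransport is false" statement that implements the "Encrypt the Data in Transit" item. `acl_findings`, `policy_findings`, `audit_bucket` and `audit_inventory` are hypothetical names.

```python
"""Audit S3 bucket ACLs and policies for public access (added example)."""
import json
from typing import Dict, List, Optional

# Real S3 group URIs behind the console's "Everyone" and "Authenticated users".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "anyone with any AWS account",
}


def acl_findings(acl: Dict) -> List[str]:
    """Flag ACL grants to the two public groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            out.append(f"ACL grants {grant['Permission']} to {who}")
    return out


def _principal_is_wildcard(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json: Optional[str]) -> List[str]:
    """Flag Allow statements open to a wildcard principal; note when a
    Condition narrows them, since that still deserves a human look."""
    out: List[str] = []
    if not policy_json:
        return out
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        qualifier = " (conditional)" if stmt.get("Condition") else ""
        out.append(f"policy allows {', '.join(actions)} to Principal *{qualifier}")
    return out


def audit_bucket(name: str, acl: Dict, policy_json: Optional[str]) -> List[str]:
    return [f"{name}: {f}" for f in acl_findings(acl) + policy_findings(policy_json)]


# Constructed inventory; in practice each entry comes from get_bucket_acl and
# get_bucket_policy for every bucket returned by list_buckets.
SAMPLE_BUCKETS = {
    "example-leaky-logs": {
        "acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERID"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-leaky-logs/*"}]}),
    },
    "example-private": {
        "acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "OWNERID"}, "Permission": "FULL_CONTROL"}]},
        # Deny any request that is not over TLS: "Encrypt the Data in Transit".
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::example-private", "arn:aws:s3:::example-private/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    },
}


def audit_inventory(buckets: Dict) -> List[str]:
    findings: List[str] = []
    for name, data in buckets.items():
        findings.extend(audit_bucket(name, data["acl"], data["policy"]))
    return findings


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_BUCKETS):
        print(finding)
```

Run on a real account, the inventory is built with `aws s3api list-buckets`, `get-bucket-acl` and `get-bucket-policy` (or the boto3 equivalents) and the audit is scheduled, which is what "regularly" in the checklist means; note that a Deny statement never makes a bucket public, so only Allow statements are inspected, and a conditional Allow to `*` is reported rather than silently accepted so that someone checks whether the condition really restricts it.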




http://infosecisland.com/blogview/25056-Avoiding-Holes-in-Your-AWS-Buckets.html

BEWARE - cybercriminals have figured out a new way to steal funds from people’s credit cards.

The malefactors use a legitimate remote access tool for mobile devices called AirDroid. They try to dupe as many people as possible into installing the app and authenticating with credentials provided by the attackers. The main target audience is 25-year-olds and up. The idea is to transfer money from a card by sending a specific text message to a short number on behalf of the victim. While this service number varies between banks, a regular Google search finds it in the blink of an eye.

https://www.tripwire.com/state-of-security/featured/crooks-drain-your-credit-card-account/

Wednesday, September 5, 2018

Did you know: 60 percent of business email compromise (BEC) attacks are hard to detect because they don't involve a malicious link.



  • They are intended to start a conversation with the recipient — and eventually persuade the target to authorize a wire transfer or send sensitive information.
  • 46.9 percent of attacks tried to initiate a wire transfer, while 40.1 percent pushed victims to click on a malicious link.
  • (Big surprise) Almost half of the impersonated roles and more than half of the targets are not in 'sensitive' positions.


https://threatpost.com/threatlist-60-of-bec-attacks-fly-under-the-radar/137156/

Is your "Security Awareness" program going well? If not, maybe you should read this.



6 Reasons Security Awareness Programs Go Wrong

1. Security Pros Get Too Technical with Top Management

2. Companies Don't Spend Enough Time Training Execs With Financial Responsibilities

3. Managers Across the Business Aren't Encouraged to Participate

4. Companies Don't Recruit Natural Leaders

5. Companies Don’t Sell the Personal Benefits of Security Awareness Programs

6. Companies Don't Plan Properly or Test Thoroughly Enough

https://www.darkreading.com/threat-intelligence/6-reasons-security-awareness-programs-go-wrong/d/d-id/1332644




Friday, August 31, 2018

Fact is stranger than fiction - Can you remotely spy on the content on a Screen with a Mic?

Remote surveillance dubbed "Synesthesia": a side-channel attack that can reveal the contents of a remote screen, providing access to potentially sensitive information based solely on "content-dependent acoustic leakage from LCD screens."

https://arstechnica.com/information-technology/2018/08/researchers-find-way-to-spy-on-remote-screens-through-the-webcam-mic/

OWA admins should take note of this - Enterprises running Exchange Server with two-factor authentication on Outlook Web Access (OWA) could be hacked due to a design flaw.


The principal problem is that Outlook Web Access and Exchange Web Services run on the same web server and are both enabled by default, and enterprises often overlook this.

It appears that Outlook portals protected by two-factor authentication might not be covering all of the authentication protocols to Microsoft Exchange.

securityaffairs.co/wordpress/53147/hacking/outlook-web-access.html

Thursday, August 30, 2018

CyberEdge 2018 Cyberthreat Defense Threat Report - Scary Stats: (Check the infographic for the top 3 major issues)



  • Five million data records lost or stolen every day 
  • Cybercrime pulling in a million bucks a minute.
  • A full 77.2% of respondents report that their company had been successfully breached at least once in 2017.
  • 27.4% were reportedly breached more than six times.
  • More than 62% say they expect to be breached this year.

Despite increasing security budgets and investing in the best cybersecurity tools, organizations today are subject to more successful breaches than ever before.





https://blog.knowbe4.com/infographic-the-problem-more-data-breaches-despite-increasing-security-budgets

Good News - Securing Wireless Infusion Pumps - NIST has a Special Publication for IoMT (Internet of Medical Things) - 1800-8:


NCCoE developed this by using standards-based, commercially available technologies and industry best practices to help healthcare delivery organizations strengthen the security of the wireless infusion pump ecosystem within health care facilities.

https://csrc.nist.gov/publications/detail/sp/1800-8/final

Free - Gartner Guide to Deploying a SIEM

Tuesday, August 28, 2018

Free Educational platform for Security Researchers - Bugcrowd University (BCU)

Watch Out - New Windows zero-day vulnerability (ALPC bug) - If exploited, it could allow local users to obtain elevated (SYSTEM) privileges. NO workaround or patch yet.



The zero-day flaw has been confirmed working on a "fully-patched 64-bit Windows 10 system."

The vulnerability is a privilege escalation issue that resides in the Windows Task Scheduler and occurred due to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

Microsoft is likely to patch the vulnerability in next month's Patch Tuesday security update, which is scheduled for September 11.

https://thehackernews.com/2018/08/windows-zero-day-exploit.html

Friday, August 24, 2018

A server without a password? Particularly one that contains voter records!!!


Voter records containing personal information on millions of Texas residents have been found online: a single file containing an estimated 14.8 million records was left on an "unsecured server without a password".


https://techcrunch.com/2018/08/23/millions-of-texas-voter-records-exposed-online/

Why is Security Awareness training important?

The 2018 Verizon Data Breach Investigations Report found that:

  • Phishing and financial pretexting represented 93 percent of all breaches investigated by Verizon.
  • Email was the main entry point (96%).
  • Ransomware accounts for 85 percent of the malware in healthcare
  • Often phishing is the way attackers deploy ransomware.

Thursday, August 23, 2018

Government-backed phishing attacks? This warning comes from Google.



Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers. These attempts come from dozens of countries.

If you receive a warning in Gmail, be sure to take prompt action. Get two-factor authentication on your account. And consider enrolling in the Advanced Protection Program.

https://security.googleblog.com/2018/08/a-reminder-about-government-backed.html

"Token Binding" - A new upcoming RFC standard - Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued.



It turns out that cookies and tokens can be used outside of the original TLS context in all sorts of malicious ways, whether through hijacked session cookies, leaked access tokens, or a sophisticated MiTM. This is why the IETF OAuth 2 Security Best Current Practice draft recommends token binding.


Normally tokens are "bearer" tokens, meaning that whoever possesses the token can exchange it for resources. Token binding improves on this pattern by layering in a confirmation mechanism that tests cryptographic material collected at the time of token issuance against cryptographic material collected at the time of token use. Only the right client, using the right TLS channel, will pass the test. This process of forcing the entity presenting the token to prove itself is called "proof of possession".


https://cloudblogs.microsoft.com/enterprisemobility/2018/08/21/its-time-for-token-binding/

Are you sure that the app on your Android device is not a Trojan? - "Triout" spyware, when repackaged with a valid version of an Android app, keeps the appearance and feel of the original app and functions exactly like it.


According to the researcher, Triout can perform many spying operations once it compromises a system, including:

  • Recording every phone call, saving it in the form of a media file, and then sending it together with the caller id to a remote C&C server.
  • Logging every incoming SMS message to the remote C&C server.
  • Sending all call logs (with name, number, date, type, and duration) to the C&C server.
  • Sending every picture and video to the attackers whenever the user snaps a photo or records a video, with either the front or rear camera.
  • Capability to hide itself on the infected device.


https://thehackernews.com/2018/08/android-malware-spyware.html

Tuesday, August 21, 2018

"Dark Tequila" - An advanced keylogger that has been targeting customers of several Mexican banking institutions since at least 2013 and was discovered only recently.



Dark Tequila has primarily been designed to steal victims' financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

The list of targeted sites includes "Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services."

Once executed, a multi-stage payload infects the victim's computer only after certain conditions are met, which include checking whether the infected computer has any antivirus or security suite installed or is running in an analysis environment.

Besides this, "the threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine," the researchers say.


https://thehackernews.com/2018/08/mexico-banking-malware.html

Free Book from Microsoft - Designing Distributed Systems

Catchy names - "USBHarpoon" and "USB Condom". You should read this if you are used to borrowing USB charging cables.

USBHarpoon - A malicious version of a USB charging cable, one that can compromise a computer in just a few seconds. Once plugged in, it turns into a peripheral device capable of typing and launching commands.

The USBHarpoon / BadUSB cable attack is successful on unlocked machines, where it can launch commands that download and execute a payload. On Windows, the commands can run directly from the Run prompt; on Mac and Linux it could launch a terminal and work from there.

The solution is a "USB Condom" (I am not joking) - an electronic accessory that blocks the data pins on a USB cable and allows only power to go through (but these can be infected too).


https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/

Friday, August 17, 2018

It feels good when we can show off our new Internet-enabled home gadgets. Just be aware that sometimes a misconfigured DIY smart-home hub for home automation could allow attackers to track owners' movements, see if smart doors and windows are opened or closed, and even open garage doors.


The servers in question are 49,000 Message Queuing Telemetry Transport (MQTT) servers, which are publicly visible due to a misconfigured MQTT protocol, according to research released Thursday by Avast. This includes more than 32,000 servers with no password protection.

"The MQTT protocol is used to interconnect and control smart-home devices, via smart-home hubs,"

While the MQTT protocol itself is secure, a lack of security awareness combined with poor built-in protections can create a number of threat vectors, even when a server is partially protected.

"It is frighteningly easy to gain access and control of a person's smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern," Hron said. "Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don't fully understand and the importance of properly configuring their devices."

https://threatpost.com/open-mqtt-servers-raise-physical-threats-in-smart-homes/136586/

What is Value at Risk (VaR)?

A model that empowers a decision maker to understand three important things more clearly: what threats the product or solution is attempting to mitigate; how often those threats appear on the organization's landscape; and the current capability of the organization to recognize, respond to, and mitigate the threats.


https://www.infosecurity-magazine.com/opinions/real-security-question

Thursday, August 16, 2018

FYI, if you are an Instagram user, be aware that Instagram has been hit by a widespread hacking campaign that appears to stem from Russia.


According to victims, their account names, profile pictures, passwords, email addresses associated with their Instagram accounts, and even connected Facebook accounts are being changed in the attack.

Instagram currently relies on text messages for two-factor authentication, which is believed to be less secure than other app-based 2FA methods, but the Facebook-owned company says it is working on improving its 2FA settings.


For more information, users are recommended to visit the Instagram Help Centre dedicated to hacked accounts, which includes security tips as well as steps they can take to restore their account.

https://thehackernews.com/2018/08/hack-instagram-accounts.html

Wednesday, August 15, 2018

Attn, Windows 10 Cortana users - Here is one good reason why you should be applying the latest MS patches (Microsoft has fixed this). A locked PC with Cortana enabled on the lock screen allows an attacker with physical access to the device to launch two kinds of unauthorized exploits simply by querying her, researchers at McAfee said Tuesday.

"In the first case, the attacker can force Microsoft Edge to navigate to an attacker-controlled URL; in the second, the attacker can use a limited version of Internet Explorer 11 using the saved credentials of the victim," the researchers said in a post.

In the first scenario, a Cortana privilege escalation leads to forced navigation for Microsoft Edge on a lock screen. Essentially, the flaw does not allow an attacker to unlock the device, but it does allow someone with physical access to ask Cortana to use Edge to navigate to a page of the attacker's choosing while the device is still locked.

"It is surprising that links are offered and clickable when the device is locked," researchers said. "If you start your favorite network sniffer or man-in-the-middle proxy, you will see that the links are visited as soon as the user clicks on them, irrespective of the device's locked status."


https://threatpost.com/microsoft-cortana-flaw-allows-web-browsing-on-locked-pcs/136558/

Tuesday, August 14, 2018

Are you sure that the video captured by police body cameras has not been manipulated? They are vulnerable to hacking, making several different nightmare scenarios possible: officers themselves could be tracked, footage could be doctored or deleted, and the cameras could be hijacked to spread ransomware or malware.



"The videos can be as powerful as something like DNA evidence, but if they're not properly protected there's the potential that the footage could be modified or replaced," Mitchell told Wired. "I can connect to the cameras, log in, view media, modify media, make changes to the file structures. Those are big issues."

"These are full-feature computers walking around on your chest, and they have all of the issues that go along with that," Mitchell said. One issue that kept recurring in his research: a too-easy-to-guess default Wi-Fi password, a problem reaching near-ubiquity with IoT devices.

Mitchell demonstrated vulnerabilities in cameras made by Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. Cameras from Axon, the largest manufacturer in the US, weren’t examined for vulnerabilities, but Vievu was recently acquired by Axon.

They don’t use cryptographic mechanisms to confirm firmware updates or uploaded videos are legitimate. Mitchell found that the cameras don’t protect uploaded footage with digital signatures to ensure it hasn’t been manipulated. Without this verification, attackers could therefore download, edit, then re-upload footage to cloud storage without a trace. Mitchell also says that the cameras run firmware without verification, meaning a hacker could expose the cameras to malicious code by disguising it as a normal software update. 

https://gizmodo.com/hackers-can-turn-body-cameras-into-malware-spewing-mach-1828306760