Friday, April 20, 2018

What happens when your spy starts spying on you - JP Morgan security chief "went rogue," collecting data on some of the bank's senior executives and sparking an internal scandal.

With the help of more than 100 engineers from the data mining company Palantir, Peter Cavicchia III collected emails, browser histories and GPS locations from company phones, as well as transcripts from recorded phone conversations. The original surveillance, started in 2009, was sanctioned by the bank as a means to keep tabs on potentially dishonest traders, according to a Bloomberg News report published Thursday.

The extensive data collection, however, came to an abrupt halt after Cavicchia "went rogue," collecting data on some of the bank's senior executives and sparking an internal scandal, the report said. He was forced to resign in 2013.


https://www.cnbc.com/2018/04/19/jp-morgan-reportedly-had-to-oust-a-security-chief-backed-by-palantir.html

Irony - the RSA Conference is a security conference, and its app was leaky (again)

You wouldn’t expect the organisers of a seminar on nuclear physics to hand out conference badges that were contaminated with dangerous levels of radioactivity.

You wouldn’t expect to attend a workplace health and safety training course in a conference centre where the fire exits had been padlocked shut.


RSAC was back in the “do as I say not as I do” limelight again in 2014, issuing an official mobile app for the event that hooked into the event database so you could see the schedule of talks, with any last-minute updates or changes automatically shown.

Unfortunately, the database pulled down by the app also included details of all the other conference delegates who had registered to use the app so far – meaning that anyone who installed the app after you would get to see your details, too.

At RSAC 2018, Twitter user @svblxyz found similar security problems to those of 2014 in this year’s conference app.

Amongst other things, the app contained URLs from which database content could be downloaded, apparently including the real names of other mobile app users.


https://nakedsecurity.sophos.com/2018/04/20/rsa-conference-has-a-leaky-app-again/

Thursday, April 19, 2018

iPhone fans - your phone can be "TrustJack"ed.

Trustjacking attackers would be able to view a victim's device screen essentially in real time by installing the developer image suitable for a particular iPhone's iOS version, and then taking continuous screenshots. And they could steal content such as photos, app data and SMS and iMessage chat history simply by creating an iTunes back-up.

The only action required on the part of the victim is agreeing to "trust" the connected device when responding to an Apple security notification acknowledging the presence of an unknown machine.



Attackers have the power to remotely view victims' mobile screens, exfiltrate valuable content, or even install malicious spy apps disguised in the package of genuine apps. The victim does not even have to enable the iTunes Wi-Fi sync feature.

Symantec recommends that iOS users reset their list of trusted devices and enable encrypted backups in iTunes, protected by a strong password.


https://www.scmagazine.com/trustjacking-exploit-abuses-itunes-feature-to-spy-on-ios-devices/article/759686/

Chrome users - check if you have installed any of these FAKE, MALICIOUS extensions


  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)

Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.

The malicious extension then receives commands from the remote server, which are executed in the extension 'background page' and can change your browser's behavior in any way.

https://thehackernews.com/2018/04/adblocker-chrome-extention.html
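
As an added example (not code from the article or from Adguard), a small Python checker that walks the default Chrome profile's Extensions directory, resolves each manifest's display name (including localised "__MSG_…__" names) and reports any that match the five names listed above. The profile paths and the exact-name matching are my assumptions; a hit is a prompt to inspect that extension's ID in chrome://extensions, not proof on its own.

```python
import json
import os
import re
import sys
from pathlib import Path

# The five copycat extensions named above (user counts omitted).
SUSPECT_NAMES = {
    "adremover for google chrome",
    "ublock plus",
    "adblock pro",
    "hd for youtube",
    "webutation",
}

def normalise(name: str) -> str:
    """Lower-case, drop the trademark sign and collapse whitespace."""
    return re.sub(r"\s+", " ", name.replace("\u2122", " ")).strip().lower()

def display_name(manifest: dict, messages: dict = None) -> str:
    """Resolve a localised "__MSG_key__" name via the locale messages dict."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if m and messages and m.group(1) in messages:
        return messages[m.group(1)].get("message", name)
    return name

def load_json(path: Path):
    """Read a JSON file, tolerating the UTF-8 BOM some manifests carry."""
    try:
        return json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None

def find_suspect_extensions(extensions_root: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return
    (extension_id, version, display_name) for every name on the list."""
    hits = []
    if not extensions_root.is_dir():
        return hits
    for version_dir in sorted(p for p in extensions_root.glob("*/*") if p.is_dir()):
        manifest = load_json(version_dir / "manifest.json")
        if not isinstance(manifest, dict):
            continue
        locale = manifest.get("default_locale", "en")
        messages = load_json(version_dir / "_locales" / locale / "messages.json")
        name = display_name(manifest, messages)
        if normalise(name) in SUSPECT_NAMES:
            hits.append((version_dir.parent.name, version_dir.name, name))
    return hits

def default_extension_roots() -> list:
    """Default-profile Extensions directories on Windows, macOS and Linux
    (assumed standard install locations; pass your own path to override)."""
    home = Path.home()
    candidates = [
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / ".config/google-chrome/Default/Extensions",
    ]
    return [p for p in candidates if p.is_dir()]

if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_extension_roots()
    for root in roots:
        for ext_id, version, name in find_suspect_extensions(root):
            print(f"SUSPECT {name!r} id={ext_id} version={version} in {root}")
```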

You think you have secured your endpoints with the latest and greatest tools. What if the attacker can steal your data without touching your endpoints?

RSAC demo - IoT was hacked to steal PII.
In the demo, the IoT device need not be directly connected to the target network device. It doesn't require sophisticated hacking skills — Metasploit tools or the Linux command line will suffice.

The attack begins with an exploit of a surveillance camera via the Devil's Ivy vulnerability — a remote code execution vulnerability in an open source gSOAP library that was discovered by the Senrio team last summer. A patch for the vulnerability already exists but was not applied to this camera model — and that's not unusual.

Once the camera is compromised, the attackers then have a bird's-eye view of an employee at his workstation and the items on his desk — which include a router and a network access server (NAS). The attackers can then watch the user's keystrokes when logging in to the NAS.


How can enterprises defend against attacks like these? Carlton takes a deep breath. 

"First, find what [IoT] devices are on your network," she says. "Then we'll talk."  

https://www.darkreading.com/vulnerabilities---threats/first-public-demo-of-data-breach-via-iot-hack-comes-to-rsac/d/d-id/1331588

Do you monitor shadow admin accounts? Cloud shadow admins can be used to compromise the entire cloud infrastructure.

Shadow admins are network accounts with sensitive privileges, typically overlooked because they are not members of a highly privileged Active Directory group. “Instead, shadow admin accounts are granted their privileges through the direct assignment of permissions using access control lists on AD objects.”


In a session on Thursday, researchers offered nearly a dozen proof-of-concept scenarios in which an inside attacker can silently persist in and abuse cloud platforms to escalate user privileges, cause harm or access protected company data.

They can launch a new machine, connect to it and assign the machine permissions. Next, they can use those permissions to shut down cloud instances, exfiltrate data from databases or run crypto-mining code.

An adversary can maliciously terminate Amazon Elastic Compute Cloud (EC2) instances running within a targeted company.

“The terrifying thing is we have discovered ten different examples just like this,” Lazarovitz said. “In each example the attacker only needs one permission to escalate and gain full admin rights.”


https://threatpost.com/cloud-credentials-new-attack-surface-for-old-problem/131304/
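
As an added example, not tooling from the researchers or the article: an offline audit in Python over exported IAM policy documents that flags principals who can launch an instance and pass it a role, or terminate instances, without belonging to a recognised admin group. The sample principals are constructed, and pairing the actions this way is my reading of the scenarios above.

```python
import fnmatch

# Sensitive combinations from the session write-up: launching a machine and
# handing it a role (= assigning the machine permissions), and terminating
# instances. Real IAM action names; grouping them this way is my assumption.
SHADOW_ADMIN_PATTERNS = [
    ("launch instance with a role", ["ec2:RunInstances", "iam:PassRole"]),
    ("terminate EC2 instances", ["ec2:TerminateInstances"]),
]

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def action_allowed(policies, action):
    """Worst-case check of one action against a principal's policy documents.
    Explicit Deny overrides Allow, as in IAM; Resource, Condition and
    NotAction are ignored, so a True means "could be allowed"."""
    action = action.lower()
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
            if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed

def find_shadow_admins(principals, admin_groups):
    """principals: {name: {"groups": [...], "policies": [policy documents]}}.
    Returns {name: [labels]} for principals that hold a sensitive combination
    via directly attached policies without sitting in a recognised admin group."""
    findings = {}
    for name, info in principals.items():
        if set(info.get("groups", [])) & set(admin_groups):
            continue  # visible admin: expected, not a shadow admin
        policies = info.get("policies", [])
        labels = [label for label, actions in SHADOW_ADMIN_PATTERNS
                  if all(action_allowed(policies, a) for a in actions)]
        if labels:
            findings[name] = labels
    return findings

# Constructed sample (not real account data): a visible admin, a developer
# whose inline policy quietly grants RunInstances + PassRole, and an analyst
# whose broad ec2:* grant is fenced off by explicit Deny statements.
SAMPLE_PRINCIPALS = {
    "alice": {"groups": ["Administrators"], "policies": [
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    "bob": {"groups": ["Developers"], "policies": [
        {"Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}]},
    "carol": {"groups": ["Analysts"], "policies": [
        {"Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            {"Effect": "Deny", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
             "Resource": "*"}]}]},
}

if __name__ == "__main__":
    for user, labels in find_shadow_admins(SAMPLE_PRINCIPALS, ["Administrators"]).items():
        print(f"shadow admin: {user} -> {', '.join(labels)}")
```

Run it against policies pulled with your cloud provider's IAM export; the point is the same as the AD case above: look at effective permissions, not group membership.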

Monday, April 16, 2018

An exploit (PoC) is now available for the remote code execution vulnerability (CVE-2018-0886) in MS Windows. Applying the 03/2018 patch is not enough. Using non-privileged accounts is also recommended.

Discovered by researchers at cybersecurity firm Preempt Security, the issue (CVE-2018-0886) is a logical cryptographic flaw in CredSSP that can be exploited by a man-in-the-middle attacker with Wi-Fi or physical access to the network to steal session authentication data and perform a Remote Procedure Call attack.


When a client and server authenticate over RDP and WinRM connection protocols, a man-in-the-middle attacker can execute remote commands to compromise enterprise networks.

Researchers also warned that patching alone is not sufficient to prevent this attack: IT professionals also have to make configuration changes to apply the patch and be protected.

Blocking the relevant application ports including RDP and DCE/RPC would also thwart the attack, but researchers say this attack could even be implemented in different ways, using different protocols.

It is a good idea to decrease the use of privileged accounts as much as possible and instead use non-privileged accounts whenever applicable.


https://thehackernews.com/2018/03/credssp-rdp-exploit.html

IoT - is it the Internet of Things or the "Internet owned Things"? Cybercriminals hacked an unnamed casino through an Internet-connected thermometer in an aquarium in the casino's lobby.

The best way to protect yourself is to connect only necessary devices to the network and to place them behind a firewall.

Also, keep your operating systems and software up-to-date, make use of a good security product that protects all your devices within the network, and most importantly, educate yourself about IoT products.

https://thehackernews.com/2018/04/iot-hacking-thermometer.html


Police can unlock your iPhone with "GrayKey"


Regional police forces, such as the Maryland State Police and Indiana State Police, are procuring a technology called ‘GrayKey’ which can break into iPhones, including the iPhone X running the latest operating system iOS 11.

Grayshift has been shopping its iPhone cracking technology to police forces. The firm, which includes an ex-Apple security engineer on its staff, provided demonstrations to potential customers, according to one email.


The device comes in two versions: a $15,000 one which requires online connectivity and allows 300 unlocks (or $50 per phone), and an offline, $30,000 version which can crack as many iPhones as the customer wants.


https://motherboard.vice.com/en_us/article/vbxxxd/unlock-iphone-ios11-graykey-grayshift-police

World's biggest data breaches (as of 03/04/2018)


Includes the US military and Aadhaar (India; the government called it "fake news"). Each bubble links to the full details.

http://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Thursday, April 12, 2018

New jargon: "patch gap", "SnoopSnitch" - clue: they are related to Android phones. Example - Samsung's 2016 J3 claimed to have every Android patch issued in 2017 but lacked 12 of them, two of them considered "critical" for the phone's security.

Patch gap - the gap between patching claims and the actual patches installed on a device.

SnoopSnitch - an app that lets users check their phone's code for the actual state of its security updates.

Researchers found  what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period—leaving phones vulnerable to a broad collection of known hacking techniques.


Researchers found that Android phone vendors tell users their device's firmware is fully up to date, even while they've secretly skipped patches. Sometimes these guys just change the patch date without installing any patches.

Here is some good news - hacking Android phones by exploiting their missing patches is far harder than it sounds. Even Android phones that don't have solid patching records still benefit from Android's broader security measures.

https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you/

Another reason to block SMB ports on the firewall - an important vulnerability in Microsoft Outlook allows attackers to steal sensitive information, including users' Windows login credentials, just by convincing victims to preview an email with Microsoft Outlook.


Microsoft has released an incomplete patch this month—almost 18 months after receiving the responsible disclosure report.


The security patch only prevents Outlook from automatically initiating SMB connections when it previews RTF emails, but the researcher noted that the fix does not prevent all SMB attacks.

"It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above," Dormann said. "For example, if an email message has a UNC-style link that begins with "\\", clicking the link initiates an SMB connection to the specified server."

https://thehackernews.com/2018/04/outlook-smb-vulnerability.html
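
An added Python example (not from the article or from CERT/CC): a mail-gateway style check that pulls the UNC and file: links Dormann describes out of a message and separates those pointing outside the organisation, which is where the blocked-SMB-port advice above applies. The sample message and the internal domain suffix are constructed.

```python
import email
import re
from email import policy
from html import unescape

# Link forms that make Outlook open an SMB connection when followed:
# UNC paths (\\host\share\...) and file: URLs. Hostnames, IPv4 literals and
# dotted FQDNs are all captured as the "host" group.
UNC_RE = re.compile(r'''(?<![\w\\])\\\\([A-Za-z0-9._-]+)\\[^\s"'<>]+''')
FILE_URL_RE = re.compile(r'''file:/{2,}([A-Za-z0-9._-]+)/[^\s"'<>]*''', re.IGNORECASE)
HREF_RE = re.compile(r'''href\s*=\s*["']([^"']+)["']''', re.IGNORECASE)

def smb_targets_in_text(text: str) -> set:
    """Hosts that any UNC or file: link in the text would connect to."""
    hosts = {m.group(1).lower() for m in UNC_RE.finditer(text)}
    hosts |= {m.group(1).lower() for m in FILE_URL_RE.finditer(text)}
    return hosts

def smb_targets_in_message(raw: bytes) -> set:
    """Parse an RFC 5322 message and collect SMB targets from every text part.
    HTML parts are checked both as visible text and via their href targets,
    since the link text need not reveal where the link points."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            body = unescape(body) + " " + " ".join(HREF_RE.findall(body))
        hosts |= smb_targets_in_text(body)
    return hosts

def external_targets(hosts: set, internal_suffixes: tuple) -> set:
    """Targets outside the organisation's own naming; a gateway would
    quarantine or rewrite messages whose links point there."""
    return {h for h in hosts if not h.endswith(internal_suffixes)}

# Constructed sample message (not a real capture): a plain-text UNC link to an
# internal file server plus an HTML file: link to an outside address.
SAMPLE_EMAIL = b"""\
From: sender@example.test
To: user@example.test
Subject: Q2 report
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The report is at \\\\fileserver.corp.example.test\\reports\\q2.pdf
--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="file://203.0.113.7/reports/q2.pdf">Open the report</a></body></html>
--b1--
"""

if __name__ == "__main__":
    found = smb_targets_in_message(SAMPLE_EMAIL)
    print("SMB targets:", sorted(found))
    print("external:", sorted(external_targets(found, (".corp.example.test",))))
```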



Wednesday, April 11, 2018

Identity theft - thieves hack your account(ant). Here is what one accountant did (funny for us, not so for his clients).


John composed and distributed to his clients a form letter about their rejected returns, and another letter that clients could use to alert the IRS and New Jersey tax authorities of suspected identity fraud.

Despite receiving notice after notice that the IRS had rejected many of his clients’ tax returns because those returns had already been filed by fraudsters, for at least two weeks John does not appear to have suspected that his compromised computer was likely the source of said fraud inflicted on his clients.


Last month, KrebsOnSecurity was alerted by security expert Alex Holden of Hold Security about a malware gang that appears to have focused on CPAs. The crooks in this case were using a Web-based keylogger that recorded every keystroke typed on the target’s machine, and periodically uploaded screenshots of whatever was being displayed on the victim’s computer screen at the time.

The IRS advises taxpayers in this situation to follow the steps outlined in the Taxpayer Guide to Identity Theft. Those unable to file electronically should mail a paper tax return along with Form 14039 (PDF) — the Identity Theft Affidavit — stating they were victims of a tax preparer data breach.


I’ve long dispensed this advice for people in charge of handling payroll accounts for small- to mid-sized businesses. I continue to stand by this advice not because there isn’t malware that can infect Mac or Linux-based systems, but because the vast majority of malicious software out there today still targets Windows computers.

https://krebsonsecurity.com/2018/04/when-identity-thieves-hack-your-accountant/

Software service provider [24]7.ai was breached - you might think "I don't know this company, so I don't care." NOT IF YOU ARE a Delta, Sears, Best Buy or Kmart customer.

MORAL OF THE STORY - the security practices of our partners are indirectly part of our own security practice.


Last week software service provider [24]7.ai, a company that provides online chat services for Delta, Sears and other companies, announced that its platform was a victim of a data breach in 2017.

On Wednesday, Delta Air Lines and Sears came forward to announce that they had been impacted – and on Friday, the number of impacted companies expanded to include Best Buy,


“The question needs to be asked, who are our partners, what are their security practices, what data are we sharing, and what systems will they have access to? In this example, [24]7.ai – the software service provider for Sears (and many other large retail and airline brands) – became the source for the breach exposing customer credit card data,”

https://threatpost.com/impact-of-chat-service-breach-expands-to-best-buy-kmart/131062/

Monday, April 9, 2018

Serverless architectures - we can't add any endpoint protection (firewall, HIPS, EDR), so what can we do?


No magic bullet here - serverless computing forces software architects and developers to approach security the way it should have been approached early on — by building security in rather than bolting it on.

What are the issues?
  • Increased attack surface
  • Attack surface complexity
  • Overall system complexity
  • Inadequate security testing
  • Traditional security protections become unsuitable

This last point mandates a drastic paradigm shift in application security for serverless architectures. By definition, in a serverless architecture you only control your application's code, and that's pretty much the only thing you own. This means that if you need to protect your own serverless code, your only option is to make sure that you write secure code and that you bake security into your application.


https://www.darkreading.com/cloud/serverless-architectures-a-paradigm-shift-in-application-security/a/d-id/1331418

In a third of all marriages, one or both partners admit to cheating. Good for random blackmail (for bitcoin).

“When you look at numbers as to how many people cheat… If they send out 10 letters, maybe there are two or three people who are in fact cheating, and they think they can get them to make a payment,”

Like so many other scams, this one preys on fear by utilizing the U.S. Postal Service.

The FBI says the details in the extortion letters are just specific enough to make them believable. The agency is now investigating the origin of the letters.


http://newyork.cbslocal.com/2018/04/05/scammers-blackmailing-spouses-over-alleged-extramarital-affairs/

Dots do not matter in Gmail, so what is the risk? It helps scammers. Check this Netflix scam.

The scam fundamentally relies on the Gmail user responding to an email with the assumption that it was sent to their canonical address, and not to some other address from their infinite address set.

Some Gmail power users might claim: “The dots-don’t-matter feature is great. I get ownership of an infinite set of email addresses!” But firstly, no one wants this infinite set of email addresses. Those who really want infinite addresses already have the “plus labelling” feature.

Not only do Gmail users not want these extra addresses, most are not even aware that they have these addresses.

https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user.html
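
An added example, not from the article: a Python canonicaliser that applies Gmail's dots-don't-matter and plus-labelling rules so a service can recognise that several spellings reach one inbox before it sends account mail, which is the service-side counterpart to the scam above. Sample addresses are constructed; treating non-Gmail domains as literal is an assumption.

```python
# Gmail treats alice.smith@, a.l.i.c.e.smith@ and alicesmith+promo@googlemail.com
# as one inbox. A service that keys accounts on the literal string sees
# several users where Gmail sees one; canonicalising first closes that gap.
import re

GMAIL_DOMAINS = ("gmail.com", "googlemail.com")

def canonical_gmail(address: str):
    """Return the single inbox-identifying form of a Gmail address, or None
    if the address is not Gmail. Dots in the local part are dropped, any
    "+label" suffix is removed, case is folded and googlemail.com becomes
    gmail.com. Non-Gmail addresses are left to the caller."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        return None
    local = local.split("+", 1)[0].replace(".", "").lower()
    if not re.fullmatch(r"[a-z0-9]+", local):
        return None
    return f"{local}@gmail.com"

def same_gmail_inbox(a: str, b: str) -> bool:
    """True if both addresses deliver to the same Gmail inbox."""
    ca, cb = canonical_gmail(a), canonical_gmail(b)
    return ca is not None and ca == cb

def find_duplicate_signups(addresses):
    """Group sign-up addresses by inbox. For non-Gmail addresses only case is
    folded (assumption: their providers treat dots and labels literally).
    Returns only the groups with more than one spelling."""
    groups = {}
    for addr in addresses:
        key = canonical_gmail(addr) or addr.strip().lower()
        groups.setdefault(key, []).append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample sign-up list (not real users).
SAMPLE_SIGNUPS = [
    "alicesmith@gmail.com",
    "alice.smith@gmail.com",
    "Alice.Smith+promo@googlemail.com",
    "bob.jones@example.org",
    "bobjones@example.org",
]

if __name__ == "__main__":
    for inbox, spellings in find_duplicate_signups(SAMPLE_SIGNUPS).items():
        print(f"{inbox}: {spellings}")
```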

Wednesday, April 4, 2018

What do you do when your network perimeter is vanishing?



With mobile devices, IoT and cloud, where is your perimeter? Nice article.

Protecting your perimeter today means not only protecting your network edge devices, but also a plethora of internet of things (IoT) and mobile devices.

Mobile device management software authenticates the device by the applications on it, hard-coded IDs and other authentication data.

Identity and access management software also can include user provisioning, compliance auditing, role management, directory services, federated identity, and more.

If you have service accounts with business partners such as cloud service providers (software, backup, managed security services and other as-a-service providers), banks, local utilities, professional services vendors or others, you need to ensure that the system trying to access your network has not been compromised.

If your company is invested in smart devices such as lights, HVAC systems, security systems, or other infrastructure electronics, these devices generally have no way to update, enhance or often to even install any security. It might seem extreme but hackers have manipulated smart devices to enter corporate networks.

IMPORTANT - Make sure your infrastructure network is completely separate from your corporate data network.

Create policies and procedures for devices that are not on the white list.

The best way to ensure that only authorized devices connect to the network is to know which devices are indeed authorized.

https://www.scmagazine.com/is-your-perimeter-secure/article/755177/

It looks like data is anxious to get out (rather than being stolen). Check this 2018 Global Data Risk Report from Varonis.

  • 41% of organizations had at least 1,000 sensitive files 
  • 58% of organizations have more than 100,000 folders open to all employees 
  • 54% of an organization's data is stale on average 
  • 46% of organizations had more than 1,000 users with passwords that never expire

Tuesday, April 3, 2018

Did you know - Chrome periodically scans your device to detect potentially unwanted software



“Nobody likes surprises,” Haroon Meer, the founder at security consulting firm Thinkst, told me in an online chat. “When people fear a big brother, and tech behemoths going too far...a browser touching files it has no business to touch is going to set off alarm bells.” 

According to Google, the goal of the Chrome Cleanup Tool is to make sure malware doesn’t mess with Chrome on your computer by installing dangerous extensions, or putting ads where they’re not supposed to be.

The tool only runs weekly, it only has normal user privileges (meaning it can’t go too deep into the system), is “sandboxed” (meaning its code is isolated from other programs), and users have to explicitly click on that box screenshotted above to remove the files and “cleanup.”


https://motherboard.vice.com/en_us/article/wj7x9w/google-chrome-scans-files-on-your-windows-computer-chrome-cleanup-tool

Mobile Apps that control IoT - 80% of the tested apps contained vulnerabilities, with an average of 15 flaws discovered per application.


15% of the vulnerabilities discovered, said the researchers, could lead to a man-in-the-middle (MITM) attack, where a hacker could not only intercept communications sent between an IoT device and its smartphone app – but even potentially send it rogue commands allowing a criminal to hijack control.

https://www.bitdefender.com/box/blog/iot-news/many-iot-smartphone-apps-making-life-easy-online-criminals/

Monday, April 2, 2018

Remember the "Terminator" series? The bad one always comes back with better tech. The same goes for malware: njRAT (2013) is now back with new features such as Lime ransomware, a bitcoin wallet stealer, worm capability, and ARME and Slowloris DDoS attacks.

This old-time trojan was first spotted in 2013 and has remained one of the most prevalent malware families, using multiple .NET obfuscation tools that make detection difficult for antivirus solutions and hinder analysis by security researchers.

The malware also uses dynamic DNS for command-and-control (C2) servers and communicates using a custom TCP protocol over a configurable port.

The new RAT variant added ransomware and bitcoin wallet stealing features which appear to contradict each other in practice.

“This is an interesting development, especially the ransomware feature, given that RATs by nature operate in stealth,” Desai said. “Ransomware on the other hand will reveal the infection.”

In addition, the njRAT variant has the capability of performing ARME and Slowloris DDoS attacks.

The malware also has worm functionality to spread through USB.


https://www.scmagazine.com/the-trojan-was-first-spotted-in-2013-and-has-remained-one-of-the-most-prevalent-malware-families-using-multiple-net-obfuscation-tools/article/755647/

For privacy-conscious consumers, Cloudflare launches a new DNS service. It is easy to remember: 1.1.1.1.


Cloudflare claims "We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours"

The problem is that these DNS services are often slow and not privacy respecting. What many Internet users don't realize is that even if you're visiting a website that is encrypted — has the little green lock in your browser — that doesn't keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you've connected to, and your mobile network provider have a list of every site you've visited while using them.

Network operators have been licking their chops for some time over the idea of taking their users' browsing data and finding a way to monetize it. In the United States, that got easier a year ago when the Senate voted to eliminate rules that restricted ISPs from selling their users' browsing data.

https://blog.cloudflare.com/announcing-1111/