Tuesday, July 31, 2018

AWS Security Tools - Listed in a single page

In a world of connected cars (providing several remote management functions), do you remember to revoke "remote management access" (which includes lock/unlock) from the previous owner? You may have the right, but you may not be able to do it.


Here is a lesson we can learn from one buyer - In a resale scenario, a previous owner could continue to have access to the online account – with all the new owner’s information stored within.

The problem is that once a vehicle has been linked to that online account and app, the previous owner must specifically disconnect his or her access to the account in order for a new owner to link up to it.


Matt Watts, data strategist and director of technology at NetApp, discovered after buying a used car that a previous owner could access a range of his personal information via the app that connects with the vehicle.

“When trying to link the vehicle to my account, the website informed me that the vehicle was currently linked to another user’s account,” Watts said. From there, he contacted the dealer and the manufacturer, who were unable to help him, saying that “We are not in a position to remove owner without their permission, previous owners would normally disconnect before they sell the car or if we took in part-ex we would have their written authority to remove from system.” The dealer then suggested tracking down the previous owner to ask them to disconnect from the account.

Watts noted that the implications are significant: “The previous owner of my car has control over it, they can unlock it, they can remotely set the climate control without me knowing about it, even when the car isn’t running, they potentially can even look at the sat-nav system, they can also call breakdown services to the vehicle and all of this without me knowing anything about it,” he said. “Someone else has access to a significant amount of data about myself and my vehicle and there appears to be nothing that the manufacturer is prepared to do about it.”


https://threatpost.com/connected-car-apps-open-privacy-hole-for-used-car-buyers/134549/

WikiLeaks has internal leaks - Confused? An activist has just leaked 11,000 direct messages from a Twitter group used by WikiLeaks, an organization known for publishing others' secrets.


More than 11,000 direct messages from a Twitter group used by WikiLeaks and around 10 close supporters have been posted online by journalist and activist Emma Best, exposing private chats between 2015 and 2017.

The leaked chats have been referenced by American media outlets earlier this year, but for the very first time, all 11,000 messages have been published online, allowing anyone to scroll through and read messages themselves.

The leaked DMs of the private Twitter chat group, dubbed "Wikileaks +10" by Best, show WikiLeaks' strong Republican favoritism, as some portions of the previously leaked chats had already shown WikiLeaks' criticism of Hillary Clinton and support for the GOP.



https://thehackernews.com/2018/07/wikileaks-twitter-chats.html

Monday, July 30, 2018

Identity theft protection firm LifeLock may have exposed user email addresses - How?

An IT security researcher noted that unsubscribing from LifeLock’s newsletter revealed the subscriber’s key. Upon further digging, the researcher found that the key number is sequential, and with the help of a script he wrote himself he could extract the keys and corresponding email addresses of every LifeLock subscriber.

This is not the first time LifeLock has made such a blunder. In 2014, the company pulled its Wallet app from availability and deleted all user data after it was revealed that the app may not have been following standard security protocol.

Last year, a vulnerability in LastPass password manager allowed hackers to steal its customers’ login credentials. Moreover, in June 2017, OneLogin password manager suffered a cyber attack in which personal data of millions of users was stolen.



https://www.hackread.com/identity-theft-protection-firm-lifelock-exposed-user-emails/

Friday, July 27, 2018

SMART does not mean SECURE (but, SECURE must be SMART) - Researchers found 20 vulnerabilities in Samsung’s SmartThings Hub, allowing attackers to control smart locks, remotely monitor the home via connected cameras and perform other alarming functions.



SmartThings Hub uses a Linux-based firmware and communicates with various IoT devices using the wireless standards Zigbee, Z-Wave and Bluetooth. SmartThings supports a broad spectrum of third-party products, from Philips Hue smart lightbulbs to Ring video doorbells, as well as dozens more smart home products sold under brands such as GE, Bose and Lutron.

The breadth of potentially impacted products means an attacker could hack an array of connected home devices allowing adversaries to disable smart locks, turn off motion detectors, shut down smart plugs, control thermostats or even cause physical damage to appliances.



https://threatpost.com/bugs-in-samsung-iot-hub-leave-smart-home-open-to-attack/134454/

Another FREE Security add-on for Chrome - Malwarebytes Browser extension (BETA). It prevents pop-ups, browser hijackers, and browser lockers from harassing you and interrupting your surfing. It also blocks clickbait links and fake news content, stops in-browser cryptocurrency miners, and gives other malicious content the boot. All this while relying on threat behavior patterns.



This is where Malwarebytes Browser Extension can help you:


  • Protection from tech support scammers: Blocks browser hijackers, and browser lockers, which are used by scammers to drive victims to call centers that use scare tactics to sell expensive technical support (that you don’t need).
  • Faster web page load times: Popular websites download a lot of unwanted content in the background. By filtering out clickbait and ads, Malwarebytes Browser Extension BETA can speed up your webpage load time, saving your sanity and bandwidth.
  • Prevents visits to malicious pages: Protects you from inadvertently visiting bad websites that host malware content, steal your identity (phishing), load Bitcoin miners in the background, which slow down your computer, and a long list of other obnoxious behaviors that can make your online experience less than stellar.
  • Keeps your privacy private: Blocks third-party ad trackers that follow you around the Internet and target you with the same ads over and over again.


https://blog.malwarebytes.com/malwarebytes-news/betas/2018/07/introducing-malwarebytes-browser-extension/


Cloud vendor evaluation - The certifications you are looking for are the ones your vendor achieved, not their vendor's. If the vendor states they have a certification and sends you AWS’ certification, that is a BIG RED FLAG. In fact, run!



Free copy of the "Vendor Security Assessment" Questionnaire here:
https://www.vendorsecurityalliance.org/questionnaire2018.html


Here is a little trick I use when trying to verify the trust of a vendor without any certifications. I first ask what security/compliance framework they follow. Let’s say they answered PCI; then I go down to where I asked them how often they scan for vulnerabilities. If they state annually, then they obviously are not following the PCI framework.

Remember, your job is to assess the risk and relay that back to the business. If the business still wants to move forward with a high-risk vendor, then the business owner didn’t understand the risk and you should move the discussion around compensating controls. Once you start down that path, the business owner usually instructs their team to look for other cloud vendors.

https://www.alienvault.com/blogs/security-essentials/you-are-doing-cloud-vendor-assessments-wrong

Wednesday, July 25, 2018

New critical security vulnerability in some implementations of the Bluetooth standard (products from Apple, Broadcom, Intel, and Qualcomm are affected). This vulnerability DOES NOT affect Microsoft Windows.


If exploited successfully, this vulnerability could allow attackers to intercept and decrypt all messages exchanged between devices or to inject malicious data into the communication.
Furthermore, the vulnerability also opens the door to a man-in-the-middle attack that would let attackers monitor or manipulate traffic.

https://www.hackread.com/new-bluetooth-flaw-lets-attackers-monitor-traffic/

Protect your system from cryptojacking attacks - Try the new Chrome extension from Qualys


BrowserCheck CoinBlocker Extension uses both domain blacklists for cryptocurrency mining sites and heuristic features to detect unknown cryptojacking attack types.


https://news.hitb.org/content/new-free-chrome-plugin-blocks-cryptojacking-browser-attacks

Tuesday, July 24, 2018

The Top 10 Most-Clicked General Email Subject Lines Globally for Q2 2018 - The top ones are "password check required" and "Microsoft: Re: Important Email Backup Failed:"



1. Password Check Required Immediately 15%
2. Security Alert 12%
3. Change of Password Required Immediately 11%
4. A Delivery Attempt was made 10%
5. Urgent press release to all employees 10%
6. De-activation of [[email]] in Process 10%
7. Revised Vacation & Sick Time Policy 9%
8. UPS Label Delivery, 1ZBE312TNY00015011 9%
9. Staff Review 2017 7%
10. Company Policies-Updates to our Fraternisation Policy 7%

*Capitalisation and spelling are as they were in the phishing test subject line
**Email subject lines are a combination of both simulated phishing templates created by KnowBe4 for clients, and custom tests designed by KnowBe4 customers



When investigating ‘in-the-wild’ email subject lines, KnowBe4 found the most common for Q2 2018 included:


  1. Microsoft: Re: Important Email Backup Failed
  2. Microsoft/Office 365: Re: Clutter Highlight
  3. Wells Fargo: Your Wells Fargo contact information has been updated
  4. Chase: Fraudulent Activity On Your Checking Account – Act Now
  5. Office 365: Change Your Password Immediately
  6. Amazon: We tried to deliver your package today
  7. Amazon: Refund - Valid Billing Information Needed
  8. IT: Ransomware Scan
  9. Docusign: Your Docusign account is suspended
  10. You have a secure message

Did you know - Humans are predictable when it comes to creating passwords, and malicious actors often find manual guessing of usernames and passwords to be the most effective method.



(Scary stats) Rapid7’s pen testers were able to abuse at least one network misconfiguration in 80% of engagements and one in-production vulnerability in 84% of all engagements. In 53% of all engagements, the testers were able to capture at least one credential.

Organizations are more interested in securing their own sensitive data – such as internal communications and financial metrics – than that of their customer and employees. (Anyone surprised?)

The report also revealed the top five security priorities of the participating organizations. When it comes to protecting sensitive information, 21% prioritize sensitive internal data, 20% focus on personally identifiable information (PII). Only 14% of organizations ranked protecting authentication credentials as a top-five priority, 7.8% prioritize payment card data and only 6.5% ranked bank account data.

https://www.infosecurity-magazine.com/news/pen-testers-abuse-configuration

Monday, July 23, 2018

Your vendor's or partner's security practices have a direct impact on your organization's security - 157 GB of automaker secrets leaked because of an insecure backup protocol used by a third-party firm.




A total of seven auto companies were impacted by the data leak, including divisions of automakers Chrysler, Ford, GM, Tesla, Toyota and Volkswagen, along with automotive supplier ThyssenKrupp.

One also inadvertently leaked its own internal data, including employee scans of driver’s licenses and passports, along with invoices, contracts, and bank-routing numbers and SWIFT codes.

To blame was rsync, which stands for “remote sync,” a common file transfer protocol used to mirror or back up large data sets.

Leaky rsync services are typically a result of permissions set on the rsync server. In the case of Level One, the rsync server was publicly writable.
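The Level One exposure came down to module permissions. As an added example (not from the Threatpost article and not Level One's actual configuration), here is a small POSIX shell/awk audit that flags rsyncd.conf modules that are writable, have no "auth users", or have no "hosts allow" restriction; the sample rsyncd.conf is constructed, with one module reproducing the publicly writable pattern and one hardened module beside it.

```shell
#!/bin/sh
# Added example: audit an rsyncd.conf for modules exposed the way the
# article describes (publicly writable, unauthenticated, open to any host).

# Constructed sample rsyncd.conf. "backups" is the risky module; "mirror"
# shows the hardened equivalent (read-only, authenticated, host-restricted).
SAMPLE_CONF=$(cat <<'EOF'
uid = nobody
gid = nobody

[backups]
    path = /srv/backups
    read only = no
    list = yes

[mirror]
    path = /srv/mirror
    read only = yes
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    hosts deny = *
EOF
)

# audit_rsyncd FILE
# Prints one line per risky module ("<module>: <findings>") and returns 1
# if any module was flagged, 0 otherwise. rsync's own default for
# "read only" is yes, so a module is only "writable" when it says "no".
audit_rsyncd() {
    awk '
    function report() {
        if (mod == "") return
        f = ""
        if (rw)     f = f " writable"
        if (!auth)  f = f " no-auth-users"
        if (!hosts) f = f " no-hosts-allow"
        if (f != "") { print mod ":" f; flagged = 1 }
    }
    # A "[name]" line starts a new module: report the previous one first.
    /^[ \t]*\[.*\][ \t]*$/ {
        report()
        mod = $0
        sub(/^[ \t]*\[/, "", mod)
        sub(/\][ \t]*$/, "", mod)
        rw = 0; auth = 0; hosts = 0
        next
    }
    mod != "" && /^[ \t]*read only[ \t]*=/ {
        v = tolower($0)
        sub(/.*=[ \t]*/, "", v)
        sub(/[ \t]+$/, "", v)
        rw = (v == "no" || v == "false" || v == "0")
    }
    mod != "" && /^[ \t]*auth users[ \t]*=/  { auth = 1 }
    mod != "" && /^[ \t]*hosts allow[ \t]*=/ { hosts = 1 }
    END { report(); exit flagged ? 1 : 0 }
    ' "$1"
}

# Usage: write the constructed sample to a temp file and audit it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
audit_rsyncd "$tmp" || echo "at least one rsyncd module needs hardening"
rm -f "$tmp"
```

Run it against the real /etc/rsyncd.conf on a host that exposes rsync; any module it prints is one that should also be reviewed for whether it needs to be reachable from the Internet at all.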



https://threatpost.com/leaky-backup-spills-157-gb-of-automaker-secrets/134293/

Friday, July 20, 2018

Can you trust your GPS? - If you do, you have NOT heard of the "GangWang" attack.



A proof-of-concept attack that uses realistic fake turn-by-turn navigation directions for in-car GPS systems has managed to fool drivers into following them a full 95 percent of the time in testing.

Fresh experiments from a coalition team consisting of researchers from Virginia Tech, the University of Electronic Science and Technology in China and Microsoft showed that carefully crafting the spoofed GPS inputs (with cheap, readily available hardware) with an eye to the actual physical environment can successfully lead human operators astray most of the time.

The new attack, which the researchers dubbed “GangWang,” spoofs a route that mimics the shape of the route displayed on the map.

To test the idea, the team designed an algorithm based on 600 taxi routes in Manhattan and Boston. The code searches for attacking routes in real-time that would match the targeted victim’s location and remain consistent with the physical road network. On average, it was able to identify 1,547 potential attacking routes for each target trip for a would-be attacker to choose from.

“If the attacker aims to endanger the victim, the algorithm can successfully craft a special attack route that contains wrong-ways for 99.8 percent of the trips.”

https://threatpost.com/gangwang-gps-navigation-attack-leads-unsuspecting-drivers-astray/134172/

Thursday, July 19, 2018

Cloud-based human resources company "ComplyRight" (nice name) could not get their "Security Right" (they had a data breach). This might have jeopardized sensitive consumer information — including names, addresses, phone numbers, email addresses and Social Security numbers — from tax forms submitted by 76,000 organizations.




Pompano Beach, Fla-based ComplyRight began mailing breach notification letters to affected consumers late last week, but the form letters are extremely vague about the scope and cause of the breach.

According to ComplyRight’s Web site, some 76,000 organizations — many of them small businesses — use its services to prepare tax forms such as 1099s and W2s on behalf of their employees and/or contractors. While the company didn’t explicitly say which of its cloud services was impacted by the breach, the Web site which handles its tax preparation business is efile4biz.com.

The site also includes a Geotrust security seal intended to reinforce the above statement. While ComplyRight hasn’t said exactly how this breach happened, the most likely explanation is that intruders managed to install malicious code on the efile4biz.com Web site — malware that recorded passwords entered into the site by employers using the service to prepare tax forms.


Translation: Assurances about the security of data in-transit to or from the company’s site do little to stop cyber thieves who have compromised the Web site itself, because there are countless tools bad guys can install on a hacked site that steal usernames, passwords and other sensitive data before the information is even encrypted and transmitted across the wire.


https://krebsonsecurity.com/2018/07/human-resources-firm-complyright-breached/

Real cost of Data Breach

Tuesday, July 17, 2018

pcAnywhere (remote access software) was installed on voting machines? This makes the results unreliable.



The nation's top voting machine maker has admitted that the company installed remote-access software on election-management systems it sold over a period of six years.

The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said.


ES&S is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company's machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems.

https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states

Friday, July 13, 2018

MDM is good - what happens if the MDM platform is compromised? - Attackers can deploy malicious applications remotely (hard but possible with Social Engineering).



According to the researchers, the attackers behind the campaign used the MDM service to remotely install modified versions of legitimate apps onto target iPhones, which were designed to secretly spy on users, and steal their real-time location, contacts, photos, SMS and private messages from chat applications.

Since each step of the enrollment process requires user interaction, such as installing a certificate authority on the iPhone, it is not yet clear how attackers managed to enroll 13 targeted iPhones into their MDM service.

However, researchers at Cisco's Talos threat intelligence unit, who discovered the campaign, believe that the attackers likely used either a social engineering mechanism, like a fake tech support-style call, or physical access to the targeted devices.

https://thehackernews.com/2018/07/mobile-device-management-hacking.html

A troubling statistic from a recent MIT study: on Twitter, lies are 70% more likely to be retweeted than facts. What’s more, a false story reaches 1,500 people six times quicker, on average, than a true story.



Information warfare (Listen, Facebook, Twitter and WhatsApp fans) - An attack on cognitive infrastructure, on people themselves, on society, and on systems of information and belief (Interesting article)



American Enterprise Institute’s Phillip Lohaus - “We tend to think of our cyberdefenses as physical barricades, barring access from would-be perpetrators, and of information campaigns as retrograde and ineffective. In other words, we continue to focus on the walls of the castle, while our enemies are devising methods to poison the air.”

There isn’t much out there for dealing with information warfare, and that gap is leaving democratic societies vulnerable.


https://www.justsecurity.org/59152/information-operations-cybersecurity-problem-strategic-paradigm-combat-disinformation/

Thursday, July 12, 2018

Wednesday, July 11, 2018

With negligent admins, hackers don't have to work hard - A hacker managed to obtain sensitive documents (U.S. military drone documents) by gaining access to a Netgear router that was using the default FTP login settings for file sharing.


The authentication vulnerability in Netgear routers that the hacker exploited to access the sensitive military data was initially discovered two years ago.

After gaining access to the network, "the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU."

Ironically, a certificate found in the data archive reveals that the captain whose system was compromised had recently completed the Cyber Awareness Challenge, but he did not set a password for an FTP server hosting sensitive files.


https://thehackernews.com/2018/07/dark-web-military-drone_11.html

Fraudsters are purchasing medical records of patients that are already deceased, why?



Medical records are often used in combination with other personal information to conduct sophisticated fraudulent transactions (beyond ID theft and financial transactions).

Besides financial fraud, criminals also use stolen medical information for illegally acquiring medical supplies and obtaining health insurance. On the dark web, one of our researchers found criminals explaining to a potential customer how they can use a medical ID to get prescribed drugs delivered to them, to order medication and even to book a doctor’s appointment for a check-up.


https://threatpost.com/deceased-patient-data-being-sold-on-dark-web/133871/

Mergers & acquisitions will always impact your organization's "security posture". Here are six M&A security tips:




  1. Involve Cybersecurity Early On
  2. Develop a Mature Asset Management Program
  3. Create a Solid Third-Party Risk Program
  4. Practice Good Governance
  5. Have the Two Security Staffs Meet
  6. Think Through the Acquisition's Impact on Operations


https://www.darkreading.com/application-security/6-manda-security-tips/d/d-id/1332240

Two free Google Search courses - Everyone uses Google; however, performing a well-filtered search needs a little extra knowledge.


Try these self-paced courses:

Power Search with Google
https://coursebuilder.withgoogle.com/sample/course


Advanced Power Search with Google
http://www.powersearchingwithgoogle.com/course/aps

Tuesday, July 10, 2018

A new malware uses stolen digital certificates (to evade AV and whitelisting tools) to collect saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.



The first malware, dubbed Plead, is a remotely controlled backdoor designed to steal confidential documents and spy on users.

The second malware is a related password stealer designed to collect saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.

Security researchers from ESET have recently identified two malware families, previously associated with cyberespionage group BlackTech, that have been signed using valid digital certificates belonging to D-Link networking equipment manufacturer and another Taiwanese security company called Changing Information Technology.

Because most antivirus software fails to check a certificate's validity even after the owning company has revoked the certificate, the BlackTech hackers are still using the same certificates to sign their malicious tools.

https://thehackernews.com/2018/07/digital-certificate-malware.html

HNS (Hide aNd Seek) botnet targets IoT (generally a blind spot for IT security folks). It supports 7 exploitation methods and adds a cpuminer mining program.



It has considerable scanning capacity, probing for a number of exploitable services.

These might include:

  • 23 (Telnet)
  • 8080 (HTTP web service)
  • 80 (HTTP web service)
  • 5984 (CouchDB)
  • 2480 (OrientDB)


Popularly known as Hide-N-Seek, the botnet is being deployed by attackers to target Internet of Things computing devices, and it has spread within a short span of time.

Within less than a year since the experts identified it, HNS was said to have infected many Internet of Things devices, leaving users in considerable confusion.


http://www.ehackingnews.com/2018/07/new-botnet-posing-threat-to-internet.html

Monday, July 9, 2018

Secret Office 365 forensics tool - it does exist (many individual Microsoft employees appear to have been genuinely unaware of this data’s existence).



Friday, June 8. Out of the blue, an email popped onto the forensics community mailing list. It contained a single link, to an Anonymous video.

Ten days later, CrowdStrike released a beautiful blog post about the unmasked Activities API.


Forensic analysts Ali Sawyer and Matt Durrin ran it against an Office 365 test instance set up in LMG’s research laboratory. It contained the granular details that we had only dreamed existed — and more.

In the case of the secret Office 365 tool, the very existence of this evidence was kept hidden by several respected forensics firms, as well as Microsoft itself, for well over a year by several accounts.

Today, most cloud providers have no obligation to collect logs. Even if they do have granular logs, like Microsoft, they have no requirement to make these easily accessible to customers.


http://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/

Security Architecture is more important than adding new security technology



Organizations flock to purchase the latest "next-generation" security technology but meanwhile ignore the basic tenets of security. A mature, secure architecture design does not require the most expensive best-of-breed solutions. However, it does involve taking time to think about one's environment and to design a secure architecture accordingly.

If you take the time to learn about your assets, you will be able to layer in multiple prevention and detection solutions and have a highly effective security architecture.

The firewall should also be configured to implement internal layers of network segmentation. Controls should not only face the Internet but also be implemented to secure authorized access from internal assets to internal assets.


Modern challenges also must be overcome. For instance, consider an intrusion detection/prevention device, web proxy, data loss prevention sensor, network antivirus, or any other Layer 7 network inspection solution. These are all crippled by network encryption.


https://www.darkreading.com/cloud/creating-a-defensible-security-architecture/a/d-id/1332169

Some Android apps share image and video data with other parties in unexpected ways, without user knowledge or consent


Example: GoPuff records the screen and sends a video of the interaction to a domain owned by the third-party analytics company, Appsee, as soon as the app starts.

Another app used the camera-taking abilities of a mobile beta-testing platform found on Google Play, TestFairy, to record users' interactions through screenshots.

“Screen recording, if adopted at scale and/or in apps that handle sensitive data, could expose substantial amounts of users’ PII, especially when the full burden of securing private information is placed on developers,” the researchers said. “Further, we argue that the recording of interactions with an app (without user knowledge) is itself a privacy violation akin to recording audio or video of the user.”

https://threatpost.com/android-app-are-sharing-screenshots-video-recordings-to-third-parties-report-finds/133686/

Friday, July 6, 2018

ExxonMobil - Sends a mailer with a confusing toll-free number and directs customers to a parked page that tries to foist Web browser extensions on visitors.



Looks like ExxonMobil's marketing team did not bother to perform a sanity check with the security team.


Many people on Twitter who expressed confusion about the mailer said they accidentally added an “e” to the end of “exxonmobil” and ended up getting bounced around to spammy-looking sites with ad redirects and dodgy download offers.

It always amazes me when major companies roll out new marketing initiatives without consulting professionals who help mitigate security and privacy issues for a living. It seems likely that happened in this case because anyone who knows a thing or two about security would strongly advise against instructing customers to visit a parked domain or one that isn’t yet fully under the company’s control.

https://krebsonsecurity.com/2018/07/exxonmobil-bungles-rewards-card-debut/

Thursday, July 5, 2018

WOW - Malware that can automatically decide to download a cryptominer or to launch a Ransomware or to become a worm.



The decision to download the cryptor or the miner depends on the presence of the folder %AppData%\Bitcoin. If the folder exists, the downloader decides to download the cryptor. If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component.

Researchers identified a new variant of the remote execution downloader that queries the victim's system on a number of factors, from the existence of Bitcoin storage to the presence of certain virtual machine managers, before downloading either an encryption payload or one that begins mining Monero coins.


Full details here:
https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/

With machines with over 1TB of memory already commonplace, many OLTP workloads can fit entirely in memory - This creates an unencrypted "data in memory" risk. How can we encrypt this? EnclaveDB might be one solution.



It brings together the security properties of Intel’s SGX enclaves with the Hekaton SQL Server database engine. The result is a secure database environment with impressive runtime performance.

For traditional databases, the entire query processing pipeline is part of the attack surface. With EnclaveDB, however, all queries are first compiled to native code and then packaged along with the query engine and the trusted kernel.


EnclaveDB assumes an adversary can control everything in the environment bar the code inside enclaves. They can access and tamper with any server-side state in memory, on disk, or over the network. They can mount replay attacks by shutting down the database and attempting to recover from a stale state, and they can attempt to fork the database and send requests from different clients to different instances.

Whereas existing systems require users to associate and manage encryption keys for each column containing sensitive data, EnclaveDB takes advantage of the encryption and integrity protection provided by the SGX memory encryption engine, which kicks in whenever data is evicted from the processor cache. Thus only a single database encryption key is needed. This key is provisioned to a trusted key management service (KMS) along with a policy specifying the enclave that the key can be provisioned to. When an EnclaveDB instance starts, it remotely attests with the KMS and receives the key.

Clients connect to EnclaveDB by creating a secure channel with the enclave and establishing a shared session key. The enclave authenticates clients using embedded certificates. All traffic between clients and EnclaveDB is encrypted using the session key.
Once client requests have been validated, the stored procedure executes entirely within the enclave, on tables hosted in the enclave. Return values are encrypted before being written to buffers allocated by the host.


https://blog.acolyer.org/2018/07/05/enclavedb-a-secure-database-using-sgx/

Did you know - Google reportedly is still giving outside app developers the ability to snoop through hundreds of millions of private Gmail messages that flow through the email service on a regular basis.



A new report by the WSJ yesterday highlighted how Gmail's ambiguous app permissions have left your personal emails vulnerable to hundreds of third-party developers who can read nearly every detail from your most sensitive emails, including the recipient's e-mail address, timestamps, and the entire email body.

This is because Google allows third-party app developers to build services that work with its Gmail platform, like "email-based services," "shopping price comparisons," and "automated travel-itinerary planners," and millions of users who have signed up for any of such services are at risk of having their private messages read by outside app developers and their employees.

Obviously, such apps get consent from users to access their inboxes as part of the opt-in process, but the news that third-party app developers could read your emails, which usually contain sensitive data, may come as a surprise to users who did not understand what they signed up for.


https://thehackernews.com/2018/07/google-gmail-apps.html

Verizon DBIR 2017 Report - This picture could help you with your Security Spending





Insider Threat - They are real, and they will eventually cause an incident in every organization. Proper preparation, training, and vigilance can prevent or mitigate the negative consequences. The focus is generally on detection; what about prevention and response?




  • First, we should ensure all employees understand organizational policies regarding use of information resources and workplace behaviour. Second, any policy violation should result in a quick response by management. The response should match the level of the offense. Further, every employee, without exception, should understand the consequences.

  • Terminating an employee is one way to deal with a potential problem. However, we often value employees who are simply going through rough personal times. Further, termination without prior efforts to resolve issues can result in litigation. It is often better to remediate than quickly terminate.


https://www.hackread.com/managing-insider-threats-with-internal-monitoring/

Tuesday, July 3, 2018

Cyber security is a matter for the boardroom, not the IT team, because cyber security is firmly a business issue, not a technology one.




There are many aspects to an effective corporate battle plan to defend against a cyber attack, but success is dependent on direction from the top.



  1. The first step is to develop a cyber security policy that the leadership team can understand, take seriously, and enforce through accountable management. 
  2. Another step is to begin discussing cyber threats in board meetings, which will allow the business to develop a robust approach to ensuring the organisation’s digital security.
  3. Get some qualified people from outside to shoot holes in the plans. Find a firm that will tell the hard and uncomfortable truths that technical staff may not mention.
  4. Finally, at the heart of the problem is a shortage of skills. We really cannot wait for this to fix itself. Those in senior positions need to educate themselves, and overcome their fear of cyber.



Ultimately, cyber security is firmly a business issue, not a technology one

http://www.cityam.com/288564/cyber-security-matter-boardroom-not-team-executives-must

Samsung phone users reported that their devices are randomly sending camera roll photos to their contacts without permission. (Maybe it is "machine learning" combined with a feature called "machine sending".)



One user on Reddit claimed that their Samsung Galaxy S9 Plus sent an entire photo gallery to a contact, that the phone itself kept no record of it, and that the only trace was in their T-Mobile logs. Meanwhile, another user took to Samsung’s forum to allege “premature sending” on their Galaxy S9 smartphone.

https://threatpost.com/samsung-investigates-claims-of-spontaneous-texting-of-images-to-contacts/133675/

Cheat Sheet - For malware reverse engineers using REMnux

Monday, July 2, 2018

Online "Drake Equation" calculator to calculate the chance of intelligent alien life

Whether you are an optimist or a skeptic, the calculator will still help.
Give it a try.

https://informationisbeautiful.net/visualizations/the-drake-equation/

There is no real privacy in this digital world, but you can reduce your digital footprint (if you are really concerned).


The steps in the article are simple clean-up activities, or habits we can adopt in everyday life.

https://www.infosecurity-magazine.com/magazine-features/top-ten-reduce-digital-footprint

Blockmason’s Credit Protocol - A solution that might be good for consumers and vendors (but NOT for credit card companies)


Particularly when credit card companies are winning Supreme Court battles (by one vote).



Here are three other reasons that the Credit Protocol is superior to the major credit card networks:

  1. Data Privacy
  2. Lower Fees
  3. No Downtime



The Supreme Court’s ruling is a win for American Express and a loss for retailers and consumers. But it shows just how vital the Credit Protocol is. And why, soon enough, blockchain technologies like ours will start to become mainstream.


https://medium.com/@BlockMason/the-us-supreme-courts-latest-ruling-proves-the-need-for-blockmason-s-credit-protocol-de7680b2ad5c

Facebook has admitted that the company gave dozens of tech companies and app developers special access to its users' data - Shocking!! (not really; how can we expect them to make money if their service is free?)



This should not bother Gmail users, who have voluntarily surrendered their (and their friends') privacy.

When the Cambridge Analytica scandal broke in March this year, Facebook stated that it had already cut off third-party access to its users' data, and to their friends' data, back in May 2015.

However, in a 747-page document [PDF] delivered to Congress late Friday, the social networking giant admitted that it continued sharing data with 61 hardware and software makers, as well as app developers, after 2015.

The social network shared information about its users with these companies to help them create their own versions of Facebook or Facebook features for their devices, well of course, "under the terms and policies they provide to their users."

https://thehackernews.com/2018/07/facebook-data-privacy.html