Friday, November 30, 2018

Did you stay at a Marriott or Sheraton in the last 4 years? Now, here is some bad news - Marriott said that a massive data breach of its guest reservation system exposed the data of up to 500 million guests, and the attackers may have had access to the systems for at least FOUR YEARS BEFORE BEING DISCOVERED.



Another example of "Prevention is ideal but Detection is a MUST".

The hotel company said in a statement on its website that hackers gained access to the Starwood reservation database. Starwood, which includes hotels like St. Regis and Sheraton, was bought by Marriott in 2016.


Marriott said that hackers stole data like name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for 327 million of these guests.

https://threatpost.com/2014-marriott-data-breach-exposed-500m-guests-impacted/139507/

Have you noticed that sometimes (with some online service) your perfectly valid password suddenly fails and you have to contact their support to reset it? Here is one reason.


The computer maker reported yesterday, meaning 20 days later (no wonder GDPR mandates notification within 72 hours), that it had detected and disrupted unauthorized activity on Dell.com on Nov. 9. Dell automatically reset the passwords WITHOUT INFORMING THE POTENTIAL VICTIMS.

This might sound good, but we know people reuse the same login information across several sites, so the breach notification should have gone out immediately.

“This incomprehensible action of mass password reset may damage Dell’s reputation as a vendor who cares about information security and privacy. Preventive password reset can certainly be helpful; however, it should be properly accompanied with assuring explanations and transparent next steps.”

https://www.scmagazine.com/home/security-news/dells-belated-data-breach-notification-angers-cybersecurity-industry-exec/

Thursday, November 29, 2018

2018 - Year of Data Leak + Data Breach - The sad part is that a "Data Leak" can easily be avoided if we overcome SIS (Security Ignorance Syndrome).



An Elasticsearch server containing the information of nearly 57 million U.S. residents was found left exposed on the internet without a password.

The database was first indexed by Shodan on November 14, 2018 and contained information such as first and last names, employers, job titles, email addresses, street addresses, state, zip codes, phone numbers, and IP addresses. The researcher who found it, Bob Diachenko, also reportedly discovered a second cached database named “Yellow Pages,” which reportedly held an additional 25,917,820 records that appeared to be business entries.

Overprivileged identities are one of the biggest threats facing enterprises with complex, multi-cloud environments, and we will continue to see database leaks like this one until companies get better at assessing and managing unused, high-risk privileges
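The Elasticsearch exposure above was found by a search engine, not by an attacker with skills, so the check you want is the same one Shodan effectively ran: does the cluster answer an unauthenticated HTTP request? The script below is an added example (not from the article or from the researcher); the URL is a placeholder, and the sample responses in the comments are constructed. The classifier is separated from the network call so it can be tested on canned responses.

```python
"""Check whether an Elasticsearch node answers without any credentials.

Added example, not part of the original post. ES_URL is a placeholder;
point it at a node you own.
"""
import json
import urllib.error
import urllib.request

ES_URL = "http://127.0.0.1:9200"  # placeholder


def classify(status, body):
    """Classify an unauthenticated GET of the cluster root.

    Returns 'exposed', 'auth-required', 'not-elasticsearch' or 'unreachable'.
    """
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        # The root document of an Elasticsearch node carries cluster_name and a version block
        if isinstance(data, dict) and "cluster_name" in data and "version" in data:
            return "exposed"
    return "not-elasticsearch"


def index_summary(cat_indices_json):
    """Turn _cat/indices?format=json into [(index, doc_count), ...], largest first."""
    rows = json.loads(cat_indices_json)
    summary = [(r["index"], int(r.get("docs.count") or 0)) for r in rows]
    return sorted(summary, key=lambda item: item[1], reverse=True)


def fetch(url, timeout=5):
    """GET url with no credentials; returns (status, body) or (None, '') if unreachable."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def audit(base_url=ES_URL):
    """Probe the node and, if it is open, list what anyone on the internet can read."""
    status, body = fetch(base_url + "/")
    verdict = classify(status, body)
    print(f"{base_url}: {verdict} (HTTP {status})")
    if verdict == "exposed":
        status, body = fetch(base_url + "/_cat/indices?format=json")
        if status == 200:
            for name, docs in index_summary(body):
                print(f"  index {name}: {docs} documents readable without a password")
    return verdict


if __name__ == "__main__":
    audit()
```

Run it against every Elasticsearch (and, with the obvious changes, every Kibana) endpoint you own from outside your network; "exposed" means the fix is a firewall rule or authentication on the cluster, not a faster response to the next Shodan hit.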

https://www.scmagazine.com/home/security-news/elasticsearch-server-exposed-data-of-nearly-57m-u-s-residents/

Apparently, IT security folks may be estimating the value of data wrongly - Some datasets like R&D data, pricing models, source code, M&A documents and signed employment agreements are worth substantially more to organizations than other assets such as product manufacturing and engineering workflows, signed customer contracts, budget and accounting data and network design documents.




The survey also showed that data value, for certain types of data, decreases over time because of a decline in relevancy. For instance, R&D documents in the manufacturing function that are less than one year old are valued at more than $873,380. The value of the same data declines to about $492,700 if it is older than a year.

Similarly, fresh legal documents that are less than a year old are valued at some $508,640 and those that are older than one year at $120,911.

Similarly, the cost associated with a data leak involving R&D documents, at $661,400, is substantially higher than the cost of a breach that involves product-manufacturing workflows ($106,520).

The data shows that organizations need to manage data as an asset and not just as a liability, Abbott says. 

IT security groups need to be thinking about assigning values to data types based on factors like business use, age, how much it would cost to reproduce, and how much it would cost if lost or in the wrong hands, Abbott says.

https://www.darkreading.com/vulnerabilities---threats/incorrect-assessments-of-data-value-putting-organizations-at-risk/d/d-id/1333362

Wednesday, November 28, 2018

Inconvenient truth about awareness training, enterprises and employees - Despite an increased focus on cybersecurity awareness in the workplace, employees’ poor cybersecurity habits are getting worse.




  • 75% of respondents admitted to reusing passwords across accounts, including work and personal.
  • 49% of respondents would actually blame the IT department for a cyberattack if one occurred as a result of an employee being hacked.
  • Survey findings point to a workforce that is less committed to security best practices.
  • 48% of respondents are currently using or planning to use chatbots and artificial intelligence personal assistants, with more than one tenth (13%) already using these in their organization to increase their work efficiency.
  • Over half (55%) of survey respondents stated their IT department can be a source of inconvenience in their organization.
  • 31% admitted that they have deployed software without IT’s help (i.e. ‘shadow IT’).
  • 13% of employees admitted they would not immediately notify their IT department if they thought they had been hacked.
  • Enterprises are increasingly adopting software bots powered by robotic process automation (RPA), and granting them access to mission-critical applications and data, like their human counterparts.




https://www.helpnetsecurity.com/2018/11/14/poor-security-habits-are-getting-worse

Do you own a Sennheiser headset? Here is an interesting story (like the adware scandal that made Lenovo pay $7.3m for shipping adware, which also planted its own root certificate, on 750,000 laptops) - Sennheiser Headset Software Could Allow Man-in-the-Middle SSL Attacks.



When users installed Sennheiser's HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA Certificate store. To make matters worse, the software also installed an encrypted copy of that certificate's private key, protected far less well than the developers may have thought. Whoever extracts that key can sign a certificate for any website, and every browser on the affected machine will accept it without a warning.

While these certificate files are deleted when a user uninstalls the HeadSetup software, the trusted root certificate was not removed. This allows an attacker who has the private key to continue to perform attacks even after the software is no longer installed on the computer.

Microsoft has also released the security advisory ADV180029, titled "Inadvertently Disclosed Digital Certificates Could Allow Spoofing", that explains that Microsoft has released an updated Certificate Trust List that removes trust for these certificates.
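The lesson of the Sennheiser case is that the Trusted Root store is something to baseline and watch, because an installer can add to it silently and an uninstaller may not take its addition back. The script below is an added example (it is not from BleepingComputer, Sennheiser or Microsoft): on first run it writes a baseline of the machine's root store thumbprints, on later runs it reports anything added or removed. It assumes Windows, since `ssl.enum_certificates` exists only there; the baseline file name is a placeholder, and the store-walking and diff logic are separated so the diff can be tested with constructed data.

```python
"""Baseline the Windows Trusted Root CA store and report roots added since.

Added example, not part of the original post. Windows only (ssl.enum_certificates);
BASELINE is a placeholder path.
"""
import hashlib
import json
import os
import ssl

BASELINE = "root_store_baseline.json"  # placeholder


def thumbprint(der_bytes):
    """SHA-1 over the DER encoding, the value certmgr.msc shows as 'Thumbprint'."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def current_root_thumbprints(store="ROOT"):
    """Return {thumbprint: trust} for every X.509 cert in the machine's ROOT store.

    trust is 'all' when the cert is trusted for every purpose, otherwise the
    sorted list of enhanced-key-usage OIDs it is trusted for.
    """
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    result = {}
    for der, encoding, trust in ssl.enum_certificates(store):
        if encoding != "x509_asn":
            continue  # skip PKCS#7 blobs
        result[thumbprint(der)] = "all" if trust is True else sorted(trust)
    return result


def diff_roots(baseline, current):
    """(added, removed) thumbprints between two snapshots of the store.

    'added' is what a HeadSetup-style installer leaves behind; 'removed' is what a
    Certificate Trust List update such as ADV180029 takes away.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return added, removed


def main():
    current = current_root_thumbprints()
    if not os.path.exists(BASELINE):
        with open(BASELINE, "w") as fh:
            json.dump(current, fh, indent=1)
        print(f"wrote baseline with {len(current)} roots to {BASELINE}")
        return
    with open(BASELINE) as fh:
        baseline = json.load(fh)
    added, removed = diff_roots(baseline, current)
    for tp in added:
        print(f"NEW ROOT CA {tp} (trusted for: {current[tp]}) - find out which installer added it")
    for tp in removed:
        print(f"removed root {tp}")
    if not added and not removed:
        print("root store unchanged")


if __name__ == "__main__":
    main()
```

Take the baseline on a freshly built machine, store it somewhere the user cannot edit, and run the diff from a scheduled task or your endpoint agent; a new thumbprint in the ROOT store with no matching Windows Update is worth an incident ticket on its own. (An unexpected root is also what to look for on a machine that ran HeadSetup, since the uninstaller does not remove it.)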

https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/

Resurrection of the Worm - A fileless version of the malicious remote access tool njRAT propagates as a worm via removable drives. It looks like malware (old and new) is going to behave like a worm again. Is it time to disable removable media and monitor PowerShell? It is also time to revisit old-school best practices like segmentation and endpoint isolation.



This particular variant, identified as Worm.Win32.BLADABINDI.AA, leverages AutoIt, a free automation scripting language for Windows, to compile the final payload and the main script into one executable. The technique makes the ultimate payload difficult to detect.

“The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” the blog post concludes. “Users and especially businesses that still use removable media in the workplace should practice security hygiene. Restrict and secure the use of removable media or USB functionality, or tools like PowerShell.”


https://www.scmagazine.com/home/security-news/cybercrime/malicious-developer-creates-wormable-fileless-variant-of-njrat/

Monday, November 26, 2018

L0rdix - A new malware with a lethal combination of data-stealing, cryptomining, and snooping capabilities. It sells for 4,000 rubles (about $60.96).


L0rdix also infects removable drives attached to the PC, copying itself onto them under the icons of the original files while the original drive files and directories stay hidden.

The malware allows attackers to get full information about the targeted PC. After receiving the required information, the attackers can execute commands, upload files, and perform other malicious activities, including uploading mining modules.

The primary objective behind designing this malware is to mine for cryptocurrency without getting detected.

https://www.hackread.com/l0rdix-dark-web-malware-steals-data-mines-crypto-botnet/

Most airports, hotels and coffee shops offer free WiFi. How do you know which ones are NOT safe? Use this free tool to detect unsafe WiFi. (Note - The URL is free to use, but the app is owned by Symantec and it needs your corporate email address for activation.)


Use the following URL:

https://maps.skycure.com/

Wednesday, November 21, 2018

Are you fine with Microsoft collecting your personal data without your permission (and, importantly, you can't stop it)?


A Data Protection Impact Assessment (DPIA) conducted by Privacy Company for the Dutch Ministry of Security and Justice has found that Microsoft has been collecting vast amounts of personal data through Microsoft Office. Among its mitigations, the report recommends that IT administrators periodically delete the Active Directory accounts of some VIP users and create new accounts for them.

Microsoft does not offer any choice with regard to the amount of data, any possibility to switch off the collection, or any ability to see what data are collected, because the data stream is encoded.

https://blog.knowbe4.com/dutch-audit-finds-microsoft-office-leaks-confidential-data

Monday, November 19, 2018

Watch out Instagram users - A security flaw in Instagram’s recently released “Download Your Data” tool could have exposed user passwords



Despite the need for greater security, “many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties,” said Campagna. “Unless organizations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”

https://www.darkreading.com/application-security/instagram-privacy-tool-exposed-passwords/d/d-id/1333300

Beware Skype users - A flaw in Skype for Business enables hackers to launch a DoS attack against the platform by sending large numbers of emojis through the instant messaging client. (BTW, the latest patch or proper privacy settings can fix this.)



When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis, your Skype for Business client will not be usable until the attack ends.


"Any lack of control over users (such as allowing anyone to sign up for the service, rather than specifically authorising each applicant) opens up the messaging system to a range of what are effectively ‘insider’ vulnerabilities."

https://www.scmagazineuk.com/emoji-tsunami-dos-skype-business/article/1518921

Friday, November 16, 2018

Strange Fact - Japan's new cyber-security minister has dumbfounded his country by saying he has never used a computer


"Since I was 25 years old and independent I have instructed my staff and secretaries. I have never used a computer in my life," he said, according to a translation by the Kyodo news agency.

His duties include overseeing cyber-defence preparations for the 2020 Olympic Games in Tokyo.

https://www.bbc.com/news/technology-46222026

First we hear "Poorly Secured", which we IGNORE; then we hear "Data Breach"; then we are surprised. As long as we suffer from SIS ("Security Ignorance Syndrome"), we will continue to have data leakage (FYI, no hacking skills needed).



A leaky database owned by communications firm Vovox, which lacked password protection, contained tens of millions of SMS messages, two-factor codes, shipping alerts, and other user data.

https://www.darkreading.com/cloud/26m-texts-exposed-in-poorly-secured-vovox-database/d/d-id/1333292

A cybersecurity policy is not enough. Why? Cybercrime-as-a-service is steadily growing, but is cybersecurity keeping up? 47% of employees don't pay much attention to their employers' cybersecurity policies, and 95% of organizations admit that their current cybersecurity environments are far below expectation.


Bottom line: you will also need company-wide communication and careful training.


  • 42% say their companies don't have a cybersecurity culture management plan or policy.
  • 67% of employees access shared documents using their devices, many of which may lack the protection needed to shut out hackers and other Internet intruders.



https://www.darkreading.com/vulnerabilities---threats/95--of-organizations-have-cultural-issues-around-cybersecurity/a/d-id/1333290

Wednesday, November 14, 2018

Wake-up Call - Data Breaches getting Worse (2018)



  • 3,676 breaches and a staggering 3.6 billion records compromised
  • Insiders posed the biggest threat - they accounted for nearly 36% of the records compromised.
  • Email addresses, passwords, names, and addresses were the most commonly exposed data types.
  • Only 13% of breaches were discovered internally.
  • 7 of the breaches exposed 100 million or more records.
  • Organizations took an average of 47 days to publicly disclose an event.


https://www.darkreading.com/vulnerabilities---threats/2018-on-track-to-be-one-of-the-worst-ever-for-data-breaches/d/d-id/1333252

Tuesday, November 13, 2018

New "unsend" feature in Facebook - It lets you delete the messages within ten minutes of sending them through the Messenger app.

Note for those working on GDPR Compliance - A WordPress plug-in that’s supposed to help with GDPR compliance contains a dangerous privilege escalation vulnerability that attackers have been actively exploiting to compromise websites


Known as the WP GDPR Compliance plug-in, the software module helps ensure compliance with Europe’s General Data Protection Regulation by providing tools through which site visitors can permit use of their personal data or request data stored by the website’s database.

The bug specifically exists within the plug-in’s handler for WordPress’s “wp-admin/admin-ajax.php” endpoint. When exploited, the vulnerability “allows unauthenticated users to execute any action and to update any database value,” which is how attackers rewrote the site URL settings to redirect visitors.

Sucuri reports that website owners hit by the redirection attack can fix the unauthorized URL setting change by manually editing the site’s database table wp_options. A less desirable workaround is to hard-code the site URL constants (WP_HOME and WP_SITEURL) in the wp-config.php file. Either way, update or remove the plug-in first, or the attacker will simply change the values again.

https://www.scmagazine.com/home/security-news/attackers-exploit-gdpr-compliance-plug-in-for-wordpress/

Monday, November 12, 2018

There is a reason why some features have a "Security" tag - If you don't use them, you won't get the security. For example: a full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use the mag stripe.



Interesting bit - The U.S. leads the rest of the world in the total number of compromised EMV payment cards, by a massive 37.3 million records.

75 percent, or 45.8 million, were records stolen from in-person transactions (“card-present” in the industry parlance). These were likely compromised through card-skimming malware and point-of-sale (POS) breaches at establishments like retailers, hotels and restaurants.

“There are numerous merchant locations that are still asking their customers to swipe rather than use the chip-insert method, thus completely neglecting the EMV security features.”

https://threatpost.com/u-s-chip-cards-are-being-compromised-in-the-millions/139028/

Thursday, November 8, 2018

Vendor Blunder - Cisco “inadvertently” shipped in-house exploit code (for the Dirty COW Linux kernel bug, per the link below), used in its internal security test scripts, as part of its TelePresence Video Communication Server and Expressway Series software.



The code was used internally by Cisco in validation scripts that were never meant to be included in shipping software images - it was there to ensure that Cisco’s software is protected against known exploits. However, the final QA validation step of the software failed, and as a result nobody at Cisco removed the code before release.

https://threatpost.com/cisco-accidentally-released-dirty-cow-exploit-code-in-software/138888/

Another incident to remind us that our vendors' and contractors' security practices are part of our security - One of American Express India's subcontractors failed to encrypt nearly 700,000 customer records, exposing names, email addresses, phone numbers and card types.



The bulk of the data the server housed, more than 2.3 million records, was encrypted and required an encryption key, but the nearly 700,000 customer records were in plaintext, exposing names, email addresses, phone numbers and card types.
The database (a MongoDB server) was not managed by AmEx itself but by one of its subcontractors, who was responsible for SEO or lead generation.

Sensitive information was left publicly available in a data repository due to poor developer practices.

https://www.scmagazine.com/home/security-news/leaky-mongodb-server-exposes-personal-info-on-700k-amex-india-customers/

Wednesday, November 7, 2018

Why you will need both technology and "awareness training" to prevent BEC and phishing attacks

Valimail research found that when it came to detecting fraudulent emails, there was virtually no difference between the scores of those who received anti-phishing training and those who didn't. Out of 11 emails, those who received the training identified 4.98 and those who didn't spotted 4.97.

"By taking on a more defense-in-depth approach, the burden on the humans is less, so there's a better chance that when emails do get through, the users will be able to detect them because they won't be overwhelmed."

"One of the big problems is that people tend to reuse passwords," Jacoby says.

https://www.darkreading.com/operations/identity-and-access-management/why-password-management-and-security-strategies-fall-short/d/d-id/1333221

Tuesday, November 6, 2018

Common sense says "Encryption" means that you will need a "KEY" to decrypt it - When researchers tested self-encrypting SSDs from Samsung and Crucial, they found fundamental vulnerabilities in many models that make it possible to bypass the encryption entirely.



The flaws allow anyone with the requisite know-how and physical access to the drives to recover encrypted data without the need for any passwords or decryption keys.

One fundamental flaw was a failure to properly bind the disk encryption key (DEK) to a password: the password only gates a check in the firmware, while the DEK itself sits on the flash independent of it, so bypassing the check yields the key.

The full disk hardware encryption available on some widely used storage devices is so poorly implemented that there may as well not be any encryption on them at all.


Another fundamental flaw the researchers discovered allows a disk encryption key to be recovered from an SSD even after a user sets a new master password for it. In this case, the vulnerability is tied to a property of flash memory in SSDs called "wear leveling": the old copy of the key material is not overwritten in place but left behind on a stale flash page.
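Both flaws are easiest to see side by side in a small simulation. The code below is an added example; it is not the researchers' code and not any vendor's firmware. `UnboundDrive` models the first flaw (the password gates a compare, the DEK lives on flash in the clear), `BoundDrive` models a drive that does bind the DEK to the password but, because of wear leveling, appends new flash pages instead of overwriting the old one, so the copy wrapped under the factory-default empty password survives a password change. The key wrap (PBKDF2 plus an HMAC-SHA256 keystream with an HMAC tag) stands in for a real key wrap such as AES Key Wrap, which the Python standard library lacks; drive contents are constructed.

```python
"""Self-encrypting-drive flaws as a simulation: unbound DEK, and stale wrapped DEK.

Added example, not part of the original post. The wrap below is a stand-in for
a real key wrap; all drive contents are constructed.
"""
import hashlib
import hmac
import os

DEK_LEN = 32
TAG_LEN = 32


def kdf(password, salt):
    """Password -> key-encryption key (KEK). Iteration count kept low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000, dklen=32)


def _keystream(key, n):
    """Counter-mode keystream from HMAC-SHA256 (demo stand-in for a cipher)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return out[:n]


def wrap(kek, dek):
    """Encrypt-then-MAC the DEK under the KEK."""
    enc = bytes(a ^ b for a, b in zip(dek, _keystream(kek, len(dek))))
    return enc + hmac.new(kek, enc, "sha256").digest()


def unwrap(kek, blob):
    """Return the DEK, or None when the KEK (i.e. the password) is wrong."""
    enc, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(kek, enc, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(enc, _keystream(kek, len(enc))))


class UnboundDrive:
    """Flaw 1: the DEK is stored in the clear; the password only gates a compare."""

    def __init__(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = kdf(password, self.salt)
        self.flash_dek = os.urandom(DEK_LEN)  # on flash, unprotected

    def unlock(self, password):
        ok = hmac.compare_digest(kdf(password, self.salt), self.pw_hash)
        return self.flash_dek if ok else None

    def dump_flash(self):
        """What physical access to the NAND yields: the DEK itself."""
        return [self.flash_dek]


class BoundDrive:
    """DEK bound to the password, but Flaw 2: wear leveling keeps old pages."""

    def __init__(self, password=""):  # drives often ship with an empty master password
        self.salt = os.urandom(16)    # the salt is on flash too
        self._dek = os.urandom(DEK_LEN)
        self.pages = [wrap(kdf(password, self.salt), self._dek)]

    def change_password(self, new_password):
        # Correct firmware would erase the old page; wear leveling appends instead.
        self.pages.append(wrap(kdf(new_password, self.salt), self._dek))

    def unlock(self, password):
        return unwrap(kdf(password, self.salt), self.pages[-1])  # live page only

    def dump_flash(self):
        return list(self.pages)  # includes stale pages the controller no longer uses


def recover_from_dump(pages, salt, candidate_passwords):
    """Attacker with a raw flash dump tries each candidate against every page, stale ones included."""
    for pw in candidate_passwords:
        kek = kdf(pw, salt)
        for page in pages:
            dek = unwrap(kek, page)
            if dek is not None:
                return pw, dek
    return None
```

The point of `recover_from_dump` is that the attacker never has to guess the new password: the page wrapped under the original empty password is still on the NAND, and that password is public. A correct design derives the DEK only through the password (so the drive has nothing to hand over to a bypassed check) and re-encrypts or cryptographically erases the old wrap when the password changes.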


https://www.darkreading.com/vulnerabilities---threats/critical-encryption-bypass-flaws-in-popular-ssds-compromise-data-security/d/d-id/1333207

Financial Fraud - I am talking about us (not corporations). More than 16 million Americans were victims of fraud last year, resulting in almost $17 billion of losses. So, what can we do?



Solution (other than MFA) - Simple. “Be super skeptical of any email that arrives asking for any personal information,” he says. “Even if it’s claiming that your account has been hacked or your bank account is overdrawn.”

“As soon as they ask you for your pin or your password, that’s a bad guy,” he says.


http://time.com/money/5439185/bank-fraud-protection-tips

Thursday, November 1, 2018

Don't become a victim to Phishing or pretexting attack

Phishing and pretexting are among the top ten causes of all data breaches. The strange part is that they are not highly-technical attacks. They are so effective that even the most sophisticated attackers use them.
(Simple Solution = UAT - User Awareness Training)


What is pretexting?
A targeted, social engineering-based attack in which attackers use continuous dialogue to build a sense of trust with the victim. By creating a fabricated scenario and posing as a senior employee or a trusted vendor, attackers manipulate victims into willingly giving up sensitive information, granting access to systems, or even transferring money.