Thursday, December 27, 2018

It is tax season, and there will be a new wave of spam/phishing attacks. The IRS suggests the following steps to avoid becoming a victim of phishing:

  • Be Vigilant – Employers and businesses providing tax services can best protect themselves from phishing attacks by educating employees with security awareness training. Employees are trained on phishing tactics to heighten their awareness, making it easier to spot a malicious email and avoid becoming a victim.
  • Use Security Software – email, web, and DNS scanning solutions can reduce the number of potentially malicious messages that reach an inbox.
  • Use strong passwords – the emphasis is on using a unique password for each account.
  • Use Multi-Factor Authentication – when available, use MFA to better secure access to online applications, websites, and data.

Emails impersonating the IRS can be forwarded to phishing@irs.gov.

Tuesday, December 18, 2018

VPN is safe? Not if you are using the free HolaVPN. Trend Micro's analysis found that:

1. It could provide a gateway into the enterprise network for malicious software of many varieties.
2. It uses customer computers and devices as exit points for spam and phishing messages.
3. The HolaVPN software failed to provide encryption for users who depended on the service to protect their data from theft.
4. 85% of the HolaVPN traffic analyzed was concerned with mobile ads and other mobile-related domains and software.

https://www.darkreading.com/network-and-perimeter-security/trend-micro-finds-major-flaws-in-holavpn/d/d-id/1333515

Backup is important, but it can be dangerous when we cannot track and delete old data. This is where "cryptographic erasure" is useful. The process is simple: encrypt the data, and when it is time to delete it, DELETE THE ENCRYPTION KEY INSTEAD. The data is as good as deleted.

It has two important advantages:
1. We do not need to restrict ourselves to a single key that encrypts an entire drive or data set. Instead, we can have as many unique keys as we need, encrypting data at whatever granularity serves our purposes.

2. It entirely bypasses the issue of tracking data flows. Whether the data resides in a remote data center or in someone else's cloud is irrelevant. It is sufficient to know where our keys are and delete them.

https://www.darkreading.com/endpoint/cryptographic-erasure-moving-beyond-hard-drive-destruction/a/d-id/1333492
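The per-record key idea above, as an added example that is not part of the original post or the linked article: each record gets its own key held only in a key store, the ciphertext can be copied into any backup, and "deleting" a record means erasing its key. The keystream construction (HMAC-SHA256 in counter mode) is a standard-library stand-in for a real AEAD such as AES-GCM; the records and key store are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Added example, not from the article: cryptographic erasure with one key per
# record. Ciphertext may sit in any backup; deletion only ever touches the key
# store. The keystream is HMAC-SHA256 in counter mode, a standard-library
# stand-in for a real AEAD such as AES-GCM (use that in production).

class KeyStore:
    def __init__(self):
        self._keys = {}  # the only place the per-record keys exist

    def new_key(self):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get(self, key_id):
        return self._keys[key_id]  # KeyError once the key has been erased

    def erase(self, key_id):
        # This is the "delete": every copy of the ciphertext, wherever it was
        # backed up, becomes unrecoverable once the key is gone.
        self._keys.pop(key_id, None)

def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt_record(store, plaintext):
    key_id = store.new_key()
    nonce = secrets.token_bytes(16)  # stored beside the ciphertext, not secret
    stream = _keystream(store.get(key_id), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    return {"key_id": key_id, "nonce": nonce, "ct": ciphertext}

def decrypt_record(store, blob):
    """Plaintext, or None once the record has been cryptographically erased."""
    try:
        key = store.get(blob["key_id"])
    except KeyError:
        return None
    stream = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], stream))
```

Erasing one record's key leaves every other record readable, and a backup copy of the erased record's ciphertext is just as unreadable as the original, because the key never left the key store.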

Monday, December 17, 2018

True or False - Large companies have greater resources and skilled security teams, so they are better defended against cyberattacks. FALSE: they may have more resources, but they also have many more devices connected to the Net and a greater attack surface.

Here are some stats to back it up:
1. An average Fortune 500 firm had approximately 500 servers and devices connected to the Internet, with five to 10 systems exposing Windows file-sharing or Telnet services (yes, Telnet).

2. Fifteen out of the 21 industry sectors had at least one member allowing public access to a Windows file-sharing service.

3. One company in each of the aerospace & defense, chemical, and retail industries had more than 20,000 systems accessible through the Internet.

https://www.darkreading.com/perimeter/lax-controls-leave-fortune-500-overexposed-on-the-net/d/d-id/1333497

The Google Home smart speaker is a nice gadget to show to our friends. Here is some not-so-good news: remember the Magellan SQLite vulnerability (not the explorer)? Your gadget is affected by it too, meaning it could lead to remote code execution, leaking of program memory, or program crashes.

The good news is that there is no evidence of it being used in the wild (but that could change at any time).

https://www.scmagazine.com/home/security-news/remote-code-execution-flaw-found-in-google-home-smart-speaker/

Saturday, December 15, 2018

Do you use SQLite in your organization? (No? Check again.) Magellan, the newly discovered SQLite flaw, could allow remote attackers to execute arbitrary or malicious code on affected devices, leak program memory, or crash applications.

It is used by everybody, including Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft, and a bunch of other software.

SQLite is the most widely deployed database engine in the world today, used by millions of applications with literally billions of deployments, including IoT devices.

https://thehackernews.com/2018/12/sqlite-vulnerability.html

Friday, December 14, 2018

How to hack an email account protected by two-factor authentication? Easy: present the target with two fake pages, one for the credentials and the other for the (2FA) one-time code. Don't believe me? Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers called "Charming Kitten" using this technique.

As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers received the credentials in real time and entered them on the target's real login page. If the target's account was protected by 2FA, the hackers redirected the target to another page that asked for the one-time password.

Charming Kitten was involved in a targeted breach against top US officials and obtained the emails of over a dozen US Treasury officials, people involved in the nuclear deal signed between Tehran and Washington, DC think tank employees, Arab atomic scientists, and prominent figures from Iranian civil society.

https://www.hackread.com/hackers-bypassed-gmail-yahoos-2fa-to-target-us-officials/

If you use the Logitech Options desktop app, then you MUST read this. Logitech has finally issued a patch for a bug that could have allowed adversaries to launch keystroke injection attacks against Logitech keyboard owners who used the app.

Previously, a malicious actor could use a rogue website to send a range of commands to the Options app and change a user's settings. In addition, a malicious actor could send arbitrary keystrokes by changing some simple configuration settings. That in turn would allow a hacker to access all manner of information and even take over a targeted machine.

https://threatpost.com/logitech-keystroke-injection-flaw/139928/

Most of us post pics on Facebook, so I thought you should know this.

Facebook on Friday disclosed a bug in its platform that it said enabled third-party apps (1,500 apps built by 876 developers) to access the unpublished photos of 6.8 million users.

https://threatpost.com/facebook-photos-exposed/139940/

Thursday, December 13, 2018

Another SIS (Security Ignorance Syndrome) related data leak: an exposed S3 bucket compromises 120 million Brazilian citizens.

The treasure trove of Brazilian citizens' information included banks, loans, repayments, credit and debit history, voting history, full names, emails, residential addresses, phone numbers, dates of birth, family contacts, employment, voter registration numbers, contract numbers, and contract amounts.

First, someone renamed “index.html” to “index.html_bkp,” which revealed the directory's contents, and then did not prohibit access through the .htaccess configuration.

https://www.scmagazine.com/home/security-news/exposed-s3-bucket-compromises-120-million-brazilian-citizens/
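A check for the "exposed bucket" mistake above, as an added example that is not from the article: it walks an S3 bucket policy and reports every Allow statement that grants anonymous principals read or list access. Both policy documents are constructed; the bucket name, account id and role are placeholders.

```python
# Added example, not from the article: flag bucket-policy statements that grant
# read or list access to anonymous principals. Policies are plain dicts as
# returned by get-bucket-policy; the two below are constructed placeholders.

PUBLIC_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _is_anonymous(principal):
    # Both spellings mean "anyone": "Principal": "*" and "Principal": {"AWS": "*"}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_read_statements(policy):
    """Sids of Allow statements that let anonymous users read or list objects."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in PUBLIC_READ_ACTIONS for a in actions):
            # A Condition may narrow this; still report it for human review.
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanReadAndList",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::citizen-records", "arn:aws:s3:::citizen-records/*"],
    }],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyTheAppRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::citizen-records/*",
    }],
}
```

The policy document is only one of the ways a bucket becomes public (ACLs and the account's Block Public Access settings are the others), so treat this as one check in a set, not the whole audit.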

Wednesday, December 12, 2018

CLOUD adoption is a good decision provided we bake in security (else, get ready for data loss/breach). By default, pods in a Kubernetes cluster can receive traffic from any source, a setting 46% of businesses leave in place, exposing pods to network attacks. Further, 15% don't use identity and access management roles for access to Kubernetes clusters.

25% of organizations use popular managed container services such as Amazon Elastic Container Service for Kubernetes and Azure Kubernetes Service.

Common misconception: there's a lack of belief that they're necessarily going to be targeted, or an unwillingness to make an investment. The motivation to secure arrives after an incident.

Other stats:
27% allow root user activities.
Over 40% of API access keys have not been rotated in a 90-day period.

https://www.darkreading.com/perimeter/49--of-cloud-databases-left-unencrypted/d/d-id/1333462
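The "pods accept traffic from any source" default above can be closed per namespace with a default-deny ingress NetworkPolicy. As an added example that is not from the article, the code below shows that policy next to a look-alike that allows everything, and a small audit that lists the namespaces still missing a default deny. Policy objects are dicts in the shape `kubectl get networkpolicy -A -o json` returns; the namespaces and policies are constructed.

```python
# Added example, not from the article: report namespaces that still have no
# default-deny ingress NetworkPolicy, the default the survey says 46% of
# businesses leave in place. Policies are plain dicts in the shape that
# `kubectl get networkpolicy -A -o json` returns; the samples are constructed.

DEFAULT_DENY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
    # Empty podSelector = every pod in the namespace; no ingress rules = deny all.
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

# Looks almost identical but does the opposite: one empty rule allows all ingress.
ALLOW_ALL_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-all-ingress", "namespace": "web"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]},
}

def is_default_deny_ingress(policy):
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return False  # only some pods are selected, so the rest stay open
    # policyTypes defaults to ["Ingress"] when omitted (Egress is only added
    # automatically when egress rules are present).
    types = spec.get("policyTypes") or ["Ingress"]
    return "Ingress" in types and not spec.get("ingress")

def namespaces_without_default_deny(policies, namespaces):
    """Namespaces whose pods still accept traffic from any source."""
    covered = {p["metadata"]["namespace"] for p in policies if is_default_deny_ingress(p)}
    return sorted(set(namespaces) - covered)
```

A default deny only blocks traffic; the allow policies for legitimate callers come next, and the cluster's CNI must actually enforce NetworkPolicy for any of it to matter.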

Tuesday, December 11, 2018

You don't need Big Brother to track you; all you need is a few apps on your (dumb) smartphone.

Analysis of the mobile data of one user, a resident of upstate New York, revealed that her location was recorded over 8,600 times, on average once every 21 minutes.

In some cases, the data was updated over 14,000 times in a single day.

The companies that buy this data sell it, analyze it, or use it for advertising purposes, as well as providing it to retail outlets to obtain insights about consumer behavior.

About 75 companies receive location data on nearly 200 million US citizens.

https://www.hackread.com/apps-on-your-phone-selling-sharing-location-data/

Wednesday, December 5, 2018

Windows 10 security questions: good for recovery, but could be bad for security, as they could be used to set up a backdoor. Unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions."

The implications for someone abusing this without the account holder's knowledge are huge.

Security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."

Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets, change a user's security questions and answers, and thereby install a backdoor for accessing the same system in the future.

https://www.darkreading.com/endpoint/windows-10-security-questions-prove-easy-for-attackers-to-exploit/d/d-id/1333404

Tuesday, December 4, 2018

You might not be losing weight, but your wallet might become lightweight: the "Fitness Balance app" and "Calories Tracker app" appear to trick unsuspecting users into approving payments of over US $100.

Upon start-up of the apps, users are requested to scan their fingerprint in order to “view their personalized calorie tracker and diet recommendations.”

However, quick as a flash, the app pops up an in-app payment dialog asking you to approve a payment of US $99, US $119.99, or €139.99.

https://www.grahamcluley.com/fitness-tracking-apps-caught-misusing-touch-id-to-steal-money-from-iphone-users/

Remember the "He Went to Jared" commercial? Here is an add-on: "And he could access other orders by changing a link in his confirmation email."

A bug was discovered and reported by a Jared customer who learned he could access other shoppers' orders by altering a link in his confirmation email and pasting the link into his browser. It was a small change, the report states, but it led him to orders containing people's names, billing and shipping addresses, phone numbers, email addresses, items and amounts purchased, delivery dates, tracking links, and the last four digits of the credit card used.

“Being a Web developer, the only thing I can chalk this up to is complete incompetence, and being very lazy and indifferent to your customers’ data,” he said. “This isn’t novel stuff, it’s basic Web site security.”

https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/
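The "change the id in the link" bug above, with one fix beside it, as an added example that is not from the article or the retailer's code: the vulnerable lookup serves whatever order id appears in the link, while the hardened link also carries an HMAC over the id under a server-side key, so an edited id no longer verifies. The host, key and ORDERS table are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not from the article: the order-link bug beside a fix. The
# vulnerable lookup trusts the id in the link; the hardened link carries an HMAC
# over the id under a server key, so an edited id no longer verifies. The host,
# key and ORDERS table are constructed placeholders.

SERVER_KEY = b"constructed-demo-key-keep-secret-and-rotate"
BASE = "https://shop.example/order"
ORDERS = {
    "1001": {"customer": "alice@example.com", "item": "ring"},
    "1002": {"customer": "bob@example.com", "item": "watch"},
}

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def vulnerable_link(order_id):
    return f"{BASE}?{urlencode({'id': order_id})}"  # the id is all there is

def vulnerable_lookup(url):
    # Any id that exists is served: this is the leak the customer reported.
    return ORDERS.get(_query(url).get("id"))

def _tag(order_id):
    return hmac.new(SERVER_KEY, order_id.encode(), hashlib.sha256).hexdigest()

def hardened_link(order_id):
    return f"{BASE}?{urlencode({'id': order_id, 't': _tag(order_id)})}"

def hardened_lookup(url):
    q = _query(url)
    order_id, tag = q.get("id", ""), q.get("t", "")
    if not order_id or not hmac.compare_digest(tag, _tag(order_id)):
        return None  # id edited or tag forged: refuse before touching the order
    return ORDERS.get(order_id)

def edit_order_id(url, new_id):
    """Change only the id in a link, keeping every other parameter."""
    parts = urlparse(url)
    q = _query(url)
    q["id"] = new_id
    return parts._replace(query=urlencode(q)).geturl()
```

The tag protects unauthenticated email links only; a logged-in order page should additionally check that the order's customer matches the session user, since that ownership check is the one the report says was missing.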