Monday, December 30, 2019
Ransomware raises a few complex questions - When a company pays a ransom, shouldn't it start the breach notification process (as the crooks have our data)? Or should it wait for the cyber-crooks to expose our data? And what happens if there is a recurring demand for ransom? I guess "Prevention is better than cure" makes sense here.
Thursday, December 19, 2019
Want to keep track of your child with GPS-enabled smartwatches? Good idea, but remember the same device may also help others to track OUR kid. Welcome to the (gadget hungry) world filled with insecure toys.
This year alone, researchers have found several vulnerabilities in a number of child-tracking smartwatches. But new findings out today show that nearly all were harboring a far greater, more damaging flaw in a common shared cloud platform used to power millions of cellular-enabled smartwatches.
The cloud platform is developed by Chinese white-label electronics maker Thinkrace, one of the largest manufacturers of location-tracking devices. The platform works as a backend system for Thinkrace-made devices, storing and retrieving locations and other device data. Not only does Thinkrace sell its own child-tracking watches to parents who want to keep tabs on their children, the electronics maker also sells its tracking devices to third-party businesses, which then repackage and relabel the devices with their own branding to be sold on to consumers.
https://techcrunch.com/2019/12/18/cloud-flaws-millions-child-watch-trackers/
Tuesday, December 17, 2019
We can see three security mistakes in this statement - "The data was stored on unencrypted hard drives in payroll worker's computer equipment placed in the worker's vehicle"
1. No encryption (obvious)
2. Sensitive data was stored on a hard drive (why?);
3. No DLP (security budget cut?).
So, where is Facebook spending its security budget? (on products and people producing fancy dashboards?)
https://www.hackread.com/unencrypted-hard-drives-facebook-employees-stolen/
Thursday, December 12, 2019
Wednesday, December 11, 2019
Mega Breaches (in TB) when IGNORANT SaaS vendors store our data in Cloud
- In this instance the organizations exposed include California Courts, CenturyLink and Nasdaq and Xerox. The bucket also contained directories with other files relevant to clients – including internal public-relations strategy documents.
https://threatpost.com/ge-dunkin-forever21-internal-doc-leak/150920/
Tuesday, December 10, 2019
End of "AWS S3 security" excuse (when there is a data breach) - We have a new feature in AWS - AWS Identity & Access Management Access Analyzer
- It monitors S3 bucket access policies and provides alerts if you have a cloud-storage bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. If the Access Analyzer tool discovers that a bucket is misconfigured, you can respond to the alert by making a single click to "Block All Public Access."
https://businessinsights.bitdefender.com/amazon-battles-leaky-s3-buckets-with-a-new-security-tool
Monday, December 9, 2019
End of "S3 security is complex" Excuse leading to data breach - Use the new feature - AWS Identity & Access Management Access Analyzer
It monitors S3 bucket access policies and provides alerts if you have a cloud-storage bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. If the Access Analyzer tool discovers that a bucket is misconfigured, you can respond to the alert by making a single click to "Block All Public Access."
https://businessinsights.bitdefender.com/amazon-battles-leaky-s3-buckets-with-a-new-security-tool
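The two posts above describe what Access Analyzer flags: a bucket policy that grants access to anyone on the internet, or to another AWS account. The check itself is simple enough to reproduce locally, which is useful when reviewing policies before they are deployed. The following is an added example, not code from the original post, from AWS or from Access Analyzer; the account ids, bucket name and role name are constructed placeholders, and the analysis only covers the bucket policy (ACLs and the account-level Block Public Access settings are separate controls).

```python
import json

# Constructed sample bucket policies; account ids, bucket and role names are placeholders.
OWN_ACCOUNT = "111111111111"

PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                       # anyone on the internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

CROSS_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartnerRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},   # another account
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnAccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/payroll-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _principal_list(principal):
    """Flatten the Principal element ("*", or {"AWS": [...], "Service": ...}) into strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def _account_of(principal):
    """Return the 12-digit account id from an ARN or a bare account id, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[4] else None


def analyze_bucket_policy(policy_json, own_account=OWN_ACCOUNT):
    """Return a finding for every Allow statement that grants access to anyone or to another account."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for principal in _principal_list(stmt.get("Principal", {})):
            if principal == "*":
                kind = "PUBLIC"
            else:
                account = _account_of(principal)
                if account is None or account == own_account:
                    continue                      # service principal or our own account
                kind = "CROSS_ACCOUNT"
            findings.append({
                "kind": kind,
                "sid": stmt.get("Sid"),
                "principal": principal,
                "actions": actions,
                # A Condition may narrow the grant (e.g. to one VPC endpoint); flag for human review.
                "conditional": "Condition" in stmt,
            })
    return findings


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("cross-account", CROSS_ACCOUNT_POLICY), ("private", PRIVATE_POLICY)]:
        print(name, analyze_bucket_policy(policy))
```

The remediation the article describes, Block Public Access, is applied at bucket level with `aws s3api put-public-access-block --bucket <bucket> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`; a cross-account grant is not blocked by that setting, so findings of that kind still need a deliberate decision.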
Thursday, December 5, 2019
Your Cyber Insurance provider can deny your claim under "Act Of War" (Are they learning from Health Insurance Providers?)
After the Ransomware attack Merck was stunned when most of its 30 insurers and reinsurers denied coverage because the policies specifically excluded another class of risk called "an act of war"
https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war
Tuesday, December 3, 2019
Monday, December 2, 2019
Can a zero-trust approach help us reduce 3rd-party risk (the "elephant in the room"), which is becoming the 2nd most common reason for data breaches (the first being misconfiguration in the cloud)?
- Palo Alto Networks confirmed to Business Insider that the personal details of seven current and former employees had been "inadvertently" published online by a "third-party vendor" in February.
https://businessinsights.bitdefender.com/palo-alto-networks-employee-data-breach-highlights-risks-posed-by-third-party-vendors
Wednesday, November 27, 2019
Google wants to know everything about you. Now, it looks like Microsoft wants to know what Google knows about you. Or is it the good old Embrace, Extend and Extinguish strategy?
After a quick setup process, you simply link a Google Account to an Outlook.com account, and Gmail, Drive documents, and Google Calendar will all be automatically displayed inside Outlook.com on the web.
It looks very similar to how Outlook for iOS and Android work, with separate inboxes and side-by-side integration in the calendar.
https://www.theverge.com/2019/11/20/20973889/microsoft-outlook-web-gmail-google-drive-calendar-integration-support-features
Friday, November 22, 2019
New equation: Ransomware Infection = Data Breach (should I call it Ransom-Breach?). From now on, it is "pay up or we expose your data". So, back to basics - Data backup and awareness training.
After a deadline was missed for receiving a ransom payment, the group behind Maze Ransomware has published almost 700 MB worth of data and files stolen from a security staffing firm
https://blog.knowbe4.com/heads-up.-this-is-ugly-after-refusing-the-maze-ransomware-payment-their-stolen-data-was-leaked?
Wednesday, November 20, 2019
Exciting(/scary) feature(/bug) in Android - Secretly take pictures or record video -- even if your device is locked.
Google is strict when it comes to mobile applications obtaining access to sensitive information from camera, microphone, or location services. As a result, users must accept permission requests, but in Checkmarx's attack scenario, these requirements are bypassed.
https://www.zdnet.com/article/android-vulnerability-lets-rogue-apps-take-photos-record-video-even-if-your-phone-is-locked/
Tuesday, November 19, 2019
Monday, November 18, 2019
Disney launched a new streaming service and in a matter of a few hours, user accounts were hacked/stolen and put up for sale on hacking forums. Prices vary from $3 per account to as much as $11 (strangely, that's more than Disney's $7 offer).
https://www.zdnet.com/article/thousands-of-hacked-disney-accounts-are-already-for-sale-on-hacking-forums
Friday, November 15, 2019
Why you need to take Microsoft Patch Seriously - Microsoft has shipped out a fix for a critical flaw in Internet Explorer (IE) that is being exploited in the wild. Tracked as CVE-2019-1429.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,”
Importantly, there’s a possible attack vector – and it doesn’t even require you to use IE
https://www.welivesecurity.com/2019/11/14/microsoft-patch-internet-explorer-zero-day
Thursday, November 7, 2019
Insider Threat - Any/every organization can be affected. It's time that we take the "Zero Trust" security model seriously - Trend Micro saw about 100,000 of its consumer customers have their account information stolen.
The cybersecurity company said in a statement today the first inkling something was wrong came in August 2019 when some customers complained of receiving scam phone calls from people purportedly from Trend Micro. The information the callers disclosed to their targets during the conversations led the company to believe it had to have come from an insider.
The company said it never calls customers unannounced.
By late October the company was able to fully determine the attack was an inside job. An employee used fraudulent means to gain access to customer support databases, retrieve the data and sell it.
“Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” the company said.
https://www.scmagazine.com/home/security-news/insider-threats/trend-micro-hit-with-insider-attack/
Can this headline be true?? (Actually it is worse than what it states) - When the "Disable all macros without notification" feature is enabled, the XLM macros are actually automatically executed without any warning or prompts being shown to the user.
Some good news:
Fully patched versions of Office 2016 and Office 2019 for Mac reportedly do correctly report the presence of XLM macros inside SYLK files.
https://hotforsecurity.bitdefender.com/blog/mac-users-warned-that-disabling-all-office-macros-doesnt-actually-disable-all-office-macros-21744.html
Tuesday, November 5, 2019
Tuesday, October 22, 2019
"Smart Spies" in your "smart speakers" (Alexa, Google) - They could perform eavesdropping and voice-phishing, or using people’s voice cues to determine passwords
The vulnerability lies in small apps created by developers for the devices to extend their capability called Skills for Alexa and second app called Actions on Google Home, according to a report by Security Research Labs (SRLabs). These apps “can be abused to listen in on users or vish (voice phish) their passwords,” researchers said.
https://threatpost.com/new-way-found-to-use-alexa-google-to-voice-phish-and-eavesdrop-on-users/149352/
Friday, October 18, 2019
Apparently, If you don't use the right screen protector - Any fingerprint can unlock your Samsung Galaxy S10.
Ultrasonic fingerprint scanners can have problems with some screen protectors, as they may register the sound of a “fingerprint” which is bounced back off the screen protector rather than the actual fingerprint’s ridges.
In short, the phone has “registered” a fingerprint which may look like any finger pressing through the screen protector.
In other words – a fingerprint was not reliably registered in the first place.
https://www.grahamcluley.com/about-that-any-fingerprint-can-unlock-your-samsung-galaxy-s10-report/
Thursday, October 10, 2019
Did you know that you can BLOCK unknown callers in iOS 13
This is a great way to get rid of nuisance and spam callers.
To enable this feature, go to Settings > Phone > and toggle to Silence Unknown Callers.
https://www.zdnet.com/article/ios-13-security-and-privacy-settings-you-need-to-tweak-and-check/
Be aware that your CyberInsurance may not cover "stolen funds" - Example - AIG
Hackers fleeced SS&C out of $5.9 million in 2016 by emailing company employees from spoofed email addresses, and requesting monetary transfers. AIG says its policy stipulates that the insurer will not cover losses stemming from criminal activity.
https://www.cyberscoop.com/aig-cyber-insurance-lawsuit-bec/
Wednesday, October 9, 2019
We hear that Cybersecurity is a hot field, did you know that - 60% of IT Security Professionals are looking to leave current Job
- 53% - [An] unhealthy work environment ;
- 46% - lack of IT security prioritization from C-level or upper management ;
- 37% - unclear job expectations;
- 30% - lack of mentorship
In the workforce, it might look like this:
Situation -> Anger -> Action -> Unemployment and the cycle regenerates back to even more anger
https://www.hackread.com/information-security-professional-degeneration/
Tuesday, October 8, 2019
One common (forgotten) security issue that exists in our home - Vulnerabilities that will NEVER be patched because the system in unsupported (EOL) (Router, TV, IoT, or anything that can connect to internet).
For Example - The security researchers disclosed their findings to D-Link on September 22. Within 24 hours the hardware vendor had confirmed the vulnerability, and three days later, D-Link said that as the products are at End of Life (EOL) support, no patch will be released.
https://www.zdnet.com/article/d-link-routers-contain-remote-code-execution-vulnerability/
Thursday, October 3, 2019
MFA - We constantly hear about two-step verification failures, so please remember this - All authenticators are vulnerable, but NOT all authenticators are equally vulnerable.
Here’s a list of common credential types with an assessment of vulnerabilities (excluding coercion)
https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/All-your-creds-are-belong-to-us/ba-p/855124
Wednesday, October 2, 2019
You know about/have Cyber Insurance, but do you have Cyber Catalysts?
These are Services the Cyber Insurers consider effective in reducing cyber risk. Here is a list from Marsh.
I am not happy that they are recommending products. I wish they had just recommended threat categories (but, it is a good start). Hopefully, customers will not treat this as a check list to get discounts.
https://www.claimsjournal.com/news/national/2019/09/25/293273.htm
Tuesday, October 1, 2019
Monday, September 30, 2019
Smart people (you) set up Google Alerts; smarter people (hackers) use your alerts to hook victims into scams or push malware.
When the alert is clicked in the email, or even if the malicious page is clicked in a Google search, the target is taken to a malicious site.
“The best way to protect yourself from these types of low quality and malicious sites, is to specify you only want the “best results” when creating the alert. This can be configured under the alert options at the top of the Google Alerts page,” Abrams suggested
https://www.scmagazine.com/home/email-security/scammers-using-google-alerts-to-spread-malware-fraud-2/
Wednesday, September 25, 2019
Smart Homes need [Cyber-] Smart owners
A Google Nest system was hacked into by cyber criminals who turned the heat in a house up to a sweltering 32°C.
(Now, it gets scary,) Despite initially putting it down to a glitch, a terrifying voice soon started emitting from the camera, as well as some less-than-savoury music.
Does it matter if our TV is tracking us? - Analysis of 81 devices, including ones from Samsung, LG and Roku: 72 of the devices sent data to a destination that was not the device manufacturer itself. Moreover, data firms use TV IP addresses to link what people are watching to what they do and see on smartphones, tablets and laptops, he said. "It's like your TV is following you around."
The Princeton report discovered that information being sent from devices also originates with channels being viewed through the use of trackers, which are predominantly managed by Google and Facebook. Eighty-nine percent of Amazon Fire TV channels and 69 percent of Roku channels contained trackers collecting information about viewing habits and preferences, researchers found.
These trackers also feature information that can uniquely identify the device and where it's being used, including device serial numbers and IDs; Wi-Fi network names; and Wi-Fi identifiers known as MAC addresses.
Thursday, September 12, 2019
OWASP now has a new Top 10 list for API Security
As always, five of them are Authentication, Authorization, Injection, Misconfiguration and Insufficient Logging+Monitoring (the last two are easily avoidable).
ID | Category | Description |
A1 | Broken Object Level Authorization | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user. |
A2 | Broken Authentication | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user's identities temporarily or permanently. Compromising system's ability to identify the client/user, compromises API security overall. |
A3 | Excessive Data Exposure | Looking forward to generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user. Without controlling the client's state, servers receive more-and-more filters which can be abused to gain access to sensitive data. |
A4 | Lack of Resources & Rate Limiting | Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force. |
A5 | Broken Function Level Authorization | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions. |
A6 | Mass Assignment | Binding client provided data (e.g., JSON) to data models, without proper properties filtering based on a whitelist, usually lead to Mass Assignment. Either guessing objects properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads, allows attackers to modify object properties they are not supposed to. |
A7 | Security Misconfiguration | Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. |
A8 | Injection | Injection flaws, such as SQL, NoSQL, Command Injection, etc. occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization. |
A9 | Improper Assets Management | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints. |
A10 | Insufficient Logging & Monitoring | Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. |
https://www.owasp.org/index.php/OWASP_API_Security_Project
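Two of the categories in the table above, A1 (Broken Object Level Authorization) and A6 (Mass Assignment), come down to a couple of lines in each handler, so it is worth seeing the vulnerable shape next to the fixed one. The following is an added example, not code from the original post or from the OWASP project: an in-memory order store with constructed sample data stands in for the API's database, and the `Order` model, the `CLIENT_WRITABLE` whitelist and the handler names are assumptions for the illustration.

```python
import copy
from dataclasses import dataclass


@dataclass
class Order:
    id: int
    owner: str
    total: float
    status: str = "pending"
    refunded: bool = False      # must only ever be set by back-office code, never by a client


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def sample_store():
    """Constructed in-memory data set standing in for the API's database (fresh copy each call)."""
    return copy.deepcopy({
        1: Order(1, "alice", 42.0),
        2: Order(2, "bob", 99.0),
    })


# A1 (BOLA) - vulnerable: looks the object up by the client-supplied id and never asks who owns it.
def get_order_vulnerable(store, current_user, order_id):
    return store[order_id]


# A1 fixed: every data access driven by a client-supplied id is scoped to the caller.
def get_order(store, current_user, order_id):
    order = store.get(order_id)
    if order is None or order.owner != current_user:
        # Same error for "does not exist" and "not yours", so ids cannot be enumerated.
        raise NotFound(order_id)
    return order


# A6 (Mass Assignment) - vulnerable: binds every key of the JSON payload onto the model.
def update_order_vulnerable(store, current_user, order_id, payload):
    order = get_order(store, current_user, order_id)
    for key, value in payload.items():
        setattr(order, key, value)      # payload {"refunded": true} flips a server-only field
    return order


CLIENT_WRITABLE = {"status"}            # whitelist of fields a client may change


# A6 fixed: reject anything outside the whitelist instead of silently binding it.
def update_order(store, current_user, order_id, payload):
    order = get_order(store, current_user, order_id)
    unexpected = set(payload) - CLIENT_WRITABLE
    if unexpected:
        raise Forbidden("fields not writable by clients: %s" % sorted(unexpected))
    for key in payload:
        setattr(order, key, payload[key])
    return order


def raises(exc_type, fn, *args, **kwargs):
    """Small helper so callers can check that a handler refuses a request."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    store = sample_store()
    print("alice reads bob's order (vulnerable):", get_order_vulnerable(store, "alice", 2))
    print("alice reads bob's order (fixed) refused:", raises(NotFound, get_order, store, "alice", 2))
    print("refund via payload (fixed) refused:",
          raises(Forbidden, update_order, store, "alice", 1, {"refunded": True}))
```

Rejecting unknown fields (rather than dropping them) is a deliberate choice: a client that sends `refunded` is either buggy or probing, and either way you want to see it in the logs, which also serves A10.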
"SimJacker" vulnerability - Allows remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.
The vulnerability resides in a particular piece of software, called the S@T Browser (a dynamic SIM toolkit), embedded on most SIM cards that is widely being used by mobile operators in at least 30 countries and can be exploited regardless of which handsets victims are using.
https://thehackernews.com/2019/09/simjacker-mobile-hacking.html
Wednesday, September 11, 2019
"Security is Only as Strong as the Weakest Link" - A cyberattack last month ripped off $4.2 million after one employee's email account was compromised.
The incident, which occurred Aug. 26, affected the Oklahoma Law Enforcement Retirement System, or OLERS, which supports retired state troopers, park rangers and campus police at public universities.
https://statescoop.com/hackers-took-4-2-million-pension-fund-oklahoma-troopers/
Tuesday, September 10, 2019
Are you scrutinizing your vendor's security practices properly? - A member of a popular Russian-language cybercrime forum offered to sell access to the internal network of a U.S. government IT contractor that does business with more than 20 federal agencies, including several branches of the military.
In an interview with KrebsOnSecurity, Miracle Systems CEO Sandesh Sharda confirmed that the auction concerned credentials and databases were managed by his company, and that an investigating agent from the Secret Service was in his firm’s offices at that very moment looking into the matter.
Wisconsin-based security firm Hold Security, which alerted KrebsOnSecurity to this incident, indicated that at least eight of its internal systems had been compromised on three separate occasions between November 2018 and July 2019 by Emotet, a malware strain usually distributed via malware-laced email attachments that typically is used to deploy other malicious software.
https://krebsonsecurity.com/2019/09/secret-service-investigates-breach-at-u-s-govt-it-contractor/
Monday, September 9, 2019
Own one of these - a SonicWall firewall, Xerox printer or Trend Micro IPS? - You may want to check this out. Two billion critical infrastructure devices at risk of hacking (could lead to a WannaCry-like situation, says SCMagazine).
Affected devices from vendors:
ABB
Avaya
Belden Industrial Devices
Dräger
ExtremeNetworks
GE Healthcare
NetApp
Philips
Rockwell Automation
Schneider Electric
Siemens
Sonicwall Firewalls
TrendMicro IPS
Woodward
Xerox Printers
https://www.armis.com/urgent11/
Wednesday, September 4, 2019
Phishing Ver 2.0 - Welcome to Multi-stage attack
- Attacker sends an email to a victim, asking them to verify their PayPal or Amazon account. If the victim clicks the link in the email, they’ll be taken to a benign first-stage website, which is able to pass through email security filters undetected.
- This website redirects the victim to a second-stage site, which checks that the victim is a real person, and not a security scanner or associated with law enforcement.
- Next, the victim will be taken to the actual phishing site, where they’ll be asked to enter their email credentials, credit card details, and other sensitive information. This data is steganographically hidden in an image file and sent to the attacker’s email address. Once the information is sent, the victim loses access to the phishing page
https://blog.knowbe4.com/multistage-phishing-attacks-target-financial-information
Tuesday, September 3, 2019
Congrats Firefox - Firefox 69 now, blocks third-party cookies and cryptominers.
"Enhanced Tracking Protection works behind-the-scenes to keep a company from forming a profile of you based on their tracking of your browsing behavior across websites — often without your knowledge or consent," said Marissa Wood with Mozilla on Tuesday. "Those profiles and the information they contain may then be sold and used for purposes you never knew or intended."
Firefox users can see if Enhanced Tracking Protection is working when they visit a website and see a purple shield icon on their address bar. To see which companies Mozilla blocks, Firefox users can also click on that icon, go to the Content Blocking section, then click Cookies, where they can see Blocking Tracking Cookies.
https://threatpost.com/firefox-69-tracking-cookies-flash-support/147931/
Friday, August 30, 2019
iOS - Simply visiting a compromised website can lead to your iPhone being hacked silently by some unknown party.
Once compromised, encryption can be entirely undone. The malware will have access to almost all of the personal information available on the device, which it will be able to upload, unencrypted, to the attacker's server.
The implant would also enable hackers to snoop on Gmail and Google Hangouts, contacts and photos. The hackers could also watch where users were going with a live GPS location tracker. And the malware stole the "keychain" where passwords, such as those for all remembered Wi-Fi points, are stored.
https://www.forbes.com/sites/thomasbrewster/2019/08/30/whatsapp-encryption-undone-and-location-leaked--why-the-latest-iphone-hack-is-terrifying/#454619bc6d2e
Monday, August 26, 2019
Hostinger STUNG by Hackers - August 23rd breach has put the records of up to 14 million Hostinger users at risk.
Hostinger does not currently offer its customers two-factor authentication as an additional layer of security.
Data exposed in the security breach includes clients’ usernames, email addresses, hashed passwords, first names, and IP addresses.
https://www.grahamcluley.com/hostinger-resets-passwords-following-security-breach/
Thursday, August 22, 2019
Wednesday, August 21, 2019
3rd Party Risk? - Texas Hold'em (for Ransom) - Texas officials say the 23 attacks are all connected and carried out by a single threat actor.
The threat actor deployed the ransomware through the software from the managed service provider (MSP) used by the administration for technical support.
MSPs have started to be a frequent target for ransomware operators as a successful compromise offers access to multiple clients.
https://www.bleepingcomputer.com/news/security/hackers-want-25-million-ransom-for-texas-ransomware-attacks/
Tuesday, August 20, 2019
Bad news Apple fans - In iOS 12.4 Apple "accidentally unpatched" an old vulnerability (CVE-2019-8605) patched previously in iOS 12.3.
Dubbed "unc0ver 3.5.0," the jailbreak works with the updated iPhones, iPads and iPod Touches by leveraging a vulnerability that Apple previously patched in iOS 12.3 but accidentally reintroduced in the latest iOS version 12.4.
An anonymous researcher who goes by the online alias "Pwn20wnd" has released a free jailbreak for iOS 12.4 on GitHub that exploits a use-after-free vulnerability in iOS kernel responsibly reported to Apple earlier this year by Ned Williamson, a researcher working with Google Project Zero.
The vulnerability, tracked as CVE-2019-8605, allows an application to execute arbitrary code with system privileges on a target Apple device, which can not only be used to jailbreak them but also leaves users vulnerable to hackers.
https://thehackernews.com/2019/08/ios-iphone-jailbreak.html
Monday, August 19, 2019
Free Password Checkup extension for Chrome
It automatically takes the encrypted login credentials that we enter and verifies whether they may have been compromised by cross-checking them against a central database.
The tool developed with the help of Stanford cryptography researchers is available through a Password checkup extension on Chrome Web Store and notifies users whenever it finds that the user has entered username or password that has been leaked before in a data breach.
https://www.hackread.com/dodging-bad-passwords-with-googles-new-tool/
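The point of the tool above is that the check happens without handing the server your password: the client hashes locally and only a partial value leaves the browser. Google's extension uses a blinded, cryptographic protocol; the added example below illustrates the simpler hash-prefix ("range query") variant that Have I Been Pwned popularised, so that the idea can be seen end to end. This is an added example, not code from the original post or from Google; the list of leaked passwords is a constructed stand-in for the central database, and `PREFIX_LEN` is the assumed prefix size.

```python
import hashlib

# Constructed stand-in for the central database of passwords seen in breaches.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]

PREFIX_LEN = 5      # hex characters of the SHA-1 digest the client reveals (assumed)


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(passwords):
    """Server side: map each digest prefix to the set of digest suffixes seen in breaches."""
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def server_range_query(index, prefix):
    """Server side: the only thing it ever receives is a short prefix, never the password
    or its full hash, so it cannot tell which of the candidates the client holds."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return sorted(index.get(prefix, ()))


def is_leaked(password, index):
    """Client side: hash locally, send the prefix, compare the returned suffixes locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = server_range_query(index, prefix)
    return suffix in candidates


if __name__ == "__main__":
    index = build_server_index(LEAKED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        print(repr(candidate), "leaked:", is_leaked(candidate, index))
```

With a real corpus each 5-character prefix matches hundreds of digests, which is what gives the client its anonymity set; with five entries, as here, the server would still only learn a prefix. Unsalted SHA-1 is acceptable in this scheme only because the server never stores or receives anything it could reverse beyond what is already in the breach corpus.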
KNOB (Key Negotiation Of Bluetooth) - Weakness in the Bluetooth wireless standard that could allow hackers to intercept keystrokes, address books, and other sensitive data
The attack forces two or more devices to choose an encryption key just a single byte in length before establishing a Bluetooth connection. Attackers within radio range can then use commodity hardware to quickly crack the key
KNOB doesn't require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment.
https://news.hitb.org/content/new-attack-exploiting-serious-bluetooth-weakness-can-intercept-sensitive-data
Malware watches Porn - I mean, it records screen activity while you are watching Porn
Its prime target is Windows-based computers where once the device is infected it steals login credentials, financial details, and recording screen activities while its victim “enjoys” x-rated content.
Question - How does it know that you are watching PORN?
and
I guess there will be a new version that adds another feature that records you while you are watching PORN so that you can be blackmailed later.
https://www.hackread.com/malware-records-screen-activity-victim-watches-porn/
Tuesday, August 13, 2019
This is bad - a 20-year-old unpatched high-severity vulnerability affecting all versions of Microsoft Windows.
It allows a low-privileged application to read and write data to a higher-privileged application.
If exploited, the weakness in the CTF protocol could allow attackers to easily bypass User Interface Privilege Isolation (UIPI), letting even an unprivileged process:
- read sensitive text from any window of other applications, including passwords out of dialog boxes,
- gain SYSTEM privileges,
- take control of the UAC consent dialog,
- send commands to the administrator's console session, or
- escape IL/AppContainer sandboxes by sending input to unsandboxed windows.
The researcher has also released a custom open-source "CTF Exploration Tool" on Github that he developed and used to discover many critical security issues in the Windows CTF protocol.
Ormandy responsibly reported his findings to Microsoft in mid-May this year and released the details to the public today after Microsoft failed to address the issue within 90 days of being notified.
https://thehackernews.com/2019/08/ctfmon-windows-vulnerabilities.html
Monday, August 12, 2019
We have quickly moved from "Technocracy" to "Techno-Crazy", and the price we are paying is that there is no such thing as "Anonymized Data". 99.98% of Americans could be re-identified from an otherwise anonymized dataset if it included 15 demographic attributes.
In a 2000 paper, Latanya Sweeney estimated that 87% of US citizens could be identified using just three pieces of information: their 5-digit zip code, gender, and date of birth.
The removal of names is simply not enough to properly de-identify a person. We'll need to ensure that all personally identifiable information is anonymized in order to remove the risk of re-identification of individuals
https://www.darkreading.com/endpoint/privacy/companies-anonymized-data-may-violate-gdpr-privacy-regs/d/d-id/1335361
Friday, August 9, 2019
Thursday, August 8, 2019
Sad but True - When a Check Point researcher informed Microsoft of a flaw in its RDP client, he was told his finding "is valid but does not meet our bar for servicing", so it didn't warrant a patch.
But Microsoft fixed it once it realized the same flaw could be used to target its Hyper-V virtualization software in Windows 10 and Azure.
The patch came after Itkin discovered an attacker could use the flaw in Microsoft's RDP client for a sandbox escape or a "guest-to-host" virtual machine (VM) escape in Microsoft's Hyper-V Manager
Microsoft security software engineer Dana Baril and Itkin detail the connection between the RDP client and Hyper-V in an aptly titled presentation at Black Hat on Wednesday, called 'He Said, She Said – Poisoned RDP Offense and Defense'.
https://www.zdnet.com/article/windows-10-security-microsoft-dismissed-rdp-flaw-until-it-saw-hyper-v-was-affected/
Wednesday, August 7, 2019
Need another good reason to apply 07/18 Windows Patches? - SWAPGS Vulnerability
It could allow attackers to steal any type of information that is stored in the memory, including chat messages, emails, login credentials, payment information, passwords, encryption keys, tokens, or access credentials.
What it comes down to, is that no information can be kept secret.
In order to increase performance in CPUs, a feature called speculative execution will execute instructions before it knows if they are needed or not. Vulnerabilities that target this feature are called side-channel attacks.
In a new side-channel attack discovered by Bitdefender, attackers "break the memory isolation provided by the CPU, allowing an unprivileged attacker to access privileged, kernel memory."
https://www.bleepingcomputer.com/news/security/swapgs-vulnerability-in-modern-cpus-fixed-in-windows-linux-chromeos/
Tuesday, August 6, 2019
Oh no! Another hardware bug? - A flaw in Qualcomm chipsets called QualPwn allows hackers to compromise Android devices remotely simply by sending malicious packets over-the-air – no user interaction required.
The prerequisite for the attack is that both the attacker and targeted Android device must be active on the same shared Wi-Fi network.
One of the vulnerabilities allows attackers to compromise the WLAN and modem, over-the-air. The other allows attackers to compromise the Android kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android kernel over-the-air in some circumstances
https://threatpost.com/android-phones-qualpwn/146989/
The most common problems in IT Security are people (phishing, misconfiguration), 3rd party risk (too many parties, complexity, visibility issues) and IoT. I thought IoT should be comparatively easier but, it seems we are still ignoring it.
Although things like smartphones and desktop computers are often top of mind when it comes to security, it’s often the printer, camera, or decoder that leaves a door open for a hacker to exploit.
In multiple cases, Microsoft saw Fancy Bear get access to targeted networks because the IoT devices were deployed with default passwords. In another case, the latest security update was not applied. Using those devices as a starting point, the hackers established a beachhead and looked for further access.
https://www.technologyreview.com/f/614062/russian-hackers-fancy-bear-strontium-infiltrate-iot-networks-microsoft-report/
Insider Threat - Money talks, BS walks - In this case, AT&T employees took bribes to unlock millions of smartphones, and to install malware and unauthorized hardware (rogue wireless access points) on the company's network. More than $1 million in bribes were paid to several AT&T employees.
The bribery scheme lasted from at least April 2012 until September 2017
Fahd bribed AT&T employees to install malware on AT&T's network at the Bothell call center.
In November 2014, as Fahd began having problems controlling this malware, the DOJ said he also bribed AT&T employees to install rogue wireless access points inside AT&T's Bothell call center. These devices helped Fahd with gaining access to AT&T internal apps and network, and continue the rogue phone unlocking scheme.
The DOJ claims Fahd and Jiwani paid more than $1 million in bribes to AT&T employees, and successfully unlocked more than two million devices, most of which were expensive iPhones. One AT&T employee received more than $428,500 in bribes over a five year period,
https://www.zdnet.com/article/at-t-employees-took-bribes-to-plant-malware-on-the-companys-network/
Friday, August 2, 2019
“The Equifax settlement is laughable,” said Senator Ron Wyden. “With just $31 million to be divided up by all the Americans who filed to receive their $125 check, Americans have the choice of receiving pennies for having their credit details spilled out online, or receiving virtually worthless credit monitoring.”
As part of the $575 million settlement, up to $425 million was set aside to compensate those who could clearly prove they were victims of identity theft as a result of the breach.
For those unable to prove clear financial harm (most of us), the settlement offered users either free credit reporting for ten years, or a $125 one time cash payout. But because the FTC only set aside $31 million to pay for these payouts, it quickly ran out of cash and is now falsely telling consumers the free credit reporting is a “much better value.”
https://www.vice.com/en_us/article/d3agv7/the-equifax-settlement-is-a-cruel-joke
Unexpected freebie from Google that you might NOT like - A secret (hidden) microphone in home alarm product. Google says it goofed by keeping the microphone secret
“The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part.”
It went on to explain to Business Insider that it’s not unusual for security systems to have built-in microphones:
“The microphone has never been on and is only activated when users specifically enable the option.”
https://hotforsecurity.bitdefender.com/blog/google-in-hot-water-after-not-revealing-it-had-hidden-a-secret-microphone-in-home-alarm-product-20863.html
Capital One needed a Skilled engineer for 100M hack, Honda only needed a dumb admin to expose 134M rows of sensitive data
The data was on an unsecured Elasticsearch database that was freely accessible to anyone who came across it, and contained in-depth information about the company’s security systems and network.
This includes technical details of each individual computer, including IP addresses, operating systems, unique network identifiers and security solutions and patches.
As a result, the data would provide any malicious actors with an exhaustive map of the company’s systems, including all the soft spots that would provide easy access to the network. Any skilled – or even relatively unskilled – hacker could use this information to perform a successful and potentially devastating cyberattack on Honda, such as highly targeted attacks on high value employees
https://www.verdict.co.uk/honda-database-exposure/
Apple iPhone/iPad users - Upgrade your iOS to 12.4 - Apple has fully patched five of six critical flaws, including CVE-2019-8624 and CVE-2019-8646, which allow an attacker to read files off an iOS device remotely, without any interaction from the victim. The code to exploit these vulnerabilities is publicly available.
Only 9.6 percent of devices have been updated to iOS 12.4, as of August 1 – 10 days after the patch was released on July 22 and three days after the vulnerability was disclosed to the public on July 29.
“The exploit initiates a dump of the victim’s iMessage database and compromises the iOS sandbox, putting files on the device at risk,” explained Cuddeford, in a post on Thursday. “This vulnerability calls into question the integrity of iOS sandboxing, which is one of the most significant fundamentals of the entire iOS security model. This iMessage exploit has similar implications to a jailbreak in that the weakness in iMessage exposes the file space on the device.”
https://threatpost.com/90-enterprise-iphone-users-imessage-spy-attack/146899/
Thursday, August 1, 2019
Capital One, 100M customer info stolen - All it took was a misconfigured firewall and an experienced software engineer.
Misconfiguration is something that can happen in any security system/application, and it matters because vulnerabilities are easier to find compared to misconfigurations.
Approximately 100 million of the affected customers are in the US, with the remaining six million in Canada
The Capital One breach was discovered on 19 July 2019. The hack took place on 22 and 23 March.
On Monday, the FBI arrested the person allegedly responsible: Paige Thompson, a 33-year-old former systems engineer
https://www.verdict.co.uk/capital-one-breach/
Monday, July 29, 2019
After Google it is Apple - Apple contractors 'regularly hear confidential details' on Siri recordings
The Apple Watch and the HomePod smart speaker were named as the most frequent sources of mistaken recordings.
Sometimes, “you can definitely hear a doctor and patient, talking about the medical history of the patient.
A whistleblower, who asked to remain anonymous, expressed concerns about this lack of disclosure, particularly given the frequency with which accidental activations pick up extremely sensitive personal information.
The contractor said staff were encouraged to report accidental activation “but only as a technical problem”, with no specific procedures to deal with sensitive recordings
“There’s not much vetting of who works there, and the amount of data that we’re free to look through seems quite broad. It wouldn’t be difficult to identify the person that you’re listening to, especially with accidental triggers – addresses, names and so on.
https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings
Friday, July 26, 2019
Logic Bomb incident (Real and Not funny) - David Tinley was indicted in May 2019 and just last week pleaded guilty to one count of intentional damage to a protected computer. He is now facing up to 10 years imprisonment along with a fine of up to $250,000.
Tinley intentionally and without the company's knowledge or authorization inserted "logic bombs" into computer programs that caused glitches in the spreadsheet after the expiration of a certain date.
Tinley would just fix the issue by resetting the clock, invoice for his time, and then wait for the program to go wrong again, Law360 reports.
https://thehackernews.com/2019/07/siemens-logic-bomb.html
Friday, July 19, 2019
(From Twitter) For Infosec Pros who blame users -
Users: you gave us USB ports, but told us not to plug anything into them.
You tell us "Don't open links." But let's be real: if it was easy to spot a malicious link, you'd have already blocked it.
You tell us "don't open attachments" but it's something we HAVE to do for our jobs. Again, if spotting the malicious attachment was easy, why did you, the professionals, let it get to my inbox?
Thursday, July 18, 2019
We watch TV, but ever wonder what could happen if the TV is watching us?
A guy finds a video of himself and his wife on an X-rated website. Later, “cybersecurity experts” discovered that a hacker had hijacked control of the camera in his smart TV and captured footage of him as he “canoodled” with his wife on the sofa.
https://www.grahamcluley.com/did-a-hacked-smart-tv-upload-footage-of-couple-having-sofa-sex-to-a-porn-website/
Wednesday, July 17, 2019
Spearphone Attack - New Attack Lets Android Apps Capture Loudspeaker Data Without Any Permission
A separate team of cybersecurity researchers has successfully demonstrated a new side-channel attack that could allow malicious apps to eavesdrop on the voice coming out of your smartphone's loudspeakers without requiring any device permission.
Dubbed Spearphone, the newly demonstrated attack takes advantage of a hardware-based motion sensor, called an accelerometer, which comes built into most Android devices and can be unrestrictedly accessed by any app installed on a device even with zero permissions.
https://thehackernews.com/2019/07/android-side-channel-attacks.html
Tuesday, July 16, 2019
Insider Threat - Forget DLP, how many of us block USB or Cloud Storage?
- A newly unsealed federal indictment charges a software engineer for stealing proprietary information from his workplace and bringing it to China,
Within two weeks of his hiring date, Yao downloaded more than 3,000 files containing proprietary and trade secret data related to the system that runs the company's locomotives. Over the following six months he continued to download electronic files containing technical documents and software source code.
https://www.darkreading.com/risk/software-engineer-charged-for-taking-stolen-trade-secrets-to-china/d/d-id/1335224
Attention please !! - Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram
Dubbed "Media File Jacking," the attack leverages an already known fact that any app installed on a device can access and rewrite files saved in the external storage, including files saved by other apps installed on the same device.
Security researchers at Symantec yesterday demonstrated multiple interesting attack scenarios against WhatsApp and Telegram Android apps, which could allow malicious actors to spread fake news or scam users into sending payments to wrong accounts.
https://thehackernews.com/2019/07/media-files-whatsapp-telegram.html
Thursday, April 18, 2019
Wipro Supply Chain attack (Update-3) - This is similar to Cognizant (last year)
Maritz Holdings Inc., sued Cognizant saying a forensic investigation determined that hackers used Cognizant’s resources in an attack on Maritz’s loyalty program that netted the attackers more than $11 million in fraudulent eGift cards.
https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/
Wednesday, April 17, 2019
Wipro Supply Chain attack (Update) - Wipro's response is NOT SATISFACTORY
Wipro’s public response so far:
- Ignore reporter’s questions for days and then pick nits in his story during a public investor conference call.
- Question the stated timing of breach, but refuse to provide an alternative timeline.
- Downplay the severity of the incident and characterize it as handled, even when they’ve only just hired an outside forensics firm.
- Say the intruders deployed a “zero-day attack,” and then refuse to discuss details of said zero-day.
- Claim the IoCs you’re sharing with affected clients were discovered by you when they weren’t.
The source said a subsequent phishing campaign between March 16 and 19 netted 22 additional Wipro employees, and that the vendor investigating the incident has so far discovered more than 100 Wipro endpoints that were seeded with ScreenConnect, a legitimate remote access tool sold by Connectwise.com.
Additionally, investigators found at least one of the compromised endpoints was attacked with Mimikatz
The source also said the vendor is still discovering newly-hacked systems.
https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/
Tuesday, April 16, 2019
A chain is no stronger than its weakest link. What happens when the chain, in this case the "supply chain" itself, is weak? - "Supply Chain Attack"
Wipro Ltd. has confirmed that its network was hacked and used for mounting attacks on its customers.
“[Victims] traced malicious and suspicious network reconnaissance activity back to partner systems that were communicating directly with Wipro’s network,” according to the sources.
The incident is emblematic of the new era of highly targeted supply-chain attacks that have begun to accelerate.
https://threatpost.com/wipro-confirms-hack/143826/
Wednesday, April 10, 2019
Everyone is preparing for AI but, how many of us are thinking about AI Malware?
- The baseline for defending against these attacks will lie in ensuring all parts of the organization are visible and continually monitored.
- A couple promising areas for implementing defensive AI include threat intelligence mining and autonomous response.
https://www.securityweek.com/get-ready-first-wave-ai-malware
Tuesday, April 9, 2019
REMEMBER - When "Identity is the new perimeter", MFA combined with employee awareness can be a good firewall. There are now upward of 1.5 billion credentials floating in the wild, ready for use by malicious miscreants at an exposed service near your data. Akamai saw more than 115 million attempts to use stolen credentials per day, and three times during the year the attacks spiked to more than 250 million attempts per day.
In March, for example, the FBI warned management-software firm Citrix that attackers had breached the company's network using a low-volume credential-stuffing attack
"Nation-state actors typically target MSPs (managed service providers) and companies like Citrix due to their client base and intellectual property," he said. "Other than espionage or financial profit, MSPs can also be targeted and leveraged in supply chain attacks that are used as a staging point to distribute additional malware."
https://www.darkreading.com/threat-intelligence/credential-stuffing-attacks-behind-30-billion-login-attempts-in-2018/d/d-id/1334371
Monday, April 8, 2019
SCARY - Malware can actually alter your CT/MRI scan to show a fake tumor - A team from Israel developed the malicious software to show how easy it is to do that.
The program was able to convincingly add fake malignant growths to images of lungs taken by MRI and CT scanning machines.
How? - Because the files were generally not digitally signed or encrypted. This means any changes would be hard to spot.
The images targeted were scans of lungs but the malware could be tuned to produce other fake conditions such as brain tumors, blood clots, fractures or spinal problems
While hospitals were careful about sharing sensitive data beyond their boundaries, they took much less care when handling data internally, said one of the researchers.
https://www.bbc.com/news/technology-47812475
Thursday, April 4, 2019
Welcome news - Finally one company (Kaspersky) has decided to flag stalkerware as malware. Thanks to Eva Galperin, the head of cybersecurity at the Electronic Frontier Foundation, for persuading them. Galperin has studied stalkerware and helped domestic abuse victims and human rights activists for years.
She'll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn't allow antivirus apps into its App Store.
Finally, and perhaps most drastically, she says she'll call on state and federal officials to use their prosecutorial powers to indict executives of stalkerware-selling companies on hacking charges.
https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/
Two apps that use Facebook data expose millions of Facebook users. Reminds me of "Show Me Your Friends and I’ll Show You Your Future" because, our business associate's risk is also our risk
Facebook apps essentially knit themselves into the Facebook ecosystem for free, almost instantly enjoying the imprimatur and reach of the world’s biggest social networking company.
These breaches happened through plain old carelessness – databases hosted in the cloud and apparently almost casually left open to the world.
That’s like running your own servers in your own server room, but leaving the server room door unlocked with a big sign on it saying, “Free admission. Please don’t be naughty.”
In fact, it’s like copying critical data from your own servers onto a whole boxful of unencrypted USB drives and walking round a Dark Web convention handing them out to all and sundry.
https://nakedsecurity.sophos.com/2019/04/04/facebook-apps-expose-millions-of-users-facebook-data/
Thursday, March 28, 2019
"Threat Landscape" - we security folks get it, but what about "Trust Landscape"? This is an interesting phrase, highly relevant to this "everything is connected" world, and it has a big impact on how we manage risk.
In the digital world, 3rd through Nth party risk is far greater than first party risk. It's like when you trust your home to your teenage kids, it's the friends of their friends you should worry about the most.
https://www.rsa.com/en-us/blog/2019-03/the-trust-landscape
Tuesday, March 26, 2019
Someone forgot the importance of API and cryptographic keys - NCSU academics scanned GitHub accounts for a period of nearly six months and found 575,456 API and cryptographic keys, of which 201,642 were unique, all spread over more than 100,000 GitHub projects. "81% of the secrets were not removed," researchers said. "It is likely that the developers for this 81% either do not know the secrets are being committed or are underestimating the risk of compromise."
In one case, we found what we believe to be AWS credentials for a major website relied upon by millions of college applicants in the United States, possibly leaked by a contractor
They also found AWS credentials for the website of a major government agency in a Western European country. In that case, we were able to verify the validity of the account, and even the specific developer who committed the secrets. This developer claims in their online presence to have nearly 10 years of development experience
Last, but not least, researchers also found 7,280 RSA keys inside OpenVPN config files. By looking at the other settings found inside these configuration files, researchers said that the vast majority of the users had disabled password authentication and were relying solely on the RSA keys for authentication, meaning anyone who found these keys could have gained access to thousands of private networks.
https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/
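A defender-side check for exactly the two leak types described above (AWS credentials and RSA private keys inside OpenVPN configs), written as an added example for this post and not taken from the NCSU study or any real scanner. The file contents and paths are constructed; the AWS values are the well-known documentation placeholders, and the PEM body is not a real key.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics;
# the matching secret is 40 base64-like characters.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
AWS_SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")
# PEM private key header, with or without the "RSA " tag.
RSA_PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")


@dataclass
class Finding:
    path: str
    line: int      # 0 means the finding applies to the whole file
    kind: str
    detail: str


def scan_file(path: str, content: str) -> list[Finding]:
    """Return secret findings for one file; path is used for reporting only."""
    findings: list[Finding] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws-access-key-id", m.group(1)))
        if AWS_SECRET_RE.search(line):
            findings.append(Finding(path, lineno, "aws-secret-access-key",
                                    "40-char secret after aws_secret_access_key"))
        if RSA_PRIVATE_KEY_RE.search(line):
            findings.append(Finding(path, lineno, "rsa-private-key", "PEM private key block"))
    # OpenVPN-specific check: a private key with no auth-user-pass directive
    # means the key alone grants network access, the case the study highlighted.
    if (path.endswith(".ovpn") and RSA_PRIVATE_KEY_RE.search(content)
            and "auth-user-pass" not in content):
        findings.append(Finding(path, 0, "ovpn-key-only-auth",
                                "inline private key and password authentication disabled"))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content, e.g. the files staged in a commit."""
    out: list[Finding] = []
    for path, content in files.items():
        out.extend(scan_file(path, content))
    return out


# Constructed sample "repository" (hypothetical paths and contents).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "vpn/client.ovpn": (
        "client\n"
        "remote vpn.example.invalid 1194\n"
        "<key>\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEconstructedNOTAREALKEY\n"
        "-----END RSA PRIVATE KEY-----\n"
        "</key>\n"
    ),
    "README.md": "Example project. Do not commit credentials.\n",
}

if __name__ == "__main__":
    # Expected: two findings in settings.py and two in client.ovpn.
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
```

Wired into a pre-commit hook, a check like this catches the "developers do not know the secrets are being committed" case before the push, which is cheaper than rotating keys afterwards.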
Thursday, March 21, 2019
MFA is a MUST, here is another story to support it - Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012.
The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees
https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
Tuesday, March 19, 2019
It is time to update our employee training messages - Blackmail, primarily sextortion, accounts for 1 in 10 spear-phishing messages. The attacks are likely underreported because of the sensitive nature of the threat.
Gift cards have become a common way for scammers to cash out
Barracuda Networks found that 83% of targeted phishing attacks, also known as spear-phishing, appear as a message from an administrator at a popular service, asking for the user to log in.
For victims of BEC scams, text messaging presents additional dangers. The attacker now has the target's mobile number, which allows them to potentially punish non-compliant victims with spam
https://www.darkreading.com/threat-intelligence/stealing-corporate-funds-still-top-goal-of-messaging-attacks/d/d-id/1334194
Monday, March 18, 2019
Security technology or products will NOT help us unless we understand how to IMPLEMENT them securely. Don't take my word for it; here is what the hacker (behind more than 840 million account records appearing for sale on the Dark Web) told ZDNet: he obtained these records just last month, and they all lacked strong encryption for their passwords.
With this latest credential dump, a total of 38 companies have found their users’ account data up for sale on the underground at the hands of Gnosticplayers. The six companies impacted this time are an eclectic bunch, comprising the GameSalad developer platform, a Brazilian Amazon-equivalent called Estante Virtual, project-management apps Coubic and LifeBear, and two Indonesian companies: The Bukalapak e-commerce giant and a student career site, YouthManual.
https://threatpost.com/fourth-credential-spill-dreammarket/142901/
Thursday, March 14, 2019
2FA is a MUST but combining 2FA with Awareness training is the way-to-go - Hackers have been refining their password-stealing schemes to also nab the one-time passcode. So-called "phishing kits" steal a victim's password and two-factor authentication passcode as they type it into deceptive email and login pages, and then quickly break into the affected account within the 30-SECOND time limit.
OR
Use hardware-based solution like USB security keys (which introduce a different problem, support and maintenance)
https://in.pcmag.com/google-titan-security-key-bundle/129100/google-phishing-attacks-that-can-beat-two-factor-are-on-the
Software Supply Chain Attack - When modern software applications, such as websites or mobile phone apps, are built using complex supply chains of third party libraries or open source components which are COMPROMISED.
No wonder, #9 in OWASP top 10 is "Using Components with Known Vulnerabilities".
In supply chain attacks, attackers leverage trusted third party vendors to deliver malware to unsuspecting customers by inserting malware into third-party code
Through the supply chain threat actors can reach a wide range of organizations due to third party code that is used by so many software engineers across all industries.
Furthermore, there is no good way to partition third party libraries or code from your organization’s in-house built code. As a result, it all runs within the same privilege.
https://blog.checkpoint.com/2019/03/13/mobile-supply-chain-attacks-are-more-than-just-an-annoyance/
Wednesday, March 13, 2019
Great news for Windows 10 users - Microsoft will automatically uninstall buggy software updates installed on your system if Windows 10 detects a startup failure, which could be due to incompatibility or issues in new software.
For Windows 10 users who believe that the updates in question should not have been uninstalled, Microsoft allows them to manually install driver or quality updates.
https://thehackernews.com/2019/03/windows-buggy-updates.html
Tuesday, March 12, 2019
Serverless computing is popular. How about the associated Security Risks? - Let's start with a dozen.
A new guide from the Cloud Security Alliance offers mitigations, best practices, and a comparison between traditional applications and their serverless counterparts.
https://www.darkreading.com/cloud/the-12-worst-serverless-security-risks/a/d-id/1334079
Monday, March 11, 2019
Looks like Voice Phishing (VISHING) popularity is on the rise - taxpayer voice phishing scams are up nearly 20x. Since January 2018, the FTC says, it has received more than 63,000 reports of this scam. Reported losses totaled $16.6 million, with a median loss of $1,484.
The FTC asks us all to remember these things:
- Your Social Security Number is not about to be suspended. Your bank account is not about to be seized.
- The real SSA will never call to threaten your benefits or tell you to wire money, send cash, or put money on gift cards.
- You can’t believe the numbers on your caller ID. Scammers can easily fake those. But if you’re worried, call the real SSA at 1-800-772-1213. You can trust that number if you dial it yourself – just not on your caller ID.
- Never give your SSN, credit card or bank account number to anyone who contacts you. Ever.
https://nakedsecurity.sophos.com/2019/03/11/ftc-says-taxpayer-voice-phishing-scams-are-up-nearly-20x/
Wednesday, March 6, 2019
Docker vulnerability + exposed remote Docker API = Fully compromised host. Researchers found 3,822 Docker hosts with the remote API open to the public, and after attempting to connect to the IPs via port 2735 to list Docker images, a total of 400 IPs were accessible. These could be compromised for the purposes of illicit cryptocurrency mining.
It is possible to interact with Docker via terminals or remote application programming interfaces (APIs). However, if these control mechanisms are exposed, this can lead to the compromise of the container and potentially the applications contained within.
A vulnerability, CVE-2019-5736, was publicly reported in February which can be used to obtain host root access from a Docker container, and as Imperva researchers note, "the combination of this new vulnerability and exposed remote Docker API can lead to a fully compromised host."
https://www.zdnet.com/article/exposed-docker-hosts-can-be-used-in-cryptocurrency-mining/
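The exposure described above is a daemon configuration problem, so an added example (not from Imperva or the Docker project) that audits a dockerd daemon.json for a remote API listener reachable beyond loopback without TLS client verification, with the weak configuration beside a hardened one. The file paths under /etc/docker are assumed; the daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options.

```python
from __future__ import annotations
import json
from urllib.parse import urlsplit

DOCKER_PLAIN_API_PORT = 2375          # conventional unencrypted remote API port
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(config: dict) -> list[str]:
    """Return findings for a dockerd daemon.json-style dict.

    Any tcp:// listener bound beyond loopback gives whoever can reach it full
    control of the daemon (and, via the container, of the host), unless the
    daemon requires client certificates (tlsverify) signed by a trusted CA.
    """
    findings: list[str] = []
    tlsverify = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                       # unix:// and fd:// are local-only
        parsed = urlsplit(host)
        bind = parsed.hostname or "0.0.0.0"
        port = parsed.port or DOCKER_PLAIN_API_PORT
        if bind in LOOPBACK:
            continue
        if not tlsverify:
            findings.append(f"{host}: remote API on {bind}:{port} "
                            "without TLS client verification")
        elif not config.get("tlscacert"):
            findings.append(f"{host}: tlsverify set but no tlscacert configured")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Audit the raw text of a daemon.json file."""
    return audit_daemon_config(json.loads(text))


# Constructed weak configuration: the API is exposed on every interface, in
# the clear, exactly the situation the scan above found on 3,822 hosts.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed hardened configuration (certificate paths are hypothetical):
# the listener moves to the TLS port and requires CA-signed client certs.
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    print("weak:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_CONFIG))
```

Even the hardened form still exposes the daemon to anyone holding a valid client certificate, so a host firewall rule limiting who can reach port 2376 remains the first line of defence.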
[Risk Assessment Failure] Comcast did not protect its mobile accounts with a unique PIN. It used "0000" and the consequence was - Someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with his credit card—and went to the Apple Store in Atlanta and bought a computer.
To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally use PINs to verify that a customer seeking to port a number actually owns the number. But Comcast reportedly set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. That means that an attacker who acquired a victim's Comcast account number could easily port the victim's phone number to another carrier.
https://arstechnica.com/information-technology/2019/03/a-comcast-security-flub-helped-attackers-steal-mobile-phone-numbers/
Tuesday, March 5, 2019
BACKSTORY - A cloud-based enterprise-level threat analytics platform from Chronicle (a Google company). Sounds interesting, so the most important question is: are you ready to store your security logs on Google Cloud Platform?
Backstory converts log data—such as DNS traffic, NetFlow, endpoint logs, proxy logs—into meaningful, quickly searchable and actionable information to help companies gain insights into digital threats and attacks on their networks, but at scale to offer a more complete picture of the threat landscape.
Backstory also compares data against "threat intelligence" signals collected from a variety of partners and other sources, including the Alphabet-owned VirusTotal, Avast, Proofpoint and Carbon Black.
It also continuously compares any new piece of information against your company's historical activity, to notify you of any historical access to known-bad web domains, malware-infected files, and other threats
https://thehackernews.com/2019/03/backstory-cybersecurity-software.html
Friday, March 1, 2019
Some useful stats for software developers: 22,022 security vulnerabilities were disclosed in 2018, and 27% had no known or available fix:
- 47.9% - Web Related
- 27.5% - Access, Authentication
- 67.7% - Improper input validation
- 33% - severity rating of 7 or above. Nearly one-third of them had public exploits available and more than half were remotely exploitable.
https://www.darkreading.com/vulnerabilities---threats/more-than-22000-vulns-were-disclosed-in-2018-27--without-fixes/d/d-id/1333998
Wednesday, February 27, 2019
That USB-C port is a wonderful invention but also a good attack vector when it carries Thunderbolt - Security researchers have discovered a new class of vulnerabilities (Thunderclap) that impacts all major operating systems, including Microsoft Windows, Apple macOS, Linux and FreeBSD, allowing attackers to bypass the protection mechanism (the IOMMU) introduced to defend against DMA attacks.
In particular, all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook. Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected - check whether your laptop has a Thunderbolt port.
A Thunderbolt port gives connected peripherals direct memory access, and Thunderclap shows how a malicious peripheral can bypass operating system security policies and read/write system memory containing sensitive information, including passwords, banking logins, private files and browser activity.
The researchers also built proof-of-concept attack hardware that exploits the Thunderclap vulnerabilities on targeted systems, but chose not to release it publicly at this time.
https://thehackernews.com/2019/02/thunderbolt-peripheral-dma-attacks.html
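A first check a Linux user can run is whether the kernel has an IOMMU active at all and what security level each Thunderbolt domain is set to. This is an added example, not code from the Hacker News article or the Thunderclap researchers. It reads the sysfs attributes Linux exposes (`/sys/kernel/iommu_groups` and `/sys/bus/thunderbolt/devices/domainN/security`); the `iommu_dma_protection` attribute is assumed to exist only on newer kernels and is treated as optional. The `sysfs` argument is there so the checks can be run against a constructed tree.

```python
"""Report a Linux host's Thunderbolt/DMA posture from sysfs.

Added example; not from the article. Thunderclap's point is that an active
IOMMU is necessary but not sufficient, so a clean report here means only that
the baseline protections are switched on.
"""
from pathlib import Path


def iommu_active(sysfs="/sys"):
    """True if the kernel created at least one IOMMU group (IOMMU enabled and in use)."""
    groups = Path(sysfs) / "kernel" / "iommu_groups"
    return groups.is_dir() and any(groups.iterdir())


def thunderbolt_domains(sysfs="/sys"):
    """Thunderbolt host controllers, exposed as domain0, domain1, ... under sysfs."""
    base = Path(sysfs) / "bus" / "thunderbolt" / "devices"
    if not base.is_dir():
        return []
    return sorted(p for p in base.iterdir() if p.name.startswith("domain"))


def _read_attr(path):
    try:
        return path.read_text().strip()
    except OSError:
        return None


def assess(sysfs="/sys"):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if not iommu_active(sysfs):
        findings.append("no IOMMU groups: DMA-capable peripherals can read and write all of RAM")
    for dom in thunderbolt_domains(sysfs):
        level = _read_attr(dom / "security")
        # 'none'   = every device gets PCIe access silently
        # 'user'   = after a one-time approval by the logged-in user
        # 'secure' = approval plus a per-device key challenge
        # 'dponly' = DisplayPort tunnelling only, no PCIe at all
        if level == "none":
            findings.append(f"{dom.name}: security level 'none', PCIe devices attach without approval")
        elif level == "user":
            findings.append(f"{dom.name}: security level 'user', one click approves a DMA-capable device")
        elif level is None:
            findings.append(f"{dom.name}: security level unreadable")
        # Assumption: newer kernels expose iommu_dma_protection ('1' when firmware asked the
        # OS to keep the IOMMU on for Thunderbolt devices); a missing file is not a finding.
        protection = _read_attr(dom / "iommu_dma_protection")
        if protection == "0":
            findings.append(f"{dom.name}: firmware did not request IOMMU DMA protection for Thunderbolt")
    return findings


if __name__ == "__main__":
    for line in assess() or ["no findings (baseline DMA protections present)"]:
        print(line)
```

Run it as root or not; sysfs is world-readable. A laptop that reports `dponly` or has no Thunderbolt domain at all is outside the Thunderclap attack surface for that port, which is the cheapest mitigation when you never use PCIe peripherals.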
Tuesday, February 26, 2019
You MUST watch this - Rep. Katie Porter traps the Equifax CEO with his own answer:
She asks him to provide his SSN and birth date in a public hearing.
He declines, citing the potential for harm.
She then asks: "Why are Equifax's lawyers arguing in court that there was no harm" from the data breach?
https://twitter.com/i/status/1100459600824815617
Time to patch WINRAR (to version 5.70 beta 1) - A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted actively being exploited in a spam campaign spreading malware.
If a bad actor used spear-phishing tactics to send an unknowing victim a disguised ACE file, and the victim opened the file in WinRAR, the file would automatically extract in the victim’s startup folder and malware could then be quickly planted on the system.
https://threatpost.com/critical-winrar-flaw-found-actively-being-exploited/142204/
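The lure depended on two things an extractor or a mail gateway can check: an ACE archive renamed to look like something else, and a member path that walks out of the extraction directory into the Startup folder. The following is an added example, not code from the Threatpost article or from WinRAR; the ACE and RAR signatures are the published format magics, the sample headers are constructed, and `safe_extract_path` is the check a hardened extractor should apply to every member name.

```python
"""Spot ACE archives hiding behind another extension and refuse traversal paths.

Added example, not code from the article or WinRAR.
"""
import os
import posixpath

ACE_MAGIC = b"**ACE**"       # ACE signature, stored at byte offset 7 of the archive
ACE_MAGIC_OFFSET = 7
RAR_MAGIC = b"Rar!\x1a\x07"  # common prefix of the RAR 1.5-4.x and RAR 5 signatures


def archive_kind(head):
    """Classify an archive from its first bytes, ignoring the file name entirely."""
    if head.startswith(RAR_MAGIC):
        return "rar"
    if head[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def disguised_ace(filename, head):
    """True when the content is ACE but the extension says otherwise (the phishing lure)."""
    ext = os.path.splitext(filename)[1].lower()
    return archive_kind(head) == "ace" and ext != ".ace"


def safe_extract_path(dest_dir, member_name):
    """Resolve an archive member's name under dest_dir, or raise ValueError.

    Refuses absolute paths, Windows drive letters and any '..' component, then
    re-checks the resolved path so a symlink inside dest_dir cannot redirect it.
    """
    name = member_name.replace("\\", "/")          # archives built on Windows use backslashes
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        raise ValueError(f"absolute path in archive: {member_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"traversal or empty member name: {member_name!r}")
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    if os.path.commonpath([dest, target]) != dest:
        raise ValueError(f"member escapes destination: {member_name!r}")
    return target
```

The content check matters more than the extension check in mail filtering: blocking `.ace` attachments by name does nothing against a file called `invoice.rar` whose bytes are ACE, which is exactly how the campaign delivered its payload.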
Sunday, February 24, 2019
After a ransomware incident, here is what one company said - "We paid the ransom, and it sucked".
(Did this company not know what the "A" (Availability) in the CIA triad means?)
"When they encrypt the data, that happens really fast." "When they gave us the keys to decrypt it, things didn't go quite as cleanly."
Smart people learn from others' mistakes. Are you ready to learn from these guys?
Experts say attacks like the one against Apex HCM are playing out across the world every day, and have turned into a billion-dollar business for cyber thieves. The biggest group of victims are professional services firms
Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company’s customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers.
https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/
Friday, February 22, 2019
Just be aware that every time you turn on the location service/GPS setting on your smartphone, say to use Uber or Google Maps, the Facebook app will also start tracking your location.
Because installing the Facebook app on an Android or iOS smartphone automatically gives the social media company your consent to collect the history of your precise location.
Users can manually turn Facebook's Location History option OFF from the app settings
Unfortunately, disabling Location History would also break some Facebook features that rely on location data like checking into a nearby location, tagging locations in an uploaded photo
https://thehackernews.com/2019/02/facebook-location-tracking.html
As long as we spend more money on security tech and less on people , we will continue to see more breaches and security incidents. Technology CANNOT think so, to adapt to the ever changing threat landscape we need intelligent people (do not confuse them with "power point" experts or "Yes-men") to protect our organization.
Indeed, the number of attacks are on the rise, taking longer to address than ever before. It's estimated that the average cost of a data breach in 2018 was up 6.4% over the previous year to $3.86 million. This is why companies cannot afford to simply rely on preventative technologies, which often lull them into a false sense of security.
Security teams understand they need to think like hackers. And they understand that it's not computers attacking their companies. Rather, it's the people behind them — people with real-life experience and intuition.
https://www.darkreading.com/threat-intelligence/to-mitigate-advanced-threats-put-people-ahead-of-tech/a/d-id/1333913
Thursday, February 21, 2019
"Security culture" can help you avoid embarrassment. Example - A patient who Googled their own name was able to view their medical file.
Because someone misconfigured a web server belonging to the University of Washington, data on 974,000 patients was searchable on the internet from December 4 to 26.
UW did not discover the problem; the patient reported the finding to them.
https://www.scmagazine.com/home/security-news/data-breach/misconfigured-database-exposes-974000-university-of-washington-medicine-patients/
Wednesday, February 20, 2019
Monday, February 18, 2019
Joke of the day - A man called Jay Brodsky is bringing a class action against Apple in California, complaining that two-factor authentication (2FA) on an iPhone or Mac takes too much time.
In his class action suit, Brodsky alleges:
- Apple enabled 2FA on his account without his explicit consent. Which seems very odd, as my experience has been that Apple only offers 2FA on an opt-in basis.
- 2FA is too inconvenient to actually set up - requiring several steps on several devices.
- 2FA is just too darn inconvenient to use… because it requires you to both remember a password *and* have access to a trusted device. Umm, isn’t this exactly how 2FA is supposed to work? Helping to stop hackers simply needing your password to break into your accounts.
- Apple doesn’t let you disable 2FA after it has been enabled for two weeks straight. This appears to be true. It looks like Apple gives you 14 days’ grace to deactivate 2FA if you wish, but after that… you’re 2FA-secured. Of course, this could be argued to be a good thing security-wise.
- 2FA is required every time an Apple device is turned on. Really? Can’t say I’ve noticed.
- 2FA takes between two to five minutes to complete. Hmm. When AppleInsider got its stopwatch out, it reckoned the 2FA process took them in total about 22 seconds to complete.
https://www.grahamcluley.com/apple-sued-two-factor-authentication/
Most common lie - "We take your privacy and security seriously." About one-third of 285 data breach notifications had some variation of the same line.
So, most companies don't care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.
Most of the breaches today are the result of shoddy security over years, or sometimes decades, coming back to haunt them.
Companies would rather just pay the fines:
- Target paid $18.5 million for a data breach that ensnared 41 million credit cards, compared to full-year revenues of $72 billion.
- Anthem paid $115 million in fines after a data breach put 79 million insurance holders' data at risk, on revenues that year of $79 billion.
- - Remember Equifax? The biggest breach of 2017 led to all talk but no action.
https://techcrunch.com/2019/02/17/we-take-your-privacy-and-security-seriously/
Friday, February 15, 2019
Phishing attack bent on stealing Facebook credentials - A bad actor was able to design a very realistic-looking social login popup prompt in HTML. When a victim visits a malicious website (which an attacker could convince them to visit using social engineering or otherwise), they are prompted to log into their Facebook account via a fake login prompt. Once they fill in their username and password, that information is sent to the attacker.
“The only way to protect yourself from this type of attack is to actually try to drag the prompt away from the window it is currently displayed in,” he said. “If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake.”
In general, as a precaution users should always drag popups away from their initial position to spot for abnormal behavior.
https://threatpost.com/sneaky-phishing-scam-facebook/141869/
Thursday, February 14, 2019
Equifax Breach - Strange twist in the story. The stolen data has NEVER been FOUND and the investigators have two interesting theories.
First, the foreign government is probably combining this information with other stolen data, then analyzing it using artificial intelligence or machine learning to figure out who's likely to be — or to become — a spy for the U.S. government.
Second, credit reporting data provides compromising information that can be used to turn valuable people into agents of a foreign government.
https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html
Wednesday, February 13, 2019
Who's watching the watchers? Luckily, the SEC was - On more than one occasion, Gene Levoff, senior director of corporate law and corporate secretary (responsible for Apple's compliance with securities laws), disobeyed the company's "blackout" period for stock transactions, selling or buying stock worth tens of millions of dollars, according to the SEC.
Gene Levoff, senior director of corporate law and corporate secretary until September, "traded on material nonpublic information about Apple's earnings three times during 2015 and 2016," according to the SEC.
Before his termination in September, Levoff was "responsible for Apple's compliance with securities laws," the SEC complaint says.
https://www.cnbc.com/2019/02/13/sec-files-insider-trading-lawsuit-against-former-apple-lawyer.html
Attention WordPress admins - A critical vulnerability in popular WordPress plugin Simple Social Buttons enables non-admin users to modify WordPress installation options – and ultimately take over websites.
Update Simple Social Buttons to version 2.0.22 (the fixed release) or later.
https://threatpost.com/wordpress-plugin-flaw-website-takeover/141746/
Tuesday, February 12, 2019
Time to PATCH (again) - Attackers can escape Linux CONTAINERS and obtain unauthorized, root-level access to the host operating system.
- Docker users should check the Docker release notes for version 18.09.2.
- Kubernetes users should consult the Kubernetes blog article entitled "Runc and CVE-2019-5736".
- Any containerization product that uses runc is probably vulnerable - if you have a version numbered runc 1.0-rc6 or earlier, you need to take action.
- Patch runc if you’re using it yourself.
- Stop guest containers running as root if you can.
- Ask your provider if they’re using runc on your behalf.
CVE-2019-5736 - This bug means that a program run with root privileges inside a guest container can make changes with root privilege outside that container.
https://nakedsecurity.sophos.com/2019/02/12/linux-container-bug-could-eat-your-server-from-the-inside-patch-now/
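The list above comes down to one question per host: which runc is actually installed? The following is an added example, not code from the Sophos article or the runc project. It parses the first line of `runc --version` and applies the advisory's threshold (1.0-rc6 and earlier affected); the assumption that 1.0.0-rc7 and every final 1.0.x release carry the fix is mine. Caveat for practitioners: distributions routinely backport a fix without bumping the version string, so a "vulnerable" answer means "check the vendor changelog", not proof of exposure.

```python
"""Decide whether a runc build predates the CVE-2019-5736 fix.

Added example; not from the article or the runc project.
"""
import re
import shutil
import subprocess

# First line of `runc --version`, e.g. "runc version 1.0.0-rc6" or "runc version 1.0.0-rc6+dev"
_VERSION_RE = re.compile(r"^runc version (\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def runc_vulnerable(version_line):
    """True if the reported version is 1.0-rc6 or earlier (the affected range in the advisory)."""
    m = _VERSION_RE.match(version_line.strip())
    if not m:
        raise ValueError(f"unrecognised runc version line: {version_line!r}")
    major, minor, _patch, rc = (int(g) if g is not None else None for g in m.groups())
    if (major, minor) > (1, 0):
        return False                 # 1.1.x and later
    if (major, minor) < (1, 0):
        return True                  # 0.x predates the fix entirely
    if rc is None:
        return False                 # a final 1.0.x release (assumption: all carry the fix)
    return rc <= 6


def check_local_runc():
    """Run `runc --version` if runc is on PATH; returns None when it is not installed."""
    exe = shutil.which("runc")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=True).stdout
    return runc_vulnerable(out.splitlines()[0])


if __name__ == "__main__":
    state = check_local_runc()
    print({None: "runc not on PATH (ask your provider which version they run on your behalf)",
           True: "runc VULNERABLE: upgrade, and stop running containers as root in the meantime",
           False: "runc reports a version with the fix"}[state])
```

On a Docker host the relevant binary is usually `docker-runc` or `runc` next to `containerd`, so run the check with that path if `runc` itself is not on PATH. The other item in the list, not running containers as root, is what limits the blast radius while you wait for the package: the bug needs root inside the container to rewrite the host's runc binary.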
A "security policy" may be ineffective without a "security culture" - (Evidence) According to Ponemon's 2019 State of Password and Authentication Security Behaviors Report, extremely poor password management habits among IT staff are making a hacker's job much easier.
51% reuse the same password across an average of five business and/or personal accounts. It seems "eating your own dog food" does not apply to IT.
This is in line with LastPass’s 2018 findings where 50% of users use the same passwords for work and personal accounts
https://blog.knowbe4.com/a-hackers-dream-half-of-it-admins-reuse-passwords-across-multiple-accounts
Monday, February 11, 2019
Do you know how many employees in your organization use TeamViewer? More importantly, are you sure they are NOT using a malicious version of TeamViewer?
Trend Micro researchers have discovered Trojan spyware disguised as TeamViewer that collects and steals user data.
https://www.hackread.com/hackers-using-malicious-teamviewer-tool-to-spread-malware
Sunday, February 10, 2019
Watch out - Another cryptographic attack that can break encrypted TLS traffic, including TLS 1.3 deployments where a downgrade to RSA key exchange is possible. It's a variation of the original Bleichenbacher oracle attack.
The good news is that updated versions of all the affected libraries were published concurrently in November 2018, when the researchers published an initial draft of their paper.
The attack leverages a side-channel leak via cache access timings in these implementations to break the RSA key exchange of TLS implementations.
The reason for all these attack variations is that the authors of the TLS protocol chose to add countermeasures that make guessing the RSA-encrypted premaster secret harder, instead of dropping the insecure RSA (PKCS#1 v1.5) key exchange altogether.
https://www.zdnet.com/article/new-tls-encryption-busting-attack-also-impacts-the-newer-tls-1-3/
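Patching the library closes this instance of the oracle; removing RSA key exchange from the server closes the whole class, because the oracle only exists in suites whose key exchange is RSA (OpenSSL alias `kRSA`, e.g. `AES128-GCM-SHA256`). Suites that merely sign with RSA (`ECDHE-RSA-*`) are unaffected. The following is an added example, not code from the ZDNet article or the researchers; the cipher string is my choice, and the `kea` field comes from Python's `ssl.SSLContext.get_ciphers()`.

```python
"""Remove RSA key exchange from a TLS server and verify nothing kRSA is left.

Added example; not from the article. Requires an OpenSSL 1.1+ build of Python's ssl module.
"""
import ssl


def rsa_kex_suites(ciphers):
    """Names of suites whose key exchange is plain RSA, from SSLContext.get_ciphers() dicts."""
    return [c["name"] for c in ciphers if c.get("kea") == "kx-rsa"]


def hardened_server_context(certfile=None, keyfile=None):
    """TLS 1.2+ server context offering forward-secret key exchange only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # '!kRSA' is the part that matters; the positive aliases just order what remains.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit(ctx):
    """Suites the context would still negotiate with RSA key exchange (an empty list is the goal)."""
    return rsa_kex_suites(ctx.get_ciphers())


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("RSA key exchange suites still offered:", audit(ctx) or "none")
    print("TLS 1.3 suites (no RSA key exchange by design):",
          [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"])
```

The same audit applied to a context built with your production cipher string tells you whether the downgrade path the article mentions is open: a server that still offers any `kx-rsa` suite with the same certificate can be pushed onto it by an active attacker even when clients prefer TLS 1.3.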
Thursday, February 7, 2019
Vendor Risk Management - Remember their security practices will affect your security posture. An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP
The attack resulted in some 1,500 to 2,000 systems belonging to the MSP's clients getting cryptolocked and the MSP itself facing a $2.6 million ransom demand
In this case, the executable was Gandcrab, a widely distributed ransomware tool that has been used in numerous previous attacks. All customer systems that the MSP was managing via the Kaseya RMM tool were encrypted simultaneously, locking users out of them.
Attacks on MSPs are a growing concern. Recently, threat actors, some sponsored by nation states, have begun targeting MSPs in an attempt to get to the networks of their clients.
https://www.darkreading.com/attacks-breaches/ransomware-attack-via-msp-locks-customers-out-of-systems/d/d-id/1333825
If you absolutely have to have Alexa or Google Assistant in your home, heed the following advice:
DO NOT put a digital assistant in a child's room.
1. Change the Default Password on Your Wi-Fi Router
2. Set the Voice Lock
3. Decide Whether You Want to Shop By Voice
4. Understand that Privacy Rights in the US Are on the Way – but Are Not Law Yet
5. Be Smart About Where you Locate Your Devices
6. Be Aware that Smart TVs Come With Digital Assistants
Make sure to set the voice lock for just the adults in the home.
Make sure you receive follow-up emails confirming your purchases, and check your credit card statements to make sure fraudsters aren't running up charges on your account
When the TV gets old and you pass it along to a friend or take it to the dump, find out how to erase all the data.
https://www.darkreading.com/vulnerabilities---threats/6-security-tips-before-you-put-a-digital-assistant-to-work/d/d-id/1333783
Tuesday, February 5, 2019
Interesting Security Extension for Google Chrome - Google has released a new add-on for the Chrome browser that automatically and securely checks website credentials against known password breaches.
The Chrome browser extension, called Password Checkup, is available today. It securely checks credentials used to log in to websites—whether they're manually entered or stored in Chrome's password manager—against hashed credentials stored in an encrypted database of billions of compromised accounts maintained by Google.
https://arstechnica.com/information-technology/2019/02/google-releases-chrome-extension-that-alerts-to-breached-passwords/
Another Good news if you are a Firefox user - Firefox 67, which is planned to be released in May 2019, will have a few exciting features
1. Block cryptocurrency miners
2. Block fingerprinting
3. Mute autoplaying videos.
Cryptominers not only use CPU resources to mine cryptocurrency but also degrade the computer's performance over time: the entire system becomes slow and operations get delayed.
Fingerprinting is a technique that can create user profiles for tracking purposes using the information that the connecting device, scripts (if permitted), and browser provide.
https://www.hackread.com/firefox-offers-fingerprinting-cryptomining-protection/
Friday, February 1, 2019
Interesting Headline - Japanese government plans to hack into citizens' IoT devices
The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices.
NICT employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.
The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to authorities and the relevant internet service providers, so they can take measures to alert consumers and secure the devices.
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/
Cyber attacks against the US - Different countries, different intentions (apart from meddling with the upcoming 2020 election):
- China, has the capacity and desire to go after American targets for not only diplomatic and military information, but also for attacks on infrastructure and private-sector business.
- Russia, for example, will likely continue to go after critical infrastructure and focus on stealing intel from NATO
- Iran, meanwhile, is likely to focus on social media campaigns to help boost its public image and sway opinions in its favor.
- North Korea will look to boost its coffers with financial hacks.
https://www.theregister.co.uk/2019/01/30/us_election_meddling/
Tuesday, January 29, 2019
If your phone starts listening BEFORE you answer, is that a bug or a feature (AI, maybe)? Apparently FaceTime has this problem, and Apple is scrambling to fix this embarrassingly dangerous "snooping" bug in the FaceTime app.
The bug goes like this:
- Call someone from your contacts using FaceTime.
- Their phone will ring.
- Use the “Add Person” option to include a new participant in the chat, namely yourself.
…and you can immediately hear the audio feed from the person who hasn’t answered the call yet.
https://nakedsecurity.sophos.com/2019/01/29/apple-facetime-eavesdropping-bug/
Need a reason to move to Firefox 65? - New Content Blocking controls!!
- Users can block known trackers in Private Browsing Mode. In the future, this setting will also block third-party tracking cookies
- Users can also pick from a “strict” setting that blocks all known trackers by Firefox in all windows; or a “custom” setting that enables users to pick and choose which trackers and cookies they would like to block.
- A new “Security/ Anti-Tracking policy”
https://threatpost.com/mozilla-firefox-65-anti-tracking/141281/
Thursday, January 24, 2019
Beware of the "WhatsApp Gold" scam - this hoax involves sending WhatsApp messages to users about downloading an update for WhatsApp. In reality, it isn't an update but malware.
WhatsApp has confirmed that it is a new hoax that’s being spread by scammers to trap users by convincing them that by clicking on the link they will be able to receive an updated version of the messaging app.
Preview of the Scam Message Below:
https://www.hackread.com/whatsapp-gold-scam-with-malware-payload
Wednesday, January 23, 2019
AI in cybersecurity - The term has quickly evolved in the industry from FUD factor to buzzword. Believing AI is the silver bullet that can address all cybersecurity challenges is equally dangerous. AI still needs humans to provide reliable data.
A lack of quality data leads to poor results. Even with quality data, trained AI tends to produce false positives and is not very good at explaining how it arrived at a certain conclusion, as it lacks the ability to understand context.
For this reason, humans remain a critical part of the equation. They are still needed to fine-tune AI systems and to investigate the alerts, validate and stratify the severity of threats, and determine the best way to remediate an attack.
https://www.scmagazine.com/home/opinion/balancing-ai-with-human-intelligence-in-cybersecurity/
Attention, PHP users - It appears that anyone who downloaded and installed an updated edition from PEAR (PHP Extension and Application Repository, a framework and distribution system for reusable PHP components) in the last half-year could have been compromised.
The administrators of the PEAR package manager website have taken the site offline, having discovered that hackers breached the site, and apparently planted malicious code into the software.
https://www.grahamcluley.com/poisoned-pear-php-extension-repository-download-infected-for-up-to-six-months/
Monday, January 21, 2019
Why is it that the bad guys seem to be more innovative in the security space? - New technique to detect a sandbox:
Malicious Android apps in the official Google Play Store are using the motion sensors of infected devices. If the apps fail to detect any movement (which is, of course, unlikely in a sandbox environment in a research lab!), they refuse to activate their malicious payload.
If, however, there has been movement, the apps display a fake system update dialog that attempts to trick the user into installing a piece of banking malware called Anubis.
https://www.grahamcluley.com/android-malware-motion-sensor/
Thursday, January 17, 2019
Sign up for notification on "haveibeenpwned.com" (if you have not already done so) to receive alerts when your email account is involved in a Breach
Why? - Yesterday, I received an automatic email notification that one of my email addresses was compromised in the "Collection #1" breach on 01/07/19.
“Collection #1 data breach” is made up of data stolen from numerous different data breaches. In all there are 1.16 billion unique combinations of email addresses and passwords in the data set, totaling 772,904,991 different unique email addresses.
https://www.grahamcluley.com/the-collection-1-data-breach-what-you-need-to-do-about-it/
ThinkPHP vulnerability - actively exploited. All it takes is a single line of code to scan for it, and exploitation uses simple cut-and-paste code that is widely available.
ThinkPHP is popular in Asia-Pacific region however, the researcher says that attackers are actively scanning systems across the globe, including Europe and the US. "I'm seeing about 600 scans a day for it," he explains. "They're scanning across all verticals, software companies, car rentals, and others."
https://www.darkreading.com/vulnerabilities-and-threats/new-attacks-target-recent-php-framework-vulnerability/d/d-id/1333676
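If you are among those 600 scans a day, your access logs already say so. The following is an added example, not code from the Dark Reading article; the indicators are mine, taken from the shape of the ThinkPHP 5 scan traffic widely seen for this bug (the framework's `s=` routing parameter pointed at a `\think\` namespace path, and the `invokefunction`/`call_user_func_array` chain used to run attacker-chosen PHP). The log lines are constructed in Common Log Format, not captured.

```python
"""Flag ThinkPHP remote-code-execution probes in web server access logs.

Added example; not from the article. Indicator set chosen by the author of this example.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes ...
_CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

_PROBE_MARKERS = (
    re.compile(r"\\think\\", re.I),          # e.g. /index/\think\app/...
    re.compile(r"invokefunction", re.I),
    re.compile(r"call_user_func_array", re.I),
)


def is_thinkphp_probe(target):
    """True if a decoded request target carries the ThinkPHP RCE markers."""
    decoded = unquote(target)                # scanners send %5Cthink%5Capp and friends
    # Require the routing parameter plus at least one marker to keep noise down.
    if "s=" not in decoded.lower():
        return False
    return any(m.search(decoded) for m in _PROBE_MARKERS)


def scan_log(text):
    """Return one dict per matching line: ip, time, target, status."""
    hits = []
    for line in text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue
        if is_thinkphp_probe(m.group("target")):
            hits.append({k: m.group(k) for k in ("ip", "time", "target", "status")})
    return hits


# Constructed sample; RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jan/2019:10:00:01 +0000] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=x HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jan/2019:10:00:02 +0000] "GET /index.php?s=/article/view/id/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jan/2019:10:00:03 +0000] "POST /index.php?s=captcha HTTP/1.1" 200 88 "-" "curl/7.58.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['target']}")
```

Two caveats. A hit with a 404 against a server that never ran ThinkPHP is just background noise worth counting, not an incident; a 200 on a real ThinkPHP install is. And access logs only record the request line, so the POST variant of the same bug, whose payload travels in the body behind a bare `s=captcha` (the third sample line), is not caught here; seeing it needs request-body logging or a WAF in front of the application.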