Tuesday, January 29, 2019

If your phone starts listening BEFORE you answer, is that a bug or a feature (for AI, maybe a feature)? Apparently FaceTime has this problem, and Apple is scrambling to fix this embarrassingly dangerous “snooping” bug in the FaceTime app.

The bug goes like this:


  1. Call someone from your contacts using FaceTime.
  2. Their phone will ring.
  3. Use the “Add Person” option to include a new participant in the chat, namely yourself.

…and you can immediately hear the audio feed from the person who hasn’t answered the call yet.

https://nakedsecurity.sophos.com/2019/01/29/apple-facetime-eavesdropping-bug/

Need a reason to move to Firefox 65? - New Content Blocking controls!!

  1. Users can block known trackers in Private Browsing Mode. In the future, this setting will also block third-party tracking cookies.
  2. Users can also pick a “strict” setting that blocks all trackers known to Firefox in all windows, or a “custom” setting that lets users pick and choose which trackers and cookies they would like to block.
  3. A new “Security/ Anti-Tracking policy


https://threatpost.com/mozilla-firefox-65-anti-tracking/141281/

Thursday, January 24, 2019

Beware of the "WhatsApp Gold" scam - this hoax involves sending WhatsApp messages to users about downloading an update for WhatsApp. In reality, it isn’t an update but malware.

WhatsApp has confirmed that it is a new hoax being spread by scammers to trap users by convincing them that clicking the link will get them an updated version of the messaging app.

Preview of the scam message (image not reproduced in this text):
https://www.hackread.com/whatsapp-gold-scam-with-malware-payload

Wednesday, January 23, 2019

AI in cybersecurity - The term has quickly evolved in the industry from FUD factor to buzzword. Believing that AI is the silver bullet that can address all cybersecurity challenges is just as dangerous. AI still needs humans to provide reliable data.

A lack of quality data leads to poor results. Even with quality data, trained AI tends to produce false positives and is not very good at explaining how it arrived at a certain conclusion, as it lacks the ability to understand context.

For this reason, humans remain a critical part of the equation. They are still needed to fine-tune AI systems, to investigate the alerts, to validate and stratify the severity of threats, and to determine the best way to remediate an attack.


https://www.scmagazine.com/home/opinion/balancing-ai-with-human-intelligence-in-cybersecurity/

Attention, PHP users - It appears that anyone downloading and installing an updated edition from PEAR (PHP Extension and Application Repository, a framework and distribution system for reusable PHP components) in the last half-year could have been compromised.

The administrators of the PEAR package manager website have taken the site offline, having discovered that hackers breached the site and apparently planted malicious code into the software.

https://www.grahamcluley.com/poisoned-pear-php-extension-repository-download-infected-for-up-to-six-months/

Monday, January 21, 2019

OWASP IoT TOP 10 (2018)


Why is it that the bad guys seem to be more innovative in the security space? - A new technique to detect sandboxes

Malicious Android apps in the official Google Play Store are using the motion sensors of infected devices. If the apps fail to detect any movement (movement being, of course, unlikely in a sandbox environment in a research lab!), they refuse to activate their malicious payload.
If, however, there has been movement, the apps display a fake system update dialog which attempts to trick the poor user into installing a piece of banking malware called Anubis.

https://www.grahamcluley.com/android-malware-motion-sensor/

Thursday, January 17, 2019

Sign up for notifications on "haveibeenpwned.com" (if you have not already done so) to receive alerts when your email account is involved in a breach.

Why? - Yesterday, I received an automatic email notification that one of my email addresses had been compromised in the "Collection #1" breach on 01/07/19.
The “Collection #1 data breach” is made up of data stolen from numerous different data breaches. In all there are 1.16 billion unique combinations of email addresses and passwords in the data set, totaling 772,904,991 different unique email addresses.


https://www.grahamcluley.com/the-collection-1-data-breach-what-you-need-to-do-about-it/

ThinkPHP vulnerability - actively exploited. All it takes is a single line of code to scan for it, and exploitation uses simple cut-and-paste code that is widely available.

ThinkPHP is popular in the Asia-Pacific region; however, the researcher says that attackers are actively scanning systems across the globe, including Europe and the US. "I'm seeing about 600 scans a day for it," he explains. "They're scanning across all verticals, software companies, car rentals, and others."

https://www.darkreading.com/vulnerabilities-and-threats/new-attacks-target-recent-php-framework-vulnerability/d/d-id/1333676

Office 365 admins MUST read this - New phishing attack taking advantage of a vulnerability in Office 365 to bypass all of Microsoft’s security (including ATP)

Researchers discovered a new type of advanced phishing attack that takes advantage of an Office 365 vulnerability to bypass all of Microsoft's security, even where users have implemented Advanced Threat Protection (ATP).

The Z-WASP (zero-width space) vulnerability is a security-bypass method used by cybercriminals around the world to embed obfuscated links within phishing emails.

It hides the phishing URL from Office 365 security and Office 365 ATP, and it also bypasses Office 365’s URL reputation check and Safe Links URL protection.

Even though the Z-WASP technique is structurally very simple, the impact of an attack using it is highly destructive.

Z-WASP works by hiding special characters that render as zero-width spaces inside the link: the URL looks intact to the reader, but the hidden characters break it up as far as the URL reputation check is concerned.

Two similar exploits uncovered last year are the baseStriker and ZeroFont attacks.


https://gbhackers.com/phishing-attack-office-365-vulnerability/
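As an added illustration (not from the article above or from any product), here is a small Python triage helper that does the one thing Z-WASP counts on a filter not doing: it pulls the URLs out of a message body, reports any zero-width code points hidden inside them, and produces the normalized URL that a reputation check should actually be run against. The sample message and the list of invisible code points are constructed for this example.

```python
import re

# Invisible code points that render with zero width and are therefore easy to
# hide inside a link (list constructed for this example; extend as needed).
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u00ad": "SOFT HYPHEN",
}

# None of these code points is Unicode whitespace, so \s does not stop at them:
# the regex captures the whole decorated URL, exactly as a naive filter would.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def find_zero_width(text):
    """Return (offset, name) for every zero-width code point in text."""
    return [(i, ZERO_WIDTH[ch]) for i, ch in enumerate(text) if ch in ZERO_WIDTH]


def strip_zero_width(text):
    """The URL a reputation check should actually be run against."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def make_visible(text):
    """Render hidden code points as <U+XXXX> markers for an analyst's eyes."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in ZERO_WIDTH else ch for ch in text)


def analyze_urls(body):
    """Extract every URL in a message body and describe what was hidden in it."""
    findings = []
    for m in URL_RE.finditer(body):
        raw = m.group(0)
        hits = find_zero_width(raw)
        findings.append({
            "raw": raw,
            "visible": make_visible(raw),
            "normalized": strip_zero_width(raw),
            "zero_width_count": len(hits),
            "suspicious": bool(hits),
        })
    return findings


# Constructed sample message: the first link carries two hidden code points.
SAMPLE_EMAIL = (
    "Your mailbox is almost full. Review your storage at "
    "https://exam\u200bple-lo\u200cgin.test/office365/verify\n"
    "Clean link for comparison: https://www.example.test/help\n"
)

if __name__ == "__main__":
    for f in analyze_urls(SAMPLE_EMAIL):
        print(f["visible"], "->", f["normalized"], "| suspicious:", f["suspicious"])
```

Run it as a script to see both links side by side; in a mail pipeline the `normalized` value is what you would hand to the reputation lookup, and a non-zero `zero_width_count` in a URL is itself a strong reason to quarantine the message, since legitimate links have no business containing these characters.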

Tuesday, January 15, 2019

AML (Adversarial Machine Learning) - If you don't understand this, then buzzwords like artificial intelligence (AI), machine learning (ML) and deep learning (DL) are not going to help.

AML - A type of malicious interference with AI-based security systems. Adversaries can manipulate AI data and algorithms to the point where the AI system is defeated. Malware can then pass through undetected, putting vital corporate data, systems, and users at risk.

EXAMPLE-1 - Evasion attacks. In this case, adversaries deluge the system with false negatives (malware disguised as benign code), causing security analysts to ignore alerts completely or to de-prioritize them.

EXAMPLE-2 - Poisoning attacks, which inject false data with the intent of poisoning the training data set and creating biases towards certain classifications. This can actually change the AI model and significantly impact decisions and outcomes.

Vendors and enterprise security teams need to be extra vigilant about continually monitoring AI-based security systems to ensure that they are doing what they are meant to do as they evolve and adapt to the changing threat landscape.

https://www.scmagazine.com/home/opinion/artifical-intelligence-in-cybersecurity-is-vulnerable/
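To make EXAMPLE-2 concrete, here is an added toy experiment in plain Python (not from the article): a tiny k-nearest-neighbour malware classifier trained on constructed two-feature samples, an attacker who injects malicious-looking samples labelled benign into the training set, the resulting drop in accuracy on clean test data, and, going one step beyond the article, a defender-side check that uses a small hand-verified reference set to flag training samples whose label disagrees with where they sit. The feature names, the data and every number in it are constructed for this example.

```python
import random
from math import dist

# Constructed toy data: a sample is (entropy_score, suspicious_api_ratio), both
# in [0, 1], labelled 0 = benign or 1 = malicious. Benign samples cluster near
# (0.2, 0.2) and malicious ones near (0.8, 0.8). Synthetic, not real telemetry.
CENTERS = {0: (0.2, 0.2), 1: (0.8, 0.8)}
SPREAD = 0.08


def make_samples(label, n, rng):
    cx, cy = CENTERS[label]
    return [((rng.gauss(cx, SPREAD), rng.gauss(cy, SPREAD)), label) for _ in range(n)]


def knn_predict(train, x, k=3):
    """Majority vote of the k training samples nearest to x."""
    nearest = sorted(train, key=lambda s: dist(s[0], x))[:k]
    votes = sum(label for _, label in nearest)
    return 1 if 2 * votes > k else 0


def accuracy(train, test, k=3):
    correct = sum(knn_predict(train, x, k) == y for x, y in test)
    return correct / len(test)


def poison(train, n, rng):
    """Poisoning attack: inject n samples drawn from the malicious distribution
    but labelled benign, so the model learns that malicious-looking is fine."""
    injected = [(x, 0) for x, _ in make_samples(1, n, rng)]
    return train + injected


def centroid(points):
    xs, ys = zip(*points)
    return (sum(xs) / len(xs), sum(ys) / len(ys))


def flag_label_outliers(train, trusted):
    """Defender-side check: 'trusted' is a small set that humans verified by hand.
    Any training sample whose label disagrees with the nearest trusted-class
    centroid is flagged for review before the model is (re)trained."""
    cents = {lbl: centroid([x for x, l in trusted if l == lbl]) for lbl in (0, 1)}
    flagged = []
    for i, (x, label) in enumerate(train):
        nearest = min(cents, key=lambda lbl: dist(x, cents[lbl]))
        if nearest != label:
            flagged.append(i)
    return flagged


def run_experiment(seed=7, n_train=40, n_test=20, n_poison=40, n_trusted=5):
    rng = random.Random(seed)
    train = make_samples(0, n_train, rng) + make_samples(1, n_train, rng)
    test = make_samples(0, n_test, rng) + make_samples(1, n_test, rng)
    trusted = make_samples(0, n_trusted, rng) + make_samples(1, n_trusted, rng)
    clean_acc = accuracy(train, test)
    poisoned = poison(train, n_poison, rng)   # with n_train=40, indices 80..119 are poison
    poisoned_acc = accuracy(poisoned, test)
    flagged = flag_label_outliers(poisoned, trusted)
    drop = set(flagged)
    cleaned = [s for i, s in enumerate(poisoned) if i not in drop]
    return {
        "clean_accuracy": clean_acc,
        "poisoned_accuracy": poisoned_acc,
        "flagged": flagged,
        "cleaned_accuracy": accuracy(cleaned, test),
    }


if __name__ == "__main__":
    r = run_experiment()
    print(f"clean {r['clean_accuracy']:.2f}  poisoned {r['poisoned_accuracy']:.2f}  "
          f"after removing {len(r['flagged'])} flagged samples {r['cleaned_accuracy']:.2f}")
```

The point of the reference set is the one the article makes about humans staying in the loop: a handful of samples that someone actually verified is enough to anchor a sanity check on a training set that is otherwise collected automatically, and the check runs before each retraining rather than after the model has already started missing malware.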

Remember the saying "knowledge is power" - It is valuable today because "where there is a computer, there's a vulnerability". The problem is that computers are everywhere, and it is important to know how these vulnerabilities affect us.

Example - Schneider Electric car charging stations - One of the vulnerabilities (patched last month) enables access to the charging station with maximum privileges and could allow an attacker to stop the charging process and switch the device to reservation mode, making it inaccessible to customers until the machine is rebooted.

Two other vulnerabilities, CVE-2018-7801 and CVE-2018-7802, allow hackers to gain access to the device with maximum privileges and to bypass authorization to gain access to the web interface with full privileges, respectively.

The attacker could even unlock the charging cable from the device while it is in the process of charging a vehicle, allowing them to steal the entire cable, ultimately leading to financial losses for the energy sector and uncharged vehicles for customers.


https://www.scmagazine.com/home/security-news/positive-technologies-researchers-have-released-details-concerning-the-vulnerabilities-patched-last-month-in-the-schneider-electric-car-charging-stations/


Friday, January 11, 2019

Modlishka - A tool that can bypass login protections for accounts protected by two-factor authentication (2FA).

This drives home a couple of important points:

1. Attacks evolve faster than we can imagine. In December an Iranian group called "Charming Kitten" defeated 2FA, and today (less than 40 days later) we have a tool that can do the same.

2. 2FA is (only) an additional layer of security. It is potent only when it is part of a comprehensive risk management program.

3. Basic 2FA like OTP via SMS/email and security questions can be defeated, and organizations should be well aware of this.

4. Ultimately, end users are an important layer of defense, making awareness training an important part.

https://threatpost.com/2fa-broken-authentication/140776/

Interesting phishing technique - fake web fonts that evade detection.

Custom web font files are used to install an encrypted font that is in effect a substitution cipher. The source code will look harmless, but a user would instead see a fake landing page designed to steal login credentials.
With the letters being substituted, the intended text is shown in the browser but does not exist on the page, so it evades detection.

To evade detection further, criminals render the bank logo using SVG (scalable vector graphics), so neither the image nor its source appears in the page source.


https://www.scmagazineuk.com/fake-fonts-used-phishing-attacks-researchers-warn/article/1522178

Who is accountable for cyberattacks in the cloud, and how can we reduce this risk? - How much time have we spent on these questions before moving to the cloud?

Businesses planning a migration MUST implement security from the start and in phases throughout the project.
Onapsis studies have found that implementing security in each phase of the migration could save businesses more than five times their implementation costs.

https://www.darkreading.com/vulnerabilities---threats/who-takes-responsibility-for-cyberattacks-in-the-cloud/d/d-id/1333637

Wednesday, January 9, 2019

Container security - If we continue to follow the traditional scanning process, we have a problem. Nearly half of all companies know that they're deploying containers with security flaws, according to a new survey, and 60% of those surveyed say that their organization suffered a container security breach in the last year.

The solution for the container security problem lies in the development cycle, Erlin says. "The way to address container security is to build security controls into the DevOps process. If you're looking for vulnerabilities or mis-compliance, you want to find them in the build ahead of deployment, and you want to make sure the process will allow them to be fixed before deploying," he explains.

Too many companies are using traditional security scanning processes, in which they scan for vulnerabilities when the application is deployed, and then try to fix issues in a DevOps process — and they're finding that it doesn't work, Erlin says. The problem isn't primarily with the tools they're using.

"I don't think this is a technology challenge as much as an adoption challenge," Erlin says. Looking ahead, though, he sees promise in the form of new employees being hired to work with containers.

https://www.darkreading.com/vulnerabilities-and-threats/container-deployments-bring-security-woes-at-devops-speed/d/d-id/1333622
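One concrete way to act on Erlin's advice is to make the image scan a gate in the build pipeline rather than a report produced after deployment. The following Python is an added example, not from the article or from any particular scanner: it takes a scan report for an image (the JSON layout, the image name and the CVE identifiers here are constructed for the example and only modelled on what image scanners typically emit, so adapt the keys to your scanner's real schema), applies a severity threshold and a list of time-limited accepted-risk exceptions, and returns the exit code a CI job would use to block the deploy.

```python
import json
from datetime import date

# Constructed scan report for a fictional image. The layout is modelled on
# typical scanner JSON output; the CVE ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.loads("""
{
  "Target": "registry.example/app:1.4.2",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl",
     "InstalledVersion": "1.1.1a", "FixedVersion": "1.1.1b", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "curl",
     "InstalledVersion": "7.61.0", "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib",
     "InstalledVersion": "1.2.11", "FixedVersion": "1.2.12", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "bash",
     "InstalledVersion": "5.0", "FixedVersion": "5.0.1", "Severity": "HIGH"}
  ]
}
""")

# Accepted-risk exceptions granted by the security team, each with an expiry
# date so nothing is waved through indefinitely (constructed).
EXCEPTIONS = {"CVE-EXAMPLE-0004": date(2019, 3, 31)}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(report, min_severity="HIGH", exceptions=None,
                      require_fix=False, today=None):
    """Return the findings that should stop this image from being deployed.

    min_severity: lowest severity that blocks.
    exceptions:   {vuln_id: expiry_date}; an exception only counts until it expires.
    require_fix:  if True, findings with no fixed version do not block (there is
                  nothing the build could change yet); they still belong in a report.
    today:        date or ISO string, injectable so the gate is testable.
    """
    exceptions = exceptions or {}
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for v in report["Vulnerabilities"]:
        if SEVERITY_RANK.get(v["Severity"], 0) < threshold:
            continue
        expiry = exceptions.get(v["VulnerabilityID"])
        if expiry is not None and today <= expiry:
            continue  # accepted risk, still inside its review window
        fix_available = bool(v.get("FixedVersion"))
        if require_fix and not fix_available:
            continue
        blocking.append({
            "id": v["VulnerabilityID"],
            "package": v["PkgName"],
            "installed": v["InstalledVersion"],
            "fixed": v.get("FixedVersion") or None,
            "severity": v["Severity"],
        })
    return blocking


def gate(report, **options):
    """Exit code for the CI step: 0 = may deploy, 1 = fix the image first."""
    findings = blocking_findings(report, **options)
    for f in findings:
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fix yet"
        print(f"BLOCK {f['severity']:<8} {f['id']} {f['package']} {f['installed']} ({fix})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, exceptions=EXCEPTIONS))
```

The exceptions list is the part that keeps a gate like this alive in practice: without an expiry, every accepted risk silently becomes permanent, which is exactly the "scan, then never fix" pattern the survey describes. Wire the script's exit code into the build step that runs after the image is built and before it is pushed to the registry.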

Tuesday, January 8, 2019

Remember the line "Data is the new currency"? It looks like your location data is part of it - T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.

T-Mobile shares location data with an aggregator called Zumigo, which shares information with Microbilt. Microbilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard.

Motherboard’s investigation shows just how exposed mobile networks and the data they generate are, leaving them open to surveillance by ordinary citizens, stalkers, and criminals.

https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile

2019 security (marketing) buzzwords - AI, machine learning, and predictive modeling. Don't rely on them (today). Cybersecurity is not defined by observed rules, unlike chess or driving a car. AI is challenged to address the unstructured environment and lack of rules within security for detection, investigation and response.

AI won’t impact security in a big way for years to come, and it will succeed in other areas first, before security. The issue is that security is unstructured and the rules are broken by attackers, making the application of AI more challenging.

There’s a lot of work to be done before we’ll get an “Alexa” for security. Yes, we can use machine learning to find anomalies in data sets using attributes with variation for specific use cases, but this is more about machine learning and advanced statistics than AI.

https://www.scmagazine.com/home/security-news/buyer-beware-autonomous-security-is-a-myth/

Monday, January 7, 2019

Email continues to be the favorite attack vector, even for nation-state attacks - The APT10 (Chinese hacker) group used the same method with a twist, and were successful. They targeted MSPs (not their direct targets) to hack industries as varied as banking and finance, biotech, consumer electronics, health care, manufacturing, oil and gas, telecommunications, and ultimately made off with hundreds of gigabytes of data from dozens of companies.

As usual, it just starts with a carefully crafted email. “C17 Antenna problems,” read the subject line of one APT10 message that hit the inbox of a helicopter manufacturer, part of the 2006 campaign. The body copy was a simple request to open the attached file, a Microsoft Word doc called “12-204 Side Load Testing.” Once someone opens the attachment, it is game over.

The malware posed as legitimate on a victim’s computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign.

The APT hackers put themselves in a position where they not only had access to MSP systems, but could move through them as an administrator might. Using those privileges, they would initiate what’s known as Remote Desktop Protocol connections with other MSP computers and client networks.

The hackers would encrypt the data and use stolen credentials to move it to a different MSP or client system before jettisoning it back to an APT10 IP address. They’d also delete the stolen files from the compromised computers, all in an effort to avoid detection. Any time a private security company would identify APT10 domains, the group would quickly abandon them and move on to others.

https://www.wired.com/story/doj-indictment-chinese-hackers-apt10/

Travel websites - how secure are they? - Dashlane’s 2018 Travel Website Password Power Rankings™ revealed that nearly 90% of sites examined “leave their users’ accounts perilously exposed to hackers due to unsafe password practices.” In addition, only a handful of these sites (just 4%) support two-factor authentication (2FA).

What can you do about it?
Dashlane offers the following (common sense) tips:


  • Use a unique password for every online account
  • Generate passwords that exceed eight characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured WiFi connection (e.g. public WiFi) while traveling



https://www.wombatsecurity.com/blog/cybersecurity-travel-tips-proactively-protect-data-and-devices

Friday, January 4, 2019

We know Google learns about our online activities (from websites) and OFFLINE activities (Mastercard). Did you know Facebook does the same by getting info from mobile apps?

A newly released study of 34 prominent Android apps (for example Duolingo, Kayak, Shazam, Spotify Music, TripAdvisor and Yelp) found that roughly 68 percent of them share user data with Facebook even when the device operator isn’t actively logged into the social media service or, for that matter, never created a Facebook account.

61 percent of the 34 apps begin transmitting this data automatically and immediately, from the very moment the app is opened.

https://www.scmagazine.com/home/security-news/not-using-facebook-apps-still-sharing-your-data-with-the-company-says-study/

Happy New ("Doxxed") Year - Hundreds of German politicians, including Chancellor Angela Merkel, have been doxxed, with their private information and political documents dumped online.

The victims hail from all major parties — except the far-right Alternative for Germany (AfD). The information released includes emails, cell phone numbers, physical addresses, private chat conversations, pictures of their ID cards and even bank details and debit authorizations. The data also included internal party documents.

Julian Röpcke of Bild tweeted that he had found “shocking” details related to nepotism, and that the data stretches back to 2009. He also speculated that more compromising material may be in the offing:

https://threatpost.com/wide-ranging-german-doxxing-incident-hits-hundreds-of-politicians/140560/

Wednesday, January 2, 2019

Remember, you can't protect what you don't know, and that's the main reason why the top two CIS controls have remained the same. Here is an interesting thought from Jeremiah Grossman on penetration testing / vulnerability assessment:

Many ORGs prioritize vuln assessments / pen-tests towards their most ‘critical’ assets. While a seemingly sensible approach, breach data shows it’s very often the obscure or unknown assets that get compromised first — and the adversary pivots. It’s their easiest path to victory.