Wednesday, February 27, 2019

The Thunderbolt port (which on recent machines shares the USB-C connector) is a wonderful invention, but it also makes a good attack vector. Security researchers have disclosed a new class of vulnerabilities, dubbed Thunderclap, that affects all major operating systems (Microsoft Windows, Apple macOS, Linux and FreeBSD) and allows a malicious peripheral to bypass the protection mechanism (the IOMMU) that was introduced to defend against DMA attacks.



In particular, all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook. Many laptops, and some desktops, designed to run Windows or Linux and produced since 2016 are also affected; check whether your machine has a Thunderbolt port (on Linux, "dmesg | grep -i -e DMAR -e IOMMU" also tells you whether the IOMMU is enabled at all).

A Thunderbolt port gives a connected peripheral direct memory access (DMA). Thunderclap shows how a malicious device can use that access to bypass operating system security policies and read or write system memory directly, including passwords, banking logins, private files and browser activity. Physical access to a port is required, but the hostile hardware can hide inside something you would happily plug in, such as a charger or a projector.

The researchers also built proof-of-concept attack hardware that exploits the Thunderclap vulnerabilities against targeted systems, but chose not to release it publicly at this time.

https://thehackernews.com/2019/02/thunderbolt-peripheral-dma-attacks.html

Tuesday, February 26, 2019

You MUST watch this - Rep. Katie Porter traps the Equifax CEO with his own answer.


She asks him to provide his SSN and date of birth in a public hearing; he declines, citing the potential for harm.

She then asks: “Why are Equifax’s lawyers arguing in court that there was no harm” from the data breach?

https://twitter.com/i/status/1100459600824815617

Time to patch WinRAR (to version 5.70 beta 1) - A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted being actively exploited in a spam campaign that spreads malware.



If a bad actor uses spear-phishing tactics to send an unsuspecting victim a disguised ACE file (an ACE archive renamed to look like a RAR), and the victim opens it in WinRAR, the archive can drop a file into the victim's Startup folder without asking, so the planted malware runs the next time the user logs in.

https://threatpost.com/critical-winrar-flaw-found-actively-being-exploited/142204/
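
As an added example (not from the Threatpost article or the WinRAR project), the check an archive extractor must perform to stop this class of attack: every member name is resolved against the destination directory and rejected if it would land anywhere else, whether through an absolute path, a drive letter, or ".." traversal. The sample archive below is constructed, and ZIP stands in for ACE because Python's standard library has no ACE parser; the destination check itself is format-independent.

```python
import io
import os
import posixpath
import re
import zipfile

# Constructed sample archive (not a real malware sample): one benign member and two
# members whose names try to escape the extraction directory, the way the ACE payloads
# described above aim for the Windows Startup folder.
STARTUP_PAYLOAD = "../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe"


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "harmless text")
        zf.writestr(STARTUP_PAYLOAD, "MZ... (placeholder, not an executable)")
        zf.writestr("C:/Users/Public/evil.exe", "MZ... (placeholder)")
    return buf.getvalue()


def resolve_member(dest_dir: str, member_name: str):
    """Return the absolute path a member would be written to, or None if that path
    would fall outside dest_dir (absolute path, drive letter, or '..' traversal)."""
    dest = os.path.realpath(dest_dir)
    name = member_name.replace("\\", "/")            # treat both separators alike
    if posixpath.isabs(name) or re.match(r"^[A-Za-z]:", name):
        return None                                   # absolute or drive-qualified name
    target = os.path.realpath(os.path.join(dest, name))
    if target == dest or os.path.commonpath([dest, target]) != dest:
        return None                                   # '..' climbed out of dest_dir
    return target


def classify_archive(data: bytes, dest_dir: str):
    """Split member names into (safe, rejected) according to resolve_member()."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = safe if resolve_member(dest_dir, info.filename) else rejected
            bucket.append(info.filename)
    return safe, rejected


def safe_extract(data: bytes, dest_dir: str):
    """Extract only members that stay inside dest_dir; return the paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = resolve_member(dest_dir, info.filename)
            if target is None or info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


if __name__ == "__main__":
    safe, rejected = classify_archive(build_sample_archive(), "extract_demo")
    print("safe:", safe)
    print("rejected:", rejected)
```

The check resolves the final path with realpath() before comparing, so a member that looks harmless but walks back out through ".." after a legitimate-looking prefix is still caught.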

Sunday, February 24, 2019

After a ransomware incident, here is what one company said: “We paid the ransom, and it sucked”.


(Did this company not understand the "A" (availability) in the CIA triad?)

“When they encrypt the data, that happens really fast.” And: “When they gave us the keys to decrypt it, things didn’t go quite as cleanly.”

Smart people learn from others' mistakes. Are you ready to learn from these guys?

Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company's customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers.

Experts say attacks like the one against Apex HCM are playing out across the world every day, and have turned into a billion-dollar business for cyber thieves. The biggest group of victims are professional services firms. Paying does not buy a clean recovery: the decryption tools extortionists hand over are slow and often unreliable, which is why tested offline backups and a rehearsed restore procedure are the only dependable way back.



https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/

Friday, February 22, 2019

Just be aware that every time you turn on the location service/GPS setting on your smartphone, say to use the Uber app or Google Maps, the Facebook app will start tracking your location too.



Installing the Facebook app on an Android or iOS phone is treated by the company as your consent to collect a history of your precise location.

Users can manually turn Facebook's Location History option off in the app settings.

Unfortunately, disabling Location History also breaks some Facebook features that rely on location data, such as checking in at a nearby place or tagging a location in an uploaded photo. Note that this switch only controls what Facebook stores; if you do not want the app to receive your location at all, revoke or restrict its location permission in the phone's OS settings instead.

https://thehackernews.com/2019/02/facebook-location-tracking.html

As long as we spend more money on security tech and less on people, we will continue to see more breaches and security incidents. Technology cannot think; to adapt to the ever-changing threat landscape we need intelligent people (not to be confused with "PowerPoint experts" or yes-men) to protect our organizations.



Indeed, the number of attacks is on the rise, and they take longer to address than ever before. It's estimated that the average cost of a data breach in 2018 was up 6.4% over the previous year, to $3.86 million. This is why companies cannot afford to rely solely on preventive technologies, which often lull them into a false sense of security.

Security teams understand they need to think like attackers. And they understand that it's not computers attacking their companies; it's the people behind them, people with real-life experience and intuition.

https://www.darkreading.com/threat-intelligence/to-mitigate-advanced-threats-put-people-ahead-of-tech/a/d-id/1333913

Thursday, February 21, 2019

"Security Culture" can help you to avoid embarrassment. Example - A patient who Googled their name was able view their medical file.

Someone had misconfigured a web server belonging to UW Medicine (University of Washington), and data on 974,000 patients was searchable on the internet from December 4 to 26.


UW did not discover the problem itself; the patient reported the finding to them.


https://www.scmagazine.com/home/security-news/data-breach/misconfigured-database-exposes-974000-university-of-washington-medicine-patients/

Monday, February 18, 2019

Joke of the day - A man called Jay Brodsky is bringing a class action against Apple in California, complaining that two-factor authentication (2FA) on an iPhone or Mac takes too much time.


In his class action suit, Brodsky alleges:
  • Apple enabled 2FA on his account without his explicit consent, which seems very odd, as my experience has been that Apple only offers 2FA on an opt-in basis.
  • 2FA is too inconvenient to actually set up, requiring several steps on several devices.
  • 2FA is just too darn inconvenient to use… because it requires you to both remember a password *and* have access to a trusted device. Umm, isn’t this exactly how 2FA is supposed to work? Helping to stop hackers from simply needing your password to break into your accounts.
  • Apple doesn’t let you disable 2FA after it has been enabled for two weeks straight. This appears to be true. It looks like Apple gives you 14 days’ grace to deactivate 2FA if you wish, but after that… you’re 2FA-secured. Of course, this could be argued to be a good thing security-wise.
  • 2FA is required every time an Apple device is turned on. Really? Can’t say I’ve noticed.
  • 2FA takes between two and five minutes to complete. Hmm. When AppleInsider got its stopwatch out, it reckoned the 2FA process took them about 22 seconds in total.



https://www.grahamcluley.com/apple-sued-two-factor-authentication/

Most common lie - “We take your privacy and security seriously.” About one-third of 285 data breach notifications contained some variation of that line.


So most companies don't really care about the privacy or security of your data; they care about having to explain to their customers that their data was stolen.

Most of today's breaches are the result of shoddy security over years, sometimes decades, coming back to haunt them.

Companies would rather just pay the fines:

  • Target paid $18.5 million for a data breach that ensnared 41 million credit cards, compared to full-year revenues of $72 billion.
  • Anthem paid $115 million in fines after a data breach put 79 million insurance holders’ data at risk, on revenues that year of $79 billion.
  • Remember Equifax? The biggest breach of 2017 led to all talk and no action.



https://techcrunch.com/2019/02/17/we-take-your-privacy-and-security-seriously/

Friday, February 15, 2019

Phishing attack bent on stealing Facebook credentials - A bad actor designed a very realistic-looking social-login popup in plain HTML. When a victim visits a malicious website (which the attacker convinces them to visit through social engineering or otherwise), they are prompted to log into their Facebook account via a fake login prompt rendered inside the page. Once they fill in their username and password, that information is sent to the attacker.


“The only way to protect yourself from this type of attack is to actually try to drag the prompt away from the window it is currently displayed in,” the researcher who analysed it said. “If dragging it out fails (part of the popup disappears beyond the edge of the window), it’s a definite sign that the popup is fake.”

In general, as a precaution, drag login popups away from their initial position to check for abnormal behaviour: a genuine browser popup is a separate window with its own address bar showing the real login domain, while an in-page imitation cannot leave the page's viewport. A password manager that only autofills on the real domain is another cheap tell: it will stay silent on the fake prompt.

https://threatpost.com/sneaky-phishing-scam-facebook/141869/

Thursday, February 14, 2019

Equifax breach - a strange twist in the story. The stolen data has NEVER been FOUND (it has not surfaced for sale anywhere), and investigators have two interesting theories.



First, a foreign government is probably combining this information with other stolen data, then analyzing it using artificial intelligence or machine learning to figure out who is likely to be, or to become, a spy for the U.S. government.

Second, credit reporting data provides compromising information that can be used to turn valuable people into agents of a foreign government.

https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-data.html

Tuesday, February 12, 2019

Time to PATCH (again) - CVE-2019-5736: attackers can escape Linux CONTAINERS and obtain unauthorized root-level access to the host operating system.



  • Docker users should check the Docker release notes for version 18.09.2.
  • Kubernetes users should consult the Kubernetes blog article entitled "Runc and CVE-2019-5736".
  • Any containerization product that uses runc is probably vulnerable; if you have a version numbered runc 1.0-rc6 or earlier, you need to take action.



  • Patch runc if you're using it yourself.
  • Stop guest containers running as root if you can.
  • Ask your provider whether they are using runc on your behalf.



CVE-2019-5736 - This bug means that a program running with root privileges inside a guest container can make changes with root privilege outside that container: in practice, a malicious container image or a compromised root process inside a container can overwrite the host's runc binary, which then runs as root on the host the next time anyone starts or execs into a container.

https://nakedsecurity.sophos.com/2019/02/12/linux-container-bug-could-eat-your-server-from-the-inside-patch-now/
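
As an added example (not part of the Sophos article or the runc project), a small audit helper that applies the three checks above to text you already have at hand: the output of "runc --version", the Docker server version string, and "docker inspect" JSON for running containers. The version thresholds are the ones given above; the container sample is constructed, and the comment about backported fixes is a caveat about how distributions package runc, not something the article states.

```python
import json
import re

# Thresholds taken from the advice above.
DOCKER_FIXED = (18, 9, 2)            # Docker 18.09.2 release notes
RUNC_LAST_VULNERABLE_RC = 6          # runc 1.0-rc6 or earlier needs action


def parse_runc_version(output: str):
    """Parse `runc --version` output (first line looks like 'runc version 1.0.0-rc6')
    into (major, minor, patch, rc); rc is None for a non-rc release."""
    m = re.search(r"runc version (\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", output)
    if not m:
        raise ValueError("unrecognised runc --version output")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def runc_needs_action(output: str) -> bool:
    """True when the version string falls in the range called out above.
    Caveat: distributions backport fixes without bumping the upstream version,
    so True means 'confirm against your vendor advisory', not 'exploitable'."""
    major, minor, patch, rc = parse_runc_version(output)
    if (major, minor, patch) < (1, 0, 0):
        return True
    if (major, minor, patch) == (1, 0, 0):
        return rc is not None and rc <= RUNC_LAST_VULNERABLE_RC
    return False


def docker_needs_update(server_version: str) -> bool:
    """Compare `docker version --format '{{.Server.Version}}'` output
    (e.g. '18.09.1' or '18.06.1-ce') against the fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", server_version)
    if not m:
        raise ValueError("unrecognised Docker version")
    return tuple(int(x) for x in m.groups()) < DOCKER_FIXED


def containers_running_as_root(inspect_json: str):
    """Names of containers whose main process runs as root, from `docker inspect`
    JSON. An empty Config.User means no user was set by the image or at run time,
    i.e. root. (User-namespace remapping on the daemon, which the upstream advisory
    credits with blocking this bug, is not visible in this field.)"""
    names = []
    for c in json.loads(inspect_json):
        user = (c.get("Config", {}).get("User") or "").strip()
        if user.split(":")[0] in ("", "0", "root"):
            names.append(c["Name"].lstrip("/"))
    return names


# Constructed `docker inspect` sample, trimmed to the fields used here.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""}},
    {"Name": "/db", "Config": {"User": "root:root"}},
    {"Name": "/worker", "Config": {"User": "1000:1000"}},
])


if __name__ == "__main__":
    print("runc 1.0.0-rc6 needs action:", runc_needs_action("runc version 1.0.0-rc6"))
    print("docker 18.09.1 needs update:", docker_needs_update("18.09.1"))
    print("containers running as root:", containers_running_as_root(SAMPLE_INSPECT))
```

Feed it real output with, for example, runc_needs_action(subprocess.check_output(["runc", "--version"], text=True)) and containers_running_as_root(subprocess.check_output(["docker", "inspect", *ids], text=True)).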

A "security policy" may be ineffective without a "security culture" - (Evidence) According to Ponemon’s 2019 State of Password and Authentication Security Behaviors Report, extremely poor password management habits among IT staff are making a hacker’s job much easier.

51% reuse the same password across an average of five business and/or personal accounts. It seems "eating your own dog food" does not apply to IT.


This is in line with LastPass’s 2018 findings, where 50% of users used the same passwords for work and personal accounts.


https://blog.knowbe4.com/a-hackers-dream-half-of-it-admins-reuse-passwords-across-multiple-accounts

Sunday, February 10, 2019

Watch out - Another cryptographic attack that can break TLS traffic protected by RSA key exchange, with consequences even for TLS 1.3 deployments. It is a new variation of Bleichenbacher's original padding-oracle attack.



The good news is that updated versions of all the affected libraries were published in November 2018, when the researchers circulated an initial draft of their paper.

The attack leverages a side-channel leak (cache access timing) in these implementations to break the RSA key exchange of TLS: the attacker recovers the premaster secret of a recorded session, and with it the session keys, without ever learning the server's private key.

TLS 1.3 itself no longer offers RSA key exchange; it is affected when the same RSA key is also used by a server that still accepts TLS 1.2 or earlier with RSA key exchange, which lets a man-in-the-middle downgrade the connection and attack it there.

The reason for all these attack variations is that the authors of the TLS protocol chose to add countermeasures (continuing the handshake with a random premaster secret when the padding check fails) to make exploiting the padding oracle harder, instead of replacing the insecure RSA key exchange. Those countermeasures have to be implemented perfectly; every subtle timing or memory-access difference reintroduces the oracle.


https://www.zdnet.com/article/new-tls-encryption-busting-attack-also-impacts-the-newer-tls-1-3/
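
An added example, not from the ZDNet article or the research paper, showing the padding oracle that every Bleichenbacher variant builds on. A toy RSA key (two Mersenne primes, 150-bit modulus, a demo assumption far below real key sizes) stands in for a server key; padding_oracle() plays the leaky server, first_conforming_multiplier() performs the first search step of the 1998 attack (multiply the ciphertext by s^e and ask whether the result still decrypts to a block starting 00 02), and tls_style_decrypt() shows the TLS countermeasure described above, which hides the oracle from the protocol flow but, as the cache-timing research shows, not necessarily from the implementation. The full interval-narrowing attack is not carried through here.

```python
import random

# Toy RSA key built from two known Mersenne primes so the example runs instantly.
# A 150-bit modulus is a demo assumption, nowhere near a real key size.
P = (1 << 89) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19)
B = 1 << (8 * (K - 2))                  # PKCS#1 v1.5: conforming plaintexts lie in [2B, 3B)

rng = random.Random(2019)               # deterministic padding for a reproducible demo


def pkcs1_v15_pad(msg: bytes) -> int:
    """00 02 <non-zero padding, at least 8 bytes> 00 <msg>, as an integer."""
    assert len(msg) <= K - 11
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


def pkcs1_v15_unpad(m: int, msg_len: int):
    """Return the message, or None if the block is not a valid PKCS#1 v1.5 block."""
    block = m.to_bytes(K, "big")
    if block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10 or len(block) - sep - 1 != msg_len:    # padding >= 8 bytes, exact length
        return None
    return block[sep + 1:]


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt(c: int) -> int:
    return pow(c, D, N)


def padding_oracle(c: int) -> bool:
    """The leak Bleichenbacher needs: does the decryption of c start with 00 02?
    Any observable difference (error code, timing, cache footprint) will do."""
    m = decrypt(c)
    return 2 * B <= m < 3 * B


def first_conforming_multiplier(c: int):
    """Step 2a of Bleichenbacher's attack: search s >= ceil(N / 3B) until
    (s * m) mod N is conforming. Returns (s, number of oracle queries)."""
    s = (N + 3 * B - 1) // (3 * B)
    queries = 0
    while True:
        queries += 1
        if padding_oracle((c * pow(s, E, N)) % N):
            return s, queries
        s += 1


def tls_style_decrypt(c: int, msg_len: int) -> bytes:
    """TLS countermeasure: on a padding failure, continue with a random premaster
    secret instead of reporting an error, so neither the return value nor the
    handshake flow acts as an oracle. (The cache-timing attack above gets around
    this by watching the implementation itself, not the protocol.)"""
    msg = pkcs1_v15_unpad(decrypt(c), msg_len)
    return msg if msg is not None else bytes(rng.randrange(256) for _ in range(msg_len))


def run_attack_step(msg: bytes):
    """Encrypt msg, run step 2a against the oracle, and report whether the
    multiplier found really moves the plaintext into the conforming range."""
    m = pkcs1_v15_pad(msg)
    s, queries = first_conforming_multiplier(encrypt(m))
    return s, queries, 2 * B <= (s * m) % N < 3 * B


if __name__ == "__main__":
    s, queries, ok = run_attack_step(b"secret")
    print(f"s = {s} found after {queries} oracle queries; conforming: {ok}")
```

Each oracle answer shrinks the set of possible plaintexts; the real attack iterates this search (steps 2b/2c and 3 of the paper) until the interval collapses to the premaster secret, typically after tens of thousands to millions of queries against a real key, which is why even a tiny timing leak matters.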



Thursday, February 7, 2019

Vendor risk management - Remember that a vendor's security practices affect your security posture. An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for the remote monitoring and management (RMM) tool used by the MSP.



The attack resulted in some 1,500 to 2,000 systems belonging to the MSP's clients being cryptolocked, and the MSP itself facing a $2.6 million ransom demand.

In this case the executable was GandCrab, a widely distributed ransomware family used in numerous previous attacks. All customer systems that the MSP was managing via the Kaseya RMM tool were encrypted simultaneously, locking users out of them.

Attacks on MSPs are a growing concern. Recently, threat actors, some sponsored by nation states, have begun targeting MSPs to reach the networks of their clients. An RMM agent is, by design, remote code execution with administrative privilege on every managed machine, so the MSP's access deserves the same controls (MFA, patching, monitoring) as a domain admin account.

https://www.darkreading.com/attacks-breaches/ransomware-attack-via-msp-locks-customers-out-of-systems/d/d-id/1333825

If you absolutely have to have Alexa or Google Assistant in your home, heed the following advice:

DO NOT put a digital assistant in a child's room.


1. Change the Default Password on Your Wi-Fi Router
2. Set the Voice Lock
3. Decide Whether You Want to Shop By Voice
4. Understand that Privacy Rights in the US Are on the Way – but Are Not Law Yet
5. Be Smart About Where you Locate Your Devices
6. Be Aware that Smart TVs Come With Digital Assistants


Make sure to set the voice lock for just the adults in the home.

Make sure you receive follow-up emails confirming your purchases, and check your credit card statements to make sure fraudsters aren't running up charges on your account.

When the TV gets old and you pass it along to a friend or take it to the dump, find out how to erase all the data. 

https://www.darkreading.com/vulnerabilities---threats/6-security-tips-before-you-put-a-digital-assistant-to-work/d/d-id/1333783

Tuesday, February 5, 2019

Interesting security extension for Google Chrome - Google has released a new add-on for the Chrome browser that automatically and securely checks website credentials against known password breaches.



The Chrome browser extension, called Password Checkup, is available today. It checks the credentials used to log in to websites (whether typed manually or stored in Chrome's password manager) against hashed credentials in an encrypted database of billions of compromised accounts maintained by Google, and warns you when the username/password pair you just used is known to be compromised. It is the combination that is checked, so a unique password that has never leaked will not trigger a warning even if the username has.

https://arstechnica.com/information-technology/2019/02/google-releases-chrome-extension-that-alerts-to-breached-passwords/
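
An added example, not Google's code and not the Password Checkup protocol itself (Google's extension layers a blinded private-set-intersection step on top of hash-prefix bucketing, as described in its own write-up), showing the hash-prefix range query that lets a client ask "has this credential leaked?" without sending the credential: the client reveals only the first few hex characters of the hash, the server returns every known suffix in that bucket, and the comparison happens locally. The breach corpus and the accounts are constructed; plain SHA-1 is a demo assumption where a real service would use a slow, salted hash.

```python
import hashlib

PREFIX_LEN = 5   # hex chars (20 bits) sent to the server; everything else stays local

# Constructed breach corpus (demo assumption): leaked username/password pairs.
BREACHED_CREDENTIALS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "Spring2019!"),
]


def credential_hash(username: str, password: str) -> str:
    """Hash the pair, not just the password, because the warning is about a leaked
    combination. Plain SHA-1 is a demo assumption; a real service would use a slow,
    salted hash (e.g. Argon2) so that a bucket cannot be brute-forced offline."""
    return hashlib.sha1(f"{username.lower()}:{password}".encode()).hexdigest().upper()


class BreachServer:
    """Server side: full hashes indexed by prefix, answering range queries."""

    def __init__(self, credentials):
        self.index = {}
        for user, pw in credentials:
            h = credential_hash(user, pw)
            self.index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
        self.queries_seen = []          # everything the server ever learns

    def range_query(self, prefix: str):
        self.queries_seen.append(prefix)
        return sorted(self.index.get(prefix, ()))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: send only the prefix, compare the suffix locally."""
    h = credential_hash(username, password)
    return h[PREFIX_LEN:] in server.range_query(h[:PREFIX_LEN])


def run_demo():
    """Check three logins and report what the server saw."""
    server = BreachServer(BREACHED_CREDENTIALS)
    return {
        "alice_old_pw_leaked": check_credential(server, "alice@example.com", "password123"),
        "alice_new_pw_leaked": check_credential(server, "alice@example.com", "correct horse battery staple"),
        "bob_pw_on_other_account": check_credential(server, "dave@example.com", "letmein"),
        "server_saw": server.queries_seen,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

With a real-sized corpus each 20-bit prefix bucket holds thousands of entries, so the prefix alone does not identify the credential; the cost of that anonymity is the size of the response the client has to download and scan.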

More good news if you are a Firefox user - Firefox 67, planned for release in May 2019, will have a few welcome features:


1. Block cryptocurrency miners
2. Block fingerprinting
3. Mute autoplaying videos

Cryptominers not only burn CPU cycles to mine cryptocurrency for someone else, they also degrade the computer's performance: the whole system becomes slow and other work is delayed.

Fingerprinting is a technique that builds a profile of a user for tracking purposes from the information the device, the browser, and (if permitted) scripts reveal about the configuration, without needing cookies.

https://www.hackread.com/firefox-offers-fingerprinting-cryptomining-protection/

Friday, February 1, 2019

Interesting headline - Japanese government plans to hack into citizens' IoT devices

The Japanese government approved a law amendment on Friday that will allow government workers to hack into people's Internet of Things devices as part of an unprecedented survey of insecure IoT devices.

NICT (National Institute of Information and Communications Technology) employees will be allowed to use default passwords and password dictionaries to attempt to log into Japanese consumers' IoT devices.

The plan is to compile a list of insecure devices that use default and easy-to-guess passwords and pass it on to the authorities and the relevant internet service providers, so they can alert consumers and secure the devices.


https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

Cyber attacks against the US - different countries, different intentions (apart from meddling with the upcoming 2020 election):



  • China has the capacity and the desire to go after American targets, not only for diplomatic and military information but also for attacks on infrastructure and private-sector business.
  • Russia will likely continue to go after critical infrastructure and focus on stealing intelligence from NATO.
  • Iran, meanwhile, is likely to focus on social media campaigns to boost its public image and sway opinion in its favor.
  • North Korea will look to boost its coffers with financial hacks.



https://www.theregister.co.uk/2019/01/30/us_election_meddling/