If Vendor insecurity seems to be the new norm then God help all of us

Attackers compromise Twilio's SDK due to misconfigured  AWS S3 buckets left the SDK's path publicly readable and writable for roughly five years. Twilio powers communications for over 40,000 businesses and helps developers add voice, video, messaging, and authentication capabilities. 

The company's customer list includes Twitter, Netflix, Uber, Shopify, Morgan Stanley, Airbnb, Wix, Spotify, Yelp, Hulu, Intuit, ING, eBay, and countless others.

https://www.bleepingcomputer.com/news/security/twilio-exposes-sdk-attackers-inject-it-with-malvertising-code/

Interesting Observations on Hate groups:

 1 - Education plays a MINOR role in determining who does or does not join a hate group. 

2 - The more religious groups on the East Coast, the more hate groups. 

3 - Poverty is a crucial driver. 

https://talglobal.com/knowledge-center/the-map-to-hate-groups/

The Ransomware attack was thwarted but the ransom was paid. Wonder Why?

 By the time the company responded, the unidentifiable hackers already had stolen a data subset. According to the company "We paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,”.  I, wonder what "confirmation" means here (A picture of Mickey Mouse?)

https://www.hackread.com/cloud-hosting-blackbaud-pays-ransom-ransomware-attack/

Our smart phones have multiple privacy settings that can improve security. Here are a few that we could use

https://www.zdnet.com/article/privacy-settings-how-to-secure-your-iphone-and-android-device/

Finally, Nice to see a solution for the Robocall torture - T-Mobile customers (with Magenta and Essentials plans) will also be able to get a free PROXY phone number that can be used when they want to keep their main (personal) phone number private

https://www.bleepingcomputer.com/news/security/t-mobile-announces-free-scam-shield-robocall-and-scam-protection

Fact is stranger than fiction - This critical WORMABLE vulnerability existed for 17 years - SIGRed (CVE-2020-1350) . The Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack.

https://thehackernews.com/2020/07/windows-dns-server-hacking.html

Another good reason to deploy MFA and increase Awareness Training / Phishing exercises - Researchers from Agari who discovered the operation — dubbed Cosmic Lynx — claim that this is the first-ever reported case of a Russian cybercriminal outfit running an organized BEC phishing scam.

https://www.scmagazine.com/home/security-news/cybercrime/bec-scams-grow-in-complexity-as-russian-actors-launch-cosmic-lynx-operation/

Top 3 Threats according to DHS Cybersecurity and Infrastructure Security Agency (CISA)- Backdoors (some have forgotten about it), cryptominers, and ransomware constituted more than 90% of the active signatures detected.

https://www.darkreading.com/vulnerabilities---threats/dhs-shares-data-on-top-cyber-threats-to-federal-agencies/d/d-id/1338261

Curious - How many of us think about what happens when we share information online - is it Stored? if so, safely?, How long ?, whom is it shared with? and finally, what happens if it is exposed?

https://www.wired.com/story/dating-apps-leak-explicit-photos-screenshots/

Ripple20 bug - The curse of IoT continues

 19 different vulnerabilities, four of them critical, are affecting hundreds of millions of internet of things (IoT) 

https://threatpost.com/millions-connected-devices-ripple20-bugs/156599/

FREE - 150+ tools and resource from SANS.

https://www.sans.org/media/free/free-faculty-tools.pdf

We can stop using Facebook and Whatsapp for conveying our messages , our light bulbs can do that for us (One minor problem, they can do it without your consent)

.Good news is that it is not easy (at this point in time)as additional gadgets and multiple steps are involved.

https://threatpost.com/lamphone-hack-lightbulb-vibrations-eavesdrop/156551/

Protect your YouTube accounts - Stolen accounts can be used to spread malware and launch fraud scams against viewers, it is also used to blackmail the account owner.

 One snap poll run by an underground forum revealed that 80% of (dark web) members wanted to see more YouTube credentials put up for sale.

https://www.infosecurity-magazine.com/news/dark-web-demand-youtube-account/

Ransom-warez - No hacking skills needed , just visit auction site and bid for (interesting) stolen data.

With many companies losing our personal information , the only solution for us is to be vigilant and follow simple policies like "Think before you Click/Pick (phone)" and keep an eye on credit/bank reports.

https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/

Important Ransomware Lessons:

1 - "Prevention is better than cure"
2 - Backups help with recovery but, won't prevent a data breach. 

We now have NetWalker - “ransomware-as-a-service” (RaaS) - Threatens to publish victims’ data on the internet if ransoms are not paid.  Attackers send poisoned emails are sent that appear related to the Coronavirus crisis. It  can also masqueraded as the legitimate password management app Sticky Password.

https://www.tripwire.com/state-of-security/featured/netwalker-ransomware-what-need-know/

Salted Passwords are good. but, if old algorithms like MD5 then it is no use

In case of Mathway, the storage mechanism for the passwords is PHPASS, which gets salted MD5. Allan says " if I wanted to crack these passwords,I could do so on a rig that computes millions of MD5 hashes a second. With more secure cryptographic hashes, such as bcrypt or scrypt, it is much slower to compute the hash."

https://www.scmagazine.com/home/security-news/mathway-breach-latest-caper-for-shiny-hunters/

Android user check if your device vendor has a fix for bug StrandHogg 2.0 (CVE-2020-0096)- Similar to previously discovered StrandHogg but more dangerous and more difficult to detect. Attackers can access SMS messages and photos, swipe login credentials, track GPS movements, record phone conversations, access the camera and microphone, and review contact lists and phone logs.

https://www.scmagazine.com/home/security-news/vulnerabilities/strandhogg-2-0-bug-enables-android-app-hijacking-poses-patching-challenge/

ATM Skimmers - This one has three bad news

1 - ATM Skimmers (nothing new)
2 - ATM vendor wanted to install it
3 - The vendor enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office.

https://krebsonsecurity.com/2020/05/report-atm-skimmer-gang-had-protection-from-mexican-attorney-generals-office/

Few ransomware stats to help manage your business risk

: 1 - Criminals succeeded in encrypting the data in 73% of these attacks.
2 - 59% of attacks involved data in the public cloud.
3- One in five organizations has a major hole in their cyber security insurance.
4 - The average cost to rectify the impacts is US$732,520 for those who do not pay the ransom, rising to US$1,448,458 for those who pay.

Good news - 56% got data back via backups than by paying the ransom .


https://news.sophos.com/en-us/2020/05/12/the-state-of-ransomware-2020/?cmp=26105

iPhone Spyware called "Hide UI" used by law enforcement, can track a suspect's passcode when it's entered into a phone. In order for this feature to work, law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect

https://www.nbcnews.com/tech/security/iphone-spyware-lets-cops-log-suspects-passcodes-when-cracking-doesn-n1209296

Apple products - Price Up & Quality down. wonder why? - “Apple has a poor history of paying hackers or recognizing when payment for work should occur,” said researcher Jake Davis.

https://www.cyberscoop.com/ios-zero-day-zerodium-high-supply/

Don't fall for this scam - Fake warning "someone using your Internet address has been caught viewing child pornography" - Message claims to have been sent from Microsoft Support, and says the recipient’s Windows license will be suspended unless they call an “MS Support” number to reinstate the license, the goal is to trick callers into giving fraudsters direct access to their PCs.

https://krebsonsecurity.com/2020/05/tech-support-scam-uses-child-porn-warning/

Attention Samsung fans - Vendor has released a security update for its smartphones. It includes a critical fix for a vulnerability that affects all devices sold by the manufacturer since 2014 (yes, the vulnerability existed for last 6 years)

https://www.tripwire.com/state-of-security/security-data-protection/six-years-samsung-smartphone-users-risk-critical-security-bug-patch-now/

How many of us are ready for this ? - LockBit Ransomware-as-a-Service (RaaS) - It is a WORM. Have we enabled a simple rule that blocks incoming connections on our "Host based firewalls"? (Remember it is packaged free with windows )

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-self-spreads-to-quickly-encrypt-225-systems/

Golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. Here is how a tech industry pro (having worked in security for several years at a fairly major cloud-based service) fell for a banking scam

https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/

Thanks to everyone contributing to the Folding@Home - This is a project that for 20 years has been employing crowdsourced computer-processing power to help run molecular calculations for diseases including cancer and Alzheimer's disease - and most recently for COVID-19. Folding is basically the process of assembling a protein, and simulating that process takes massive CPU and GPU (graphical processing unit) power.

https://www.darkreading.com/endpoint/white-hat-hackers-help-fold-covid-19-proteins-/d/d-id/1337629

Starbleed Vulnerability - A new security bug that impacts Xilinx FPGA chipsets.- Why is it important? - These chips are in many safety-critical applications today, from cloud data centers and mobile phone base stations to encrypted USB-sticks and industrial control systems

. This vulnerability allows an attacker to crack the bitstream encryption and tamper with the operations stored inside the bitstream, allowing the attacker to load their own malicious code on vulnerable devices. Intellectual properties included in the bitstream can be stolen. It is also possible to insert hardware Trojans into the FPGA by manipulating the bitstream.


https://www.zdnet.com/article/starbleed-bug-impacts-fpga-chips-used-in-data-centers-iot-devices-industrial-equipment/

Does this company know what "COGNIZANT" means. This news is troubling for two reasons. 1- Cognizant has many large customers. 2 - Maze ransomware is known for data exfiltration and extortion.

https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/

Manufacturer of AirSense 10, the world’s most widely used CPAP says the AirSense 10 would require “significant rework to function as a ventilator,” while (surprise!) many ventilator functions were already built into the device firmware.

 Security researcher Trammel Hudson has released a patch (dubbed Airbreak) that he says unlocks the hidden capabilities buried deep inside the AirSense 10.


https://arstechnica.com/information-technology/2020/04/firmware-jailbreak-lets-low-cost-medical-devices-act-like-ventilators/

(S)Extortion - Hope, it never happens but if it ever does then remember this video

https://youtu.be/veY0WzoubQw

Watch out for FLEECEWARE - Mobile apps that can still charge users even after users uninstall the app from their devices. Researchers have identified 32 iOS apps (see table at the end of this article) that charge up to $30/month or $9/week for simple features that are usually available for free. Some of these fees seem small, but they can add up to between $360 and $468 per year.

https://www.zdnet.com/article/fleeceware-apps-discovered-on-the-ios-app-store/

School districts around the world are quickly moving to an eLearning format, meaning most of kids social and educational lives are online. This webcast can help parents to ensure their kids are making the most of technology safely and securely.

https://www.youtube.com/watch?v=vrAmvj00jYo&feature=youtu.be

FREE COVID-19 Threatlist from DOMAINTOOLS

- We know bad guys are creating fake COVID-19 related domains to lure us. To battle this , DomainTools is providing a free, curated list (updated everyday) of high-risk COVID-19-related domains to support the community during the Coronavirus crisis.

https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats

Zero Trust Security Model is the new rage - How much do we know about it. Here is a timely doc from Microsoft that can help

https://www.microsoft.com/en-us/security/business/zero-trust

(US Residents) Beware of these COVID-19 relates emails:

1. Emails purporting to contain helpful information from the Centers for Disease Control and Prevention (CDC)
2. Medical sources, and phishing emails that ask to provide their personal information in order to receive an economic stimulus check.
(3. Free pass to entertainment services like Netflix)

https://www.scmagazine.com/home/security-news/cybercrime/fbi-warns-of-covid-19-phishing-scams-promising-stimulus-checks-vaccines/

Security vendors are in the business of selling security they don't have to care about securing their own environment (Remember RSA, Symantec)

- British security outfit Keepnet Labs exposed a massive database (without any password protection) on the internet, containing more than five billion records.

https://www.grahamcluley.com/security-firm-five-billion-records-exposed-unsecured-database/

In case you missed it due to everything happening around COVID-19 - Microsoft has issued a new security advisory warning billions of Windows users of two new critical, unpatched zero-day vulnerabilities

This could let hackers remotely take complete control over targeted computers.  No Patch Yet Available; Apply Workaround ( Disable the Preview Pane and Details Pane in Windows Explorer)

https://thehackernews.com/2020/03/windows-adobe-font-vulnerability.html

Another free service during the Coronavirus outbreak - Emsisoft and Coveware will be offering their ransomware decryption and negotiation services for free to healthcare providers

https://www.bleepingcomputer.com/news/security/emsisoft-coveware-offer-free-ransomware-help-during-coronavirus-outbreak/

Bookmark this page/ link, it has a list of free software - Never know we might need one of them during this COVID-19 outbreak

https://www.bleepingcomputer.com/news/software/list-of-free-software-and-services-during-coronavirus-outbreak/

If you use whatsapp (who doesn't) then , spend a few minutes to review your privacy settings.

https://privacycrypts.com/blog/whatsapp-privacy-settings-should-know-about/

Can this be true? - CIA's password for its top-secret hacking tools? 123ABCdef. The passwords were shared

 The passwords were shared by the entire team and posted on the group’s intranet. IRC chats published during the trial even revealed team members talking about how terrible their infosec practices were, and joked that CIA internal security would go nuts if they knew.


https://www.theregister.co.uk/2020/03/05/cia_leak_trial/

Free Anti Virus and smart phone protection Software from Sophos

https://www.sophos.com/en-us/products/free-tools.aspx?cmp=30726

FREE Cybersecurity Law Casebook.

Thanks to Bobby Chesney,Professor at University of Texas at Austin for publishing this FREE Cybersecurity Law Casebook.
Who should use it: The book is designed to be valuable not just to beginners but also those who may have experience in one area but would like to see how their corner of the puzzle relates to the larger whole.
About this book: This is an interdisciplinary “eCasebook,” designed from the ground up to reflect the intertwined nature of the legal and policy questions associated with cybersecurity.

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3547103

If you think any subdomain with "microsoft.com" is safe, think again

Researchers were able to grab more than 670 subdomains that had previously been used by Microsoft but subsequently FORGOTTEN about it.

https://nakedsecurity.sophos.com/2020/03/06/researcher-finds-670-microsoft-subdomains-vulnerable-to-takeover/

Ransomware Evolution #5 - Steal data from backups and delete it. We thought good backups are important (they still are) but, what happens when ransomware authors can gain control of the Backup Software

Evolution:
1. Encrypt local data
2. Worm
3. Threaten to expose sensitive pictures
4. Threaten to expose data (leading to breach)

https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/

CCTV footage from a Fake Call Center involved in Tech support scams.

https://youtu.be/le71yVPh4uk

Must Watch - (Sad and touching,) How a 13 year old girl is cheated by a scammer from a Fake Call Center in India.

https://youtu.be/kFwt-_svg_0

Smart Speaker or Smart Snooper, maybe we whould call it "Smart Sneaker" - Forget big brother , your own pet electronics might be spying on you. Study estimates that activations of smart speakers when it wasn't you who uttered any wake word occur between 1.5 and 19 times a day. The average time of activation is 43 seconds.

https://www.zdnet.com/article/dont-worry-alexa-and-friends-only-record-you-up-to-19-times-a-day/

Dangerous evolution of Ransomware - Started as ransom for encryption our files, changed to data/pictures exposure black mail and now it could wipe important evidence and let dangerous people walk free.

https://nakedsecurity.sophos.com/2020/02/28/ransomware-wipes-evidence-lets-suspected-drug-dealers-walk-free/

Another reminder for "Prevention is better than cure" - Once you are infected by Malware, you will be at the mercy of its author who will determine what they want to get out of you.

https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/

Security folks love NIST CSF but have difficulty adapting it. Now, if you are an AWS customer then it has become easier. download the Aligning to the NIST CSF in the AWS Cloud" whitepaper for more details.

https://pages.awscloud.com/aligning-to-the-NIST-CSF-in-the-AWS-Cloud.html

I did not know that there are vacuum cleaners with video cameras (that also allows hackers to view the video). Makes total sense, It will CLEAN your house and may also help (robbers) to CLEAN-UP your house.

https://threatpost.com/unpatched-security-flaws-open-connected-vacuum-to-takeover/153142/

Outsourcing important IT Services is not a bad idea but with what's going on recently, shouldn't we also consider a scenario of vendor being taken down by Malware, Ransomware, Breach, etc

. I am excluding big guns like Microsoft, Amazon and Google.


https://threatpost.com/iss-world-hit-with-malware-attack-that-shuts-down-global-computer-network/153109/

What happens when a (dumb) vendor cannot separate test and production environment - Nothing much , just a bunch of freaked-out customers

Many owners of Samsung smartphones have received an odd notification but the message  simply disappeared when they clicked on it. Samsung explains "This notification was confirmed as a message sent unintentionally during internal testing and there is no effect on your device"

https://www.grahamcluley.com/samsung-find-my-mobile-notification/

Are you sure the stranger in the street is taking a selfie,not your picture?

 - If it is your picture then he/she may also be able to gather your personal information, thanks to "Clearview AI"

https://www.nowtheendbegins.com/clearview-ai-app-allows-strangers-access-your-name-address-phone-number/

Reminder - Hackers don't care , Anyone can be a victim

 so, stop burying your head in the sand thinking my account/business is not important enough to be hacked.


https://hotforsecurity.bitdefender.com/blog/data-breach-hits-san-diego-low-income-preschool-provider-22261.html?utm_source=dlvr.it&utm_medium=twitter

Free guide for SYSMON ,an excellent security tool from Microsoft

Remember "Prevention is Ideal but Detection is a MUST."

Sysmon is designed to extend the current logging capabilities in Windows to aid in understanding and detecting attackers by behavior.

Download Link:
https://lnkd.in/gupkbqK

hxxps://github.com/trustedsec/SysmonCommunityGuide/releases

WhatsApp users, here's something to remember - A vulnerability (in desktop app) could allow the spread of malware

. It could also  impact WhatsApp for iPhone, if we don’t update our desktop and mobile apps, and if we don’t use newer versions of the Chrome browser.

https://threatpost.com/whatsapp-bug-malicious-code-injection-rce/152578/

This could happen to any organization - Ransomware => Blackmail => Data Breach

 The gang places the company name on a website. If a payment is not forthcoming immediately it then places a small amount of the stolen data on the site as proof. If payment is received the name is removed. The important question is "how can we be sure?" after all what's stopping them from blackmailing again.

https://www.scmagazine.com/home/security-news/ransomware/maze-ransomware-publicly-shaming-victims-into-paying/

How to drive cars with autopilot crazy? - Project fake images from drones on the road or on surrounding billboards, as rea

l.  Researchers  were able to create “phantom” images; use a projector to transmit them within the autopilots’ range of detection; and trick systems into believing that they are legitimate.

https://threatpost.com/tesla-autopilot-duped-by-phantom-images/152491/

We might not be up-to-date on current events but, cybercriminals are and they are quick to capitalize on them. The latest being "CoronaVirus"

One important behaviour pattern cybercriminals depend on is that if, an email sounds scary / urgent then we might click on the link or attachment. The new botnet campaign targets geographic regions that may be more impacted by the outbreak given their locations in Asia to spread Emotet trojan.IBM X-Force warned that Emotet operators will probably expand their targeting beyond Japan soon.

https://threatpost.com/coronavirus-propagate-emotet/152404/

Trickbot trojan gets dangerous as it can now run in stealth mode

. It uses Wsreset.exe , which when executing a command it will not display a UAC prompt and users will have no idea that a program has been executed.


https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/

Finally, UK has an IoT Law

The Law Mandates:

1. IoT device passwords must be unique. 
2. Manufacturers must also provide a public point of contact so that anyone can report a flaw. 
3. Manufacturers must also explicitly state the minimum length of time for which devices will receive security updates.

https://threatpost.com/mandatory-iot-security-uk-proposal/152217/

Interesting Attack Technique - Ransomware can now infect any Active directory connected windows system if the user profile is setup to execute a login script when a user logs in.

The attacker weaponized AD by putting not Trickbot, but Ryuk, into the AD [roaming] login script. So anybody who logged into that AD server was immediately infected.
So as soon as an engineer, for example, logged in from his or her workstation, the payload would drop, execute, and lock the user out of the machine.

https://www.darkreading.com/threat-intelligence/ryuk-ransomware-hit-multiple-oil-and-gas-facilities-ics-security-expert-says-/d/d-id/1336865

I am dumbstruck - Microsoft exposed (in clear-text) 14 years worth of data with 250 million CSS records

. This means records from 2005 to December 2019 were leaked online and left without any security authentication allowing the public to access it with just a web browser.


https://www.hackread.com/250-million-microsoft-customer-support-records-leaked-plain-text/

Extortionists find new victims - "Plastic surgery patients"

Hackers not only know their personal information, but also might have photographs of their “before” and “after”. One can easily imagine that things become even more uncomfortable if it’s other parts of your body that you’ve had “tweaked”.

The Center for Facial Recognition says that within three weeks of being threatened by the extortionists, up to 20 patients have been contacted by the criminals with individual demands for payment.

https://www.grahamcluley.com/plastic-surgery-patients-ransomware/

Remember - Patch all windows computers (Corp / Personal) with 01/2020 MS Updat

e. An attacker can spy on your web browsing, even on encrypted sites, as well as altering the content you get back or modifying the data you upload.

https://nakedsecurity.sophos.com/2020/01/14/serious-microsoft-crypto-vulnerability-patch-right-now/

Microsoft starts 2020 patch Tuesday with a BANG - Brian Krebs calls one of the vulnerability (fixed) as "extraordinarily serious security vulnerability". So, if we don't patch then, "Shame on Us".

It could have wide-ranging security implications for a number of important Windows
functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools


Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.


https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/

Hidden Camera Risk (Airbnb or anywhere other than home), What can we do aboutit ?. This article has some recommendation (Tools like Angry IP Scanner, Nmap, and Network Scanner)

https://getpocket.com/explore/item/how-to-scan-your-airbnb-for-hidden-cameras?utm_source=pocket-newtab

Official statement "We have now contained the virus and are working to restore our systems". The reality was that it was a Ransomware attack and Britain's largest retail banks have been forced to halt processing foreign currency.

https://www.cnbc.com/2020/01/09/british-banks-hit-by-hacking-of-foreign-exchange-firm-travelex.html

Upgrade Firefox NOW !!! - Mozilla, has identified (and patched) a zero-day vulnerability in Firefox that could allow an attacker to take control of users’ computers.

The vulnerability was detected in exploits seen in-the-wild. United States

Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory


https://www.grahamcluley.com/stop-everything-update-firefox-now/