FireSale HackBoy

Knowledge Shared By FireSale HackBoy...


Saturday, March 31, 2018

US may screen social media of Immigrant & Non-Immigrant Visa Applicants

By Uzair Amir

Trump administration has announced that it will be starting to

This is a post from HackRead.com Read the original post: US may screen social media of Immigrant & Non-Immigrant Visa Applicants


April 01, 2018 at 12:13AM

MailChimp Bans ICO & Blockchain Marketing- Fundraisers Devastated

By Waqas

Well-known email distribution platform MailChimp announced a change in its

This is a post from HackRead.com Read the original post: MailChimp Bans ICO & Blockchain Marketing- Fundraisers Devastated


March 31, 2018 at 07:49PM

Friday, March 30, 2018

Hackers take over power billing records of Indian state; demand ransom

By Uzair Amir

The AMR system (automatic meter reading system) of Uttar Haryana

This is a post from HackRead.com Read the original post: Hackers take over power billing records of Indian state; demand ransom


March 30, 2018 at 10:23PM

Flawed Meltdown patch by Microsoft makes Windows more vulnerable

By Waqas

Microsoft’s January patch was released amidst claims of addressing the

This is a post from HackRead.com Read the original post: Flawed Meltdown patch by Microsoft makes Windows more vulnerable


March 30, 2018 at 09:06PM

Things I Hearted this Week – 30th March 2018

Another week and social media giants Facebook and Google are under scrutiny by all and sundry as to the information they gather and the privacy implications. I know that something is big when my Dad asked me about the whole debacle over dinner this week – and he doesn’t even use, or fully understand Facebook.

Many years ago, my Dad used to run his own magazine, and so understands media and advertising very well. It made for interesting conversation as I explained how online ads are not static like he’s used to – but rather everything is a big information engine, designed to ingest information about you, and then push back tailored content designed to meet your needs. I was half-thinking he’d agree that it was a great innovation. But alas, he defaulted to his standard position that people have entrusted too many critical decisions to computers and nothing good will come of it.

He probably has a point.

#DeleteFacebook

The world seems upset at Facebook, to the point that the #DeleteFacebook campaign has been picking up momentum. But is it a genuine movement or a bandwagon that opportunists are taking advantage of?

Socialsafeguard took a look at the hashtag, where it’s trending, and the dollar value a user has for Facebook.

But what if my password manager gets hacked?

Sometimes, the proverbial “WHAT IF IT GETS HACKED?!” question isn’t a question at all, it’s a “Gotcha!” question/comment or attempt to get under my skin with a tired, washed out and predictable argument that I’ve heard about a million times before. Other times, though, especially with non-experts, it’s a legitimate, serious question that doesn’t have an easy “yes or no” answer.

Cyber, the short version

The man known as TheGrugq recently gave a keynote on cyber conflict, but was kind enough to extract the essence in this post

Find bugs and chill

Online video streaming company Netflix seems to be one of those companies that always finds its way into the technology news for the right reasons. It ran a private vulnerability disclosure program over the past five years, resulting in 190 issues being addressed. Now it is opening its doors to a public bug bounty program through Bugcrowd.

Security scammers

There are many different types of scammers that operate on the internet. Security scammers approach website owners with claims that their website is infected or vulnerable and offer to fix the issues for a fee. However, would-be scammers should do their homework and not try to scam Troy Hunt, aka the Crocodile Dundee of IT Security.

What ensued was a humorous exchange.

Who and what is Coinhive?

Multiple security firms recently identified cryptocurrency mining service Coinhive as the top malicious threat to Web users, thanks to the tendency for Coinhive’s computer code to be used on hacked Web sites to steal the processing power of its visitors’ devices. This post looks at how Coinhive vaulted to the top of the threat list less than a year after its debut, and explores clues about the possible identities of the individuals behind the service.

But it seems that not everyone was pleased with the Krebs article, and retaliated, in a very unique way.

Investigating lateral movement paths with ATA

Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.
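A worked example of the path logic described above, added here and not part of the original post or of Microsoft ATA: a small Python breadth-first search over a constructed inventory (hypothetical hosts and users) of local admin rights and logon sessions. It finds the chain a non-sensitive account can follow to harvest a sensitive account’s credentials, and lists the machines where such a chain can be cut.

```python
"""Lateral movement path finder (added example; not from the post or from ATA).

Models the situation the paragraph describes: an attacker who controls a
non-sensitive account with local admin rights on a machine can dump the
credentials of every user with a session on that machine, then repeat from
those accounts. All inventory data below is constructed for illustration.
"""
from collections import deque

# Constructed inventory: hypothetical hosts and users.
LOCAL_ADMINS = {
    "WS01": {"alice", "helpdesk"},
    "WS02": {"helpdesk"},
    "SRV-FILE01": {"bob"},
    "DC01": {"domain-admin"},
}
# Interactive or cached-credential sessions observed on each machine.
SESSIONS = {
    "WS01": {"alice", "bob"},
    "WS02": {"helpdesk"},
    "SRV-FILE01": {"domain-admin"},
    "DC01": {"domain-admin"},
}
SENSITIVE = {"domain-admin"}


def machines_admined_by(user, local_admins=LOCAL_ADMINS):
    """Machines on which `user` holds local admin rights (sorted for determinism)."""
    return sorted(m for m, admins in local_admins.items() if user in admins)


def find_lateral_path(start_user, sensitive=SENSITIVE,
                      local_admins=LOCAL_ADMINS, sessions=SESSIONS):
    """Breadth-first search over user -> machine -> user hops.

    Returns the shortest path from start_user to a sensitive account as a list
    alternating users and machines, or None if no path exists.
    """
    if start_user in sensitive:
        return [start_user]
    queue = deque([(start_user, [start_user])])
    seen_users = {start_user}
    while queue:
        user, path = queue.popleft()
        for machine in machines_admined_by(user, local_admins):
            # Local admin on `machine` lets the attacker dump credentials of
            # every account that has a session there.
            for victim in sorted(sessions.get(machine, set())):
                if victim in seen_users:
                    continue
                new_path = path + [machine, victim]
                if victim in sensitive:
                    return new_path
                seen_users.add(victim)
                queue.append((victim, new_path))
    return None


def exposed_machines(sensitive=SENSITIVE, local_admins=LOCAL_ADMINS,
                     sessions=SESSIONS):
    """Machines where a sensitive account has a session while a non-sensitive
    account holds local admin rights. These are the links to break."""
    result = {}
    for machine, users in sessions.items():
        if users & sensitive:
            weak_admins = local_admins.get(machine, set()) - sensitive
            if weak_admins:
                result[machine] = sorted(weak_admins)
    return result


if __name__ == "__main__":
    print(find_lateral_path("alice"))
    print(exposed_machines())
```

In a real environment the two dictionaries would be filled from Windows logon events and local group enumeration; the search itself does not change.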

      

The post Things I Hearted this Week – 30th March 2018 appeared first on Cybersecurity Insiders.


March 30, 2018 at 09:09PM

Trustico’s SSL Certificate Breach: A Reminder to Lockdown SSL Private Keys

Trustico’s SSL (Secure Sockets Layer) certificate and private key breach is certainly unique in the way it played out, but unfortunately this type of breach is not. The problems surrounding private key security for SSL/TLS (Transport Layer Security) certificates have already been experienced in the larger PKI space, where the security of a single private key can impact the trust placed in thousands, if not millions, of certificates in use cases such as code signing, database encryption and the Internet of Things (IoT).

In order to keep websites secure, organizations rely on SSL/TLS certificates to enable secure online transactions. Securing SSL/TLS keys and certificates means a secure website and ultimately a safe experience for customers. In the case of Trustico, an SSL Certificate Provider, it appears that the certificate private keys were archived so that they were available to the company’s CEO rather than being stored isolated and under the customer’s control. Furthermore, Trustico then emailed the SSL private keys to DigiCert, compromising 23,000 websites and customers.

It’s All About Control
The Trustico breach could have been avoided had customers been in control of their crypto keys. In this case, customers allowed Trustico to generate the private keys on their behalf, ultimately handing over control. With the Enterprise transitioning to the cloud, and the increase in “as a service” consumption, service providers are managing more and more responsibilities on behalf of customers, but the one thing that should never be handed over is control of those keys.

HSMs — A Proven Solution for SSL/TLS Private Key Security
Hardware Security Modules (HSMs) offer protection for digital credentials. By generating, storing and using your keys in the safe confines of an HSM you can ensure that you own your encryption keys, know their whereabouts at all times, and remain in control.

Here are the top 3 security tips an Enterprise can take to ensure they don’t end up in the same situation as Trustico, and confirm customer controlled protection of digital credentials:

1. Always generate your private keys in hardware: HSMs provide centralized, secure generation of SSL and TLS private keys, preventing their compromise by adding the assurance of hardware-secured FIPS (Federal Information Processing Standard) 140-2-validated key management, to secure websites. HSMs create a tamper-resistant environment to perform cryptographic processes, and act as a hardware root of trust be it on-premises, private, public, hybrid or multi-cloud.

2. Always store your private keys in hardware: tamper-resistant physical designs, coupled with strict operational policies, ensure that direct physical attacks and attacks from trusted insiders are negated. HSMs help you achieve regulatory compliance while reducing legal liabilities and eliminate the risks associated with storing private keys in a more vulnerable software repository.

3. Always use your private keys in hardware: by providing physical and logical isolation of key materials from the computers and applications that use them, HSMs make it almost impossible to extract key materials through traditional network attacks or software implementation flaws such as Heartbleed.

Gemalto SafeNet Luna HSMs
SafeNet Luna HSMs provide a centralized, multi-layered security approach to generating SSL/TLS private keys. This approach includes the secure generation of FIPS and Common Criteria-certified private keys with a strong entropy source, all within the safe confines of a high-assurance, hardware-secured FIPS 140-2-validated appliance.

Third-party HSM Validation
Given the burden of trust riding on SSL and TLS private key security, strict validation and certification standards have been implemented by various government bodies to provide base criteria for the evaluation of HSMs. The most common standards are the National Institute of Standards and Technology (NIST) FIPS 140-1/140-2 validation, and the multinational Common Criteria certification. Certification standards provide a starting point for good HSM design by providing objective, third-party evaluation of the efficacy of an HSM’s ability to protect private keys through stringent hardware, software, and operational design criteria.

Lesson Learned: Don’t Trust Others to Generate and Store Your SSL/TLS Private Keys
Due to the high stakes surrounding the security of SSL/TLS private keys and certificates, Enterprises alone are responsible for protecting the confidentiality, integrity, and availability of their own website and data. With such a great responsibility, it is crucial to always secure and control the SSL/TLS private keys that back SSL/TLS certificates.

Discover how Gemalto’s SafeNet Luna HSMs can help you protect your SSL and TLS private keys and certificates by downloading our Making SSL Faster and More Secure Whitepaper.

The post Trustico’s SSL Certificate Breach: A Reminder to Lockdown SSL Private Keys appeared first on Gemalto blog.

The post Trustico’s SSL Certificate Breach: A Reminder to Lockdown SSL Private Keys appeared first on Cybersecurity Insiders.


March 30, 2018 at 09:09PM

(ISC)² Item Writing Explained

To ensure the CISSP exam remains up-to-date and relevant to the industry, we are constantly working on the exam items (aka “questions”), and that process is 100% member-driven!

(ISC)² spoke with Lisa Vaughan, CISSP, about her experience in a recent Item Writing Workshop. Lisa is the Chief Information Officer for the Mississippi Department of Environmental Quality and it was her first-time volunteering as an item writer. She was a participant in a CISSP Item Writing Workshop that took place in Tampa, Florida. The workshop spans three days, taking these dedicated member volunteers away from their jobs and family for a short time.

Lisa didn’t know what to expect going in, as it was her first time, but felt more at ease when she arrived at the workshop to find that most of her group of 19 were also first-timers. “It made it less intimidating,” she said, “since we were all in the same boat and all learning together.” Overall, Lisa enjoyed the whole process, referring to it as a “very enriching, professional development experience.”

Not only did Lisa learn about the steps involved in creating an exam item, but also believed the workshop served as a great refresher for the topics within the CISSP domains. “Some topics may not be in your specific area of expertise, so you need to do some digging to come up with questions and answers,” she said. 

“I appreciated that we’re not putting ‘trick’ items into the exam,” Lisa said. “Because what we’re trying to get to with the items is, do you know the material that is required to become a certified information systems security professional?”

The 19 (ISC)² members from around the world who participated in the workshop with Lisa were all strangers to her upon arrival, but she feels like she has made some new friends and has already made many connections on LinkedIn. “It’s a good networking experience,” Lisa said, “as well as rewarding for the mission that you’re there for.”

If you’re an (ISC)² member and want to participate in exam development, please email examdevelopment@isc2.org with your (ISC)² ID #. If you are selected and complete a workshop, you’ll earn up to 21 CPEs, plus you will have travel expenses paid.

The post (ISC)² Item Writing Explained appeared first on Cybersecurity Insiders.


March 30, 2018 at 09:08PM

What Does CISSP CAT Mean for You?

By now, you’ve heard that the CISSP exam format has changed from linear to Computer Adaptive Testing (CAT). This change to the English language exam started in December of 2017. If you have questions about what this change means for you as you’re preparing for your CISSP, we’ve got answers in our latest video:

Looking for even more information? Check out our CISSP CAT FAQs.

The post What Does CISSP CAT Mean for You? appeared first on Cybersecurity Insiders.


March 30, 2018 at 09:08PM

CloudPassage is officially Splunk Cloud Certified!

Great news for anyone who likes a good integration: CloudPassage Halo is Splunk Cloud Certified! What does that mean? It means that CloudPassage Halo events can go directly into the Splunk Cloud App without having to go through a syslog server. We’re thrilled to be welcomed into the Splunk Cloud Certified family, especially considering how rigorous the approval process is.

Special thanks goes to our engineering team, who was able to complete this project in just two weeks, on top of some other major rollouts we have coming (more on this next month).

In order to be considered for Splunk Cloud, CloudPassage Halo needed to:

  • Be submitted to Splunkbase once all requirements were prepared and met
  • Pass the AppInspect cloud checks that Splunkbase then runs
  • Be available on Splunk Enterprise and Splunk Cloud

It’s important to note that applications that return zero failures or manual checks will be approved most quickly for installation on Splunk Cloud.

For more information on what makes an application Splunk Cloud Certified, check out Splunk’s requirements and best practice tips.

The post CloudPassage is officially Splunk Cloud Certified! appeared first on Cybersecurity Insiders.


March 30, 2018 at 09:08PM


Securing Jenkins – Fast

This post was originally published here by Casey Pechan.

Jenkins is one of the most popular open source Continuous Integration (CI) tools available. It’s extremely flexible, easy to use, and it performs a critical function in many agile development situations. Using Jenkins for CI allows developers and DevOps personnel to automate the repetitive work of testing application code before releasing. Typically, this testing applies to unit and integration tests, and sometimes static code analysis. In some even more rare cases, Jenkins users perform deeper security testing as a part of the CI process.

Security tools have gained a reputation for slowing down software delivery because of their reputation as being manually driven or difficult to automate. Anything that unnecessarily slows down the agile process is at risk of being sidelined or cut out altogether, and this is the crux of the issue that keeps security and operations teams in opposition of each other.

The operations team doesn’t want to wait on manual security assessments, and these teams tend to avoid including security tools in a process where they slow down a critical step in application iterations. Operations wants to automate for speed, and security wants to make build-time security assessments in the name of achieving a proactive approach to application security.

But now thanks to CloudPassage Halo, both of these needs can be met.

CloudPassage Halo now enables rapid security assessment for containerized applications within the CI process. Meaning, security gets high-value information generated in the CI process, and the time required to perform the assessment is now a fraction of the overall build time.

So here’s how it works

First, Jenkins runs unit, integration, and static analysis tests against your source code. You’re probably already doing this.

Next, Jenkins builds a Docker image based on the contents of your project’s Dockerfile. This, also, is something you probably have in place already.

Finally, Jenkins triggers an analysis of the new container image with the CloudPassage-Jenkins plugin. This is the new part for your process, and setup instructions can be found here. In seconds the image is analyzed for vulnerabilities, the report is produced and stored with the job results in Jenkins, and is accessible through the CloudPassage API and web portal. The build can be configured with a threshold for the number of Halo discovered vulnerabilities, and if the resulting vulnerability count exceeds the threshold, the build will be marked as ‘failed’.

See the below image for an example:

Here you can see the results in the Halo portal:

Final results

As you can see (from the above), Docker image security has now become an aspect of code quality. Thresholds can be set to make security an enforceable aspect of code quality. If too many vulnerabilities are discovered, you must break the build and patch before Jenkins will allow your code to move along the pipeline. Developers can get rapid feedback for security issues, product owners enjoy reduced cost for security defects (because they’re being fixed pre-deploy), and security teams get visibility into application stack vulnerabilities before the code hits production.

The post Securing Jenkins – Fast appeared first on Cybersecurity Insiders.


March 30, 2018 at 08:33PM

Under Armour says hackers stole 150 million MyFitnessPal user accounts

By Carolina

Another day, another data breach – This time, hackers have

This is a post from HackRead.com Read the original post: Under Armour says hackers stole 150 million MyFitnessPal user accounts


March 30, 2018 at 05:34PM

Thursday, March 29, 2018

Animal abuse website hacked; thousands of users exposed

By Waqas

An animal abuse website or otherwise called a “bestiality” platform

This is a post from HackRead.com Read the original post: Animal abuse website hacked; thousands of users exposed


March 30, 2018 at 03:04AM

Boeing production plant hit by malware, apparently WannaCry ransomware

By Waqas

The world’s largest aerospace company Boeing has been hit by a

This is a post from HackRead.com Read the original post: Boeing production plant hit by malware, apparently WannaCry ransomware


March 30, 2018 at 12:48AM

Fauxpersky Keylogger Malware Stealing Passwords from Windows PCs

By Waqas

Cybercriminals are quite innovative, to be honest; they are always

This is a post from HackRead.com Read the original post: Fauxpersky Keylogger Malware Stealing Passwords from Windows PCs


March 29, 2018 at 10:23PM

YARA Rules for Finding and Analyzing in InfoSec

Introduction

If you work in security anywhere, you do a lot of searching, analyzing, and alerting. It’s the underpinning for almost any keyword you can use to describe the actions we take when working. The minute any equation I’m working on comes down to “finding” or “analyzing”, I know what to reach for and put to use. It’s YARA. The variables of the equation really don’t matter. A quick interrogation of a file to find out about its contents? Dig through source code to find a specific algorithm? Determining if something is malicious or safe to whitelist? YARA handles those use cases and plenty more. Really, it comes down to finding things. Finding fragments of what I’m looking for, whether I want to do so directly, by absence, via a pattern or through some form of calculus. YARA is my go-to.

Outlining what it can do at a high level is simple to express, but it’s unreasonable to expect that you are as familiar with YARA as I am.  If you are up for a little exploration, dive into the details with me for a minute.

Delving into Details of Data

When it comes to finding, it’s a discussion of what “whole” thing am I looking for or what “fragment” of a whole am I looking to find. In YARA-speak, that’s a detection or detection fragment. Just like bacon makes everything better, so do examples. As a detection, we are going to use “Alienvault”. It’s a recognizable term, after all, and one we want to find. However, perhaps it’s not exactly as we spelled it. To combat spelling, spacing and other issues, we can break the whole thing we are looking to find into detection fragments. Those might be “Alien” and “vault”. Written in a rule, that would look something like this:

rule av_whole_frag {
   meta:
      description = "simple detection and detection fragment logic"
   strings:
      $whole = "Alienvault"
      $frag1 = "Alien"
      $frag2 = "vault"
   condition:
      // match on the whole term, or on both fragments
      $whole or ($frag1 and $frag2)
}

The syntax and structure of YARA is pretty intuitive, so I’m going to skip going into full detail about it. I chatted about the basics of YARA previously on Alienvault and it’s a good primer to get started. Equally, you can jump into one of our classes and really get into the details. Regardless, you have to outline a name for your rule, in this case “av_whole_frag”, that identifies it. Then, you have three internal sections: “meta”, “strings”, and “condition” within a pair of curly brackets. The meta and strings sections are handled like variable assignments. The condition section is written to return a Boolean value. If true, it will match, and if false, it will not. The usual operations of counting matches, looking up match offsets, comparison, arithmetic, and looping are allowed in the condition.

What we did previously in the example was very simple, ASCII text detection.  We can shift those detections to Unicode strings, remove issues with upper and lower case, or include negation logic at the condition line to look for the absence or negative space.

rule av_whole_frag_alt {
   meta:
      description = "simple detection and detection fragment logic with a little more spice."
   strings:
      // fullword: bounded by non-alphanumerics; nocase: case-insensitive
      $whole = "Alienvault" fullword nocase
      // ascii wide: match both the ASCII and the UTF-16LE encoding
      $frag1 = "Alien" ascii wide
      $frag2 = "vault" ascii wide
   condition:
      // both fragments present, but not the complete word
      ($frag1 and $frag2) and not $whole
}

The changes we made here reflect the above points. The detection fragments now look for “Alien” and “vault” in both ASCII and UTF-16LE (“wide”) encodings. The “whole” detection looks for “Alienvault” regardless of case and matches only when it’s a complete word bounded by non-alphanumeric characters. Lastly, the condition line has been rebuilt to express logic that will only match when the two fragments are present and the whole is not, showing a negation check. We could do more, but that’s a good depiction of the heart of direct or negative detection with YARA.

Describing Patterns with YARA

Where YARA shines very brightly is in describing patterns.  If you have used grep or regex, then you likely understand what I mean about searching via patterns.  YARA effectively does both of these things, plus a lot more with patterns.  When you see rules that leverage patterns, you begin to see a person’s craftsmanship.  Patterns are descriptive in nature.  You use YARA to outline a concept in a file, like an algorithm or a repeating set of data; a structured output of data and as a means of describing a combination of knowns and unknowns.

Before dropping deeply into this example, I want to introduce a powerful concept.  When you put more than one rule together in a file to build a ruleset, you can use a rule as part of the condition of another rule.  The only real sticky part here is YARA reads rules in a set from top to bottom.  That means a rule has to be placed before the rule using it in the ruleset or it will error.  Let’s combine this with an algorithm to look for data.

To keep this compact, I’m going to focus on the algorithm and reference the rule we are going to import.  This rule will be called IsHTML and its job is to match on HTML files.  This will be brought into the condition of our rule described below.

// Stand-in for the author's IsHTML rule, which the post does not show: a rule
// used in another rule's condition must be defined above it in the ruleset.
// "private" keeps its own matches out of the output.
private rule IsHTML {
   strings:
      $html = "<html" nocase
   condition:
      $html
}

rule detect_shell_in_div {
   meta:
      description = "Looking for a target value within a set of <div> tags."
      webshell = "wso_webshell"
   strings:
      $my_target = "<form name=pf method=pos"
      $divopen = "<div>"
      $divclose = "</div>"
   condition:
      // I only want to look at HTML files and exclude HTML in other files.
      IsHTML and
      /* Here is the iteration. The "@" symbol in YARA means position (offset)
         and the "#" symbol is the match count. For each opening <div>
         (1 to #divopen), test whether the target lies between the i-th
         opening and the i-th closing <div> tag. */
      for any i in (1..#divopen) : ($my_target in (@divopen[i]..@divclose[i]))
}

A Little Bit of Math

Pattern calculus is a great way to perform threat hunting techniques (grouping, stacking, clustering, etc.). I like to call it “verbal” YARA, since you describe the actions, e.g., “within X of”, “inside of”, “compared to”, “stacked with”, “constant to”, etc. If I have a favorite, it’s to look inside of a defined area for a detection. I’ve an example of that for you below. Rule logic is longer than what we’ve previously described, but bear with me. I’ll break it down with comments in the rule. As a note, this leverages the Hash module of YARA.

import "hash"

// Stand-in for the author's IsPE rule, which the post does not show:
// the MZ magic at offset 0 marks a portable executable.
private rule IsPE {
   condition:
      uint16(0) == 0x5A4D
}

rule looking_inside {
   meta:
      description = "looking inside the last 200 bytes for a hash match."
   condition:
      /* IsPE represents a rule we've previously defined to find portable executable files. */
      IsPE and
      // and we are looking for a specific file size only
      filesize < 420KB and
      /* Walk backward from the end of the file in 20-byte steps, hashing the
         20 bytes that end i bytes before EOF, until 200 bytes back, and match
         if any window has the expected MD5. hash.md5 takes (offset, size),
         so the second argument is the window length, 20, not an end offset. */
      for any i in (20,40,60,80,100,120,140,160,180,200) :
         ( hash.md5(filesize - i, 20) == "302f73788a2dcfac52f4a9b3397c35f6" )
}
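To see concretely what the loop in looking_inside hashes, here is the same backward window walk in Python, an added example that is not part of the original post. YARA’s hash.md5(offset, size) hashes size bytes starting at offset, so each step hashes the 20 bytes that end i bytes before EOF. The sample bytes and the marker below are constructed; running trailing_window_hashes on a real known-bad sample gives you the candidate digests to put in the rule.

```python
"""Trailing-window hashing, the operation the looking_inside rule performs.

Added example, not from the post. Use it to derive the reference MD5 from a
known-bad sample and to check which window a file matches on.
"""
import hashlib

WINDOW = 20         # bytes hashed per step, as in the rule
MAX_BACK = 200      # how far back from EOF the rule looks
STEPS = range(WINDOW, MAX_BACK + 1, WINDOW)   # 20, 40, ..., 200


def trailing_window_hashes(data, window=WINDOW, steps=STEPS):
    """Return {i: md5 hex} for each window [len-i, len-i+window).

    Windows that would start before offset 0 are skipped; in YARA hash.md5 on
    an out-of-range window is undefined and that iteration evaluates false.
    """
    out = {}
    for i in steps:
        start = len(data) - i
        if start < 0:
            continue
        out[i] = hashlib.md5(data[start:start + window]).hexdigest()
    return out


def matching_offset(data, target_md5, window=WINDOW, steps=STEPS):
    """Return the distance back from EOF (i) whose window hashes to
    target_md5, or None. This is the 'for any i in (...)' loop of the rule."""
    for i, digest in trailing_window_hashes(data, window, steps).items():
        if digest == target_md5.lower():
            return i
    return None


# Constructed sample: an MZ header, padding, a 20-byte marker, then 60 bytes of
# trailer, so the marker occupies the window that ends 60 bytes before EOF
# (i.e. it starts 80 bytes before EOF). The marker is a hypothetical stand-in
# for whatever 20-byte sequence a real rule would pin down.
MARKER = b"PAYLOAD-MARKER-0001!"
SAMPLE = b"MZ" + b"\x00" * 500 + MARKER + b"\x00" * 60
TARGET = hashlib.md5(MARKER).hexdigest()


if __name__ == "__main__":
    for i, digest in trailing_window_hashes(SAMPLE).items():
        print(f"filesize-{i:<3} {digest}")
    print("match at i =", matching_offset(SAMPLE, TARGET))
```

The printed table is exactly the set of digests the rule’s for loop compares against; pick the one for the window that carries the bytes you care about and paste it into the rule.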

Some Figure-Ground Reversal

Let me cap this off by describing what I consider the most elegant use case for YARA. Its finest hour is when you need to tackle something for which no community exists to draw on, no easy store of information is on hand, and you can’t fall back on old faithful, e.g., Google it.

YARA can provide the platform to allow you to identify what the issue isn’t.  You won’t be able to do this with a singular rule but definitely via the right composition it can be done.  By describing what you know, it can help isolate the unknowns.  Once you know where something isn’t, you can exclude those locations within the file and narrow the scope of investigation to where it might be. 

It also can find a solution by helping you invert the problem.  Example: you have a file that has been packed with an unknown packing utility.  Instead of trying to identify the packer, identify which packer it isn’t and then isolate out its characteristics.  It will rapidly thin out the list of possible suspects.

Take a Step to the Left, and Then a Step to the Right

Another fun technique to tackle these types of problems is to use YARA to move laterally to define the problem.  Example:  I know where one algorithm in a file is located but I don’t know where the problem algorithm is.  Via observation, I’ve derived a likely chain of execution that tests to be true.  With that in hand, I can use YARA to move laterally from my known point in the file to test to find (via detection fragments) in the file where the problem algorithm lies.

Conclusion

Every one of these techniques is a form of pattern matching or pattern calculus logic, and YARA handles them well. Its use is pretty much only limited by your imagination to apply it, and it has a robust, very active community that not only creates rules but also enhances and betters YARA itself. Hopefully, I’ve whetted your appetite to learn more. If so, the YARA GitHub repository or the program documentation are the places to go next. Dig in, build some rules and share them, along with your use cases for them.

      

The post YARA Rules for Finding and Analyzing in InfoSec appeared first on Cybersecurity Insiders.


March 29, 2018 at 09:09PM

HCISPP Spotlight: Debi Carr

Name: Debi Carr
Title: CEO and Consultant
Employer: D. K. Carr and Associates, LLC
Location: Christmas, FL, U.S.A.
Years in IT: 28 years
Years in cybersecurity and/or privacy: 20 years
Cybersecurity certifications: HCISPP, CAHIMS

How did you decide upon a career in healthcare security and/or privacy?

As a practice manager of a healthcare practice, I was appointed the "Privacy and Security" Officer when HIPAA went into effect. I was also responsible for overseeing the technology in the practice through the years. As a result, I began educating myself on security and privacy protocols.

Why did you decide to pursue your HCISPP?

Practices and doctors would ask me to assist them to implement a paperless office. I soon found that I was in business as a consultant. I decided to pursue the HCISPP as (ISC)² certifications are considered the "gold standard" and I knew it would give my clients confidence in my advice and recommendations.

In cybersecurity, no two days are the same – what is your main role in your organization?

My main duties are to assist private practices to implement a security management plan in their practice. We start by conducting a risk analysis and then work with their team and their IT company to implement a secure program. We also respond when there has been a breach to assist with the investigation and recovery process. I believe I am unique because I understand the small practice environment, but I also understand technology and security, so I can show them how to make it work effectively.

Tell us about a project that you were particularly proud of –

It is not necessarily a "proud of" moment, but rather a good feeling moment when I am able to show a practice how to take security seriously and to help them close the issues that make them vulnerable.

What impact has the HCISPP had on your career?  

Recognition – I have had several job offers just because I hold the HCISPP certification. But I enjoy what I am doing working with private practices. I feel they are the most vulnerable.

What advice would you give to those aspiring to get their HCISPP?

Obtaining the HCISPP can be overwhelming but well worth the time and effort. Take advantage of all the resources available to study, and you will gain the confidence you need to pass.

Show them you’re the health IT security & privacy go-to. Download your free HCISPP Ultimate Guide.

The post HCISPP Spotlight: Debi Carr appeared first on Cybersecurity Insiders.


March 29, 2018 at 09:08PM

White paper: Best practice considerations for Kubernetes network management

At first glance, Kubernetes can seem like an overwhelmingly versatile open-source system, especially if your organization has only just begun adopting containerization. Our latest white paper, Best practice considerations for Kubernetes network management, will help your team simplify and streamline your approach to Kubernetes network management.

This paper will help you oversee:

  • Networking in Kubernetes
  • IP address management
  • Overlay networks
  • Segmentation and policy enforcement
  • Focus on Flannel

So if you're involved in the architecture or implementation of Kubernetes, this white paper is a must-read. And while this guide is focused on Kubernetes deployed within a private data center, expect to still gain plenty of insight if your organization operates in a public or private cloud.

To learn more, read our latest Kubernetes white paper.

The post White paper: Best practice considerations for Kubernetes network management appeared first on Cybersecurity Insiders.


March 29, 2018 at 09:08PM

Popular VPNs Leaking Your Real IP Address Through WebRTC Leak

By Waqas

Paolo Stagno, an Italian security researcher using the online moniker

This is a post from HackRead.com Read the original post: Popular VPNs Leaking Your Real IP Address Through WebRTC Leak


March 29, 2018 at 07:44PM

The latest Cyberthreat Defense Report reveals lowered optimism, attacks, and the importance of DevOps

This post was originally published here by Casey Pechan.

We're a proud sponsor of the Cyberthreat Defense Report, a report that we think should be read by every CISO, CIO, and their teams. What makes this report so special is that it's vendor agnostic, and it examines exactly how organizations perceive cyberthreats, and how they leverage third-party products to overcome them.

This year’s survey compiled responses from 1,200 security decision makers and professionals, all from organizations with more than 500 employees.

The top five key findings from this survey include:

  1. For the first time in five years the percentage of organizations affected by a successful cyberattack has decreased – from 79.2% to 77.2%.
  2. Ransomware is still a prevalent problem with 55% of organizations having been victimized by ransomware in 2017.
  3. Containers have tied with mobile devices as the most difficult IT components to secure, with DevOps remaining as the most challenging IT security function for the second straight year.
  4. More than 9 in 10 security professionals acknowledge cloud security challenges. Maintaining data privacy, access, and monitoring for threats have been cited as the most challenging.
  5. A "lack of skilled personnel" is now the number one inhibitor to the IT security industry, moving up from second place in 2017.

The post The latest Cyberthreat Defense Report reveals lowered optimism, attacks, and the importance of DevOps appeared first on Cybersecurity Insiders.


March 29, 2018 at 08:40PM

Wednesday, March 28, 2018

HiddenMiner Android Monero Mining Malware Cause Device Failure

By Waqas

Another day, another Android malware – This time, the malware

This is a post from HackRead.com Read the original post: HiddenMiner Android Monero Mining Malware Cause Device Failure


March 29, 2018 at 04:27AM

A 3-month old flaw in iPhone camera app takes users to phishing sites

By Waqas

Last week it was reported that there were a bunch

This is a post from HackRead.com Read the original post: A 3-month old flaw in iPhone camera app takes users to phishing sites


March 28, 2018 at 11:47PM

Baltimore’ 911 CAD system hacked; remained suspended for 17 hours

By Waqas

The 911 dispatch system of Baltimore became the target of

This is a post from HackRead.com Read the original post: Baltimore’ 911 CAD system hacked; remained suspended for 17 hours


March 28, 2018 at 11:00PM

Dude, Where’s My [Unstructured] Data?

Okay, so as a 90’s born kid who grew up in the 2000s, the whimsical spectacular “Dude, Where’s My Car” was a huge intro to my love for comedy. If you haven’t seen the flick – TL;DW is this: Jesse (Ashton Kutcher) and buddy Chester (Seann William Scott) have a wild night and can’t remember anything that happened. They walk outside and realize Jesse’s car is missing, and all kinds of weird drama happens whilst trying to piece together the previous night’s shenanigans. Oh yeah, there’s some alien stuff in there too. Just think The Hangover meets Star Trek and you’ve pretty much got it nailed.

So as I’m watching this blast from the past-erpiece (get it, masterpiece? Huge portmanteau fan) the other night, it dawned on me that this is the exact type of thing that IT/Security professionals deal with all the time, and I’m not just talking about saving the universe from aliens. (on a gaming console, of course.)

Shadow IT and Unstructured data are real, dude – and they’re definitely not sweet.

The biggest problem in the movie is that they were being held responsible for actions that they had no idea had occurred – supposedly they had this Continuum Transfunctioner and they didn’t even know what that was much less that they had it. Spoiler: They did have it, and it was under the guise of a Rubik’s cube. Sound familiar? Something crazy deadly for an environment and it was just walking around in a pocket under the guise of being something innocent?

The IT/Security department(s) are viewed as the “offices of NO” because a lot of people don’t understand how many threat vectors are out there – much less how they work. So when marketing wants to purchase a new tool and is afraid of being told no, they do it anyway. (Trust me, I’ve utilized this to my advantage before.) They’re not thinking about the ramifications of uploading data into an unapproved cloud so that they can send out new campaigns. When sales downloads a document that is supposed to be internal only and sends it out via email to their customers because “it’s a really great selling piece!” how do you know? Moreover, how do THEY know that they’re causing an issue?

Unfortunately, there is an “and then” here: A bad actor gets a hold of that data or IP and the next thing you know a Super Hot Giant Alien is tromping all around your putt-putt golf course of data. It’s really not a great scenario.

The biggest problem with unstructured data is that traditional email filtering, anti-virus and database security aren't going to catch these exploits. They look for signatures, access profiles, etc. to determine whether something can be downloaded or is a known threat, but that's about it. They aren't accounting for the human component.

What about screen grab? What about copy/paste? Even if it’s allowed to be downloaded how are you keeping tabs on where it goes after the fact? It probably looks like an innocent action but could be turned into something malicious. It’s like seeing an ostrich but thinking it’s a llama – and man are those ostriches mean.

Just like anything in InfoSec, there is no single solution to the problem. It has to start from the bottom: making sure your people understand the importance of keeping IT/Security in the loop; setting policies to stop it before it goes out; having the tools to not only catch it, but actually pull back any data that wasn't supposed to be exfiltrated.

The good news is there are plenty of great organizations who can help you with this, whether it be the tools, help writing/enforcing policy, or even managing it themselves. Wanna chat? Hit me up with the links below and I can tell you how Optiv can help. (Spoiler: This is my sales hat talking.)

A Native Texan now living in the magnificent New York City, Tricia Howard is an artist gone rogue who ended up in the wonderful world of security. With a B.A. in Theatre Arts and interests ranging from Star Wars to Opera, she brings a unique and artistic perspective to her clients and the tech world. When she's not solving business problems, you can find her singing, painting, and doing copious amounts of jigsaw puzzles.

The post Dude, Where’s My [Unstructured] Data? appeared first on Cybersecurity Insiders.


March 28, 2018 at 09:10PM

Gemalto Partners Drive Accelerated Growth and Digital Transformation in APAC

Gemalto APAC Enterprise Cybersecurity Team

Rana Gupta, Vice President of APAC Sales, Enterprise & Cybersecurity at Gemalto

Last week at Gemalto Accelerate in Da Nang, Vietnam, we brought together our APAC Enterprise & Cybersecurity team and more than 70 Gemalto partners from across the APAC region for another great sales and partner kickoff. During the three-day event, we celebrated our 2017 achievements and participated in many keynotes and informational sessions on how our solutions can help solve the critical security issues facing our customers today and what they can anticipate tomorrow. It is clear that many businesses, governments and other organizations are undertaking rapid digital transformations in both how they operate and how they deliver services to their customers. That is why the theme of this year's event was "Drive the Transformation".

This digital transformation that is occurring across all industries has serious implications for the integrity and protection of data. More services are being built in the cloud, delivered from the cloud, and accessed from a growing number of mobile devices. Trust will be the key to the success of the digital revolution, and Gemalto is ideally positioned to help customers because of our unique focus on the new security perimeter: data and identities. From our data encryption and key management solutions to our authentication and cloud access management solutions, we bring security closest to what matters most in order to protect the most sensitive data assets, applications and transactions. Due to the high relevance of Gemalto and its data protection solutions, there was incredible enthusiasm among our partners and sales teams for the opportunities ahead of us.

In addition to building new digital businesses, our customers must also manage the current realities of data breaches and security threats and build security strategies to address them. According to Gemalto's Breach Level Index, nearly 10 billion data records have been stolen or lost since 2013, and 2017 turned out to be a big year in terms of data breaches. Against these threats, our customers must also manage the growing number of compliance regulations and government data security mandates, not only in countries across the APAC region but in others across the globe as well.

Compliance was therefore also a major topic, with discussions focusing on how organizations should address new data protection regulations relevant to the region. This includes the recently enacted Australian Privacy Amendment (Notifiable Data Breaches) Act of 2017; the mandated use of HSMs by the Unique Identification Authority of India (UIDAI) to protect the private cryptographic keys used to digitally sign and authenticate the Unique Identification numbers of all residents of India, as well as the UIDAI's notification on mandatory Tokenization of Aadhaar Data; the Philippines' Data Privacy Act 2012 (DPA), which took effect in September 2017; the Singapore Cyber Security Bill currently under discussion; and lastly the EU's General Data Protection Regulation (GDPR), which has ramifications for APAC-based companies that operate in the EU and collect EU customer data.

In addition to looking to the future opportunities, we also took the opportunity to look back and recognize the outstanding achievements of our top partners in 2017 for the transformational growth we have had together.

Exclusive Networks Sales India Pvt Ltd

This year we again decided to recognize two distributors and jointly awarded Exclusive Networks in India and Nera Telecommunications in Singapore as Gemalto’s 2017 APAC Top Contributor of the Year. The fact that these two distributors were nominated again after winning the award last year, speaks volumes about the support and effort they have put into our business.

For the second consecutive year, Exclusive Networks was recognized for maintaining excellent Year over Year growth, achieved by a highly motivated team with a value based selling approach. Similarly, for the second consecutive year, Nera, a long-standing partner in Singapore, was recognized for illustrating their commitment to Gemalto, in particular for their willingness to invest in the skills of their team as well as other resources to ensure all our major clients and key system integrators are well supported.

Looking at the next category – this year Japanese reseller, Intelligent Wave Inc. (IWI) achieved the 2017 APAC Solution Partner of the Year title, not only for their consistent phenomenal growth year over year, but also for creating new key management opportunities in the Manufacturing sector.

Intelligent Wave Inc

The 2017 Data Protection Partner of the Year award went to TIS Inc. in Japan who accelerated new encryption deals with strategic customers, achieving exceptional revenue growth during 2017 as a result. The dedication of the TIS team helped us to enhance awareness of Gemalto in the local market and strengthen our position.

TIS Inc Japan

In our 2017 Rising Star of the Year category, we decided to award three Gemalto partners for achieving triple digit growth. The first winner is Indian reseller Technobind Solutions India. The highly motivated team at Technobind maintained consistent high growth rates year over year.

Technobind Solutions Pvt Ltd

The second winner in this category is Appliance Korea. Although this partner only came onboard last year, they made an exceptional first impression and had tremendous success especially with our Hardware Security Modules (HSMs).

Appliance Korea Co Ltd

Our third winner in this category was Root Security in Singapore who deserves a special mention for their consistent focus on Gemalto’s authentication solutions. Regardless the complexity of end user requirements, they have consistently demonstrated the value of our authentication solutions and developed trusted relationships with our joint customers.

Root Security Pte Ltd Singapore

Last but not least, I would like to congratulate two winners in our 2017 Marketing Excellence of the Year category. We recognized both Zero One Technology in Taiwan and JNR Management Resources in India for their exceptional marketing support resulting in an increased number of leads generated and subsequently significant revenue growth.

Zero One Technology and JNR Management Resources

Before I conclude, allow me to thank Senetas, our high-speed network encryption technology partner and sponsor at Gemalto Accelerate 2018 in Da Nang.

I am very proud of the record growth we achieved with our channel partners in APAC last year and I look forward to the opportunities ahead in 2018 and beyond. Our channel partners are key to our success and that is why we made significant investments to our program in 2017 to really accelerate our growth together. In addition to the investments in our channel program last year, we also launched two new very important solutions – SafeNet Trusted Access and SafeNet Data Protection On Demand – both of which give our partners even more opportunities to grow their business with us. Together with our partners, Gemalto is very well positioned as not only the leading digital security company in the APAC region but across the globe.

The post Gemalto Partners Drive Accelerated Growth and Digital Transformation in APAC appeared first on Gemalto blog.

The post Gemalto Partners Drive Accelerated Growth and Digital Transformation in APAC appeared first on Cybersecurity Insiders.


March 28, 2018 at 09:09PM

The Digital Identity ecosystem is evolving and operators cannot afford to miss out

There used to be a time when something you ordered would be delivered in a month—and that was completely normal. Now, customers have become used to same and next-day delivery. Everything else has accelerated too. You can find out the answer to any question in an instant thanks to Google and when you call or write to a business you expect an instant response.

This always-on culture is a real challenge for businesses. Customers now flit between online websites, social media and bricks-and-mortar stores. For mobile network operators, catering to this new omnichannel reality can be a challenge and is something we've discussed on the blog before.

Creating secure digital identities becomes paramount for each stage of the customer journey, from on-boarding new customers to providing support and opening up access to new services. Each part of the experience must be as frictionless as possible while ensuring security is never compromised.

The regulatory backdrop

Alongside managing demands for improvements in the customer experience, new regulations such as eIDAS, KYC and AML are coming into effect. Fortunately, new technology approaches can help governments, financial services and telecoms businesses navigate this new environment. For example:

  • Mobile Connect—a log-in solution that uses a mobile number—has more than 62 deployments in 33 countries
  • FIDO has built an alliance of more than 250 cross-industry, global member organizations focused on secure user-authentication
  • The US Commerce Department’s National Institute of Standards and Technology (NIST) awarded a federal grant to further support the development of trusted identities based on a digital driver’s license.

Global and regional initiatives have also been set up, such as ID2020—a public-private consortium aiming to provide digital identities for the 1.1 billion people who currently have none. The UN and World Bank also have their own identity initiative, Identification for Development (ID4D), which has a goal of providing everyone on the planet with a legal ID by 2030.

It is clear how fast things are moving when it comes to digital identity. It goes far beyond simply supplying your name, ID number and birthday. It’s now about proving you are who you say you are so that you can access services. Not only will this help cut down fraud, but the experience people receive can be better tailored to their needs.

A number of companies and governments are making headway in this field:

China Mobile has established itself in the digital identity market by deploying a mobile authentication system now used by more than 62 million users. More than 450 million daily transactions occur on the platform offering a range of authentication capabilities across several commercial contexts.

In India, the government’s digital ID platform, Aadhaar has now been linked to around 558 million bank accounts. Since its launch in 2009, more than 1.18 billion biometric accounts have been set-up.

Biometric technology is also popular in Pakistan. Its NADRA platform works with banks, mobile operators, and other companies. Recently its biometric database has been utilized to manage the payments of flood relief to 2.4 families.

In Estonia, long a nation of technology innovation, the Digital ID service manages the public and private interactions of 98% of the population. This is across everything from eVoting, traveling within the EU, health insurance, e-prescriptions, public transport, voting, proof of ID, and taxes. In all, there are over 700 applications on the platform.

Similar initiatives are underway across Europe, including the Single Digital Identity. Other countries like Canada, Austria and Spain are moving in this direction too, emphasizing the role that telecom operators can play from a very early stage—something which is vital for widespread adoption.

For financial services, identification and verification have always been crucial elements. Banks alone are now spending over $1 billion a year on identity management solutions.

The role for telecoms operators

It shouldn’t come as a surprise to hear me say that telecoms operators play a fundamental role in all of this. They have decades of experience in connecting people and have built up a huge wealth of consumer trust when it comes to securely managing digital identities.

In several regions across the world operators are already providing services to verify identity and reduce fraud. And in some markets, mobile carriers are also providing digital identity solutions where some citizens don’t have access to bank accounts.

Digital identities are being woven into the fabric of society, so having a clear strategy for how your company can make use of them will become paramount in the years ahead.

We are excited about this massive challenge, but we also know that our customers need long-term support to adapt to shifting market conditions. Collaboration will be essential to unlock all the opportunities that digital identities present.

Stay tuned for upcoming posts, where we will discuss how new technologies are helping to build a trusted digital ecosystem, smooth customer experience and create added value for end-users.

The post The Digital Identity ecosystem is evolving and operators cannot afford to miss out appeared first on Gemalto blog.

The post The Digital Identity ecosystem is evolving and operators cannot afford to miss out appeared first on Cybersecurity Insiders.


March 28, 2018 at 09:09PM

Our latest integration – Check Point connects with CloudPassage

Co-authored by Ash Wilson and John Janetos.

We’ve got some great news for our current (and future) customers. We’ve partnered with Check Point to provide you with the best of both worlds for infrastructure security: the best network and workload security in a single integrated solution. So you can now surround any number of your dynamic or traditional environments with one secure perimeter. Whether you’re growing your DevSecOps practice, expanding your cloud footprint, or already in the cloud, capitalizing on our integrated solution automates the security of your elastic and dynamic environments in any public, private, or hybrid cloud.

In fact, trying to secure a growing volume of cloud and container infrastructure (which is now being intermixed with legacy data centers at many organizations) with just traditional tools often frustrates stakeholders. That's why the key is in the combination of the two. Legacy, siloed solutions were designed for relatively static, slow-changing environments. Using them for highly elastic, dynamic environments often slows down the business and compromises the benefits of cloud adoption.

A new model is needed, fast. And together with Check Point, we’ve got it. This latest integration helps to optimize your Check Point virtual appliance, meaning users have a better experience with less risk to the business thanks to the fact that potential exploits are being blocked at the perimeter.

So here’s how it works

The Check Point Cloud Guard IaaS system manages the assignment of threat protections, which prevent malicious network traffic from reaching vulnerable workloads. Applying only the protections you need is absolutely essential to maintain peak performance and network traffic throughput in order to protect potentially vulnerable infrastructure.

A network administrator typically creates and manages these profiles by hand. Using CloudPassage Halo, you can identify exactly which software vulnerabilities exist on your workloads. Our integration dynamically and automatically builds protection profiles that would otherwise be a time-consuming and repetitive task.

One benefit is the elimination of error-prone manual effort, resulting in time savings for the network administrator, who can now focus on higher-order tasks. A second benefit is the automatic creation and management of fine-grained protection profiles that optimize the performance of your Check Point network gateways. A perfect intersection of visibility, prevention, and automation.

The post Our latest integration – Check Point connects with CloudPassage appeared first on Cybersecurity Insiders.


March 28, 2018 at 09:09PM

Northern Irish Parliament Hit by Brute Force Attack

By Carolina

The email service at the Northern Ireland Parliament, Stormont has

This is a post from HackRead.com Read the original post: Northern Irish Parliament Hit by Brute Force Attack


March 28, 2018 at 07:22PM

Tuesday, March 27, 2018

Hackers spread password stealer malware from YouTube comment section

By Waqas

Another day, another malware aiming at Windows devices – This

This is a post from HackRead.com Read the original post: Hackers spread password stealer malware from YouTube comment section


March 27, 2018 at 11:32PM

Tales from the SOC: The Simulated Attack

Introduction

In today's world, understanding threats and how to avoid them is critical to a business's success. Last year, we saw an evolution in malware and attacks. Ransomware like WannaCry made its debut, featuring worm-like attributes that allowed it to self-propagate through a network, exploiting vulnerable machines and continuing the damage. We started to see attackers using more advanced automation in their malware and shiftier distribution methods to thwart defenses. In September 2017, we saw a supply chain attack against download servers that added a Trojan within versions of the popular CCleaner PC utility software. The trojanized download went undetected for almost a month, and it is estimated that over 2 million users had installed it.

According to the US government, cyberattacks reportedly cost the US economy $57-109 billion in 2016. Cisco reported in 2017 that 53% of cyberattacks resulted in damages of $500k or more; 8% had damage totals over $5 million per incident. While costs are skyrocketing, so is the average time to detect a cyberattack. Multiple studies over the last several years have found businesses averaging three to eight months before even detecting a cyberattack.

We know the threat is real and the costs of a cyberattack can be exorbitant, so what can we do with all this information? As an MSSP, something we always recommend to our clients and prospects is practicing a multi-layer defense approach within their network. Multiple layers of security are an important part of detecting, preventing, and minimizing a business’s exposure to a cyberattack. So many times, we have heard “I have good anti-virus and an expensive firewall; I don’t need any other defenses.” Unfortunately, that is no longer the case. Preventive security is no longer enough; organizations must build a strong defense and use offensive practices to proactively head off potential intrusions.

In today’s blog, we share with you a real-life experience and what we did to mitigate the threat by building a strong cybersecurity strategy.

Tale from Our SOC

Several years ago, we helped a client implement managed security services. The client's priorities had never focused on security until they hired a consulting company to perform a simulated cyberattack. The exercise shed light on their security shortcomings: it highlighted how the controls they had in place failed during the simulated attack and what was missing from their environment, including incident response, security awareness, and systems capable of detecting these acts.

The Simulated Attack

When the simulated attack started, the testers used only the organization's name. The first step was reconnaissance about this organization, where common tools like Google and LinkedIn were used to search for user email formats, website, and domain information. As the discovery phase progressed, IPs for VPN server access and email servers were identified. Based on the information they discovered, user lists were built and a phishing campaign was prepared. The attacker ran vulnerability scans and methodical brute-force tests to identify any weaknesses within the external services they had already identified.

The next step in the simulated attack was the phishing campaign. Now that the attacker had built a list of potential emails, they fired a phishing email off to the targeted employees. Many users happily signed into a deceptive website and entered domain credentials for a chance to win an iPad from HR – which made the attacker’s job that much easier. Within about 15 minutes of work, they already had information that would let them dig deeper, without even attempting exploits against vulnerabilities that they had found during the discovery phase. The phishing website that was used was also packed with an exploit kit that allowed the attacker to obtain reverse shell access via PowerShell on users’ computers – a popular tactic used by threat actors. Since a few users had connected the attacker into the environment, they were free to investigate the machines they now controlled.

As the attacker was unaware of who might have mentioned a suspicious email to IT, they had to act quickly. A simple reboot would kick the attacker out, since the exploit was neither persistent nor installed. Once the credentials were obtained, the attacker also used them to connect into the network via the organization's remote access VPN, which they had already discovered.

The remote access VPN had no additional authentication challenge other than a valid set of domain credentials. Working with the machines they had PowerShell access to, they eventually identified that one of the users had local admin access to the workstation and that at least six additional users had signed into this workstation at some point. Using their PowerShell access, several popular tools were used to extract the encrypted cached passwords for a brute-force attack.

Since the domain password policy only enforced six characters, they successfully decrypted all six accounts. Having no idea if these were current or expired passwords or what level of access these accounts held within the network, they started testing them against other machines that were identified from the remote access VPN. It was determined they had obtained at least one domain administrator account from the list. At this point the rest was history; the attacker was now free to move around to any device on the network with minimal resistance.

How to Prevent This Attack

So, what could have been done to prevent this from happening? What if this had been a real attacker who installed ransomware or some other type of malware? In this scenario there are several security practices that could have detected and/or prevented it:

Let’s start with the most obvious issue, the users. In this scenario, and in so many other engagements we have seen, organizational Security Awareness training is lacking. We have seen everything from businesses wiring tens of thousands of dollars to attackers after C-level spear-phishing, to phishing attacks that lead to an intrusion. Keeping your staff aware of what to look for is very important. Another solution in this scenario would have been a spam filtering system capable of identifying phishing emails and flagging external emails. Providing a visual cue to the user, such as [EXTERNAL] in the subject field, can help head off many phishing attacks.

During the exercise, vulnerabilities were also found in some of the organization’s externally facing services. While the attacker did not need to exploit these, proactive Vulnerability Scanning would have identified the missing patches and the hole in the existing patch procedure. Patch Management is an important practice that was also neglected here. Many companies practice patch management, but having the patch procedure documented also keeps you aware of which services are externally facing. Keeping those systems free from known vulnerabilities lessens your chances of becoming a target.

During the simulated attack the threat actor used a remote access VPN to enter the network. Multifactor Authentication (MFA) has become a standard for securing internet-facing applications. If the attacker had faced an MFA-enabled VPN, even with the known credentials it would have been very difficult for them to continue the attack without finding a more difficult way in.

Once the attacker was inside the environment they discovered that the client had a poor password policy and that all users had local admin rights on their workstations. The IT department was also using their own accounts, which had domain administrator rights, to perform basic setups and troubleshoot workstation issues. Since there was no password expiration and strong passwords were not enforced, those credentials were cached on the machines, which the attacker exploited.

While the client had data backups, it is important to note that if an attacker had used ransomware with data encryption abilities the client may have suffered a significant data loss. Having a robust and efficient Data Backup and Disaster Recovery system is an important layer of defense.

The main piece missing from this customer’s arsenal of tools was a Managed Detection and Response (MDR) solution. A tool like AlienVault’s Unified Security Management (USM), coupled with a knowledgeable MSSP, would have enabled the logging and correlation required to identify many of the shortcomings in the tale above. I can never stress enough how important logging and correlation are. There have been countless times where we’ve seen clients who have had an intrusion; however, they had no means of determining how the attacker got in or where the attack might have spread.

The Fix

Following the exercise, company ownership made security a top priority. The organization worked with a consultant to implement security awareness training for their user base, while also building compliance-based policies and procedures that are now followed. The organization also now performs tabletop exercises in conjunction with our team to review scenarios and how they should respond.

Over the next year, we assisted in implementing numerous changes within the client’s environment. We implemented our MDR solution (USM Anywhere), pulling logs from every corner of their network. We worked with them to install next generation firewalls that perform malware, IPS, URL, DNS and geographic blocking. We implemented group policy changes to enforce stronger passwords and enabled the client to separate user accounts from admin accounts.

The Second Wave

Once all of these changes had been implemented, another simulated cyberattack was performed. During the exercise, several users did input credentials that gave the attacker access, but with the improved security implementation the attacker was forced to attempt installing a tool on the client machine. The next generation firewall detected this intrusion and blocked it. Since this was unsuccessful for the attacker, they attempted to connect to the remote access VPN. The client had not yet implemented MFA, so the attacker connected successfully again. The difference this time was that the MDR solution was enabled and actively monitored. During the exercise we received three different alarms:

  1. Brute-force attack alarm from a VPN user IP.
  2. Alarm generated by the IPS, identifying that a hacking application had been blocked.
  3. Several additional alarms related to the user’s PC, where anti-virus and logging identified an application attempting to install.
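The logging-and-correlation point above and the first alarm in this list (brute force from a VPN user IP) are easiest to see in code. The following is an added example, not code from the post or from AlienVault USM: a minimal correlation rule over constructed VPN authentication log lines that raises a medium-severity alarm after repeated failures from one source IP and a high-severity alarm when that same IP then logs in successfully, the footprint a valid-credentials VPN login leaves after password guessing. The log format, threshold, window and IP addresses are assumptions.

```python
"""Added example (not from the original post): a toy SIEM-style correlation
rule for remote-access VPN authentication logs. Log format, threshold,
window and addresses are constructed for the demonstration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures per source IP ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window

# Constructed sample log lines: "<timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2018-03-20T09:00:01 FAIL user=jdoe src=203.0.113.7
2018-03-20T09:00:09 FAIL user=jdoe src=203.0.113.7
2018-03-20T09:00:15 FAIL user=asmith src=203.0.113.7
2018-03-20T09:00:22 FAIL user=asmith src=203.0.113.7
2018-03-20T09:00:30 FAIL user=bwong src=203.0.113.7
2018-03-20T09:01:05 OK   user=bwong src=203.0.113.7
2018-03-20T09:05:00 OK   user=clee src=198.51.100.4
"""

def parse(line):
    """Split one log line into (timestamp, result, user, source ip)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def correlate(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (severity, src_ip, message) alarms in log order."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    tripped = set()                 # src_ips already alarmed for brute force
    alarms = []
    for raw in log_text.splitlines():
        ts, result, user, src = parse(raw)
        q = failures[src]
        while q and ts - q[0] > window:   # forget failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in tripped:
                tripped.add(src)
                alarms.append(("medium", src, f"{len(q)} failed VPN logins in {window}"))
        elif result == "OK" and src in tripped:
            # Success from an IP that was just guessing passwords: escalate.
            alarms.append(("high", src, f"successful VPN login as {user} after brute force"))
    return alarms

if __name__ == "__main__":
    for sev, src, msg in correlate(SAMPLE_LOG):
        print(f"[{sev}] {src}: {msg}")
```

Against the constructed log the rule yields two alarms for 203.0.113.7 (medium, then high) and none for the ordinary login from 198.51.100.4.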

We executed the incident response plan: killing the VPN access, disabling the users’ accounts and then escalating the information to the internal team. They were able to pull the affected machines off the network, and the incident was contained. While the attacker had still gained access, the quick response kept the incident from going any deeper. Over the next several weeks MFA was enabled on all external-facing applications.


The simulated attack exercise is a great example of how an attacker can easily slip by traditional defenses and why layers of defense are required in your cybersecurity strategy. Each solution discussed above would have played a pivotal part in detecting and/or stopping the original attack. As we saw in the second attack, the newly added layers of defense were key in slowing down the attack, which ultimately kept the attacker from gaining any sensitive information.

Matt Kimpel is the Director of IT Engineering at Magna5; his trade is network security. Magna5 is a certified AlienVault Partner. Check his company out at http://www.magna5global.com/managed-security/


The post Tales from the SOC: The Simulated Attack appeared first on Cybersecurity Insiders.


March 27, 2018 at 09:08PM