FireSale HackBoy

Knowledge Shared By FireSale HackBoy...


Wednesday, October 31, 2018

Indian to pay $8.6 million in a penalty for launching Cyber Attacks on US University

An Indian-origin man named Paras Jha, 22, of New Jersey has been ordered to pay $8.6 million as the penalty for launching cyber attacks on a leading US university. The sentence was pronounced by Trenton federal court judge Michael Shipp, who also ordered him to serve six months of house arrest in addition to the monetary penalty.

Paras Jha is accused of launching cyber attacks on a leading US university by creating click-fraud botnets, infecting thousands of IoT devices with malicious software.

After the house confinement, Jha must also complete 2,500 hours of community service under a federal officer's supervision.

Reporters at Cybersecurity Insiders say that the first case against Jha was filed in Nov '14, and a series of similar cases were later filed against him in different US district courts until September 2016.

The cases accused Paras of launching distributed denial of service attacks on the computer network of New Jersey-based Rutgers University, disrupting its central server for weeks. As a result of the shutdown, the work of staff, faculty and students in delivering assignments and assessments was severely impacted.

NOTE 1- Paras Jha was also accused by the district court of Alaska of working with Josiah White, 21, of Pennsylvania and Dalton Norman, 22, of Louisiana to create the Mirai botnet. Eventually, all three were found guilty of compromising more than 100,000 US-based connected devices, such as home routers, with malicious software.

NOTE 2- In September '18 all three were separately sentenced by the federal court in Alaska to a five-year period of probation and 2,500 hours of community service, and were ordered to pay a penalty of $127,000 along with the cryptocurrency they made by launching cyber attacks.

The post Indian to pay $8.6 million in a penalty for launching Cyber Attacks on US University appeared first on Cybersecurity Insiders.


November 01, 2018 at 10:43AM

Cloud Security Company Qualys acquires Layered Insight

Foster City, Calif.-based cloud security specialist Qualys has made it official that it will acquire Layered Insight to help secure container-related applications on its cloud platform.

Because Pleasanton-based Layered Insight offers deeper visibility into applications running inside containers, Qualys wants to use those capabilities to help its users set policies, automate enforcement and detect data breaches at runtime, a feature available in serverless containers offered by other companies such as Amazon Fargate and Microsoft Azure Container Instances.

“The acquisition will help us integrate the Layered Insight abilities such as to automatically correlate deep runtime behavioral analysis with Qualys Threat Protection capabilities to help offer DevOps teams unmatched runtime application protection without much of the container management complexity,” said Qualys in a statement.

Qualys Container Security, in combination with Layered Security technology, is said to offer customers inventory coverage, vulnerability management and compliance, along with runtime visibility and protection capabilities from the build stage through deployment across various cloud environments.

As per the details available to Cybersecurity Insiders, Layered Insight employees will join the cloud security vendor's headcount from this month. This includes Asif Awan, CTO of Container Security, and John Kinsella, VP Engineering, Container Security, Layered Security.

Reports say that Qualys will complete the integration of Layered Insight solutions into its cloud platform by the second half of 2019.

The post Cloud Security Company Qualys acquires Layered Insight appeared first on Cybersecurity Insiders.


November 01, 2018 at 10:40AM

Cyber Attack news for the day

On October 31st, 2018 the third phase of the public hearing on the SingHealth cyber attack began, and, to everyone's surprise, some interesting facts came to light. These include that a senior manager and some senior staff members of the healthcare provider were reluctant to disclose the cyber incident to the world, as they did not want to come under pressure.

It was revealed before the four-member committee today that Mr. Ernest Tan Choon Kiat, a senior IT manager at Integrated Health Information Systems (IHiS), a technology vendor of SingHealth, was focused fully on isolating, containing and defending against the incident, and was not interested in reporting the suspicious activities to his seniors because he did not want the pressure that senior management and the government would put on him and his team.

In other cyber attack news, FIFA President Gianni Infantino is willing to disclose all the information that was accessed by hackers when a cyber attack hit the sporting body a couple of years ago. The disclosure comes one month after the US Department of Justice and the Federal Bureau of Investigation (FBI) jointly confirmed that Russia's GRU was responsible for the 2016 hack on FIFA, which led to the leak of evidence from anti-doping investigations and information from lab reports.

However, Infantino added in his statement that he wants to make the disclosure in an appropriate way, as he does not want to compromise the confidentiality, integrity, and availability of the data.

As power grids are highly vulnerable to cyber attacks, researchers from Dartmouth College have developed a tool named PhasorSec, which aims to keep power facilities safe from long-term blackouts, permanent physical damage and breakdowns of facility operations.

The cybersecurity tool, which is installed in utility control systems, is said to monitor phasor measurement units coming from power generation and transmission stations. If any alteration is seen in the measurements, the electrical waveforms are sent back to data monitoring systems, which then analyze whether a hacker has gained access to the critical infrastructure.

Now the big news: for the past few months, Facebook has faced endless troubles over election meddling, data privacy, fake news, hacking and hate speech. Experts now warn that if the situation continues, the Mark Zuckerberg-led company could collapse in no time.

The prediction was given by David Kirkpatrick, who wrote the book on Facebook’s early history in 2010.

The post Cyber Attack news for the day appeared first on Cybersecurity Insiders.


October 31, 2018 at 09:20PM

It’s the Season of Lists – Time for a Meaningful Risk List

I attended the Cybersecurity Summit in Phoenix recently and presented on the topic of minimizing risk. There were some great conversations around the value of risk management within the cyber threat landscape. Here are some of my musings from the event.

We are now at the forefront of a world of digital transformation. Beyond being a buzzword, digital is part and parcel of our daily lives today. According to the World Economic Forum report earlier this year, cyber-attacks and data theft/fraud rose to numbers two and three of the top five threats in terms of likelihood of occurrence, and cyber risks intensified. With the scale of attacks today, along with the ingrained expectation that you are either an organization that has been breached or one that is going to be, there is a lot of chatter about the investments being made in cybersecurity technologies and how breaches still happen. Prevention is now being balanced with detection and response. Given this, the focus has turned to the need for cyber to be addressed as a business challenge, and measurement of risk is key.

Before you go ahead with a cybersecurity investment plan for 2019, consider answering the questions below.

• What are your top 5 cyber risks based on priority?

• Can you describe the actual loss impact in business terms for each of your top 5 risks?

• How are these cyber risk impacts aligned to your risk appetite?

• Are you truly reporting on cyber risks, or is it compliance driven, with reporting on control effectiveness?

• Have you considered how you plan to deal with current risks and emerging risks, and to treat these risks on an ongoing basis?

A common business edict is: “If we can measure it, we can manage it.” In the security space, the term GRC (Governance, Risk and Compliance) is common, but most organizations have typically been driven by the compliance focus. Spending has been primarily compliance driven, and along the way too many risk assessments have been conducted with a checklist approach. As you plan the 2019 cybersecurity budget, here are four handy tips that can help cut to the core of cyber risk management.

1. Risk counts, but don’t just be counting

Counting all the risks, as an end in itself, is just a part of thorough risk identification. The question is not how many risks you can think up, but which are relevant to your business, i.e. what exactly the key vulnerabilities are in achieving your business objectives.

2. Ongoing debate of Qualitative versus Quantitative

The key here is structured versus abstract. You must be able to measure the risk and quantify it. However, if your organization is going the qualitative route, keep in mind that you must back the risk with data to differentiate the levels of risk. After you have conducted a meaningful risk assessment to identify the inherent risks faced because of the business you do, the next step is to understand what risk mitigation strategies are required, with what priority, and invoking what resources.

3. Continuous Cyber Risk Monitoring

Cyber risk presents a moving target as organizations undergo major transformations by accelerating cloud adoption, increasing digital transformation investments, and advancing data analytics sophistication. As these transformations continuously grow the digital footprint, they outpace the security protections companies have in place.

4. Know your Risk Appetite

Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. The current level of security and privacy controls that is effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future, even sooner than many may realize. It is a truism that different types of risk require different types of defensive strategies. A more specific idea is that defensive measures should be proportionate in cost to the potential harm that may be suffered through a data breach and the likelihood of that breach occurring. The key is to balance risk versus reward.

Conclusion

Risk management is at a fascinating point in its evolution. It is now recognized to be not only fundamental to an organization's financial stability and regulatory compliance, but also an essential part of the cybersecurity strategy. Defining the best security measures can be difficult because each organization has different goals, requirements, and tolerance for risk. All organizations need to assess what they have in place today, review where they want to be in the future, and build a roadmap that will help them reduce their risk as their business expands. How are you able to identify and address new risks quickly while you deliver new technologies? I would love to hear successful techniques and insights on your partnership with finance, operations, and the businesses as we move to the risk function of the future.

The post It’s the Season of Lists – Time for a Meaningful Risk List appeared first on Cybersecurity Insiders.


October 31, 2018 at 09:09PM

Tuesday, October 30, 2018

Safest websites when it comes to Cyber Security

Dashlane, a New York-based mobile security provider, recently conducted a survey and concluded that most popular websites are not well equipped when it comes to protecting their customers' critical data with two-factor authentication.

Note 1- 2FA, or two-factor authentication, adds an extra layer of security to a service or account before a login can be completed. It commonly works alongside a password: a 4- or 6-digit code is sent to the user via SMS, email or an application and must be entered to gain access. Companies like Google have gone a step further by offering hardware tokens such as USB sticks.

The security firm yesterday released a list of the safest websites on the internet and also ranked the worst-performing commercial sites, in order to inform users about the cybersecurity weaknesses they might be exposed to when they visit those sites in future.

After analyzing the security parameters of websites that the UK and US public use on a daily or weekly basis, Dashlane assigned a ‘Pass’ score to those with adequate security measures.

Dashlane’s 2018 UK Rankings include

• 5/5 points- PASS- Facebook, Google, Twitter, Battle.net (gaming website)
• 2/5 points- Failed- Amazon, Apple, Evernote, Instagram, Patreon, and Slack
• 1/5 points- Completely failed- LinkedIn, Yahoo!, Indeed, eBay and Airbnb
• 0/5 points- Disastrous- Trip Advisor and Asos

Note 2- Dashlane evaluated the security options of the above websites on desktop browsers only and did not take into account login attempts made from mobile apps, mobile browsers, and desktop apps.

Dashlane’s 2018 US Rankings include

• 5/5 points- PASS- Bank of America, Dropbox, Etrade, Facebook, Google, Stripe, Twitter, and Wells Fargo
• 2/5 points- Failed- Amazon, Apple, Betterment, Capital One, Evernote, Gemini, GoDaddy, Instagram, Intuit, Slack, Square and WhatsApp
• 1/5 points- Completely failed- LinkedIn, Yahoo!, Airbnb, American Express, Chase, Citibank, Discover, Mint, and Venmo
• 0/5 points- Disastrous- Best Buy, Next Door, Task Rabbit, ZocDoc

Note 3- Points were awarded on the following basis: a site offering SMS and/or email 2FA was awarded 1 point, a site offering software token options was awarded 1 point, and a site offering hardware token options was awarded 3 points, out of a maximum tally of 5 points.

Note 4- Dashlane conducted the surveys in all major cities of the UK, US, and Europe. And the list from Europe is yet to be revealed.

The post Safest websites when it comes to Cyber Security appeared first on Cybersecurity Insiders.


October 31, 2018 at 10:47AM

Fresh SamSam Ransomware attack campaign targets 67 organizations

SamSam ransomware was found hitting organizations operating in the US again, and this time mostly those in healthcare. A survey conducted by Symantec found that at least 67 organizations were hit by the data-locking malware this year, with 61 of the attacks reported in the US alone. Only a small number of attacks were reported in France, Portugal, Ireland, Israel, and Australia.

Until last year, the hacking group spreading SamSam ransomware was seen hitting firms from all sectors. But this year, the hackers mostly preferred to hit companies operating in the healthcare sector.

Symantec's report says that the hacking group has managed to gather $6 million from victims so far, often demanding over $50,000 in Bitcoin to restore the systems of organizations with a headcount of more than 100.

In August this year, a report released by another security firm, Sophos, said that the ransomware had claimed over 223 victims this year and that 80% of them showed interest in paying the ransom, having concluded that data recovery would prove more expensive.

RDP backdoors, which offer remote access to a website, are adding fuel to the problem, as they are being sold on the dark web for just $10.

So, the only way to take control of the situation is to restrict RDP access on public-facing ports and to open it for support operations only when it becomes absolutely essential.

Applying 2FA and changing passwords periodically, especially on sensitive systems, will also help stop SamSam ransomware from spreading across the network if it somehow finds a way in.

Creating backups that can be used for disaster recovery will also help restore data access when a network gets infected with ransomware.

Have something more to add to the list?

Then you can share your mind through the comments section below.

The post Fresh SamSam Ransomware attack campaign targets 67 organizations appeared first on Cybersecurity Insiders.


October 31, 2018 at 10:43AM

Employee infects US govt network with malware after visiting 9,000 porn sites

By Uzair Amir

Due to the carelessness of an employee, who apparently was a porn fan, the network of the satellite imaging facility, the U.S. Geological Survey (USGS) at the EROS Center, South Dakota got infected with malware. An audit carried out by the U.S. Department of the Interior’s inspector general reportedly identified the extensive history of porn […]

This is a post from HackRead.com. Read the original post: Employee infects US govt network with malware after visiting 9,000 porn sites


October 31, 2018 at 12:14AM

Signal App’s New Privacy Feature Conceals Sender ID from Metadata

By Waqas

Messaging apps are now becoming more and more secure to make it difficult or rather impossible for anyone to access your conversations. Switching to end-to-end encryption although offered a stronger layer of protection but still the unencrypted metadata like sender/receiver information, message sending time, etc., wasn’t secured enough and could be exploited by an attacker. […]

This is a post from HackRead.com. Read the original post: Signal App’s New Privacy Feature Conceals Sender ID from Metadata


October 30, 2018 at 08:43PM

Yes, a Data Breach Is Inevitable: Here’s Why and What You Should Do

Data Breach
Why data encryption is your last line of defense in a data breach

The recent SingHealth breach is considered the worst attack in Singapore history, resulting in the loss of millions of private records and sensitive data. The leaked data not only affects SingHealth, but everyone else who’s had their data stolen. In this blog, we talk about why perimeter defense alone is not a foolproof solution in the event of a breach, and why you should shift your focus to accepting that a breach is inevitable.

Perimeter-based defenses: No longer up to the task?

In recent years we’ve seen data breaches of various scales, ranging from small-time breaches to large-scale attacks like the recent SingHealth breach (1.5 million users), Facebook breach (87 million users), and the massive Equifax breach (146 million users) in 2017. Currently, the SingHealth breach is under investigation by the COI, signaling the complexity of such a large-scale attack.

A recent study revealed that hackers are 80% more likely to attack organizations in the Asia Pacific (APAC) region due to weaknesses in their cybersecurity infrastructure. SingHealth joins the ranks of several other high-profile breaches seen in the region since 2016, making it a thriving environment for cybercrime, rife with low cybersecurity awareness and weak regulations.

Deprioritizing cybersecurity is no longer an option. Companies are already taking the necessary steps to ensure that security measures are in place. With threats facing security professionals every day, there has been much discussion of today's traditional network security.

In a traditional network security setup, firewalls, antivirus software, and intrusion detection systems all work together and are designed to keep threats out. However, traditional network security prevention methods, while necessary, may no longer be up to the task. As government contractors and software vendors have fallen victim to large-scale breaches, organizations with fewer IT resources are starting to wonder whether prevention and fortifying a strong perimeter is the best approach.

Belief vs. reality

In our 2017 Gemalto Data Security Confidence Index report, we found that 94% of businesses claim their perimeter security technology is efficient at keeping threats at bay and unauthorized users out of their network. In the same study, we also found that 65% of businesses are not extremely confident that their data would be secure following a breach. After all, employing perimeter-based security alone does not equate to an impenetrable wall surrounding a company’s IT infrastructure.

A change in (data) mindset

I had a conversation with an ethical hacker once, who told me why he prefers being a hacker instead of a security defense expert. He told me, “As hackers, we just need to succeed once. But as a security defense person, you have to succeed every time!”

Security has always been a game of prevention. But even with multiple layers of security, organizations still fall victim to attacks, proving the ineffectiveness of perimeter defense without the other complementary layers of security. In fact, 91% of breaches start with phishing emails as the beginning of the infection chain, as employees are successfully duped into clicking malicious links.

Suffice to say, even with an effective perimeter architecture, attackers can and will gain access to your data, aka the ‘crown jewels’. Ironically, data security is the area that most organizations neglect the most, because they are making one of the biggest mistakes an organization can make: assuming their defense will work as planned. Most organizations assume the person manning the network operations center (NOC) and the security operations center (SOC) won't be on holiday the day the first alert comes in. They believe and trust that all the end user training they conducted won't go down the drain. In an ideal world, all our expectations would line up perfectly with reality, but this is not often the case. Do we really want to take things for granted and face the music when a breach finally happens? Or do we want to be prepared for it?

True cybersecurity awareness assumes at the onset that a breach is inevitable. We need to protect everything that is truly vital to the organization and accept that the rest may be compromised.

What can organizations do then if we now realize a breach is inevitable?

“When your business is eventually breached, will your data be secure?”

At Gemalto, we assume that every business will be hacked at some point, and it will. That is why we have a three-step approach to this. Before it happens, we need you to ask yourself these three questions to help secure the breach.

1) “Where is my data?”

Knowing where your sensitive data lies is highly important. This is the first and most important step in any data security strategy. Once located, encrypt it.

Our 1H 2018 Breach Level Index Report shows that 99% of all breaches involved data that was not encrypted. Encryption is the last and most critical line of defense in the event of a breach, so it’s important that it’s done properly in order to be effective.

2) “Where are the keys?”

Now that you’ve identified and encrypted your sensitive data, ask yourself where and how to secure your encryption keys. Knowing how to manage and store your encryption keys is the next step we recommend in securing the breach. This ensures your ownership and control over your encrypted data at all times.

3) “Who has access to my data?”

Data encryption and key management are nothing without identifying who has access to your corporate resources and applications. Access control is the final step of your data breach strategy, but a highly important one. Access management provides additional security, visibility, and overall convenience, verifying users' identities in order to grant the appropriate access.

A multi-layered security approach will most definitely reduce the risk of exposing your sensitive data and of that data falling into cybercriminals' hands. By implementing our 3-step approach—encrypting all sensitive data, securing your keys, and managing user access—you can effectively prepare for a breach.

Read our step-by-step guide on securing the breach. Contact me or leave a comment below if you would like to hear more about how you can assess your data security posture and how Gemalto helps large banks and enterprises keep their data safe.

The post Yes, a Data Breach Is Inevitable: Here’s Why and What You Should Do appeared first on Cybersecurity Insiders.


October 30, 2018 at 09:11PM

Data in Cloud is more exposed to Cyber Attacks than in organizations

Finally, the truth is out that data stored in cloud storage platforms is more exposed to cyber attacks than data stored in the server farms of organizations. This was discovered in the latest survey conducted by McAfee.

McAfee's report reveals that data stored in cloud, SaaS collaboration and PaaS/IaaS platforms is prone to configuration mistakes that can expose it to cyber crooks. The conclusion was reached after analyzing billions of events across various cloud deployments.

The American security software company says that in today's world nearly a quarter of the data stored in the cloud can be classified as sensitive, which could put an organization at risk if the data gets stolen or leaked.

Researchers found that cloud providers only secure the cloud platform, not the customer data. Thus, the onus of protecting the data falls completely on the customers using it, says the report.

However, a source speaking anonymously from Amazon's cloud business says that cloud service providers (CSPs) do their job of protecting the entire platform well. The source adds that CSPs also work to protect their customers' data against cyber threats across the spectrum of SaaS, IaaS and PaaS platforms.

However, some security errors creep in when customers share data accidentally or without control, fall prey to collaboration errors in SaaS cloud services, and make other mistakes on IaaS/PaaS cloud platforms.

So, what’s the solution?

To get ahead of compromised accounts, organizations should understand how their cloud services are being used. They can do this by tracking anomalous behavior, such as the same user accessing an account from two different locations, which could mean the account has been compromised or indicate an insider threat.

Furthermore, as soon as a business gains visibility into what type of data it stores on cloud storage platforms, how file sharing is done, and which apps are used for collaboration, it can ensure that appropriate security measures are put in place to secure the stored information thoroughly.

From then on, it is simple to apply access controls on the data, both against external access and against possible insider threats and stolen accounts.
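The anomaly the article singles out, the same user accessing an account from two locations too far apart for the time between the logins, is commonly called an “impossible travel” check. The following added example, which is not from McAfee's report or the original article, runs that check over a constructed cloud access log. The log format, coordinates and the 900 km/h plausibility threshold are assumptions chosen for illustration; a real deployment would take the fields from the cloud provider's audit log and the threshold from policy.

```python
"""Flag accounts accessed from two distant locations within a window too
short to travel between them ("impossible travel").

Added example; not part of the original article or McAfee's report. The log
lines, coordinates, IPs and threshold below are constructed for illustration.
"""
import math
from datetime import datetime, timezone

# Constructed sample access log: time (UTC), user, source IP, city, lat, lon.
SAMPLE_LOG = """\
2018-10-30T08:00:00Z alice 203.0.113.10 Auckland -36.85 174.76
2018-10-30T08:20:00Z alice 203.0.113.10 Auckland -36.85 174.76
2018-10-30T08:45:00Z alice 198.51.100.7 Frankfurt 50.11 8.68
2018-10-30T09:00:00Z bob 192.0.2.44 Singapore 1.35 103.82
2018-10-30T10:30:00Z bob 192.0.2.91 KualaLumpur 3.14 101.69
"""

# Assumed policy: faster than a commercial airliner is treated as implausible.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, city, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "ip": ip,
                       "city": city, "lat": float(lat), "lon": float(lon)})
    return events


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive logins by the same user whose
    implied ground speed exceeds max_kmh. Same-location logins never alert."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist == 0:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(dist), "minutes": round(hours * 60),
                               "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, alice's Auckland-to-Frankfurt pair 25 minutes apart is flagged while bob's Singapore-to-Kuala Lumpur pair 90 minutes apart is not; tuning the threshold and excluding known VPN egress points is where most of the real-world work lies.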

Isn't that easier said than done?

The post Data in Cloud is more exposed to Cyber Attacks than in organizations appeared first on Cybersecurity Insiders.


October 30, 2018 at 09:10PM

Monday, October 29, 2018

Google Adwords accounts are vulnerable to Cyber Attacks

An Auckland-based SEO marketing agency has issued a warning to all digital marketing agencies operating in New Zealand and across the world that their Google AdWords accounts are vulnerable to cyber attacks.

Kim Voon, the CEO of Insight Online, described as a leader in SEO marketing in New Zealand, said yesterday that the money in some AdWords accounts is being siphoned off via digital campaigns organized by hackers.

Mr. Kim said that his agency has already received a couple of reports where Google Ads accounts were hijacked and the links pointed towards Ponzi schemes in Africa.

“Here the money in the AdWords accounts is not only at risk, but client data is also vulnerable in this scenario”, said Voon.

According to a survey conducted by Standard Media Index (SMI) early this year, digital advertising spend tops $338,997,508 in New Zealand. With so much money being invested, one can easily conclude that digital advertising accounts will become a priority target for cybercriminals in the near future.

One way to tackle this situation is to get insurance cover for advertising losses. This covers a company when, for example, one of its employees goes to a café and uses an unsecured network to access the funds in the AdWords account.

Adopting 2FA, which is now a standard data protection measure, can also help keep your company's Google AdWords accounts safe from prying eyes.

Ronan Nichol, the Director of Storm IMC Digital Marketing, has also confirmed this news and added that 17 of his company's clients reportedly fell prey to cyber crooks this year. He added that all those who link their credit cards to AdWords accounts are sure to put their funds at risk, as a lot of damage can be done before the bank blocks a credit card.

So, your next step is up to you.

The post Google Adwords accounts are vulnerable to Cyber Attacks appeared first on Cybersecurity Insiders.


October 30, 2018 at 09:57AM

MadoMiner Part 2 – Mask

This is a guest post by independent security researcher James Quinn.

If you have not yet read the first part of the MadoMiner analysis, please do so now. This analysis picks up where Part 1 left off, while also including a brief correction: the x64 version of the Install module was listed as identical to the x86 Install module. However, this is not correct. The x64 Install module is identical in run-through to the 360Safe.exe module, which will be discussed later in this analysis.

In addition, take care with this portion of the malware. The batch script for Mask.exe, DemC.bat, appears to run if it detects any copies of itself during runtime, or if you run the x64 version of Install on a 32-bit machine.

Where Install.exe was in charge of infecting new victims with MadoMiner, it seems Mask.exe is where the real payoff lies. Mask.exe utilizes XMRig miners in order to mine XMR, which it then sells for profit. While MadoMiner was earning $6,000 a month as of the last analysis, around 10/14 MineXMR closed the old address due to botnet reports. A new address has been identified at 47QrUBQ4ejMW5wrWXiKUyRcQCZszauGWg9c3SLkzFoBJi45M5yN6gVPjVxSUfjMq4u8vepEejdnxyRQcv4RuFGy25x67433, mining through minexmr.com again. Currently, the hashrate is at 109 Kh/s, and steadily rising.

Also, around the time that the address changed, MadoMiner also became drastically different.

Malware Analysis

Where Install.exe only downloaded one file from a remote host, Mask.exe downloads two. In addition, the servers used to download the files differ from those used by Install.exe, increasing the proposed size of the botnet.

Domains

In addition to the 2 domains identified in part 1, a new domain has also been identified for a distribution server:

  • http://d.honker[dot]info

However, the domain is currently dead. In addition, the mining server currently in use is pool.minexmr[dot]com.

A C2 server (newly updated version):

  • http://qq.honker[dot]info

Previously identified distribution domains:

  • http://da[dot]alibuf.com:3/
  • http://bmw[dot]hobuff.info:3/

Previously Identified IPs:

  • 61.130.31.174

Previously identified mining servers:

  • http://gle[dot]freebuf.info
  • http://etc[dot]freebuf.info
  • http://xmr[dot]freebuf.info
  • http://xt[dot]freebuf.info
  • http://boy[dot]freebuf.info
  • http://liang[dot]alibuf.com
  • http://dns[dot]alibuf.com
  • http://x[dot]alibuf.com

In addition, http://da[dot]alibuf.com:3, the main distribution server, seems to have been registered by bodfeo[at]hotmail.com in early October 2017. According to an analysis by Steve Butt of DomainTools, this email was linked to APT19/c0d0s0; however, this was most likely due to domain reselling.
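The domains and IP above are published defanged so they cannot be clicked by accident, which also means they have to be normalized before they are useful for detection. The following added example, which is not part of the original analysis or of the researcher's tooling, refangs the indicators quoted above and matches them against constructed DNS and proxy log lines. The log format, the internal client IPs and the benign lines are constructed for illustration; the indicator strings are exactly those listed in this write-up.

```python
"""Match the defanged network indicators from the write-up against
constructed DNS and proxy log lines.

Added example; not part of the original analysis. The indicator strings are
the domains and IP quoted above. The log lines, client IPs and log format are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as they appear (defanged) in the write-up.
DEFANGED_IOCS = [
    "http://d.honker[dot]info",
    "http://qq.honker[dot]info",
    "http://da[dot]alibuf.com:3/",
    "http://bmw[dot]hobuff.info:3/",
    "pool.minexmr[dot]com",
    "61.130.31.174",
    "http://gle[dot]freebuf.info",
    "http://etc[dot]freebuf.info",
    "http://xmr[dot]freebuf.info",
    "http://xt[dot]freebuf.info",
    "http://boy[dot]freebuf.info",
    "http://liang[dot]alibuf.com",
    "http://dns[dot]alibuf.com",
    "http://x[dot]alibuf.com",
]

# Constructed sample log: timestamp, source, client IP, event, destination.
SAMPLE_LOG = """\
2018-10-31T12:00:01Z dns   10.0.0.5 A       bmw.hobuff.info
2018-10-31T12:00:02Z proxy 10.0.0.5 CONNECT pool.minexmr.com:443
2018-10-31T12:00:03Z dns   10.0.0.9 A       www.example.com
2018-10-31T12:00:04Z proxy 10.0.0.9 GET     http://61.130.31.174:3/
2018-10-31T12:00:05Z dns   10.0.0.5 A       xmr.freebuf.info
2018-10-31T12:00:06Z dns   10.0.0.7 A       mail.freebuf.info
"""

# A hostname needs at least one dot and an alphabetic top-level label, which
# keeps timestamps and dotted IPs out of the hostname matches.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Undo common defanging ([dot], [.], hxxp) and reduce a URL to its host."""
    s = ioc.replace("[dot]", ".").replace("[.]", ".").replace("hxxp", "http")
    if "://" in s:
        s = urlsplit(s).hostname or s
    return s.lower().rstrip(".")


def build_ioc_set(defanged=DEFANGED_IOCS):
    """Normalized set of hosts and IPs to match against."""
    return {refang(i) for i in defanged}


def extract_hosts(line: str):
    """Pull every hostname and IPv4 literal out of a log line."""
    return {h.lower() for h in HOST_RE.findall(line)} | set(IPV4_RE.findall(line))


def scan_log(text: str, defanged=DEFANGED_IOCS):
    """Return (line_number, matched_indicator, raw_line) for each exact hit."""
    iocs = build_ioc_set(defanged)
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for host in sorted(extract_hosts(line)):
            if host in iocs:
                hits.append((n, host, line.strip()))
    return hits


if __name__ == "__main__":
    for n, ioc, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ioc} <- {line}")
```

Matching is exact on the host, so the constructed mail.freebuf.info line is not reported even though the write-up lists several freebuf.info subdomains; whether to extend that to a parent-domain match is a judgement call about false positives, since the base domains here are shared registrations rather than indicators themselves.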

Exploits

During the execution of sogou.exe, the following exploits are used to install MadoMiner on new victims’ PCs:

  • CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
  • CVE-2017-0143, SMB exploit
  • CVE-2017-0146, SMB exploit

Installation

Mask.exe ends up on a victim’s computer after either x86.dll or x64.dll downloads mado.exe or dst.exe, respectively.  However, unlike with Install.exe, it doesn’t matter which file is downloaded, because they are the same file (they have the same file hash).

Setup

Once Mask.exe is on a victim’s computer, it attempts to connect to one of the distribution servers identified above (bmw[dot]hobuff.info).  Once a connection is established, it attempts to download two files, sogou.exe and 360safe.exe.  Sogou.exe is the payload that contains the CPUInfo scanner; however, it has been set to scan for IPv6 addresses.  Sogou is saved as Conhost.exe in C:\Windows\Installer.  360Safe.exe is the payload that contains the XMRig miners as well as the service manager (NSSM).  360Safe is saved as Makes.exe.

Mask.exe

Mask.exe seems to be the profitable part of MadoMiner.  Because of this, there are a lot more anti-debug tricks used during Mask.exe’s runthrough.  Mask.exe seems to be in charge of downloading and executing Sogou.exe and 360Safe.exe.  Each of the modules also has batch scripts, discussed in the analysis, that are run during different stages of the execution.

MadoMiner generates money by mining for XMR using Mask.exe, 360Safe.exe, and XMRig.  Mask.exe installs 360Safe.exe, which in turn installs XMRig.  MadoMiner uses the service manager NSSM in order to install the necessary services for runtime and persistence.  In addition, in Sogou.exe, MadoMiner appears to search for IPv6 addresses that are vulnerable to EternalBlue, and it installs some scheduled tasks.

If Mask.exe detects another copy of itself, demC.Bat is run (see the removal section for information).  DemC.Bat is just like the DemC in Part 1, where it attempts to delete the malware as an attempt at anti-debugging.  It also seems to close any open ports so that you can’t be reinfected — how thoughtful!

Sogou.exe runtime analysis

Sogou.exe appears to be another propagation module for MadoMiner, which answers the question of “Since x64.dll installed a miner during Install.exe, how did the x64 version of the malware propagate?” 

Sogou.exe, once downloaded by Mask.exe, saves itself to C:\%Windows%\Installer\conhost.exe and then executes.  However, Sogou.exe is more of a dropper than the full malware itself.  Sogou.exe drops FileFtp.exe into C:\Program Files\Windowsd.  FileFtp.exe appears to be a partially encrypted propagation module that uses the same exploits as ZombieBoyTools, which it drops into Windowsd.  However, this propagation module has a bit more in the way of hiding.  Just like all other modules of MadoMiner, FileFtp includes a script to delete itself from the filesystem.  As any forensic investigator can tell you, when a file is deleted it isn’t really gone, at least not immediately.  FileFtp.exe, however, after installing the propagation exploits and the executable used to spread and before deleting itself, runs cmd /c cipher /w:C, which overwrites unallocated space, where deleted files are stored.  Not only does FileFTP.exe delete itself, it also wipes itself from the system entirely.

Tasks and batch scripts used by Sogou.exe

AutoKMSK is used by sogou.exe to execute a copy of itself saved as C:\Windows\Installer\conhost.exe every 15 minutes.  It does this by using the command

schtasks /create /sc minute /mo 15 /tn "AutoKMSK" /tr "C:\windows\Installer\conhost.exe" /ru "system" /f

AutoKMSKK is used by sogou.exe to execute a script known as “free.bat”, which is very similar to Install.exe’s free.bat.  However, this script will essentially delete all files installed by conhost.exe every 26 minutes.  This is used by the malware in order to evade detection.  The command for this is as follows

schtasks /create /sc minute /mo 26 /tn "AutoKMSKK" /tr "C:\Windows\Installer\free.bat" /ru "system" /f

Mask.exe’s Free.bat

360Safe.exe Brief Overview

Where Sogou.exe appears to be a propagation module, 360Safe.exe is a pure mining module.  360Safe.exe begins on a computer after having been downloaded from bmw.hobuff[dot]info and executed by Mask.exe.  As the main mining payload for MadoMiner, 360Safe is in charge of installing the service manager used by MadoMiner, and then dropping and installing the miner.  However, 360Safe does this in a fairly modular and interesting way: not only does 360Safe contain both the x86 and x64 versions of the service manager and of the miner, but it also identifies the architecture of the host PC and then dynamically creates a payload based on the architecture identified.  In addition, 360Safe uses a number of anti-VM techniques, such as changing the base language of the files used by the service manager and using complete information when setting up registry keys (such as official-looking descriptions and error messages upon tampering with the malware).

360Safe Service Manager

360Safe uses NSSM (the Non-Sucking Service Manager) as its service manager.  NSSM allows it to quickly and easily install services on the system using simple commands like NSSM install <service name> <path-to-service>.  However, 360Safe uses some techniques to hide the fact that it is NSSM.  First, 360Safe changes the base language of the installation information for NSSM.  The information is changed to the host’s language during runtime using the MessageBoxEx Windows API function.  The result is that the strings are semi-unreadable when a basic string analysis is performed.

NSSM strings information

In addition, once the architecture has been identified and the NSSM installer selected, a different installation location is used.  In 360Safe’s use of NSSM, it installs the service manager to the directory C:\%Windows%\Fonts as “svchost.exe”, with the registry keys

  • “HKLM\SYSTEM\CurrentControlSet\Services\EventLog”
  • “HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application”
  • “HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM”

NSSM values

  • “EventMessageFile = C:\Windows\Fonts\svchost.exe”
  • “TypesSupported = 0x00000007”

All of these can be used as IOCs.

In addition, any windows opened by NSSM are hidden so that the host doesn’t suspect anything.  Any time that 360Safe needs to install a service, it calls “C:\windows\Fonts\svchost.exe” in order to do so.

NSSM Registry Installation

360Safe Miner Installation

Just like the rest of 360Safe, the mining portion also installs all of its executables to C:\%Windows%\Fonts.  However, it doesn’t use just one executable to install the miners.  First, 360Safe.exe drops Conhost.exe into C:\%Windows%\Fonts.  In addition to dropping conhost into C:\%Windows%\Fonts, a new service is created called ServiceMaims, which provides persistence for Conhost.

The Display Name (e.g. the name that shows in Task Manager) for ServiceMaims is “Network Location Service”, and the Description is “Provides performance library information from Windows Management”.

ServiceMaims is then started which in turn starts Conhost.

Registry Keys:

  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims\Parameters”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims\Parameters\AppExit”

Values in ServiceMaims:

  • “DisplayName = ServiceMaims”
  • “ErrorControl = 0x00000001”
  • “ImagePath = C:\windows\Fonts\svchost.exe”
  • “ObjectName = LocalSystem”
  • “PreshutdownTimeout = 0x0002bf20”
  • “Start = 0x00000002”
  • “Type = 0x00000010”

Values in ServiceMaims\Parameters:

  • “AppDirectory: C:\windows\Fonts”
  • “Application: C:\windows\Fonts\conhost.exe”
  • “AppParameters: “

Values in ServiceMaims\Parameters\AppExit:

  • “(Default): Restart”

360Safe Conhost

Conhost.exe in C:\%Windows%\Fonts is used as a backup/dropper for the miner that will be installed.  Conhost consists of the x86 version of XMRig, the x64 version of XMRig, and a dropper.  The dropper has some installation scripts that are used for persistence, and it drops only one version of the miner, either x86 or x64 depending on your OS.

On first run, conhost enumerates the victim’s OS architecture and then creates a file in C:\%Windows%\Fonts called “rundllhost.exe”, where it saves either the x86 miner or the x64 miner, depending on your OS.  It then runs a script to save the miner as a service, as well as save the mining information into the registry so that it can be passed to the miner during execution.

The DisplayName = “WMI Performance Services”

The Description = “Identify Computers that are connected to the network, collect and store the properties of these networks, and notify the application when they are changed”

The script then runs ServiceMais so that the miner can be executed.

Note:  This miner only mines at 50% power, but was giving the authors over $6,000 a month before minexmr shut down the address.  The new address is earning around $2,000 a month, and has only been active for a few days, however I’ll get more into that below.

Registry Keys:

  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\Parameters”
  • “HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais\Parameters\AppExit”

Values in ServiceMais:

  • “DisplayName = ServiceMais”
  • “ErrorControl = 0x00000001”
  • “ImagePath = C:\windows\Fonts\svchost.exe”
  • “ObjectName = LocalSystem”
  • “PreshutdownTimeout = 0x0002bf20”
  • “Start = 0x00000002”
  • “Type = 0x00000010”

Values in ServiceMais\Parameters:

  • “AppDirectory: “
  • “Application = rundllhost.exe”
  • “AppParameters = -o pool.minexmr.com:443 -u 45WVNRZkKoR55thZWviZ3diXBLAcNRp4yFCtDCnCLRL7bq9E7XqQ7GX5auuc8thCvgUv1av6MpgC5gFVECYGHmx1VKkfEnp -p x -k --donate-level=1 --max-cpu-usage=50”

Mask.exe Removal

Disclaimer regarding updated malware:  While MadoMiner did update itself around 10/14-10/16, 2018, it doesn’t look like it can update the current bots that are already deployed, only new ones.  For this reason, while IOCs regarding the new malware will be listed at the bottom, a removal section for the old malware will still be included.  Just keep in mind that if your infection occurs after 10/16/2018, the file names listed in this guide may not be entirely accurate. 

Warning Regarding Batch Scripts

Before attempting to remove this malware, the batch files should be brought up and treated with care.  Make sure that all of your files are backed up.  This malware deletes files and then wipes unallocated space, so file recovery is incredibly difficult.

DemC is mainly used by the malware to disable analysis attempts.  If another copy of it is detected, or if you try to run the 64-bit version of Install.exe on a 32-bit system, it scans your system for several different files and folders used in multiple different malware campaigns and makes them inaccessible.  It also closes any open ports that are vulnerable to its campaigns.  It also changes the Image File Execution Options, making it impossible to run the malware again.

Removal Steps – Sogou.exe

Sogou.exe installs two tasks during installation, which will need to be stopped, preferably before the free.bat task is allowed to run.  The tasks, known as “AutoKMSK” and “AutoKKMSK”, can be located by opening the Windows tool “Task Scheduler”.  These tasks will need to be stopped and deleted; however, first note which files are executed by the tasks in the “Actions” tab of the task description.  In this case, they would be “C:\%Windows%\Installer\conhost.exe” and “C:\%Windows%\Installer\free.bat”.

In C:\%Windows%, you’ll want to locate a folder known as “Installer”.  For Sogou.exe, this is the main installation folder.  Inside Installer, you’ll want to locate both “Conhost.exe” and “free.bat”.  Delete them.

In C:\Program Files, you’ll want to locate a folder known as “Windowsd”.  This is where Sogou.exe installs FileFTP.exe and all subsequent files dropped by FileFTP.exe.  If the file deletion script hasn’t already come through and removed them, you’ll want to remove this entire folder.  Note:  Windowsd may or may not contain over 70 different files used for propagation to other systems.

Removal Steps – 360Safe.exe

360Safe.exe appears to install more files into the registry than Sogou.exe.  First, as 360Safe.exe installs several services, those will need to be stopped using the Service manager, and then deleted from the registry.

Service Name: EventLog
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog
Image Location: C:\%windows%\Fonts\svchost.exe

Service Name: ServiceMaims
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims
Image Location: C:\%windows%\Fonts\conhost.exe

Service Name: ServiceMais
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
Image Location: C:\%windows%\Fonts\rundllhost.exe

360Safe saves itself to C:\%Windows% as makes.exe, which will need to be deleted as well.

Removal Steps – Install.exe (x64)

As the x64 version of Install.exe is a near-identical miner to the x86 and x64 versions of mask.exe, the only things that have changed are the services installed.  Removal steps are below; the order corresponds to the Mask.exe services above (RpcEptManger = ServiceMaims, and Samserver = ServiceMais).

Service Name: EventLog
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog
Image Location: C:\%windows%\Fonts\svchost.exe

Service Name: RpcEptManger
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger
Image Location: C:\%WindowsDirectory%\Fonts\wininit.exe

Service Name: Samserver
Regkey: HKLM\SYSTEM\CurrentControlSet\Services\Samserver
Image Location: C:\%WindowsDirectory%\Fonts\rundllhost.exe
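The registry layout described under "360Safe Conhost" (an NSSM wrapper in Fonts\svchost.exe, a Parameters\Application pointing at the real binary, and the XMRig command line in AppParameters) and the service list in the removal steps are the same data seen from two sides, so one offline check covers both. The following Python example is added here and is not code from the original write-up: it parses a .reg export of HKLM\SYSTEM\CurrentControlSet\Services (the sample is constructed to mirror the keys listed above, plus one benign service), flags services that fit that layout, and pulls the pool, wallet, donate level and CPU cap out of the miner command line. Function names and the flagging rules are mine.

```python
import re

SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed .reg export (shape of `reg export HKLM\SYSTEM\CurrentControlSet\Services`),
# reduced to the keys this write-up describes plus the benign Spooler service.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\NSSM]
"EventMessageFile"="C:\\Windows\\Fonts\\svchost.exe"
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceMaims]
"DisplayName"="Network Location Service"
"ImagePath"="C:\\windows\\Fonts\\svchost.exe"
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceMaims\Parameters]
"AppDirectory"="C:\\windows\\Fonts"
"Application"="C:\\windows\\Fonts\\conhost.exe"
"AppParameters"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceMais]
"DisplayName"="WMI Performance Services"
"ImagePath"="C:\\windows\\Fonts\\svchost.exe"
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceMais\Parameters]
"AppDirectory"=""
"Application"="rundllhost.exe"
"AppParameters"="-o pool.minexmr.com:443 -u 45WVNRZkKoR55thZWviZ3diXBLAcNRp4yFCtDCnCLRL7bq9E7XqQ7GX5auuc8thCvgUv1av6MpgC5gFVECYGHmx1VKkfEnp -p x -k --donate-level=1 --max-cpu-usage=50"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="@%systemroot%\\system32\\spoolsv.exe,-1"
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: value}} for string and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = data
    return keys


# XMRig options as they appear in the AppParameters value above.
XMRIG_ARG_PATTERNS = {
    "pool": r"(?:^|\s)-o\s+(\S+)",
    "wallet": r"(?:^|\s)-u\s+(\S+)",
    "donate_level": r"--donate-level[= ](\d+)",
    "max_cpu_usage": r"--max-cpu-usage[= ](\d+)",
}


def parse_xmrig_args(args):
    """Pull pool, wallet, donate level and CPU cap out of an XMRig command line."""
    cfg = {}
    for field, pattern in XMRIG_ARG_PATTERNS.items():
        m = re.search(pattern, args)
        if m:
            cfg[field] = int(m.group(1)) if field in ("donate_level", "max_cpu_usage") else m.group(1)
    return cfg


def find_miner_services(keys):
    """Flag services whose layout matches the NSSM-wrapped miner described in the write-up."""
    findings = []
    for key, values in keys.items():
        if not key.startswith(SERVICES_ROOT):
            continue
        name = key[len(SERVICES_ROOT):]
        if "\\" in name:  # sub-keys such as ...\Parameters are read via their parent
            continue
        params = keys.get(key + "\\Parameters", {})
        reasons = []
        if "\\fonts\\" in values.get("ImagePath", "").lower():
            reasons.append("ImagePath under the Fonts directory")
        if params.get("Application"):
            reasons.append("NSSM-style Parameters\\Application wrapper: " + params["Application"])
        cfg = parse_xmrig_args(params.get("AppParameters", ""))
        if "pool" in cfg or "donate_level" in cfg:
            reasons.append("miner command line in AppParameters, pool " + cfg.get("pool", "?"))
        if reasons:
            findings.append((name, reasons))
    return findings


def nssm_event_source(keys):
    """Return the EventMessageFile registered for the NSSM event source, or None."""
    k = keys.get(SERVICES_ROOT + "EventLog\\Application\\NSSM")
    return None if k is None else k.get("EventMessageFile")
```

Run it against a real export taken from a suspect host and the flagged names are exactly the services the removal steps say to stop and delete; the EventLog\Application\NSSM source is reported separately because it is a sub-key of the legitimate EventLog service rather than a service of its own.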

Removal – DemC Has Been Run

In the case that DemC is run, removal becomes more complex.  DemC’s purpose is to hide MadoMiner from analysis and thus makes directories/takes ownership of current directories in order to hide.

Specifically, DemC:

  • Removes the %Windows%\SpeechsTracing directory (if it exists)
  • Removes the %Windows%\SecureBootThemes directory (if it exists)
  • Removes the %Windows%\sysprepthemes directory (if it exists)
  • Makes a new directory at %Windows%\SpeechsTracing\Microsoft and then makes that directory inaccessible for everyone
  • Makes a new directory at %Windows%\SecureBootThemes and then makes that directory inaccessible for everyone
  • Makes a new directory at %Windows%\sysprepthemes and then makes that directory inaccessible for everyone
  • Makes the file C:\ProgramData\Natihial\svshostr.exe inaccessible for everyone
  • Makes the file C:\ProgramData\newcsrss inaccessible for everyone
  • Makes the file C:\ProgramData\Microsoft\Natihial\cmd.exe inaccessible for everyone
  • Makes the file C:\ProgramData\expl0rer.exe inaccessible for everyone
  • Makes the file C:\windows\svchost.exe inaccessible for everyone
  • Makes the directory C:\%windows%\svchost.exe and then makes that directory inaccessible for everyone
  • Makes the directory C:\%windows%\tasksche.exe and then makes that directory inaccessible for everyone
  • Makes the directory C:\program files (x86)\stormii\server.exe and then makes that directory inaccessible for everyone

For the files made inaccessible, you’ll need to take ownership of them, either by using the built-in security manager GUI, or by using the sysinternals suite TakeOwn.

Indicators of Compromise

Each sample is listed with its hash (the MD5 column of the original table), size, the IP or domain it contacts, and the host-based IOCs it leaves behind.

Sample: Mask.exe
MD5: 4ae31911c1ef2ca4eded1fdbaa2c7a49
Size: 741.4 KB
IP: bmw.hobuff[dot]info:3/
IOC:
  • C:\%Windows%\tem.vbs
  • C:\%Windows%\demc.bat

Sample: 360Safe.exe
MD5: ce606d80b44ea2aae81056b9088ba1e4
Size: 3.6 MB
IP: pool.minexmr[dot]com:443
IOC:
  • Services: EventLog, ServiceMaims, ServiceMais
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog, HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims, HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
  • Executables: C:\%windows%\Fonts\svchost.exe, C:\%windows%\Fonts\conhost.exe, C:\%windows%\Fonts\rundllhost.exe
  • Connection to pool.minexmr.com:443
  • Scripts: C:\%Windows%\tem.vbs

Sample: 360Safe_svchost_x86.exe
MD5: 0a7d7ed55c4202f5106824f11ecb22fa
Size: 299 KB
IOC:
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog
  • Executables: C:\%windows%\Fonts\svchost.exe

Sample: 360Safe_svchost_x64.exe
MD5: 081f10718d76c9b3b19901f0ee630960
Size: 292 KB
IOC:
  • Services: EventLog
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog
  • Executables: C:\%windows%\Fonts\svchost.exe

Sample: 360Safe_conhost.exe
MD5: 9c59ea0f58c5143b0860ec434d646780
Size: 2.3 MB
IOC:
  • Services: ServiceMaims
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMaims
  • Executables: C:\%windows%\Fonts\conhost.exe

Sample: 360Safe_rundllhost_x86.exe
MD5: 467d7dfe3a1fe82d12b38d997df5cfbe
Size: 1.6 MB
IP: pool.minexmr[dot]com:443
IOC:
  • Services: ServiceMais
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
  • Executables: C:\%windows%\Fonts\rundllhost.exe
  • Connection to pool.minexmr.com:443

Sample: 360Safe_rundllhost_x64.exe
MD5: e41f5e79400c985e8d8a25f0711095f15302e8dd
Size: 481 KB
IP: pool.minexmr[dot]com:443/
IOC:
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\ServiceMais
  • Executables: C:\%windows%\Fonts\rundllhost.exe
  • Connection to pool.minexmr.com:443

Sample: Sogou.exe
MD5: edfa66accd958eb87a6e8ef1eb708d2f
Size: 3.9 MB
IOC:
  • Folder: C:\%Program Files%\Windowsd
  • Tasks: AutoKMSK, AutoKKMSK
  • Executables: C:\%Windows%\Installer\conhost.exe, C:\%Windows%\Windowsd\FileFtp.exe
  • Assorted executables needed for spreading, found in Windowsd
  • Scripts: C:\%Windows%\free.bat

Sample: FileFtp.exe
MD5: 1188f935979806545cbf118e22416be5
Size: 8.9 MB
IOC:
  • C:\%Windows%\Windowsd\FileFtp.exe
  • Assorted executables needed for spreading, found in Windowsd

Sample: Installx64.exe
MD5: d8470f5c12f5a5fee89de4d4c425d614
Size: 1.3 MB
IP: x.alibuff[dot]com
IOC:
  • Services: EventLog, RpcEptManger, Samserver
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog, HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger, HKLM\SYSTEM\CurrentControlSet\Services\Samserver
  • Executables: C:\%windows%\Fonts\svchost.exe, C:\%WindowsDirectory%\Fonts\wininit.exe, C:\%WindowsDirectory%\Fonts\rundllhost.exe

Sample: Installx64_svchost.exe
MD5: 081f10718d76c9b3b19901f0ee630960
Size: 299 KB
IOC:
  • Services: EventLog
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\EventLog
  • Executables: C:\%windows%\Fonts\svchost.exe

Sample: Installx64_wininit.exe
MD5: 081f10718d76c9b3b19901f0ee630960
Size: 490 KB
IOC:
  • Services: RpcEptManger
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\RpcEptManger
  • Executables: C:\%WindowsDirectory%\Fonts\wininit.exe

Sample: Installx64_rundllhost.exe
MD5: e41f5e79400c985e8d8a25f0711095f15302e8dd
Size: 481 KB
IP: x.alibuff[dot]com
IOC:
  • Services: Samserver
  • Regkeys: HKLM\SYSTEM\CurrentControlSet\Services\Samserver
  • Executables: C:\%WindowsDirectory%\Fonts\rundllhost.exe

Sample: MadoMiner_New_445.exe
MD5: d4d8f87c61051c28ca3cee7e38bf839d
Size: 2.1 MB
IP: a.f2pool[dot]info:13531
IOC:
  • Task named “GooglePingInCongifs” executing C:\windows\lsass.exe
  • C:\%WindowsDirectory%\Install.exe
  • C:\%WindowsDirectory%\lsass.bat
  • Mining at a.f2pool[dot]info

Sample: MadoMiner_New_445_Lsass.exe
MD5: 1dd1550f2586411766cba953badf76f7
Size: 4.5 MB
IP: a.f2pool[dot]info:13531
IOC:
  • C:\%WindowsDirectory%\lsass.exe

Sample: MadoMiner_New_Dst.exe
MD5: 4ace52693bdeace5b285d35e47be6cfc
Size: 102.4 KB
IP: qq.honker[dot]info
IOC:
  • Service: Jklmno
  • Regkey: HKLM\SYSTEM\CurrentControlSet\Services\Jklmno
  • Executable: C:\%Windows%\svchost.exe

Sample: MadoMiner_New_Dst_DecryptedRAT.exe
MD5: 01374ea3c48b69876d9375a2baba76ce
Size: 51.6 KB
IP: qq.honker[dot]info
IOC:
  • Service: Jklmno
  • Regkey: HKLM\SYSTEM\CurrentControlSet\Services\Jklmno
  • Executable: C:\%Windows%\svchost.exeds

Sample: MadoMiner_New_Mask.exe
MD5: 345239f58ddfd522ff04ad67009d15e9
Size: 4.5 MB
IP: l.f2pool[dot]info:443/
IOC:
  • C:\%WindowsDirectory%\Fonts\lsass.exe
  • C:\%WindowsDirectory%\Fonts\svchost.exe
  • C:\%WindowsDirectory%\Fonts\runhost.exe

Sample: MadoMiner_New_Mask_lsass.exe
MD5: 0ef0a7198444a43be51948e10cc15c53
Size: 3.5 MB
IP: l.f2pool[dot]info:443/
IOC:
  • C:\%WindowsDirectory%\Fonts\lsass.exe

Sample: MadoMiner_New_Mask_svchost.exe
MD5: 8a44626c2ca26a84764e7ad771143d44
Size: 89.1 KB
IOC:
  • C:\%WindowsDirectory%\Fonts\svchost.exe

The post MadoMiner Part 2 – Mask appeared first on Cybersecurity Insiders.


October 30, 2018 at 09:09AM

Highlights From Security Congress 2018 – And What to Look Forward To

Photo: New Orleans jazz band welcomes attendees to the city and declares (ISC)2 Security Congress 2018 open

By David Shearer, CISSP, (ISC)² CEO

When I made the decision two years ago to transform the annual (ISC)2 Security Congress into an independent event, I knew it would be a huge undertaking for our team, but I also understood the passion of our member base and that we had enough interest to support this evolution. After returning from the 2018 Congress held in New Orleans just a few weeks ago (from October 8-10) I am reaffirmed that it was the right move. Our attendees were genuinely enthralled with the caliber of speakers and sessions we pulled together and made me as proud as I’ve ever been to call myself a member of the cybersecurity community. We had nearly 2000 of our colleagues in attendance, which was wonderful, but our global member base is so much larger that I wanted to take a few minutes to catch up to speed those who weren’t able to make it in person. Following are some of the highlights that you missed, as well as a preview of next year’s Security Congress. I sincerely hope to see and speak with as many of you as possible in 2019!

Photo: The (ISC)² Security Congress 2018 exhibitor hall hosted a networking night on October 8

On the weekend leading up to Security Congress, we ran pre-conference sessions, most of which were sold out. We were pleased once again to have our friends and members from the Cloud Security Alliance (CSA) join us on Sunday for a full-day CSA summit. On Monday morning, I talked about the need to change our industry’s messaging, focusing on the why behind cybersecurity’s importance in real life easy-to-appreciate ways. Defining ‘Why Cybersecurity’ and ‘Why (ISC)²’ will be a major focus for us going forward. I referenced the old BASF ad campaign about making everything better, and I provided some examples of how (ISC)² and cybersecurity contribute to business and mission enablement. 

At (ISC)², our members don’t make many of the products and services you depend on, they make many of the products and services you depend on better.

  • We don’t deliver emergency response services. We secure the data, software and technical infrastructure emergency responders rely on to save lives and property.
  • We don’t make the firewall, SIEM or endpoint protection. We deploy, configure and manage the solutions that secure your critical assets every day.
  • We don’t build production lines. We secure industrial control systems to ensure the food, medicines and products you buy are safe.
  • We don’t create power lines or substations. We secure critical infrastructure, so nobody disrupts your power.
  • We don’t make cloud solutions. We help you use the cloud with confidence, wherever you are, knowing your data and online transactions are secure.
  • We don’t make smart cars and public transportation systems. We embed security into the software that controls them, so you get where you need to be safely.
  • We don’t make healthcare solutions. We secure the systems that deliver life-saving services and protect patient healthcare data.


Photo: Congressman Cedric Richmond answers questions from John McCumber, director of cybersecurity advocacy for (ISC)², following the opening keynote

It was great to hear Louisiana Congressman Cedric Richmond thank all of our attendees for their hard work and dedication. It was equally exciting to hear his remarks on ‘Why Cybersecurity’ by imploring all of us in attendance to “make cybersecurity cool” if we hope to attract more to the profession. We then heard from Jane McGonigal, a noted game designer, about applying a gaming mentality to help us think through all the possible implications of emerging technologies.

On Tuesday we heard from the first female Mayor of New Orleans, who so eloquently expressed her concerns as a mother regarding online safety for children. We learned more about the outstanding work (ISC)²’s Center for Cyber Safety and Education is doing – delivering on our social responsibility. Some of us enjoyed a great parade to a riverboat fundraiser cruise to support the Center. Our keynote Theresa Payton, CEO of Fortalice Solutions and former CIO for the White House, gave us some real-world examples of her time serving the Oval Office regarding how users will work around security when we fail to design solutions that work for them. That is an important lesson for all of us to appreciate about the need to abstract the end user from the complexities of cybersecurity. We also held our Information Security Leadership Awards (ISLA) ceremony for the Americas where we honored some exceptional individuals who have significantly contributed to inspiring a safe and secure cyber world.

Photo: Game designer Jane McGonigal addresses the audience at (ISC)² Security Congress 2018

On Wednesday we continued our educational track sessions and we wrapped up with a keynote from Dr. Jessica Barker, co-founder of Cygenta, about the psychology (and reason for optimism) related to cybersecurity.  Dr. Barker called out the mistakes we often make when we characterize end users as the problem as opposed to the solution to our security challenges. The three-day Security Congress and the pre-conference workshops were designed to deliver on our Enrich. Enable. Excel. theme. We hope we hit the mark for our attendees. We’re working through member surveys and post event lessons learned to continue to refine our programming and overall member experience.

I couldn’t be more grateful to our attendees that this was the second year in a row Security Congress sold out. As a result, for 2019 we’re excited to move to Orlando, Florida at the Walt Disney World Swan and Dolphin Resort from October 28-30. The new venue will provide us with a lot of increased capacity to continue to grow the event and to welcome more of our colleagues from around the globe. We want to avoid having to turn people away like we’ve had to do in 2017 and ‘18. For the six years following that, we’ll be at the Hyatt Regency Orlando. Orlando has a much larger and travel-friendly airport than host cities in previous years for international and domestic attendees alike.

Registration is now open! Please make sure to reserve your spot for Security Congress 2019 as early as possible by visiting: Congress.isc2.org

The post Highlights From Security Congress 2018 – And What to Look Forward To appeared first on Cybersecurity Insiders.


October 30, 2018 at 09:08AM

IBM acquiring Red Hat for a whopping $34 billion

By Waqas

IBM (International Business Machines) is acquiring the world-renowned provider of open source cloud software Red Hat, Inc., for a whopping $34 billion; the news about the deal was announced on Sunday. IBM plans to pay $34 billion in cash, or $190.00 per share. After the deal, Red Hat will join IBM’s Hybrid Cloud team while its CEO Jim Whitehurst will […]

This is a post from HackRead.com Read the original post: IBM acquiring Red Hat for a whopping $34 billion


October 29, 2018 at 11:24PM

Spicing up the MSSP World

We love conducting surveys at conferences. Not only do we gain insights from some of the smartest people in attendance, but we get a few extra minutes to mingle and get to know them better.

So, while we were at SpiceWorld in Austin this year, we sought to capture thoughts on outsourcing security. Of the attendees, 380 participated in our survey to bring us the following insights.

How Much is Outsourced?

The first question was to establish a baseline as to how current security operations programs are currently sourced.

A majority, at 60 percent, run security operations completely in-house. On the other side of the spectrum, a shade under 5 percent of participants’ companies completely outsource security operations.

The remaining participants outsource some aspects of their security operations with most keeping the majority of functions in-house.

Attitudes Towards Outsourcing

The question that then arises is how participants felt about outsourcing security operations as a whole.

Just over a quarter, 26 percent, believed that security should never be outsourced.

However, 41 percent believed that security operations should be outsourced as much as possible, as long as the service provider is good. Perhaps the key point here is the caveat about the quality of the service provider. Companies looking to outsource any aspect of their security operations should vet potential providers and be assured that the provider is fulfilling its part of the deal.

Gaining that assurance can take many forms. At a simple level it could be unplugging a server and waiting to see how long it takes for the provider to notice. Alternatively, at the risk of sounding like Jeremiah Grossman, the right incentives are needed here. Be that in the form of the vendor providing some warranty, or even insurance.

Another aspect which we did not go into were some of the drivers that lead to companies outsourcing.

The skills gap is an important discussion point. Many companies don’t have the right staff, or the right number of staff, internally to fulfill the increasing needs. According to the 2018 (ISC)2 Cybersecurity Workforce Study, there is a shortage of nearly 3 million cybersecurity professionals.

Another factor could be that many security operations tools, technologies, and processes have become increasingly standardised over the years. This standardisation allows companies to outsource certain aspects of security operations in a relatively commoditised manner.

Budgets

In an attempt to get an indication as to the direction the market is heading, we sought to understand budgets and future spending trends.

The majority of participants believe that the return on investment is justified when outsourcing security. This should not be surprising for most security operations tasks that have good economies of scale. 

Furthermore, both in-house and outsourced security operations budgets are largely looking to increase. For in house-security operations, 33 percent reported a planned increase in budget over the coming year, and 25 percent are looking to spend more on outsourcing security operations.  

Conclusion

In a short survey with a limited audience set, it is difficult to draw hard and definitive conclusions, but it does provide some good indicators that are worth exploring.

Compared to a few years ago, there appears to be greater acceptance and adoption of managed security partners to handle security operations. This trend looks to increase with a combination of factors including a skills shortage, standardisation of security operations technologies and processes, and an increased level of confidence in the services and monetary value offered by service providers.

      

The post Spicing up the MSSP World appeared first on Cybersecurity Insiders.


October 29, 2018 at 09:09PM

Breached Records More Than Doubled in H1 2018, Reveals Breach Level Index

Break Down of the 2018 Breach Level Index Stats:

• 18,525,816 records compromised every day
• 771,909 records compromised every hour
• 12,865 records compromised every minute
• 214 records compromised every second

Data breaches had a field day in 2018. According to the Breach Level Index, a database compiled by Gemalto to track publicly reported data breaches disclosed in news media reports, 2018 is one of the only years where more than two billion records were compromised in publicly disclosed data breaches. The only other year to do so was 2013, due to the exposure of all three billion Yahoo users’ accounts.

Gemalto has analyzed the Breach Level Index during the first half of 2018 and the findings are truly staggering. In just six months, the system tracked more than 3.3 billion breached data files. This figure represents a 72 percent increase over the first half of 2017.

The Breach Level Index didn’t contain as many reported incidents in the first half of 2018 as it did over the same period last year, with 944 reported security events during the reporting period compared to 1,162 breaches reported in the first half of 2017.

The Main Trends From the 2018 Report:

Identity theft yet again the top data breach type: Identity theft was responsible for nearly four billion records compromised in the first half of the year, which represents growth of more than a thousand percent compared to the previous year. During the same time frame, the number of incidents involving identity theft decreased by a quarter.
Malicious outsiders and accidental loss the most prevalent sources of data breach: Events involving malicious outsiders and accidental loss accounted for 56 percent and 34 percent of all data breaches, respectively.
Social media weathered the greatest number of compromised records: Facebook wasn’t the only social giant that suffered a data breach in the first half of 2018. Twitter also experienced a security incident where a software glitch potentially exposed the login credentials of its 330 million users. In total, data breaches compromised 2.5 billion records stored by social media giants.
Incidents in healthcare and financial services declined: The number of compromised files and data breaches decreased for both healthcare and financial services. These declines at least in part reflected the introduction of new national regulations that help regulate health data and financial transactions.
North America led the way in publicly disclosed data breaches: This region represented more than 97 percent of data records compromised in the first half of 2018. In total, there were 559 events in the region, a number which represented 59 percent of all data breaches globally in the first half of 2018.

New Data Privacy Regulations Take Effect:

In the wake of new data protection regulations, reporting of security incidents is on the rise. Following the passage of the Australian Privacy Amendment (Notifiable Data Breaches) Act, the Office of the Australian Information Commissioner (OAIC) received 305 data breach notifications by the end of the second quarter of 2018. This number is nearly triple the number submitted to the OAIC for the entire 2016-2017 fiscal year. Such growth in data breach reporting will likely continue through the rest of 2018 and beyond under GDPR and New York’s Cybersecurity Requirements for Financial Services Companies.

If you are interested in learning more about Gemalto’s H1 2018 Breach Level Index findings, you can check out the full report or the infographic for a quick snapshot of the stats.

The post Breached Records More Than Doubled in H1 2018, Reveals Breach Level Index appeared first on Cybersecurity Insiders.


October 29, 2018 at 09:09PM

Four ways to improve your home’s security with the IoT

Smart home security is a hot topic now. More and more homeowners are now looking to home security products to help secure their properties from a variety of threats – mainly burglary. They look to a multitude of options, from smart security cameras, to motion sensors, to microphones and more. Some of these can be effective, when used in the right scenarios, but this isn’t always the case.

So, what can be done to ensure your home is better protected when it comes to securing it with the IoT? Read below for our top four tips.

WiFi home security

  1. Protect important cabling

The majority of smart home technologies are based on Wi-Fi and Zigbee style protocols. Often, it’s Zigbee for the networks inside the home and Wi-Fi for the connection to the internet. When looking more closely at this, it’s clear that the Wi-Fi-based internet connection is the weak spot in many home security products.

Many connected security camera products available in shops offer a homeowner the chance to monitor their house from a beach on the other side of the world using their smartphone. This of course can be very appealing, and in some cases can provide peace of mind.

However, there is a critical and often-overlooked weakness… Follow the cable from your Wi-Fi router and at some point you will see that it probably appears on an outside wall before vanishing into the ground. A pair of wire cutters, or something similar, makes a very effective and low-tech ‘denial of service’ attack for a couple of quid in this case.

As a result, you should endeavour to protect this cable; otherwise every internet-based security product in your house could be rendered inoperable. As an example, the picture below is from the front of a normal house. This box belongs to the ISP of the house… The cable is the internet connection. As you can see, it would take about two seconds to disable the connectivity, so make sure it’s protected!

Home Internet cable box

  2. Camera positioning

Once you’ve secured your cabling, protecting your connection, you need to think carefully about where your cameras are pointing. Firstly, it’s worth having a camera that points to your cabling; if a burglar is able to disable/sever the connection, at least you’ll be able to see who it was! This of course is why smart meters have only cellular connectivity – there are no visible parts to attack.

But cellular does come at a cost, as someone needs to pay for and manage the airtime. The return for the utilities is obvious: they pay for the connectivity (which you pay for in your electricity bill, a contract which already exists), and the utilities also have the ability to ‘cut you off’ without sending a man in a van.

  3. Contracts

If your internet-based security product does not come with a contract to manage it, this unfortunately makes it somewhat useless in certain situations. And this is often a problem when it comes to smart homes – nobody wants another bill, on top of the initial costs of the smart home technology.

A contract is crucial for an effective and consistent service that can be maintained, repaired if need be, or upgraded.

There are of course plenty of failed or flawed ‘over the counter’ assisted living, home security and convenience consumer IoT ideas. When they are based on cellular plans, they have failed to take off in the past due to the need for a monthly contract. As MNOs (understandably) want to be paid for the traffic going through their networks, this increased cost has put off consumers.

On the flip side, when the solution is reliant on Wi-Fi, the services depend on the customer’s own equipment, passwords and attitude to cyber security. However, this comes with its own risks. If you know your neighbour’s Wi-Fi password (which plenty of people do), they’d need a second Wi-Fi network just for their home gadgets to stop you being able to switch all their lights off, or worse.

As you can appreciate, professional and industrial security services have cellular connectivity built in with a managed service for a reason. So, there are other technologies to help address this, but you will need to invest in a trusted provider.

  4. End to end security

If your data is of critical importance, make sure you invest in end to end devices with robust security. This will likely include cryptography (but not always). This of course is of paramount importance when planning security from the ground up – for more information on how this is done and security by design, see our latest report on the key ingredients for IoT security success.

Let us know if you have any tips for your smart home either by tweeting us @GemaltoIoT or letting us know in the comments below.

And for more information on how our own ‘Out-of-the-Box’ Secure IoT Device Authentication for Cloud Platforms works, and to see how we secure the data-to-cloud journey, check out our step-by-step video, here.

The post Four ways to improve your home’s security with the IoT appeared first on Cybersecurity Insiders.


October 29, 2018 at 09:09PM

IBM Corp To acquire Red Hat Inc for $34 billion

IBM Corp officially disclosed on Sunday that it is going to acquire US software company Red Hat Inc for $34 billion. As per the details available to our Cybersecurity Insiders, IBM is likely to pay $186-$190 per share in cash to bail out the debt-ridden proprietor of Linux software.

According to the trade analysts, IBM’s latest acquisition will by far be the biggest acquisition for the maker of mainframe computers.

Probably, Ginni Rometty’s (the Chief Executive of IBM) plan is to diversify her company’s technology hardware and consulting business into higher margin products and services.

Red Hat, which was termed an apt competitor to Microsoft’s proprietary Windows software, is nowadays finding it hard to maintain its stance in the open source software business.

Although there is still a huge demand for Linux OS versions in the corporate world, the North Carolina based company is finding it hard to make money from its corporate customers by providing customized features, maintenance, and technical support.

As the Raleigh based company has succeeded in keeping its cash registers buzzing in the cloud computing business, Rometty’s company must have eyed the revenue and might have grabbed the company to gain scale and fend off competition (if and when possible).

Analysts say that IBM will aim to give tough competition to Amazon.com Inc and Alphabet subsidiary Google in the cloud computing business from now on.

NOTE 1- IBM’s deal to acquire Red Hat will close in the 2nd half of 2019, and the “International Business Machines Corporation” has decided to suspend its share repurchase program in 2020 and 2021 to help pay for the deal.

NOTE 2- IBM has also announced that Red Hat Inc will still run under the leadership of the current CEO Jim Whitehurst after the deal and all the management team, headquarters, facilities, brands, and practices will be retained as they are now.

The post IBM Corp To acquire Red Hat Inc for $34 billion appeared first on Cybersecurity Insiders.


October 29, 2018 at 09:03PM

Sunday, October 28, 2018

Identiv to acquire Thursby Software Systems

California based Identiv Inc., formerly known as Identive Group Inc, has made it official that it is going to acquire mobile security company Thursby Software Systems. The financial details of the deal are yet to be known, but analysts say that the deal will strengthen the former’s logical access across smart cards and derived credentials on Apple iOS and Google Android devices.

Thursby is known to offer solutions supporting BYOD and 2-factor authentication on mobile devices running on iOS and Android operating systems. The company has so far managed to build deep and long-standing customer relationships by offering security-related software across private and federal government entities.

Sources say that the Texas-based security software solutions provider has managed to sell one million software licenses to a range of customers from healthcare, finance, energy and education, as well as a few Fortune 500 companies.
Thursby’s customer list includes over 100,000 employees from the US Department of Defense and other federal agencies.

Identiv, Inc is known to provide security technologies that secure data, physical places and things. The acquisition of Thursby is said to be a strategic step that moves the company closer to its innovative business model, helps generate higher profit margins by improving profitability, and helps deliver solution platforms that transform the business of the security industry.

Note- Identiv’s acquisition of Thursby is subject to the usual closing conditions and is expected to close on or around October 28th, 2018.

The post Identiv to acquire Thursby Software Systems appeared first on Cybersecurity Insiders.


October 29, 2018 at 10:04AM