President Biden’s Peloton exercise equipment under scrutiny

President Joe Biden can’t bring his Peloton exercise equipment to the White House due to security reasons.

Peloton devices are connected online and are equipped with a camera and microphone that give the users an immersive experience and communications capabilities. On the other side, these features pose a potential risk to the user in case of a hack, and President Joe Biden is a privileged target.

To secure the exercise equipment, Biden’s Peloton may have to be modified, removing the microphone, camera and networking equipment.

“If you really want that Peloton to be secure, you yank out the camera, you yank out the microphone, and you yank out the networking equipment … and you basically have a boring bike,” Max Kilger, Ph.D., director of the Data Analytics Program and Associate Professor in Practice at the University of Texas at San Antonio, told Popular Mechanics. “You lose the shiny object and the attractiveness.”

Source: President Biden’s Peloton exercise equipment under scrutiny

So long Peloton Joe Biden may need new exercise equipment when he moves

Leave a Comment

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways

The username and password (zyfwp/PrOw!aN_fXp) were visible in one of the Zyxel firmware binaries.

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities.

Device owners are advised to update systems as soon as time permits.

Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks

Source: Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways | ZDNet



[Tech News] Backdoor Account Discovered in More Than 100,000 Zyxel Firewalls, VPN Gateways podcast




Leave a Comment

Ransomware Is Headed Down a Dire Path

2020 was a great year for ransomware gangs. For hospitals, schools, municipal governments, and everyone else, it’s going to get worse before it gets better.

AT THE END of September, an emergency room technician in the United States gave WIRED a real-time account of what it was like inside their hospital as a ransomware attack raged. With their digital systems locked down by hackers, health care workers were forced onto backup paper systems. They were already straining to manage patients during the pandemic; the last thing they needed was more chaos. “It is a life-or-death situation,” the technician said at the time.

The same scenario was repeated around the country this year, as waves of ransomware attacks crashed down on hospitals and health care provider networks, peaking in September and October. School districts, meanwhile, were walloped by attacks that crippled their systems just as students were attempting to come back to class, either in person or remotely. Corporations and local and state governments faced similar attacks at equally alarming rates.

Ransomware has been around for decades, and it’s a fairly straightforward attack: Hackers distribute malware that mass-encrypts data or otherwise blocks access to a target’s systems, and then demand payment to release the digital hostages. It’s a well-known threat, but one that’s difficult to eradicate—something as simple as clicking a link or downloading a malicious attachment could give attackers the foothold they need. And even without that type of human error, large corporations and other institutions like municipal governments still struggle to devote the resources and expertise necessary to lay down basic defenses. After watching these attacks in 2020, though, incident responders say that the problem has escalated and that the ransomware forecast for next year looks pretty dire.

Source: Ransomware Is Headed Down a Dire Path



Dealing with a Ransomware Attack: A full guide




Leave a Comment

Fake Amazon gift card emails deliver the Dridex malware

The Dridex malware gang is delivering a nasty gift for the holidays using a spam campaign pretending to be Amazon Gift Cards.

Dridex phishing campaign wants to send a gift

When distributing malware, malware gangs commonly use current events and the holidays as themes for phishing campaigns to lure people into opening malicious attachments.

Such is the case in a recent phishing campaign discovered by cybersecurity firm Cyberreason that pretends to be an Amazon gift certificate sent via email.

These emails, shown below, pretend to be a $100 gift certificate that users must redeem by clicking on a phishing email button.

Source: Fake Amazon gift card emails deliver the Dridex malware



Fake Amazon Email Scam 2020 | How to Detect & Defend | Alert | Windows 10 | Beginners Guide |




Leave a Comment

SUPERNOVA, a backdoor found while investigating SolarWinds hack

While investigating the recent SolarWinds Orion supply-chain attack security researchers discovered another backdoor, tracked SUPERNOVA.

The investigation of the SolarWinds Orion supply-chain attack revealed the existence of another backdoor that was likely used by a separate threat actor.

After the initial disclosure of the SolarWinds attack, several teams of researchers mentioned the existence of two second-stage payloads.

Security experts from Symantec, Palo Alto Networks, and Guidepoint reported that threat actors behind the SolarWinds attack were also planting a .NET web shell dubbed Supernova.

Researchers from Palo Alto Networks revealed that the malicious code is a tainted version of the legitimate .NET library “app_web_logoimagehandler.ashx.b6031896.dll” included in the SolarWinds Orion software.

“In the analysis of the trojanized Orion artifacts, the .NET .dll app_web_logoimagehandler.ashx.b6031896.dll was dubbed SUPERNOVA, but little detail of its operation has been publicly explored.” reads the analysis published by Palo Alto Networks.

“SUPERNOVA differs dramatically in that it takes a valid .NET program as a parameter. The .NET class, method, arguments and code data are compiled and executed in-memory. There are no additional forensic artifacts written to disk, unlike low-level webshell stagers, and there is no need for additional network callbacks other than the initial C2 request. In other words, the SolarStorm attackers have constructed a stealthy and full-fledged .NET API embedded in an Orion binary, whose user is typically highly privileged and positioned with a high degree of visibility within an organization’s network.”

Source: SUPERNOVA, a backdoor found while investigating SolarWinds hack



Learning about .NET Malware by Going Over the SUNBURST SolarWinds Backdoor

Leave a Comment

Suspected Russian hackers spied on U.S. Treasury emails

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury Department and an agency that decides internet and telecommunications policy, according to people familiar with the matter.

Three of the people familiar with the investigation said Russia is currently believed to be behind the attack.

Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said National Security Council spokesman John Ullyot.

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.

Source: Suspected Russian hackers spied on U.S. Treasury emails – sources


    Active Exploitation of SolarWinds Software

    Emergency directive: Global governments issue alert after FireEye hack is linked to SolarWinds supply chain attack

    SolarWinds Security Advisory

    Massive suspected Russian hack is 21st century warfare

    The government has known about the vulnerabilities that allowed the SolarWinds attack since the birth of the internet—and chose not to fix them.

    WATCH: Trump refuses to acknowledge that Russia meddled in US elections



RUSSIAN GOVERNMENT HACKING GROUP ‘APT29’ BEHIND CYBER HACK ON US GOVERNMENT




U.S. Agencies Hit in Brazen Cyber-Attack by Suspected Russian Hackers




#Sandworm: A New Era of #Cyberwar and the Hunt for the #Kremlin’s Most #Dangerous #Hackers Paperback

Leave a Comment

U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists

A Gizmodo investigation has found that schools in the U.S. are purchasing phone surveillance tools from Cellebrite and companies that offer similar tools just four years after the FBI used it to crack a terrorism suspect’s iPhone.

In May 2016, a student enrolled in a high-school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other, “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child.

The Cellebrite used to gather evidence in that case was owned and operated by the Shelby County Sheriff’s Office. But these invasive phone-cracking tools are not only being purchased by police departments. Public documents reviewed by Gizmodo indicate that school districts have been quietly purchasing these surveillance tools of their own for years.

In March 2020, the North East Independent School District, a largely Hispanic district north of San Antonio, wrote a check to Cellebrite for $6,695 for “General Supplies.” In May, Cypress-Fairbanks ISD near Houston, Texas, paid Oxygen Forensics Inc., another mobile device forensics firm, $2,899. Not far away, majority-white Conroe ISD wrote a check to Susteen Inc., the manufacturer of the similar Secure View system, for $995 in September 2016.

Source: U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists

Leave a Comment

Brave browser-maker launches privacy-friendly news reader

By design, Brave Today doesn’t let the company or third parties build user profiles.

Brave Software, maker of the Brave Web browser, is introducing a news reader that’s designed to protect user privacy by preventing parties—both internal and third party—from tracking the sites, articles, and story topics people view.

Brave Today, as the service is called, is using technology that the company says sets it apart from news services offered by Google and Facebook. It’s designed to deliver personalized news feeds in a way that leaves no trail for Brave, ISPs, and third parties to track. The new service is part of Brave’s strategy of differentiating its browser as more privacy-friendly than its competitors’.

Key to Brave Today is a new content delivery network the company is unveiling. Typically, news services use a single CDN to cache content and then serve it to users. This allows the CDN or the service using it to see both the IP address and news feed of each user, and over time, that data can help services build detailed profiles of a person’s interests.

The Brave Today CDN takes a different approach. It’s designed in a way that separates a user’s IP address from the content they request. One entity offers a load-balancing service that receives TLS-encrypted traffic from the user. The load balancer then passes the traffic on to the CDN that processes the request.

The load balancer knows the user’s IP address, but because the request is encrypted, it has no visibility into the content the user is seeking. The CDN, meanwhile, sees only the request but has no way of knowing the IP address that’s making it. Responses are delivered in reverse order. To prevent the data from being combined, Brave says that it will use one provider for load balancing and a different one for content delivery.

Source: Brave browser-maker launches privacy-friendly news reader



Brave Browser-Maker Launches Privacy-Friendly News Reader podcast

Leave a Comment

Record Levels of Software Bugs Plague Short-Staffed IT Teams in 2020

As just one symptom, 83 percent of the Top 30 U.S. retailers have vulnerabilities which pose an “imminent” cyber-threat, including Amazon, Costco, Kroger and Walmart.

2020 is shaping up to be a banner year for software vulnerabilities, leaving security professionals drowning in a veritable sea of patching, reporting and looming attacks, many of which they can’t even see.

A trio of recent reports tracking software vulnerabilities over the past year underscore the challenges of patch management and keeping attacks at bay.

“Based on vulnerability data, the state of software security remains pretty dismal,” Brian Martin, vice president of vulnerability intelligence with Risk Based Security (RBS), told Threatpost.

Security researchers looked at CVE details across the Top 50 software vendors and found that since 1999, Microsoft is the hands-down leader with 6,700 reported, followed by Oracle with 5,500 and IBM with 4,600.

“New software is being released at a faster rate than old software is being deprecated or discontinued,” Comparitech’s Paul Bischoff told Threatpost. “Given that, I think more software vulnerabilities are inevitable. Most of those vulnerabilities are identified and patched before they’re ever exploited in the wild, but more zero days are inevitable as well. Zero days are a much bigger concern than vulnerabilities in general.”

Source: Record Levels of Software Bugs Plague Short-Staffed IT Teams in 2020

Leave a Comment

U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers

The cybersecurity company said the attack compromised its software tools used to test the defenses of its thousands of customers.

“I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Kevin Mandia, the chief executive at FireEye and a former Air Force officer, said in a blog post published Tuesday. “The attackers tailored their world-class capabilities specifically to target and attack FireEye.”

The company said the attacker also accessed some internal systems and primarily sought information about government clients. FireEye said it has seen no evidence so far that data belonging to its customers had been compromised from the primary systems used to store it.

FireEye declined to comment on who it believed was behind the breach of its hacking tools, which experts said could potentially be leveraged in future attacks against its customer base, including a diverse array of U.S. and Western national-security agencies and businesses.

Source: U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers



FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State


Fireeye shares plunge after it says it was breached by suspected hackers

Leave a Comment

Hacker opens 2,732 PickPoint package lockers across Moscow

PickPoint says this is the world’s first targeted cyberattack against a post-gateway network.

The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg.

Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address.

Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app.

Source: Hacker opens 2,732 PickPoint package lockers across Moscow | ZDNet



A smart lockers terminal “PickPoint” in Moscow was hacked to unlock the storage boxes with goods




Leave a Comment

Open source vulnerabilities go undetected for over four years

GitHub has analyzed over 45,000 active directories and found that open source vulnerabilities often go undetected for more than four years.

Source: Open source vulnerabilities go undetected for over four years – Help Net Security



The State of Open Source Security Vulnerabilities



Resources for Searching and Analyzing Online Information


Advanced Sciences and Technologies for Security Applications

Leave a Comment

Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020

Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020

Purpose and Intent. In enacting this Act, It is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. The implementation of this Act shall be guided by the following principles:

Consumer Rights

  1. Consumers should know who is collecting their personal Information and that of their children, how it is being used, and to whom It is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children,
  2. Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal Information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
  3. Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another.
  4. Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
  5. Consumers should be able to exercise these rights without being penalized for doing so.
  6. Consumers should be able to hold businesses accountable for falling to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches.
  7. Consumers should benefit from businesses’ use of their personal information.
  8. The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act. It is the purpose and Intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023

Adds a right to opt out of automated decision-making technology, in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Opt-out right explicitly extends to sharing of PI used for cross-context behavioral advertising.

Strengthens opt-in rights for minors. Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.

For all inclusive details, download a pdf of THE CALIFORNIA PRIVACY RIGHTS ACT OF 2020 (Amendments to Version 3)



California Privacy Rights Act (CPRA): 10 Big Impacts on Your Business

Leave a Comment

List of data breaches and cyber attacks in November 2020 – 587 million records breached

We recorded 103 data breaches and cyber attacks in November, which accounted for 586,771,602 leaked records.

ITG recorded 103 cyber security incidents in November, which accounted for 586,771,602 leaked records.

The majority of those came from a credential-stuffing attack targeting Spotify and a data leak at the messaging app GO SMS Pro, which you can learn more about below.

Here is ITG complete list of November’s cyber attacks and data breaches.

Source: List of data breaches and cyber attacks in November 2020 – 587 million records breached – IT Governance UK Blog



Biggest Data Breaches of October 2020


Self-assessment to help you achieve your cybersecurity or information security goals. ITG is offering 15% off selected toolkits and self-assessment tools until December 4 to help you achieve your cybersecurity or information security goals. Use promo code THANKFUL at checkout to receive the offer

Leave a Comment

10 Best InfoSec Hacking Books

10 Best InfoSec Hacking Books

To download 10 Best InfoSec Hacking Books pdf

10 best InfoSec hacking books

 

To download 10 Best InfoSec Hacking Books pdf

 

Metsploit cheatsheet

Leave a Comment

Black Friday deal:

Get 68% off NordVPN + 3 months FREE

NordVPN’s Black Friday promotion is now live with 68% off a 2-year VPN subscription and an additional three months for free. This offer gives you a total of 27 months of VPN access for a monthly cost of $3.30!

NordVPN’s Black Friday promotion is now live with 68% off a 2-year VPN subscription and an additional three months for free. This offer gives you a total of 27 months of VPN access for a monthly cost of $3.30!

If you wish to stay anonymous on the Internet while browsing the web, streams movies or listen to music, then this NordVPN deal may be something that will interest you.

As part of this deal, you get a 27-month subscription to the NordVPN VPN service, which allows you to browse the Internet, send email, download files, or perform network requests anonymously.

 

Whether you want to explore a new topic, advance your career, or get a degree, you’ll find a place to start learning on edX. Choose from thousands of courses in over thirty subjects, all brought to you by the world’s best universities and industry leaders.

Use code CYBER2020 to save 20% on your next course or program purchase. https://lnkd.in/g_k_QHF

Image may contain: 1 person, text that says 'CYBER MONDAY edX Don't miss out! Save 20% on your purchase CODE: CYBER2020'

Your online bookshop with Free worldwide delivery.

Leave a Comment

Zero Trust architectures: An AWS perspective

Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question What are the optimal patterns to ensure the right level of confidentiality, integrity, and availability of my systems and data while increasing speed and agility? Increasingly, customers are asking specifically about how security architectural patterns that fall under the banner of Zero Trust architecture or Zero Trust networking might help answer this question.

Given the surge in interest in technology that uses the Zero Trust label, as well as the variety of concepts and models that come under the Zero Trust umbrella, we’d like to provide our perspective. We’ll share our definition and guiding principles for Zero Trust, and then explore the larger subdomains that have emerged under that banner. We’ll also talk about how AWS has woven these principles into the fabric of the AWS cloud since its earliest days, as well as into many recent developments. Finally, we’ll review how AWS can help you on your own Zero Trust journey, focusing on the underlying security objectives that matter most to our customers. Technological approaches rise and fall, but underlying security objectives tend to be relatively stable over time. (A good summary of some of those can be found in the Design Principles of the AWS Well-Architected Framework.)

Definition and guiding principles for Zero Trust

Let’s start out with a general definition. Zero Trust is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters. The zero in Zero Trust fundamentally refers to diminishing—possibly to zero!—the trust historically created by an actor’s location within a traditional network, whether we think of the actor as a person or a software component. In a Zero Trust world, network-centric trust models are augmented or replaced by other techniques—which we can describe generally as identity-centric controls—to provide equal or better security mechanisms than we had in place previously. Better security mechanisms should be understood broadly to include attributes such as greater usability and flexibility, even if the overall security posture remains the same. Let’s consider more details and possible approaches along the two dimensions.

Source: Zero Trust architectures: An AWS perspective | Amazon Web Services

SANS Webcast – Zero Trust Architecture

Leave a Comment

LidarPhone Attack Transforms Smart Vacuum Cleaners Into Spying Tools

LidarPhone attack targets the lidar sensors in smart vacuum cleaners transforming them into microphones to record sounds and eavesdrop.

Describing LidarPhone in brief, the researchers stated, The fundamental concept of LidarPhone lies in sensing such induced vibrations in household objects using the vacuum robot’s lidar sensor and then processing the recorded vibration signal to recover traces of sounds. This sensing method is inspired by the principles of laser microphones that use reflected laser beams to sense sounds from vibrating objects. Although laser mics require sophisticated setups, the rotating lidar sensors are equipped with at least a laser transmitter and reflection sensor. This enables the key possibility to transform a lidar into a microphone.

Source: LidarPhone Attack Transforms Smart Vacuum Cleaners Into Spying Tools

Leave a Comment

How does the Schrems II ruling affect your organization?

GDPR compliance got even more complicated this summer when the CJEU (European Court of Justice) ruled the EU–US Privacy Shield invalid.

Organizations that had relied on the framework for transatlantic data transfers have been scrambling for a solution – with even some multinationals unsure how to proceed.

If you’re among those trying to understand how the ruling affects your data transfer processes, then ITGP updated books can help.

EU General Data Protection Regulation (GDPR) – An implementation and compliance guide

This comprehensive guide covers:

  • DPO (data protection officer) requirements, including which organizations need a DPO and what DPOs do;
  • When organizations must conduct DPIAs (data protection impact assessments);
  • GDPR implementation FAQs;
  • Guidance on how to create data protection processes that are in line with best practices; and
  • An index of the GDPR.
EU General Data Protection Regulation (GDPR) – An implementation and compliance guide, fourth edition
 

       Buy now

EU GDPR – An international guide to compliance

Ideal for those trying to understand the essentials of GDPR compliance, EU GDPR – An international guide to compliance:

  • Explains the terms and definitions used in the GDPR;
  • Sets out the circumstances under which organizations may receive fines;
  • Shows how to meet your compliance requirements; and
  • Provides guidance on the technologies and documentation you can use to protect the personal data that you process.
EU GDPR – An international guide to compliance
 

       Buy now

Leave a Comment

Nearly Two Dozen AWS APIs Are Vulnerable to Abuse

Attackers can conduct identity reconnaissance against an organization at leisure without being detected, Palo Alto Networks says.

Nearly two dozen application programming interfaces (APIs) across 16 different Amazon Web Services offerings can be abused to allow attackers to obtain the roster and internal structure of an organization’s cloud account in order to launch targeted attacks against individuals.

All that a threat actor would require in order to carry out the attack is the target organization’s 12-digit AWS ID — something that is used and shared publicly — Palo Alto Networks said this week.

Source: Nearly Two Dozen AWS APIs Are Vulnerable to Abuse


Testing and Monitoring APIs on AWS – AWS Online Tech Talks




API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography.

Leave a Comment