Bug in Toyota, Honda, and Nissan Car App Let Hackers Unlock & Start The Car Remotely

The majority of major automobile manufacturers have addressed vulnerability issues that would have given hackers access to their vehicles to perform the following activities remotely:-

• Lock the car
• Unlock the car
• Start the engine
• Press the horn
• Flas the headlights
• Open the trunk of certain cars made after 2012
• Locate the car

Flaw in SiriusXM

SiriusXM, one of the most widely used connected vehicle platforms available on the market, has a critical bug in its platform that affects all major vehicle brands.

There is a particular interest among security researchers in the area of connected cars, like Yuga Labs’ Sam Curry. In fact, he’s the one who was responsible for discovering a security hole in the connected cars of major car manufacturers during his routine research.

More car hacking!

Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.

Here's how we found it, and how it works: pic.twitter.com/ul3A4sT47k

— Sam Curry (@samwcyo) November 30, 2022

There are a number of car manufacturers who use Sirius XM telematics and infotainment systems as a part of their vehicle technology.

Affected Car Brands

Here below we have mentioned the brands’ names that are affected due to this critical bug in SiriusXM:-

• Acura
• BMW
• Honda
• Hyundai
• Infiniti
• Jaguar
• Land Rover
• Lexus
• Nissan
• Subaru
• Toyota

Vulnerability Analysis

During the process of analyzing the data, it was found that there is a domain (http://telematics(.)net) that is used during the vehicle enrollment process for the remote management of Sirius XM.

The flaw is associated with the enrollment process for SiriusXM’s remote management functionality which results in the vehicle being tampered with.

There is not yet any technical information available about the findings of the researchers at the present time, since they haven’t shared anything in detail.

Upon further analysis of the domain, it becomes apparent that the Nissan Car Connected App is one of the most plentiful and frequently referenced apps in this domain.

In order for the data exchanged through the telematics platform to be authorized, the vehicle identification number (VIN) only needs to be used. The VIN of the vehicle can therefore be used to carry out a variety of commands by anyone who knows the number.

The next step would be to log in to the application later on, and then the experts examined the HTTPS traffic that came from a Nissan car owner.

Since exploiting this involved many steps, we took all of the requests necessary to exploit this and put it into a python script which only needed the victim's email address. After inputting this, you could then execute all commands on the vehicle and takeover the actual account. pic.twitter.com/Bz5G5ZvHro

— Sam Curry (@samwcyo) November 29, 2022

Researchers discovered one HTTP request during the scan in which they conducted a deep analysis. 

It is possible to obtain a bearer token return and a “200 OK” response by passing a VPN prefixed ID through as a customerID in the following way:-

Using the Authorization bearer in an HTTP request, researchers attempted to obtain information about the user profile of the victim and, as a result, they successfully retrieved the following information:-

• Name
• Phone number
• Address
• Car details

In addition to this, the API calls used by SiriusXM for its telematics services worked even if the user did not have an active subscription with SiriusXM.

As long as the developers or owners are not involved in the process of securing a vulnerable app, it is impossible to guarantee the security of that app. This is why they should be the only ones who can issue security updates and patches.

Recommendations

Here below we have mentioned the recommendations made by the security analysts:-

• Ensure that you do not share the VIN number of your car with unreliable third parties.
• In order to protect your vehicle from thieves, it is imperative to use unique passwords for each app connected to the vehicle.
• Keep your passwords up-to-date by changing them on a regular basis.
• Keeping your system up-to-date should be a priority for users.

The Car Hacker’s Handbook: A Guide for the Penetration Tester

Emotions-of-a-Social-Engineering-Attack-1

A New Linux Flaw Lets Attackers Gain Full Root Privilege

The Threat Research Unit at Qualys’ has revealed how a new Linux flaw tracked as (CVE-2022-3328),  may be combined with two other, seemingly insignificant flaws to gain full root rights on a compromised system.

The Linux snap-confine function, a SUID-root program installed by default on Ubuntu, is where the vulnerability is located.

The snap-confine program is used internally by snapd to construct the execution environment for snap applications, an internal tool for confining snappy applications.

Linux Flaw Let Attackers Gain Full Root Privilege

The newly discovered flaw, tracked as CVE-2022-3328, is a race condition in Snapd, a Canonical-developed tool used for the Snap software packaging and deployment system. 

The issue specifically affects the ‘snap-confine’ tool that Snapd uses to build the environment in which Snap applications are executed.

“In February 2022, Qualys Threat Research Unit (TRU) published CVE-2021-44731 in our “Lemmings” advisory. The vulnerability (CVE-2022-3328) was introduced in February 2022 by the patch for CVE-2021-44731).” reads the post published by Qualys.

“The Qualys Threat Research Unit (TRU) exploited this bug in Ubuntu Server by combining it with two vulnerabilities in multipathd called Leeloo Multipath (an authorization bypass and a symlink attack, CVE-2022-41974, and CVE-2022-41973), to obtain full root privileges”.

The CVE-2022-3328 weakness was chained by the researchers to two other flaws in Multipathd, a daemon responsible for looking for failed paths. Particularly, in several distributions’ default installations, including Ubuntu, Multipathd runs as root.

Two Vulnerabilities Impact Multipathd

• CVE-2022-41974 (CVSS 7.8) 

The device-mapper-multipath, when used alone or in conjunction with CVE-2022-41973, enables local users to gain root access. 

In this case, the access controls can be evaded and the multipath configuration can be changed by local users who have the ability to write to UNIX domain sockets.

This problem arises because using arithmetic ADD rather than bitwise OR causes a keyword to be incorrectly handled when repeated by an attacker. Local privilege escalation to root may result from this.

• CVE-2022-41973 (CVSS 7.0)

Together with CVE-2022-41974, the device-mapper-multipath enables local users to get root access. Further, due to improper symlink handling, local users with access to /dev/shm can modify symlinks in multipathd, which could result in controlled file writes outside of the /dev/shm directory. Hence, this could be used indirectly to elevate local privileges to the root.

Notably, any unprivileged user might get root access to a vulnerable device by chaining the Snapd vulnerability with the two Multipathd vulnerabilities.

“Qualys security researchers have verified the vulnerability, developed an exploit, and obtained full root privileges on default installations of Ubuntu,” Qualys said.

On Ubuntu default installations, Qualys security researchers have confirmed the vulnerability, developed an exploit and got full root access.

Although the vulnerability cannot be used remotely, the cybersecurity company issues a warning that it is unsafe because it can be used by an unprivileged user.

Mastering Linux Security and Hardening

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

 

Data of Israeli Employees from 29 Logistics Firms Sold Online

The 50GB worth of data is currently being sold on two clear web forums with a price tag of 1 BTC per database.

A group of hackers has posted a trove of approximately 50GB of data for sale on two online forums and a Telegram group. The data was posted on 26 and 27th November 2022. This was revealed to Hackread.com by researchers at VPNMentor.

A probe into the incident revealed that the data belonged to 29 Israeli transportation, logistics services and forwarding firms. Researchers believe that the hackers breached a software provider’s single point of failure, gained unauthorized access to these logistics firms’ supply chains, and exfiltrated a trove of personal data and shipping records.

50 GB of Israeli Firms’ Data on Sale

Hackers have posted the stolen data for sale. Visitors can buy a complete employee and customer information dataset from the targeted companies. The per-database rate is 1 BTC, which equals $17,000. An analysis of the graphics associated with these posts revealed that the data is part of a Black Friday Sale.

Previously, when some Israeli delivery firms were targeted in cyberattacks, the Israeli government’s cyber agencies named Iranian threat actors as the perpetrators. However, it is unclear if the same actors are responsible in this instance.

Details of Leaked Data

According to VPNMentor’s blog post, exposed data includes contract details and shipment information of the affected Israeli firms. The hackers have listed 1.1 million records for sale on different online forums. It seems like they have shared a small sample of data.

Whether 1 record represented 1 person or 1.1 million people were impacted in this data breach couldn’t be determined. The exposed information includes full names, addresses, and contact numbers.

Researchers were unsure whether the exposed addresses were work or home addresses. Customers’ exposed data includes full names and shipping details (sender and receiver’s addresses, number of packages, contact numbers, etc.).

Possible Dangers

These records can be exploited to intercept packages or blackmail/threaten courier firms’ employees into handing over valuable shipments. Threat actors can use personal data such as full names or contact details to target people with scams and phishing attacks.

Customers of these firms should be wary of suspicious SMS messages and calls and do not share personal information via phone. They should reveal sensitive data only to a trusted source only when necessary.

8 Reasons Why Enterprises Use Java

What is an enterprise application in java?

An enterprise application in Java is a software program whose backend was created with the help of the Java programming language. Java is an excellent choice for creating back-end functionality.

In addition, the use of Java microservices enables the creation of large-scale, complex but well-performing solutions, that’s why it is often chosen by enterprises that are dealing with large amounts of data and need to create multi-functional complex solutions for their business.

What is Java used for?

8 Reasons Why Enterprises Use Java

Essential Business Knowledge for InfoSec Professionals

The role of InfoSec professionals has morphed into a critical business function. One should expect getting involved in “business” discussion often, and at increasing higher levels of business structure up to board of directors. Understanding and speaking business language is more important than ever for the success of any InfoSec professionals. Knowing basic business lingo is also crucial for effective communication inside an organization.

Lack of basic business knowledge and common business terminology hinders success and progress. 

I have started creating a body of knowledge for basic business skills required for success of security professionals and elevating their status in the business hierarchy. Following are eight major domains of essential business knowledge for information security professionals.

• DOMAIN 1 – Essential Business Terminology for InfoSec Professionals
• DOMAIN 2 – Business Communication for InfoSec Professionals
• DOMAIN 3 – Funding Requests and Managing InfoSec Budget
• DOMAIN 4 – Working with Vendors and Partners
• DOMAIN 5 – Building Alliances, Collaboration to Advance InfoSec Goals
• DOMAIN 6 – Excellence in InfoSec Customer Service, Knowing and Serving Customers
• DOMAIN 7 – Creating Business Value with InfoSec
• DOMAIN 8 – General Soft Skills to Succeed as InfoSec Professional

what are major skill gaps?

ISACA published a report on “State of Cybersecurity 2022” in which they presented their findings on the global workforce. The most striking of all the findings is Figure 14 of the report showing major skill gaps among security professionals.

At the top of these skill gaps is “soft skills” that includes communications, flexibility, leadership and others. This is similar to what we have been talking about creating a body of knowledge for Core Cybersecurity Skills and Practices. Please see a screenshot of Figure 14 from the ISACA report (the report is available for download at https://www.isaca.org/go/state-of-cybersecurity-2022).

Business Knowledge for Cybersecurity Executives

CISOs in investment firms help fast-track cybersecurity startups

In this Help Net Security video, Frank Kim, CISO-in-Residence at YL Ventures, discusses the growing role of CISOs in investment firms and how their role as advisors helps drive cybersecurity startups.

Frank works closely with cybersecurity startup founders on ideation, product-market-fit, and value realization, on an in-house and regular basis.

He provides them with what can be considered an important perspective into the needs of modern CISOs, security teams, and businesses, and he specifically guides them on how to make security solutions provide business value at business speed, resolving the gap between business and tech latency.

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.

On 30th November, Google’s Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender under the guise of a custom cybersecurity solutions provider. 

In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chrome’s bug reporting program which brought to their attention the exploitation framework.

Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the app’s sandbox and run malware on the operating system.

Another one is used to deploy malicious PDF documents containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows).  The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits. 

In its report, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.

Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.

7 Steps to Removing Spyware

Zero-Trust-Essentials-eBook

Zero Trust Security: An Enterprise Guide

The CHRISTMA EXEC network worm – 35 years and counting!

Forget Sergeant Pepper and his Lonely Hearts Club Band, who taught the band to play a mere 20 years ago today.

December 2022 sees the 35th anniversary of the first major self-spreading computer virus – the infamous CHRISTMA EXEC worm that temporarily crushed the major mainframe networks of the day…

… not by any deliberately coded side-effects such as file scrambling or data deletion, but simply by leeching too much network bandwidth for its own unauthorised purpose.

As a decoy to disguise the fact that it read in the 1980s IBM equivalents of your email address book (NAMES) and your known-hosts file (NETLOG) in order to find as many new recipients of the malware as possible to send itself to, the malware displayed this:

                *               
                *               
               ***              
              *****             
             *******            
            *********           
          *************                A
             *******            
           ***********                VERY
         ***************        
       *******************           HAPPY
           ***********          
         ***************            CHRISTMAS
       *******************      
     ***********************         AND MY
         ***************        
       *******************         BEST WISHES
     ***********************    
   ***************************     FOR THE NEXT
             ******             
             ******                    YEAR
             ******

If you’re wondering why the virus is widely known as CHRISTMA EXEC, rather than by the full word CHRISTMAS…

…that’s because filenames were limited to eight characters, which could be followed by a space and what we would today call an “extension” of EXEC in order to turn them into scripts that could be run directly by the user – executed, in technical jargon.

The virus itself was written in IBM’s powerful text-based scripting language REXX (the resoundingly named Restructured Extended Executor), so a non-programmer looking at the message would probably recognise it as “program code”, and therefore tend to ignore it as unimportant and irrelevant, for all that it might look interesting.

Except that the author of the virus found a cheerful way to embed an instructional lure right into the code itself, which starts with a remark (as in the C language, text between /* and */ in REXX programs is treated as a comment and ignored when the file gets used)…

/*********************/
/*    LET THIS EXEC  */
/*                   */
/*        RUN        */
/*                   */
/*        AND        */
/*                   */
/*       ENJOY       */
/*                   */
/*     YOURSELF!     */
/*********************/

…and then offers the following cheery advice to non-techies:

/*  browsing this file is no fun at all
       just type CHRISTMAS from cms     */

CMS is short for Conversational Monitor System, a command prompt environment on top of IBM’s venerable VM/370 operating system and its many variants, which offered individual users a real-time virtual machine that behaved like a computer all of their own, with its own disk space for storing personal files and programs.

Handily, the user didn’t have to be taught to leave the final -S off the word CHRISTMAS, because CMS would automatically ignore any extra characters and hunt for CHRISTMA EXEC, which was the very script program that the user had just received without expecting it or asking for it.

As stated above, the code did indeed display the Christmas Tree ASCII art – or, more precisely, EBCDIC art, given that IBM famously had its own character encoding system known as Extended Binary Coded Decimal Interchange Code (pronounced ebb-si-dick).

But it also trawled through your NAMES and NETLOG files, which listed other users and computers you regularly contacted, and copied itself to all of them, so that for every user who innocently typed CHRISTMAS at the command prompt…

…a sea of copies of the virus (20? 50? 200?) would be distributed, potentially worldwide, and if any of those recipients (20? 50? 200?) innocently typed CHRISTMAS at the command prompt…

…a sea of copies of the virus would be distributed, and so on, and so on.

Shades of the future

As we said in this week’s podcast, where we discussed this seminal worm:

[This is j]ust like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It’s much easier that way.”

35 years ago, malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.

Detection of Network Worm to Eliminate Security Threats in MANET: Wormhole Attack and its Challenges

10 Best Vulnerability Scanning Tools For Penetration Testing – 2023

A Vulnerability Scanning Tool is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.

The Vulnerability scanning tools help in detecting security loopholes in the application, operating systems, hardware, and network systems.

Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.

What does a Vulnerability Scanner do?

Vulnerability scanners are one right way to do this, with their continuous and automated scanning procedures they can scan the network for potential loopholes.

It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.

Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.

In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.

What are the Three types of Vulnerability Scanners?

This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.

Following are the types of vulnerability scanners

• Discovery Scanning
• Full Scanning
• Compliance Scanning

What is an example of a Vulnerability Scanner?

The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online

In this article, we’ll take a look at the top 10 best vulnerability scanning tools available in the market.

10 Best Vulnerability Scanner Tools

Vulnerability Scanner	Key Features
OpenVAS Vulnerability Scanner	Custom Scan Configuration Targeted IP Address Task Naming Authorized (credentialed) Scans Scheduling scans
Tripwire IP360	Flexible Scanning Full Network Discovery Vulnerability Risk Scoring Asset Discovery
Nessus vulnerability scanner	Target Profiling Sensitive data discovery Malware Detection PCI DSS requirements Vulnerability scanning
Comodo HackerProof	Daily Vulnerability Scanning Web-based Management Tool PCI Scanning Tools
Nexpose community	Real Risk Score Integration with Metasploit Powerful Reporting Adaptive Security
Vulnerability Manager Plus	Customization of Patches to Application Detecting zero-day vulnerabilities Audit end-of-life software Security recommendations
Nikto	Support for Proxy with authentication Cookies Support Username Enumeration Outdated component report
Wireshark	Live capture and offline analysis Deep inspection of protocols VoIP analysis Read/write Capture file Coloring rules
Aircrack-ng	Analyzing WiFi networks for weaknesses Capture and injection of WiFi cards Sniff wireless packets Recover lost keys
Retina network security scanner	Discover the Full network Environment Identify Application Flaw Analyze threats and gain security intelligence

10 Best Vulnerability Scanning Tools 2023

1. OpenVAS Vulnerability Scanner
2. Tripwire IP360
3. Nessus vulnerability scanner
4. Comodo HackerProof
5. Nexpose community
6. Vulnerability Manager Plus
7. Nikto
8. Wireshark
9. Aircrack-ng
10. Retina network security scanner

for more details on these vulnerability scanning tools

Checkout latest books on Vulnerability Scanning Tools

As organizations begin to address the risks of an increasingly complex digital landscape, they are recognizing that cybersecurity challenges are compounded by a lack of available talent and skills to mount a necessary defense. The digital skills shortage in the U.S. is at a critical point, highlighting a need for increased investment in workforce training. The Biden White House recently said that roughly 700,000 cyber-defense-related positions nationally are unfilled.

Clearly, CISOs and leaders across the C-suite are focused on the challenge, and many are investing heavily in shoring up gaps in their cybersecurity approach. In an age when a cyberattack can be an existential threat to any organization, cybersecurity engineers will serve as the first responders to such threats.

But organizations are struggling to fill these roles. Cyber professionals face ever-increasing pressure to keep up with more sophisticated and complex threats. The burnout in the profession is significant. What’s more, there hasn’t been a good understanding of the variety of jobs that there are in cybersecurity, and the various skills that can be leveraged for those jobs.

What complicates the effort to fill these roles are the demands placed on them. A strong cybersecurity professional must have advanced skills and experience in the following: meeting the immediate needs of securing the enterprise while also satisfying regulators and compliance officials; keeping a close eye on protections for customers and their personal data; and, if an incident occurs, navigating those interactions and coordinating with law enforcement. These are skills rarely found together.

In fact, not only is there a challenge in filling day-to-day roles within the cybersecurity portfolio, there is also a leadership gap. Many highly skilled cybersecurity professionals avoid taking leadership positions in the field precisely because they do not feel prepared to take on these multivariate tasks.

The solution rests in a two-pronged approach.

#1. Leverage cybersecurity frameworks and automation.

Organizations need to reduce the demand on crisis cyber defense by deploying automated platforms and technologies, such as zero trust security, to screen out threats and examine their entire value chain — including suppliers, vendors and others who may be the source of the greatest potential risks. As part of this effort, trained cybersecurity professionals should be deployed during the software development lifecycle and across business processes so that security and protections can be embedded by design rather than bolted on later.

#2. Migrate cybersecurity to the cloud.

https://www.securitymagazine.com/articles/98664-strategies-for-closing-the-cybersecurity-skills-and-leadership-gap

Navigating the Cybersecurity Career Path

On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.

ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.

The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex A’s controls include patch management, antivirus and access control. It’s worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.

Why is ISO 27001 being updated?

It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape. 

With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.

Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.

In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.

How can ISO 27001 certification benefit your business?

Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.

Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.

Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.

In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.

There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.

Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.

Overcoming the challenge of ISO 27001 certification

A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.

While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:

• Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
• Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.

Next steps toward a successful future

While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.

It’s also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standard’s publication before ISO 27001:2013 is fully retired.

Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.

Source: https://wordpress.com/read/blogs/126020344/posts/2830377

ISO 27001 Risk Assessment and Gap Assessment

ISO 27001 Compliance and Certification

Best practices for implementing a company-wide risk analysis program

The associated risk management programs are also constantly evolving, and that’s likely due to outside influences such as client contract requirements, board requests and/or specific security incidents that require security teams to rethink and strengthen their strategy. Not surprisingly, CISO’s today face several dilemmas: How do I define the business impact of a cyber event? How much will it cost to protect our company’s most valuable assets? Which investments will make the business most secure? How do we avoid getting sidetracked by the latest cyber breach headline?

A mature risk analysis program can be thought of as a pyramid. Customer-driven framework compliance forms the base (PCI/ISO frameworks required for revenue generation); then incident-driven infrastructure security in the middle (system-focused security based on known common threats and vulnerabilities); with analysis-driven comprehensive coverage at the pinnacle (identification of assets, valuations, and assessment of threat/vulnerability risk).

How do you kickstart that program? Here are five steps that I’ve found effective for getting risk analysis off the ground.

Determine enterprise-specific assets

The first step is determining what is critical to protect. Unlike accounting assets (e.g., servers, laptops, etc.), in cybersecurity terms this would include things that are typically of broader business value. Often the quickest path is to talk with the leads for different departments. You need to understand what data is critical to the functioning of each group, what information they hold that would be valuable to competitors (pricing, customers, etc.) and what information disclosures would hurt customer relationships (contract data, for instance).

Also assess whether each department handles trade secrets, or holds patents, trademarks, and copyrights. Finally, assess who handles personally identifiable information (PII) and whether the group and its data are subject to regulatory requirements such as GDPR, PCI DSS, CCPA, Sarbanes Oxley, etc.

When making these assessments, keep three factors in mind: what needs to be safe and can’t be stolen, what must remain accessible for continued function of a given department or the organization, and what data/information must be reliable (i.e., that which can’t be altered without your knowledge) for people to do their jobs.

Value the assets

Once you’ve identified these assets, the next step is to attach a value. Again, I make three recommendations: keep it simple, make (informed) assumptions, and err on the side of overestimating. The reason for these recommendations is that completing a full asset valuation for an enterprise would take years and wouldn’t ever be finished (because assets constantly change).

Efficient risk analysis requires a more practical approach that uses broad categories, which can then be prioritized to understand where deeper analysis is needed. For instance, you might use the following categories, and assign values based on informed assumptions:

• Competitive advantage – the items/processes/data that are unique to your company and based on experience. These are items that would be of value to a competitor to build on. To determine value, consider the cost of growing a legitimate competitor in your dominant market from scratch, including technology and overhead.
• Client relationships – what directly impacts customer relationships, and therefore revenue. This includes “availability” impacts from outages, SLAs, etc. Value determination will likely be your annual EBIT goal, and impact could be adjusted by a Single Loss Exposure.
• Third-party partnerships – relating to your ability to initiate, maintain or grow partner networks, such as contractors, ISPs or other providers. When valuing, consider the employee labor cost needed to recruit and maintain those partners.
• Financial performance – items that impact your company’s ability to achieve financial goals. Again, valuation might equate to annual EBIT.
• Employee relations – the assets that impact your ability to recruit and retain employees. Valuation should consider the volume of potential losses and associated backfill needs, including base salaries, bonuses, benefit equivalencies, etc.

Determine relevant threats, assess vulnerability, and identify exposures

When it comes to analyzing risk from threats, vulnerabilities and exposures, start with the common security triad model for information security. The three pillars – Confidentiality, Integrity and Availability (CIA) – help guide and focus security teams as they assess the different ways to address each concern.

Confidentiality touches on data security and privacy; it entails not only keeping data safe, but also making sure only those who need access, have it.

Integrity reflects the need to make sure data is trustworthy and tamper-free. While data accuracy can be compromised by simple mistakes, what the security team is more concerned with is intentional compromise that’s designed to harm the organization.

Availability is just what it sounds like – making sure that information can be accessed where and when needed. Availability is an aspect of the triad where security teams need to coordinate closely with IT on backup, redundancy, failover, etc. That said, it also involves everything from secure remote access to timely patches and updates to preventing acts of sabotage like denial of service or ransomware attacks.

In undertaking this part of the risk assessment, you’re using this security triad to determine threats, and then identifying exposure and assessing vulnerability to better estimate both the potential impact and probability of occurrence. Once these determinations are made, you’re ready for the next step.

Define risk

AV = assigned Asset Value (quantitative/qualitative) as identified above.
EF = the Exposure Factor, a subjective assessment of the potential percentage loss to the asset if a specific threat is realized. For example, an asset may be degraded by half, giving an EF of 0.50.

From this we can calculate the Single Loss Expectancy (SLE) – the monetary value from one-time risk to an asset – by multiplying AV and EF. As an example, if the asset value is $1M, and the exposure factor from a threat is a 50% loss (0.50) then the SLE will be $500,000.

Risk definition also takes this one step further by using this SLE and multiplying it by a potential Annualized Rate of Occurrence (ARO) to come up with the Annualized Loss Expectancy (ALE). This helps us understand the potential risk over time.

When working through these figures, it’s important to recognize that potential loss and probability of occurrence are hard to define, and thus the potential for error is high. That’s why I encourage keeping it simple and overestimating when valuing assets – the goal is to broadly assess the likelihood and impact of risk so that we can better focus resources, not to get the equations themselves perfectly accurate.

Implement and monitor safeguards (controls)

Now that we have a better handle on the organizational risks, the final steps are more familiar territory for many security teams: implementing and monitoring the necessary and appropriate controls.

You’re likely already very familiar with these controls. They are the countermeasures – policies, procedures, plans, devices, etc. – to mitigate risk.

Controls fall into three categories: preventative (before an event), detective (during) and corrective (after). The goal is to try to stop an event before it happens, quickly react once it does, and efficiently get the organization back on its feet afterward.

Implementing and monitoring controls are where the rubber hits the road from a security standpoint. And that’s the whole point of the risk analysis, so that security professionals can best focus efforts where and how appropriate to mitigate overall organizational risk.

Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

What is an Identity Verification Service and How Does it Work?

In an increasingly technologically-based world, being certain of precisely who you are speaking to or doing business with can be tricky. Identity verification is an important step in most online transactions that concern money or sensitive information and services, but it can also be used during recruitment processes as a part of a background check. 

This article will explain what an identity verification service is, why they are useful, and how they work.

What is an Identity Verification Service?

An identity verification service is a process by which the information and identity provided by an individual is investigated and found to be true or false. These comprehensive online services are based on the traditional identity verification processes used in banks and other financial institutions when new accounts are opened. 

Technological services are more robust and comprehensive in their verification methods, however. The point of this process is to check and verify that the person applying for an account or service is being honest and upfront about who they are.

Why Use an Identity Verification Service?

While you can find arrest history with a universal background check (as well as other crucial information), the ability to complete a background check of any kind requires correct information about an individual.

Using an identity verification service enables you to confirm that you are performing a background check on, or providing a service to, a person who is identifying themselves correctly. This ensures that the information you receive from a check is correct and connected to the person you are dealing with.

There are other reasons to use such a service, however. For example, if you run a business with an online component identity verification at login, it’s important for data protection purposes. 

Identity verification is also an important part of risk management for most businesses and can help you to avoid fines and legal issues, reduce the risk of fraud, and help you to meet regulatory requirements while showing due diligence.

How Do Identity Verification Services Work?

Digital identity verification services collect and verify personal data and information, usually at the point of account access or onboarding to a new service, by checking it against reputable sources. There are different approaches to this process:

• Data-oriented digital verification
• Traditional, document-based digital identity verification

In most cases, data-based identity verification is sufficient, especially for platforms such as online shopping or online lottery ticket purchases. In these cases, the service provider or business may request information such as your date of birth, full name, or national ID/social security number. 

For financial services, such as banking or personal loan applications, however, digital document-based verification is usually required. In these cases, the institution or business you are dealing with may request copies or pictures of official documents, such as your driver’s license or birth certificate.

Whichever method of identity verification a company or institution undertakes, the process of verification is the same. The documents or data provided will be checked against trusted sources to ensure that all details match perfectly. When there are no issues, this is a very quick process that should take no more than a few minutes.

What Happens When An Identity Check Fails?

So, what happens when the identity verification process fails? What are the secondary processes, and what are the repercussions when information is found to be false? There are a number of potential issues that can cause queries or failures in the identity verification process. The most common are:

• Typos or spelling errors.
• Out-of-date documentation.
• Obscured or damaged documentation.
• Poor image quality regarding documentation.

In most cases, the first reaction of a company will be to query the details that do not match or request that documentation be re-sent. If all is in order, they may proceed to a positive verification, but it is also common for companies to ask for secondary or supporting information or documents in these cases.

If issues cannot be resolved and it is impossible to verify the identity of a person, there are two possibilities. Firstly, and in most cases, services will be denied to the applicant on the basis of failed identity verification.

In some cases, however, more robust action may be taken. For example, trying to open a bank account under a false name is a legal offense and financial institutions may see fit to hand information over to the authorities. 

What’s Amazon Rekognition Identity Verification | Amazon Web Services

Identity Attack Vectors: Implementing an Effective Identity and Access Management Solution

Nearly 500 million WhatsApp User Records Sold Online

The 2022 database is said to contain WhatsApp user data from 84 countries with Egypt having the largest chunk of stolen phone numbers.

In what is becoming a rather common trend, a threat actor is claiming to sell 487 million WhatsApp users’ mobile phone numbers on a popular hacking community forum which surfaced as an alternative to popular and now-sized Raidforums.

The 2022 database is said to contain WhatsApp user data from 84 countries with Egypt having the largest chunk of stolen phone numbers (45 million), Italy with 35 million, and the US with 32 million. 

The complete list of countries is included in the original report by Cybernews which also contains the exact amount of numbers up for sale. According to the threat actor, they are willing to sell the US dataset for $7000, the UK one for $2500, and the German one for $2000. 

Upon being requested, the threat actor also shared a sample of data with researchers who then confirmed that the numbers included in the sample were in fact WhatsApp users. The exact sample contained 1097 UK and 817 US mobile numbers. 

The seller did not reveal their process for obtaining the database and simply said they “used their strategy” to collect the data. Whatever the method used, the damage that can be caused by this leakage should not be taken lightly.

Such data is readily bought by attackers to use for smishing and vishing attacks. It is advised that you cautiously interact with unknown calls, unsolicited calls, and messages. Impersonation and fraud are also common worries associated with mobile number leakage. 

Meta has refused to comment on this for now, while in their report, Cybernews speculates that this information could have been obtained by harvesting information at scale, also known as scraping, which violates WhatsApp’s Terms of Service. 

However, Hackread.com can confirm that, at the time of writing, the listing was deleted from the hacker forum. Another listing was published in which another threat actor is claiming to sell details of WhatsApp users.

Unfriended: Dark Web

5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security. CISA is in charge of enhancing cybersecurity and infrastructure protection at all levels of government, coordinating cybersecurity initiatives with American U.S. states, and enhancing defenses against cyberattacks.

To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services.

Cyber Hygiene Vulnerability Scanning

You can register for this service by emailing vulnerability@cisa.dhs.gov. Scanning will start within 3 days, and you’ll begin receiving reports within two weeks. Once initiated, this service is mostly automated and requires little direct interaction.

Cybersecurity Evaluation Tool (CSET)

This tool provides organizations with a structured and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

Checklist for implementing cybersecurity measures

This document outlines four goals for your organization:

• Reducing the likelihood of a damaging cyber incident
• Detecting malicious activity quickly
• Responding effectively to confirmed incidents
• Maximizing resilience.

Known Exploited Vulnerabilities (KEV) Catalog

The KEV Catalog enables you to identify known software security flaws. You can search for software used by your organization and, if it’s found, update it to the most recent version in accordance with the vendor’s instructions.

Malcolm network traffic analysis tool suite

Malcolm is comprised of several widely used open source tools, making it an attractive alternative to security solutions requiring paid licenses.

The tool accepts network traffic data in the form of full packet capture (PCAP) files and Zeek logs. Visibility into network communications is provided through two interfaces: OpenSearch Dashboards, a data visualization plugin with dozens of prebuilt dashboards providing an at-a-glance overview of network protocols; and Arkime, a tool for finding and identifying the network sessions comprising suspected security incidents. All communications with Malcolm, both from the user interface and from remote log forwarders, are secured with industry standard encryption protocols.

Malcolm operates as a cluster of Docker containers, isolated sandboxes which each serve a dedicated function of the system.

Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence

How to hack an unpatched Exchange server with rogue PowerShell code

ust under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange.

As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082:

[were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself.

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

The first vulnerability was reminiscent of the troublesome and widely-abused ProxyShell security hole from back in August 2021, because it relied on dangerous behaviour in Exchange’s Autodiscover feature, described by Microsoft as a protocol that is “used by Outlook and EAS [Exchange ActiveSync] clients to find and connect to mailboxes in Exchange”.

Fortunately, the Autodiscover misfeature that could be exploited in the ProxyShell attack by any remote user, whether logged-in or not, was patched more than a year ago.

Unfortunately, the ProxyShell patches didn’t do enough to close off the exploit to authenticated users, leading to the new CVE-2022-40140 zero-day, which was soon laconically, if misleadingly, dubbed ProxyNotShell.

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

Not as dangerous, but dangerous nevertheless

How to improve secure coding education

Did you know that not one of the top 50 undergraduate computer science programs in the U.S. requires a course in code or application security for majors? Yet the threatscape is only expanding.

A recent report by Security Journey reveals the gap left by academia when developers are being trained to write code, and the ways in which the current state of security awareness can evolve into continuous, programmatic, and more effective education. Other key suggestions from the discussion include:

• Investment should be driven down from the top of organizations
• Training must be relevant to each professional
• Collaboration between industry and academia is needed

In this Help Net Security video, Jason Hong, Professor at Carnegie Mellon University, discusses the steps both industry and academia can take to improve application security knowledge and secure coding education.

Building Secure and Reliable Systems

How social media scammers buy time to steal your 2FA codes

Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.

As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:

• Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can’t put in anything for you automatically if they’re faced with a website they’ve never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name that’s close enough be almost indistinguishable to the human eye, the password manager won’t be fooled because it’s typically looking out for the URL, the whole URL, and nothing but the URL.
• With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA system typically work once only, whether they’re sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely “prove” they are you.

Unfortunately, these precautions can’t immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…

…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there’s anything phishy going on.

Even worse, the crooks will often aim to create what we like to call a “soft dismount”, meaning that they create a believable visual conclusion to their phishing expedition.

This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.

Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.

The short but winding road

Here’s a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.

The scammers:

• Pretend that your own Facebook page violates Facebook’s terms of use. The crooks warn that this could to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether they’re specifically concerned about Twitter or not:

more details: How social media scammers buy time to steal your 2FA codes