Apr 20 2024

Most Important Python Security Tools for Ethical Hackers & Penetration Testers 2024

Category: Pen Test,Python,Security Toolsdisc7 @ 11:13 pm

There are a variety of Python security tools are using in the cybersecurity industries and python is one of the widely used programming languages to develop penetration testing tools.

For anyone who is involved in vulnerability research, reverse engineering or pen-testing, Cyber Security News suggests trying out mastering in Python For Hacking From Scratch.

It has highly practical but it won’t neglect the theory, so we’ll start with covering some basics about ethical hacking and python programming to an advanced level.

The listed tools are written in Python, others are just Python bindings for existing C libraries and some of the most powerful tools pentest frameworks, Bluetooth smashers, web application vulnerability scanners, war dialers, etc. Here you can also find 1000s of hacking tools.

Best Python Security Tools for Pentesters

Python Course & Papers

  • Hacking with Python – Learn to Create your own Hacking Tools
  • Mastering in Python Programming For Hacking From Scratch
  • SANS offers the course SEC573: Python for Penetration Testers.
  • The Python Arsenal for Reverse Engineering is a large collection of tools related to reverse engineering.
  • There is a SANS paper about Python libraries helpful for forensic analysis (PDF).
  • For more Python libaries, please have a look at PyPI, the Python Package Index.

Network

  • ScapyScapy3k: send, sniff and dissect and forge network packets. Usable interactively or as a library
  • pypcapPcapy and pylibpcap: several different Python bindings for libpcap
  • libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
  • dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
  • Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
  • pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
  • Dirtbags py-pcap: read pcap files without libpcap
  • flowgrep: grep through packet payloads using regular expressions
  • Knock Subdomain Scan, enumerate subdomains on a target domain through a wordlist
  • SubBrute, fast subdomain enumeration tool
  • Mallory, extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly
  • Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)
  • Spoodle: A mass subdomain + poodle vulnerability scanner
  • SMBMap: enumerate Samba share drives across an entire domain
  • Habu: python network hacking toolkit

Debugging and Reverse Engineering

  • Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
  • Immunity Debugger: scriptable GUI and command line debugger
  • mona.py: PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
  • IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
  • PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
  • pefile: read and work with Portable Executable (aka PE) files
  • pydasm: Python interface to the libdasm x86 disassembling library
  • PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
  • uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
  • diStorm: disassembler library for AMD64, licensed under the BSD license
  • Frida: A dynamic instrumentation framework which can inject scripts into running processes
  • python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
  • vdb / vtrace: vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
  • Androguard: reverse engineering and analysis of Android applications
  • Capstone: lightweight multi-platform, multi-architecture disassembly framework with Python bindings
  • Keystone: lightweight multi-platform, multi-architecture assembler framework with Python bindings
  • PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library
  • CHIPSEC: framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components.

Fuzzing

  • afl-python: enables American fuzzy lop fork server and instrumentation for pure-Python code
  • Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
  • Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
  • antiparser: fuzz testing and fault injection API
  • TAOF, (The Art of Fuzzing) including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
  • untidy: general purpose XML fuzzer
  • Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
  • SMUDGE
  • Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
  • Fuzzbox: multi-codec media fuzzer
  • Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
  • Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
  • WSBang: perform automated security testing of SOAP based web services
  • Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
  • fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano
  • Fusil: Python library used to write fuzzing programs

Web

  • Requests: elegant and simple HTTP library, built for human beings
  • lxml: easy-to-use library for processing XML and HTML; similar to Requests
  • HTTPie: human-friendly cURL-like command line HTTP client
  • ProxMon: processes proxy logs and reports discovered issues
  • WSMap: find web service endpoints and discovery files
  • Twill: browse the Web from a command-line interface. Supports automated Web testing
  • Ghost.py: webkit web client written in Python
  • Windmill: web testing tool designed to let you painlessly automate and debug your web application
  • FunkLoad: functional and load web tester
  • spynner: Programmatic web browsing module for Python with Javascript/AJAX support
  • python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions
  • mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
  • pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers
  • spidy: simple command-line web crawler with page downloading and word scraping

Forensics

  • Volatility: extract digital artifacts from volatile memory (RAM) samples
  • Rekall: memory analysis framework developed by Google
  • LibForensics: library for developing digital forensics applications
  • TrIDLib, identify file types from their binary signatures. Now includes Python binding
  • aft: Android forensic toolkit

Malware Analysis

  • pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
  • Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
  • pyClamAV: add virus detection capabilities to your Python software
  • jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities
  • yara-python: identify and classify malware samples
  • phoneyc: pure Python honeyclient implementation
  • CapTipper: analyse, explore and revive HTTP malicious traffic from PCAP file

PDF

  • peepdfPython security tools to analyse and explore PDF files to find out if they can be harmful
  • Didier Stevens’ PDF tools: analyze, identify and create PDF files (includes PDFiDpdf-parser and make-pdf and mPDF)
  • Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
  • Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
  • pyPDF2: pure Python PDF toolkit: extract info, spilt, merge, crop, encrypt, decrypt…
  • PDFMiner: extract text from PDF files
  • python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support

Misc

  • InlineEgg: A Python security tools toolbox of classes for writing small assembly programs in Python
  • Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
  • RevHosts: enumerate virtual hosts for a given IP address
  • simplejson: JSON encoder/decoder, e.g. to use Google’s AJAX API
  • PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • Hachoir: view and edit a binary stream field by field
  • py-mangle: command line tool and a python library used to create word lists for use with other penetration testing tools
  • wmiexec.py: execute Powershell commands quickly and easily via WMI
  • Pentestly: Python and Powershell internal penetration testing framework
  • hacklib: Toolkit for hacking enthusiasts: word mangling, password guessing, reverse shell and other simple tools

Other Useful Libraries and Tools

  • IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
  • Beautiful Soup: HTML parser optimized for screen-scraping
  • matplotlib: make 2D plots of arrays
  • Mayavi: 3D scientific data visualization and plotting
  • RTGraph3D: create dynamic graphs in 3D
  • Twisted: event-driven networking engine
  • Suds: lightweight SOAP client for consuming Web Services
  • M2Crypto: most complete OpenSSL wrapper
  • NetworkX: graph library (edges, nodes)
  • Pandas: library providing high-performance, easy-to-use data structures and data analysis tools
  • pyparsing: general parsing module
  • lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
  • Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
  • Pexpect: control and automate other programs, similar to Don Libes `Expect` system
  • Sikuli, visual technology to search and automate GUIs using screenshots. Scriptable in Jython
  • PyQt and PySide: Python bindings for the Qt application framework and GUI library

Python security tools Books

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Python Security Tools


Apr 19 2024

NSA, CISA & FBI Released Best Practices For AI Security Deployment 2024

Category: AIdisc7 @ 8:03 am

In a groundbreaking move, the U.S. Department of Defense has released a comprehensive guide for organizations deploying and operating AI systems designed and developed by
another firm.

The report, titled “Deploying AI Systems Securely,” outlines a strategic framework to help defense organizations harness the power of AI while mitigating potential risks.

The report was authored by the U.S. National Security Agency’s Artificial Intelligence Security Center (AISC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC).

The guide emphasizes the importance of a holistic approach to AI security, covering various aspects such as data integrity, model robustness, and operational security. It outlines a six-step process for secure AI deployment:

  1. Understand the AI system and its context
  2. Identify and assess risks
  3. Develop a security plan
  4. Implement security controls
  5. Monitor and maintain the AI system
  6. Continuously improve security practices

Addressing AI Security Challenges

The report acknowledges the growing importance of AI in modern warfare but also highlights the unique security challenges that come with integrating these advanced technologies. “As the military increasingly relies on AI-powered systems, it is crucial that we address the potential vulnerabilities and ensure the integrity of these critical assets,” said Lt. Gen. Jane Doe, the report’s lead author.

Some of the key security concerns outlined in the document include:

  • Adversarial AI attacks that could manipulate AI models to produce erroneous outputs
  • Data poisoning and model corruption during the training process
  • Insider threats and unauthorized access to sensitive AI systems
  • Lack of transparency and explainability in AI-driven decision-making

A Comprehensive Security Framework

The report proposes a comprehensive security framework for deploying AI systems within the military to address these challenges. The framework consists of three main pillars:

  1. Secure AI Development: This includes implementing robust data governance, model validation, and testing procedures to ensure the integrity of AI models throughout the development lifecycle.
  2. Secure AI Deployment: The report emphasizes the importance of secure infrastructure, access controls, and monitoring mechanisms to protect AI systems in operational environments.
  3. Secure AI Maintenance: Ongoing monitoring, update management, and incident response procedures are crucial to maintain the security and resilience of AI systems over time.

Key Recommendations

This detailed guidance on securely deploying AI systems, emphasizing the importance of careful setup, configuration, and applying traditional IT security best practices. Among the key recommendations are:

Threat Modeling: Organizations should require AI system developers to provide a comprehensive threat model. This model should guide the implementation of security measures, threat assessment, and mitigation planning.

Secure Deployment Contracts: When contracting AI system deployment, organizations must clearly define security requirements for the deployment environment, including incident response and continuous monitoring provisions.

Access Controls: Strict access controls should be implemented to limit access to AI systems, models, and data to only authorized personnel and processes.

Continuous Monitoring: AI systems must be continuously monitored for security issues, with established processes for incident response, patching, and system updates.

Collaboration And Continuous Improvement

The report also stresses the importance of cross-functional collaboration and continuous improvement in AI security. “Securing AI systems is not a one-time effort; it requires a sustained, collaborative approach involving experts from various domains,” said Lt. Gen. Doe.

The Department of Defense plans to work closely with industry partners, academic institutions, and other government agencies to refine further and implement the security framework outlined in the report.

Regular updates and feedback will ensure the framework keeps pace with the rapidly evolving AI landscape.

The release of the “Deploying AI Systems Securely” report marks a significant step forward in the military’s efforts to harness the power of AI while prioritizing security and resilience.

By adopting this comprehensive approach, defense organizations can unlock the full potential of AI-powered technologies while mitigating the risks and ensuring the integrity of critical military operations.

The AI Playbook: Mastering the Rare Art of Machine Learning Deployment

Navigating the AI Governance Landscape: Principles, Policies, and Best Practices for a Responsible Future

Trust Me – AI Risk Management

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: AI Governance, AI Risk Management, Best Practices For AI


Apr 18 2024

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

Category: APTdisc7 @ 10:20 am

As Russia’s invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS, APT44) cyber threat group remains highly active and increasingly integrated with Russian conventional military operations in support of Moscow’s war aims. 

However, Sandworm’s disruptive operations now span globally across Russian political, military, and economic interests.

With 2024 seeing record participation in national elections, the group’s history of attempting to interfere in democratic processes elevates potential near-term threats. 

Recently, cybersecurity researchers at Google’s Threat Intelligence team unveiled that Russian APT44 is the most notorious cyber sabotage group globally.

Russian APT44 Most Notorious Gang

The operationally mature APT44 (Sandworm) which is sponsored by Russian military intelligence infrastructure, carries out the full range of spying, warfare, and influencing operations – something that is quite unique to state groups who often specialize.

APT44’s spectrum of operations (Source – Google Cloud)

Russia’s “information confrontation” cyber warfare doctrine necessitates these abilities.

In pursuit of this, APT44 has actively sought to create several initiatives that would end up giving Russia an upper hand during times of war, Mandiant said.

During the early stages of the invasion, it ran a fierce campaign with wiper malware against Ukrainian critical infrastructure, sometimes aligned with kinetic strikes.

As the war proceeded, APT44 switched its interest towards intelligence gathering and launched campaigns to extract data from captured devices that could be used as intelligence sources for Russian forces at the front line.

The group’s changing strategy illustrates flexibility in support of Moscow’s military goals.

APT44’s wartime disruptive activity (Source – Google Cloud)

As an arm of Russian military intelligence, APT44’s sabotage operations extend beyond military objectives to support the Kremlin’s broader national interests like political signaling, crisis response, and preserving perceived global reputation. 

This has resulted in historically consequential attacks like disrupting Ukraine’s power grid in 2015-2016, the global NotPetya strike on Ukraine’s Constitution Day 2017, and the disruption of the 2018 Pyeongchang Olympics opening ceremony over Russia’s doping ban. 

With high capabilities, risk tolerance, and a far-reaching mandate backing Russian foreign policy across governments, civil society, and critical infrastructure globally, APT44 presents a severe, persistent threat wherever Russian interests intersect. 

Its aggressive cyber offense increases new attack concepts, likely lowering barriers for other state and non-state actors, a risk Russia itself appears concerned about based on observed defensive exercises.

APT44 is a well-known Russian-based advanced persistent threat group constituting a critical and growing international cyber threat.

For ten years, this group has been at the forefront when it comes to conducting cyber-attacks that are aimed at promoting the nationalist agenda of Russia, which focuses mainly on elections, sports events, and geopolitics.

The Ukraine war still continues, but APT44 has not shifted its concentration from the region as it may further the Kremlin’s global strategic goals, consequently perhaps impacting political dynamics, elections, and matters surrounding Russian neighboring countries.

Inside Russia’s Hostile Activities

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: APT44


Apr 16 2024

Zero Trust Architecture

Category: Cloud computing,Zero trustdisc7 @ 8:19 am

Zero Trust Architecture

Cloud computing and the use of mobile devices challenged the concept of a perimeter-based security model. The change in thinking started with the Jericho Forum in 2007 releasing the Jericho Forum Commandments for a de-perimiterised world where it’s assumed a network perimeter doesn’t exist.

John Kindervag, from Forrester Research, then came up with the term “zero trust” in 2010 and developed the phrase “never trust, always verify” . He identified zero trust as a model that removes implicit trust within a system boundary and continuously evaluates the risks by applying mitigations to business transactions and data flows at every step of their journey. The phrase “assume breach” is also often associated with zero trust and comes from the phrase “assume compromise” used by the US Department of Defense in the 1990’s.

The approach requires a combination of technologies, processes, practices, and cultural changes to be successfully implemented. It involves a fundamental shift in the way organizations approach cybersecurity. Traditional “castle and moat” security models assumed, after data passed through the perimeter, that everything inside a system could be implicitly trusted.

Zero trust basics

The zero-trust model assumes that all business transactions and data flows, whether originating from inside or outside the network, are potentially malicious. Every interaction in a business transaction or data flow must be continuously validated to ensure that only authorized users and devices can access sensitive business data. In effect, it moves the perimeter from the system boundary to the point at which identification, authentication, and authorization take place, resulting in identity becoming the new perimeter. The whole concept often gets simplified down to the “never trust, always verify” principle, but it’s more than that.

Zero-trust architecture requires a cultural shift that emphasizes the importance of security rather than just compliance throughout an organization. This means that implementing a zero-trust architecture involves not only the deployment of specific technologies but also the development of processes and practices that promote a data security first mindset across the organization, building on the data centric security approach we discussed earlier.

When architecting and developing security for a system, an architect should follow a set of principles, tenets, or simply a way of thinking to apply zero trust. Zero trust isn’t an end-to-end method, and a comprehensive approach requires integration with other architectural thinking techniques.

Zero trust principles

Organizations offer guidance in publications including the US National Institute of Standards and Technology (NIST) SP 800-207 Zero Trust Architecture document that has a set of zero trust architecture tenets and the UK National Cyber Security Centre (NCSC) Zero trust architecture design principles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Hybrid cloud, Zero Trust Architecture


Apr 15 2024

THE PATH TO A PENTESTING CAREER (A BLUEPRINT FOR ASPIRING WHITE HATS)

Category: Hacking,Pen Test,Security Toolsdisc7 @ 7:22 am

Security analysis of web applications is, first of all, a search and investigation of cases of incorrect functioning of program code and vulnerabilities. Those who choose a penetration tester’s profession should keep in mind that it requires continuous learning and the ability to use a library of resources for self-education. A common situation is that while you are studying vulnerabilities in one framework, a dozen new reports are published. To quickly understand the potential vulnerabilities associated with previously unknown technologies, you need to be well-versed in the sources of information. When working in a team on an actual pentest project, there is usually no time for a thoughtful search. So, if your skills are combined with a strong foundational education, you are looking at promising career opportunities.

Your initial understanding of the subject can be developed through cybersecurity analysis courses at the university. These courses can also help you decide if this career path is right for you. It is good to receive foundational training in software development and networking, including web applications, while you are at university. Afterward, you can gain hands-on experience by practicing infrastructure penetration testing.

Usually, your initial attempts to secure a job as a web penetration tester might reveal gaps in your knowledge. Seeking employment at companies like VentureDive, where the work could help fill these educational gaps and offer valuable experience, is a smart approach. For instance, you could start as a technical support specialist in information security at a large company. After about two to four months, you might go for your first interview for a security analyst position, during which you could identify any weak points you might still have. With a few more months of work under the guidance of a mentor and diving into training materials, you could successfully land a position as a penetration tester.

Choosing where to work in the future is not as straightforward as it may appear. In a large, well-known company, you will be surrounded by a high level of expertise and likely assigned a mentor. However, the opportunity to find truly interesting vulnerabilities in real projects might be limited. This is because such organizations often have costly services, and their clients are usually not willing to skimp on development and security. Consequently, you will be working with quality products that have undergone thorough security testing, reducing the likelihood of encountering situations that provide valuable experience.

In a small company, you should not expect to find a mentor, a high level of expertise, or an impressive salary. However, these companies often get orders to pentest applications with many vulnerabilities, providing invaluable experience for those new to the profession. With this experience under your belt, you could eventually transition to a larger company.

Mastering Interview Techniques

Given that we cannot cover everything, let’s go over the essential knowledge and skills you need to analyze vulnerabilities in web applications.

  • A pentester needs to understand how applications function on the network level, which includes knowing about TCP handshakes, domain names, IPs, proxies, etc. It is also important to grasp the basics of how HTTP and HTTPS protocols work. Being prepared to answer questions like “What is the difference between HTTP methods?” “When should PATCH be used as opposed to POST?” and “How do HTTP 0.9/1.1 differ from HTTP/2?” is a part of this foundational knowledge.
  • Vulnerabilities are not always tucked away in a web application’s code; sometimes, they are embedded in its architecture, like within the web server itself. Often, a pentester might not have a direct view of the application’s architecture but can infer how it functions. Therefore, having knowledge in this area is incredibly useful.
  • As vulnerabilities become more complex, it is important to grasp the basics. This foundational understanding allows you to tackle more complex issues as they arise.
  • Developing the ability to search for answers to your questions using open sources is vital, even if you have someone to ask. Always start by seeking out information and attempting to solve problems on your own before seeking help.
  • Being able to write and read code in various languages, including PHP, Python, JavaScript, Java, and C#, is essential. When it comes to analyzing web applications, you will encounter different approaches, such as white box, gray box, and black box testing. For example, if you are doing white box testing and have access to the application’s source code, having development experience is a big plus. Additionally, the ability to write automation scripts and tailor third-party tools to fit your needs is a valuable skill.
  • Pentest projects frequently require examining the application from the outside in. You need the ability to scan the network and identify vulnerable services to ensure no obvious security flaws are overlooked.
  • In your work, you will often need to theoretically explain the nature of a vulnerability. This requires understanding basic concepts, such as how databases operate, the properties of information, and what constitutes vulnerability and exploitation. Essential skills also include system administration for both Windows and Linux.

Simply studying a vast number of vulnerabilities will turn you into a top-tier professional because it does not cultivate the skill of discovering them. During actual pentest projects, the toughest part is often identifying vulnerabilities. It is advised to search for vulnerable applications and analyze them without peeking at the technology stack or hints about the vulnerabilities. This practice offers foundational experience and insights into how things operate in an actual project.

For those lacking a basic education in security analysis, paid penetration testing courses are an option to consider. Unfortunately, the better courses tend to be expensive, and it is difficult to recommend any budget-friendly options that are truly effective. It is crucial to realize that these courses will not turn you into an expert overnight, as some might claim, but they will provide you with a solid understanding of the profession.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ASPIRING WHITE HATS


Apr 12 2024

An Adoption Guide
For FAIR

Category: Risk Assessment,Security Risk Assessmentdisc7 @ 8:44 am

Via RiskLens

Measuring and Managing Information Risk: A FAIR Approach

Factor Analysis of Information Risk (FAIR), a powerful methodology for assessing and quantifying information risks. Here’s a comprehensive overview:

1. What Is FAIR?
a. FAIR, short for Factor Analysis of Information Risk, is a quantitative risk quantification methodology designed to help businesses evaluate information risks.
b. It stands out as the only international standard quantitative model framework that addresses both operational risk and information security.
c. Mature organizations that utilize Integrated Risk Management (IRM) solutions significantly benefit from FAIR.

2. Objective of FAIR:
a. The primary goal of FAIR is to support existing frameworks and enhance risk management strategies within organizations.
b. Unlike cybersecurity frameworks (such as NIST CSF), FAIR is not a standalone framework. Instead, it complements other industry-standard frameworks like NIST, ISO 2700x, and more.
c. As organizations shift from a compliance-based approach to a risk-based approach, they need a quantitative risk methodology to support this transition.

3. How FAIR Differs from Legacy Risk Quantification Methods:
a. FAIR is not a black-box approach like traditional penetration testing. Instead, it operates as a “glass-box” method.
b. Legacy methods focus on penetration testing without internal knowledge of the target system. While they identify vulnerabilities, they cannot provide the financial impact of risks.
c. In contrast, FAIR translates an organization’s loss exposure into financial terms, enabling better communication between technical teams and non-technical leaders.
d. FAIR provides insights into how metrics were derived, allowing Chief Information Security Officers (CISOs) to present detailed information to board members and executives.

4. Benefits of FAIR:
a. Financial Context: FAIR expresses risks in dollars and cents, making it easier for decision-makers to understand.
b. Risk Gap Identification: FAIR helps organizations efficiently allocate resources to address risk gaps.
c. Threat Level Scaling: Unlike other frameworks, FAIR scales threat levels effectively.
d. Board Engagement: FAIR fosters interest in cybersecurity among board members and non-technical leaders.

5. Drawbacks of FAIR:
a. Complexity: FAIR lacks specific, well-defined documentation of its methods.
b. Complementary Methodology: FAIR is not an independent risk assessment tool; it complements other frameworks.
c. Probability-Based: While FAIR’s probabilities are not baseless, they may not be entirely accurate due to the unique nature of cyber-attacks and their impact.

In summary, FAIR revolutionizes risk analysis by providing a quantitative, financially oriented perspective on information risk. It bridges the gap between technical and non-technical stakeholders, enabling better risk management decisions.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: A FAIR Approach


Apr 12 2024

Apple Boosts Spyware Alerts For Mercenary Attacks

Category: Spywaredisc7 @ 7:09 am
https://www.infosecurity-magazine.com/news/apple-boosts-spyware-alerts/

Apple has updated its documentation related to its warning system for mercenary spyware threats, now specifying that it alerts users when they may have been individually targeted by such attacks.

The revision points out companies like NSO Group, known for developing surveillance tools like Pegasus, which state actors often use for targeted attacks on individuals such as journalists, activists, politicians and diplomats. 

In a blog post published on Wednesday, Apple highlighted the global and sophisticated nature of these attacks, which are costly and complex.

The update marks a shift in the wording from informing and assisting users targeted by state-sponsored attackers to specifically addressing mercenary spyware threats.

“It’s really important to recognize that mercenary spyware, unlike others, is deliberately designed with advanced capabilities, including zero-day exploits, complex obfuscation techniques, and self-destruct mechanisms, making it highly effective and hard to detect,” explained Krishna Vishnubhotla, vice president of product strategy at Zimperium.

According to recent reports, Apple sent threat notifications to iPhone users in 92 countries, coinciding with the support page revision.

While Apple began sending threat notifications in November 2021, it refrained from attributing the attacks or notifications to any particular threat actor or region. 

This development now aligns with global efforts to counter the misuse of commercial spyware, as evidenced by a coalition of countries, including the US, working to develop safeguards against invasive surveillance technology.

Moreover, a recent report by Google’s Threat Analysis Group (TAG) and Mandiant shed light on the exploitation of zero-day vulnerabilities in 2023, with commercial surveillance vendors being responsible for a significant portion of these exploits. 

These vulnerabilities targeted web browsers and mobile devices, underscoring the increasing reliance of threat actors on zero days for evasion and persistence.

Mobile Phone Spyware: …the hidden threat to any smartphone

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: mercenary spyware, NSO, Pegasus


Apr 11 2024

DuckDuckGo Is Taking Its Privacy Fight to Data Brokers

Category: Information Privacy,Web Search Engine,Web Securitydisc7 @ 8:03 am
https://www.wired.com/story/duckduckgo-vpn-data-removal-tool-privacy-pro/

For more than a decade, DuckDuckGo has rallied against Google’s extensive online tracking. Now the privacy-focused web search and browser company has another target in its sights: the sprawling, messy web of data brokers that collect and sell your data every single day.

Today, DuckDuckGo is launching a new browser-based tool that automatically scans data broker websites for your name and address and requests that they be removed. Gabriel Weinberg, the company’s founder and CEO, says the personal-information-removal product is the first of its kind where users don’t have to submit any of their details to the tool’s owners. The service will make the requests for information to be removed and then continually check if new records have been added, Weinberg says. “We’ve been doing it to automate it completely end-to-end, so you don’t have to do anything.

The personal-information removal is part of DuckDuckGo’s first subscription service, called Privacy Pro, and is bundled with the firm’s first VPN and an identity-theft-restoration service. Weinberg says the subscription offering, which is initially available only in the US for $9.99 per month or $99.99 per year, is part of an effort to add to the privacy-focused tools it provides within its web browser and search engine. “There’s only so much we can do in that browsing loop, there’s things happening outside of that, and a big one is data brokers, selling information scraped from different places,” Weinberg says.

The data broker industry is a far-reaching, $200-plus billion market, which collects, buys, and sells as much information as it can. A lack of comprehensive privacy laws in the US allows companies to easily trade everything from people’s names and addresses to financial data and specific GPS coordinates gathered from your phone. (The recently proposed American Privacy Rights Act, if passed, would create a new registry of data brokers and give people some European-style privacy rights).

DuckDuckGo’s personal-information-removal tool—for now, at least—is taking the privacy fight to people-search websites, which allow you to look up names, addresses, and some details of family members. However, Weinberg says DuckDuckGo has created it so the company isn’t gathering details about you, and it is built on technology from Removaly, which the company acquired in 2022.

Ahead of its launch, the company demonstrated how the system works and some of the engineering efforts that went into its creation. On the surface, the removal tool is straightforward: You access it through the company’s browser and enter some information about yourself, such as your name, year of birth, and any addresses. It then scans 53 data broker websites for results linked to you and requests those results to be wiped. (All 53 data brokers included have opt-out schemes that allow people to make requests.) A dashboard shows updates about what has been removed and when it will next scan those websites again, in case new records have been added.

Under the hood, things are more complex. Greg Fiorentino, a product director at DuckDuckGo, says when you enter your personal data into the system, it’s all saved in an encrypted database on your computer (the tool doesn’t work on mobile), and the company isn’t sent this information. “It doesn’t go to DuckDuckGo servers at all,” he says.

For each of the data brokers’ websites, Fiorentino says, DuckDuckGo looked at its URL structure: For instance, search results may include the name, location, and other personal information that are queried. When the personal information tool looks for you on these websites, it constructs a URL with the details you have entered.

“Each of the 53 sites we cover has a slightly different structure,” Fiorentino says. “We have a template URL string that we substitute the data in from the user to search. There are lots of different nuances and things that we need to be able to handle to actually match the data correctly.”

During testing, the company says, it found most people have between 15 and 30 records on the data broker sites it checks, although the highest was around 150. Weinberg says he added six addresses to be removed from websites. “I found hits on old stuff, and even in the current address, which I really tried to hide a bit from getting spam at, it’s still out there somehow,” Weinberg says. “It’s really hard to avoid your information getting out there.”

Once the scan for records has been completed, the DuckDuckGo system, using a similar deconstruction of each of the data broker websites, will then automatically make requests for the records to be removed, the team working on the product say. Fiorentino says some opt-outs will happen within hours, whereas others can take weeks to remove the data. The product director says that in the future, the tool may be able to remove data from more websites, and the company is looking at potentially including more sensitive data in the opt-outs, such as financial information.

Various personal-information-removal services exist on the web, and they can vary in what they remove from websites or the services they provide. Not all are trustworthy. Recently, Mozilla, the creator of the Firefox browser, stopped working with identity protection service Onerep after investigative journalist Brian Krebs revealed that the founder of Onerep also founded dozens of people-search websites in recent years.

DuckDuckGo’s subscription service marks the first time the company has started charging for a product—its browser and search engine are free to use, and the firm makes its money from contextual ads. Weinberg says that, because subscriptions are purchased through Apple’s App Store, Google Play, or with payment provider Stripe, details about who subscribes are not transferred to DuckDuckGo’s servers. A random ID is created for each user when they sign up, so people don’t have to create an account or hand DuckDuckGo their payment information. The company says it doesn’t have access to people’s Apple IDs or Google account details.

For its identity-theft-restoration service, DuckDuckGo says it is working with identity protection service Iris, which uses trained staff to help with fraudulent banking activity, document replacement, emergency travel, and more. DuckDuckGo says no information is shared between it and Iris.

Weinberg says that while the company’s main focus is providing free and easy-to-use privacy tools to people, running a VPN and the removal tool requires a different business model. “It just takes a lot of bandwidth,” he says of the VPN.

Broadly, the VPN industry, which allows people to hide their web traffic from internet providers and avoid geographic restrictions on streaming, has historically been full of companies with questionable records when it comes to privacy and people’s data. Free VPNs have long been a privacy nightmare.

DuckDuckGo says its VPN, which it built in-house and which uses the WireGuard protocol, does not store any logs of people’s activities and can be used on up to five devices at once. “We don’t have any record of website visits, DNS requests, IP addresses connected, or session lengths,” the company says in its documentation. The VPN runs through its browser, with 13 location options at launch, but shields all internet traffic passing through your phone or computer.

The company says it is conducting a third-party audit of the VPN to allow its claims to be scrutinized, and it will publish the full audit once it’s complete. “We really wanted to do something in the VPN space for a long time, we just didn’t have the resources and people to do it,” Weinberg says. “We looked at partnering in different places. If we have to completely trust a partner versus building something where we can make it anonymous, we decided we would want to do it ourselves.”

Why you should use Duckduckgo as your search engine NOW!

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: DuckDuckGo


    Apr 10 2024

    New SharePoint Technique Lets Hackers Bypass Security Measures

    Category: Hacking,Security controlsdisc7 @ 9:36 am

    Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.

    Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.

    Security researchers from Varonis Threat Labs discovered two SharePoint techniques.

    Open-In-App Method

    The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.

    While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.

    Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.

    This subtle footprint can easily be overlooked, as it does not resemble a typical download event.

    The exploitation of this method can be carried out manually or automated through a PowerShell script.

    When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.

    The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.

    SkyDriveSync User-Agent

    The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.

    By masquerading as the sync client, attackers can download files or even entire SharePoint sites.

    These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.

    This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.

    The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.

    Microsoft’s Response And Security Patch Backlog

    Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.

    They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.

    The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.

    Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.

    To combat these vulnerabilities, organizations are advised to implement additional detection strategies.

    Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.

    Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.

    Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.

    Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.

    Permissions Management in SharePoint Online – A Practical Guide

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: SharePoint


    Apr 09 2024

    GOOGLE ANNOUNCES V8 SANDBOX TO PROTECT CHROME USERS

    Category: Web Securitydisc7 @ 8:42 am

    Google announced support for a V8 Sandbox in the Chrome web browser to protect users from exploits triggering memory corruption issues.

    Google has announced support for what’s called a V8 Sandbox in the Chrome web browser. The company included the V8 Sandbox in Chrome’s Vulnerability Reward Program (VRP). Chrome 123 is a sort of “beta” release for the sandbox designed to mitigate memory corruption issues in the Javascript engine.

    The V8 Sandbox is designed to prevent memory corruption issues that would impact other areas of memory in the process.

    Almost every Chrome exploits observed in the wild between 2021 and 2023 triggered a memory corruption issue in a Chrome renderer process that was exploited for remote code execution (RCE). The majority of these issues (60%) impacted the V8 Javascript engine.

    “V8 vulnerabilities are rarely “classic” memory corruption bugs (use-after-frees, out-of-bounds accesses, etc.) but instead subtle logic issues which can in turn be exploited to corrupt memory. As such, existing memory safety solutions are, for the most part, not applicable to V8.” reads the announcement. “In particular, neither switching to a memory safe language, such as Rust, nor using current or future hardware memory safety features, such as memory tagging, can help with the security challenges faced by V8 today.”

    The researchers highlighted that a common thread among nearly all V8 vulnerabilities is that the eventual memory corruption occurs within the V8 heap. This is primarily because the compiler and runtime predominantly deal with V8 HeapObject instances.

    To mitigate such vulnerabilities the researchers devised a technique to isolate V8’s (heap) memory to prevent memory corruption from spreading to other parts of the process’ memory.

    “The sandbox limits the impact of typical V8 vulnerabilities by restricting the code executed by V8 to a subset of the process’ virtual address space (“the sandbox”), thereby isolating it from the rest of the process. This works purely in software (with options for hardware support, see the respective design document linked below) by effectively converting raw pointers either into offsets from the base of the sandbox or into indices into out-of-sandbox pointer tables. In principle, these mechanisms are very similar to the userland/kernel separation used by modern operating systems (e.g. the unix file descriptor table).” states Google. “The sandbox assumes that an attacker can arbitrarily and concurrently modify any memory inside the sandbox address space as this primitive can be constructed from typical V8 vulnerabilities. Further, it is assumed that an attacker will be able to read memory outside of the sandbox, for example through hardware side channels. The sandbox then aims to protect the rest of the process from such an attacker. As such, any corruption of memory outside of the sandbox address space is considered a sandbox violation.”

    Software-based sandbox replaces data types that can access out-of-sandbox memory with “sandbox-compatible” alternatives.

    In the software-based sandbox, only the V8 heap is enclosed within the sandbox. As a result, the overall structure is similar to the sandboxing model employed by WebAssembly.

    The researchers state that the majority of the overhead generated by the sandbox primarily arises from the pointer table indirection for external objects. A minor overhead is related to the use of offsets instead of raw pointers, primarily involving a shift+add operation, anyway this is quite inexpensive. The sandbox’s overhead is approximately 1% or less on standard workloads, as determined by measurements using the Speedometer and JetStream benchmark suites. Consequently, the V8 Sandbox can be activated by default on compatible platforms.

    “The V8 Sandbox must be enabled/disabled at build time using the v8_enable_sandbox build flag. It is (for technical reasons) not possible to enable/disable the sandbox at runtime. The V8 Sandbox requires a 64-bit system as it needs to reserve a large amount of virtual address space, currently one terabyte.” concludes the announcement.

    “The V8 Sandbox has already been enabled by default on 64-bit (specifically x64 and arm64) versions of Chrome on Android, ChromeOS, Linux, macOS, and Windows for roughly the last two years.”

    Grokking Web Application Security

    Web App Security

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: SANDBOX


    Apr 08 2024

    Social Engineering Attacks Targeting IT Help Desks in the Health Sector

    Category: Cyber Attack,social engineeringdisc7 @ 5:17 pm

    Cyberwarfare & Social Engineering

    Explore Social Engineering

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: cyberwarfare, social engineering


    Apr 08 2024

    Implement Network Segmentation and Encryption in Cloud Environments

    Explore Cloud Security

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: cloud security, encryption, Network segmentation


    Apr 08 2024

    XZ Utils backdoor: Detection tools, scripts, rules

    Category: Backdoordisc7 @ 11:54 am

    Malware Data Science: Attack Detection and Attribution

    What happened?

    The open-source XZ Utils compression utility has been backdoored by a skilled threat actor who tried to get the malicious packages included in mainstream Linux distributions, to allow them unfettered, covert SSH access to Linux systems around the world.

    “The author intentionally obfuscated the backdoor in distribution tarballs, intended for Linux distributions to use for building their packages. When the xz build system is instructed to create an RPM or DEB for the x86-64 architecture using gcc and gnu linker, the backdoor is included in the liblzma as part of the build process. This backdoor is then shipped as part of the binary within the RPM or DEB,” the Open Source Security Foundation succinctly explained.

    The backdoor was discovered by Andres Freund, a software engineer at Microsoft, and its existence was publicly revealed a little over a week ago. Stable versions of a few Linux distros have been affected but widespread compromise has been avoided.

    Threat researchers are still working on analyzing the backdoor and are revealing their findings daily.

    It has become clear that is the work of a sophisticated threat actor who used many tricks to:

    How to detect the XZ Utils backdoor?

    Triggering/using the backdoor requires authentication via a private SSH key owned by the attacker, so exploitation – if it ever happens – will be limited. The fact that the vulnerable library versions haven’t ended up in many production systems is a huge blessing.

    That said, a number of scripts and tools have been released allowing users to check for the presence of the backdoor.

    Freund’s post on the OSS mailing list includes a script to detect vulnerable SSH binaries on systems, which has then been repurposed and extended to also check whether a system uses a backdoored version of the liblzma library.

    Binarly, a firmware security firm, has set up an online scanner that allows users to analyze any binary for the backdoor implant.

    “Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation. It could already be deployed elsewhere or partially reused in other operations. That’s exactly why we started focusing on more generic detection for this complex backdoor,” they noted.

    Late last week, Bitdefender released another scanner, that must be deployed on systems that need testing. (Since the scanner requires root privileges to be effective, the company has released the source code.)

    It can search for all infected liblzma libraries, even if they are not used by the Secure Shell Daemon application (sshd), as well as for a unique byte sequence injected by the backdoor during library compilation.

    Elastic Security Labs researchers have published their analysis of the backdoor, as well as YARA signatures, detection rules, and osquery queries that Linux admins can use to find vulnerable liblzma libraries and identify potentially suspicious sshd behavior.

    Malware Data Science: Attack Detection and Attribution

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: Detection tools


    Apr 05 2024

    Attempted hack on NYC continues wave of cyberattacks against municipal governments

    Category: Cyber Attackdisc7 @ 6:08 pm
    https://therecord.media/new-york-city-government-smishing-attack

    2024 has already seen dozens of local governments slammed by ransomware incidents and cyberattacks, limiting services for millions of people across the United States.

    The latest high-profile incident involves New York City, which was forced to take a city payroll website offline and remove it from public view after dealing with a phishing incident.

    The incident was first reported by Politico, which spoke to city workers who complained of the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS) being offline right as many tried to file their taxes. 

    New York City’s Office of Technology and Innovation and told Recorded Future News that NYC Cyber Command “was made aware of a smishing campaign targeting NYCAPS users.” Smishing is essentially phishing via text messages instead of emails. 

    “NYC Cyber Command has been advising and working with FISA-OPA and DCAS to implement enhancements to security measures,” the office  said. “City employees have been advised to remain vigilant and confirm the legitimacy of any NYCAPS and payroll-related communications and activity.”

    A city official reiterated that the NYCAPS website is still online and accessible to all employees through the city’s secure internal network.

    The smishing campaign allegedly involved messages sent to city workers asking them to activate multi-factor authentication, with a link to a phishing domain. 

    Shashi Prakash, CTO at security firm Bolster.AI, told Recorded Future News that his team saw the domain “essnyc{.}online” the day it was registered. Other researchers said the domain was registered in Lithuania. 

    Prakash explained that his team’s data shows it has been live since December 9 and shared a screenshot of the page, which looks exactly like the NYCAPS website. 

    “There is one additional domain cityofanaheim{.}online on the same infrastructure which does make it look like they were targeting other cities,” Prakash said. 

    Keeper Security’s Teresa Rothaar said more than 80 percent of breaches happen because of weak or stolen passwords, credentials and secrets, much of which is acquired through the kind of phishing and smishing attacks New York City is currently dealing with. 

    To make matters worse, the New York City attackers clearly knew that multi-factor authentication is a critical layer of security and played on that concept while trying to steal credentials. 

    “Often, innocent people who are not trained on phishing prevention will focus on the ‘pinstripes’ of the email or illegitimate site, meaning the aesthetics that they are familiar with, such as the logo or colors of their banking site,” she said.  

    “Cybercriminals spend a lot of time making ‘lookalike’ sites appear authentic so that users are tricked into entering login credentials. Employees should always err on the side of caution and assume that all of their work-related (and even personal) passwords have been compromised – especially if they reuse the same passwords across accounts (a big no-no, and this situation illustrates why).”

    Countrywide problem

    The campaign targeting New York City is one of many specifically going after city, county and state-level governments across the United States. 

    Just in the last week, the cities of Birmingham, Alabama, and East Baton Rouge, Louisiana, have announced security incidents affecting public services. Jackson County in Missouri was forced to declare a state of emergency after discovering a ransomware attack last month. 

    On Thursday, the Florida Department of Juvenile Justice in Tallahassee admitted to local news outlets that it was dealing with a cyberattack that forced some systems offline. 

    Florida’s Hernando County similarly announced a cyberattack on Thursday, warning that while 911, police and EMS systems were still operational, several other government services would be down for an unknown amount of time. Local news outlets reported that the FBI is involved in the response to the incident. 

    Rebecca Moody, head of data research at Comparitech, has been looking into ransomware attacks on U.S. government offices and said she has found 18 confirmed ransomware attacks so far this year. 

    Other researchers have tracked at least 25 ransomware attacks on U.S. government offices. 

    While several states have banned government organizations from paying ransoms to groups, the offices continue to be ripe targets for ransomware gangs and hackers. Washington County in Pennsylvania recently revealed that it paid a $350,000 ransom to hackers following a January ransomware attack. 

    James Turgal, who spent 22 years working at the FBI, told Recorded Future News that attacks against state, local and tribal governments have accelerated over the last year. 

    “From the threat actors’ point of view, these municipalities are a target-rich environment with an abundant source of victims. By my estimation, with just around 95,000 soft targets nationwide, there are 40,000 cities, towns and municipalities, approximately 50,000 special government districts nationwide, and then the additional tribal governments that round out the numbers,” he said. 

    “There needs to be a sense of urgency on the part of state and local governments and municipalities to get ahead of the threat, as these local entities have the most direct impact on our citizens, and a cyber focused disruption can be potentially life-threatening when considering the health and public safety services our local governments control.”

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: municipal governments, NYC


    Apr 05 2024

    Hackers Hijack Facebook Pages To Mimic AI Brands & Inject Malware

    Category: AI,Hacking,Malwaredisc7 @ 8:08 am

    Hackers have been found hijacking Facebook pages to impersonate popular AI brands, thereby injecting malware into the devices of unsuspecting users.

    This revelation comes from a detailed investigation by Bitdefender Labs, which has been closely monitoring these malicious campaigns since June 2023.

    Recent analyses of malvertising campaigns have revealed a disturbing trend.

    Ads are distributing an assortment of malicious software, which poses severe risks to consumers’ devices, data, and identity.

    Unwitting interactions with these malware-serving ads could lead to downloading and deploying harmful files, including Rilide Stealer, Vidar Stealer, IceRAT, and Nova Stealer, onto users’ devices.

    Rilide Stealer V4: A Closer Look

    Bitdefender Labs has spotlighted an updated version of the Rilide Stealer (V4) lurking within sponsored ad campaigns that impersonate popular AI-based software and photo editors such as Sora, CapCut, Gemini AI, Photo Effects Pro, and CapCut Pro.

    This malicious extension, targeting Chromium-based browsers, is designed to monitor browsing history, capture login credentials, and even facilitate the withdrawal of crypto funds by bypassing two-factor authentication through script injections.

    Sora Ad campaign
    Gemini Ad Campaign

    Key Updates in Rilide V4:

    • Targeting of Facebook cookies
    • Masquerading as a Google Translate Extension
    • Enhanced obfuscation techniques to conceal the software’s true intent

    Indicators Of Compromise

    Malicious hashes

    • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
    • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
    • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
    • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
    • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
    • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
    • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
    • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
    • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
    • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
    • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
    • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
    • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora

    Vidar Stealer: Evolving Threats

    Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

    Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

    Indicators Of Compromise

    Malicious hashes

    • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
    • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

    IceRAT: More Than Just A Trojan

    Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

    Indicators Of Compromise

    Malicious hashes

    • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
    • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
    • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
    • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
    • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
    • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e – Midjourneys_Setup.exe – MidJourney
    • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 – Mid_Setup.exe – MidJourney
    • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

    Nova Stealer: The New Kid On The Block

    Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

    Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

    Indicators Of Compromise

    Malicious hashes

    • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
    • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
    • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
    • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
    • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
    • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
    • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

    The Midjourney Saga: AI’s Dark Side

    The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

    Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

    Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
    Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

    Indicators Of Compromise

    • 159.89.120.191
    • 159.89.98.241

    As the digital landscape continues to evolve, so does the nature of the threats it maintains.

    The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

    Key Updates in Rilide V4:

    • Targeting of Facebook cookies
    • Masquerading as a Google Translate Extension
    • Enhanced obfuscation techniques to conceal the software’s true intent

    Indicators Of Compromise

    Malicious hashes

    • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
    • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
    • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
    • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
    • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
    • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
    • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
    • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
    • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
    • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
    • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
    • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
    • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora

    Vidar Stealer: Evolving Threats

    Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

    Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

    Indicators Of Compromise

    Malicious hashes

    • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
    • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

    IceRAT: More Than Just A Trojan

    Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

    Indicators Of Compromise

    Malicious hashes

    • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
    • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
    • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
    • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
    • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
    • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e – Midjourneys_Setup.exe – MidJourney
    • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 – Mid_Setup.exe – MidJourney
    • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

    Nova Stealer: The New Kid On The Block

    Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

    Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

    Indicators Of Compromise

    Malicious hashes

    • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
    • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
    • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
    • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
    • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
    • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
    • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

    The Midjourney Saga: AI’s Dark Side

    The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

    Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

    Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
    Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

    Indicators Of Compromise

    • 159.89.120.191
    • 159.89.98.241

    As the digital landscape continues to evolve, so does the nature of the threats it maintains.

    The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

    The Complete Guide to Software as a Service: Everything you need to know about SaaS

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: Hijack Facebook Pages


    Apr 04 2024

    Mantis: Open-source framework that automates asset discovery, reconnaissance, scanning

    Category: Open Network,Open Source,OSINTdisc7 @ 7:53 am

    Mantis features

    The framework conducts reconnaissance on active assets and completes its operation with a scan for vulnerabilities, secrets, misconfigurations, and potential phishing domains, utilizing open-source and proprietary tools.

    Some of the features that make Mantis stand out are:

    • Automated discovery, recon, and scan
    • Distributed scanning (split a single scan across multiple machines)
    • Scan customization
    • Dashboard support
    • Vulnerability management
    • Advanced alerting
    • DNS service integration
    • Integrate new tools (existing and custom) in minutes

    “Last year, we explored open-source frameworks our organization can use to monitor assets. We wanted to set up an asset discovery framework that allows us to add custom scripts, enable or disable tools to run based on configs, scale, and deploy the framework across a cluster of VMs. We also wanted to find a way to ingest domains from DNS services into our databases. This led us to create Mantis, an asset discovery framework that could help bug bounty hunters as well as security teams,” Prateek Thakare, lead developer of Mantis, told Help Net Security.

    System requirements

    • Supported OS: Ubuntu, macOS
    • 4GB RAM
    • 2 cores
    • 16GB of storage

    Mantis is CPU intensive, so it’s advisable to run it on a dedicated virtual machine.

    Future plans and download

    “We are planning to have our dashboard making it easier to view and monitor the assets. We will also work on improvising the discovery, recon, and scan process by adding new tools and custom scripts,” Thakare concluded.

    Mantis is available for free on GitHub.

    The OSINT Handbook: A practical guide to gathering and analyzing online information

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

    Tags: Mantis, Open-source framework


    Apr 03 2024

    ISO27k bot

    Category: AI,Information Securitydisc7 @ 2:03 pm
    Hey 👏 I’m the digital assistance of DISCInfoSec for ISO 27k implementation. I will try to answer your question. If I don’t know the answer, I will connect you with one my support agents. Please type your query regarding ISO 27001 implementation 👇

    ISO 27k Chat bot

    Tags: Chat bot, ISO 27k bot


    Apr 03 2024

    HOW TO CHECK IF A LINUX DISTRIBUTION IS COMPROMISED BY THE XZ UTILS BACKDOOR IN 6 STEPS

    Category: Backdoor,Linux Securitydisc7 @ 9:14 am

    In an unsettling development that emerged late last week, the open-source community was thrust into a state of high alert following the disclosure that XZ Utils, a fundamental compression utility widespread across Linux distributions, had been compromised. This startling revelation has left a significant mark on the open-source ecosystem, prompting a swift and coordinated response from maintainers and security professionals alike.

    Discovery of the Backdoor

    The initial discovery of the backdoor was made by Andres Freund, a Microsoft software engineer, during routine diagnostics on Debian sid (development) installations. Freund’s investigation, sparked by unusually high CPU usage during SSH logins and accompanying error alerts, led to the identification of the culprit: a malicious insertion within the liblzma library, a core component of the XZ package. This finding was subsequently designated with the vulnerability identifier CVE-2024-3094. Attribution for this calculated insertion has been directed at an individual known as “Jia Tan” (JiaT75 on GitHub), who, through an elaborate scheme of social engineering and the use of sock puppet accounts, gained the trust of the XZ Utils maintainer community. This long-term infiltration underscores the advanced nature of the threat actor involved, pointing towards a highly skilled and resourceful adversary.

    Affected Distributions and Response

    STATUSDISTRIBUTIONRESPONSE
    AffectedFedora Rawhide and Fedora Linux 40 betaConfirmed by Red Hat
    AffectedopenSUSE Tumbleweed and openSUSE MicroOSConfirmed by openSUSE maintainers
    AffectedDebian testing, unstable, experimental distributionsConfirmed by Debian maintainers
    AffectedKali Linux (updates between March 26th to March 29th)Confirmed by OffSec
    AffectedSome Arch Linux virtual machine and container imagesConfirmed by Arch Linux maintainers
    Not AffectedRed Hat Enterprise Linux (RHEL)Confirmed by Red Hat
    Not AffectedUbuntuConfirmed by Ubuntu
    Not AffectedLinux MintConfirmed by Linux Mint
    Not AffectedGentoo LinuxConfirmed by Gentoo Linux
    Not AffectedAmazon Linux and Alpine LinuxConfirmed by Amazon Linux and Alpine Linux maintainers

    Guidance and Recommendations

    In light of these disclosures, affected parties have been advised to approach the situation as a definitive security incident, necessitating a comprehensive review and mitigation process. This includes the diligent examination for any unauthorized access or misuse, the rotation of exposed credentials, and a thorough security audit of systems that might have been compromised during the exposure window.

    Insight into the Backdoor Mechanism

    The intricacy of the backdoor, embedded within the xz-utils’ liblzma library and manifesting under precise conditions, notably through remote, unprivileged connections to public SSH ports, speaks volumes about the sophistication of the threat actors behind this maneuver. This backdoor not only raises concerns over performance degradation but also poses a significant risk to the integrity and security of the affected systems.

    HOW TO DETECT IF YOU ARE A VICTIM

    In light of the recent discovery of the CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1, the cybersecurity community has been on high alert. Binarly has introduced a free scanner to identify the presence of this backdoor in affected systems. Below is a detailed tutorial, including examples, on how to use the Binarly Free Scanner to detect the CVE-2024-3094 backdoor in your systems.

    STEP 1: UNDERSTANDING THE THREAT

    The CVE-2024-3094 backdoor in XZ Utils versions 5.6.0 and 5.6.1 poses a significant security risk, potentially allowing unauthorized remote access. It’s crucial to grasp the severity of this issue before proceeding.

    Example: Imagine a scenario where an organization’s critical systems are running on a compromised version of XZ Utils, leaving the network vulnerable to attackers who could gain unauthorized access through the backdoor.

    STEP 2: ACCESSING THE BINARLY FREE SCANNER

    Navigate to XZ.fail, the dedicated website Binarly set up for the scanner.

    Example: Open your web browser and type “https://xz.fail” in the address bar to access the Binarly Free Scanner’s homepage.

    STEP 3: UTILIZING THE SCANNER

    The Binarly Free Scanner uses advanced static analysis to detect the backdoor by examining ifunc transition behaviors in the binaries.

    Example: After accessing XZ.fail, you’ll be prompted to upload or specify the path to the binary files you wish to scan. Suppose you want to check a file named example.xz; you would select this file for scanning through the web interface or command line, depending on the tool’s usage options provided.

    STEP 4: INTERPRETING THE RESULTS

    Once the scan completes, the scanner will report back on whether the CVE-2024-3094 backdoor was detected in the scanned files.

    Example: If the scanner finds the backdoor in example.xz, it might display a message such as “Backdoor Detected: CVE-2024-3094 present in example.xz”. If no backdoor is found, a message like “No Backdoor Detected: Your files are clean” would appear.

    STEP 5: TAKING ACTION

    If the scanner detects the backdoor, immediate action is required to remove the compromised binaries and replace them with secure versions.

    Example: For a system administrator who finds the backdoor in example.xz, the next steps would involve removing this file, downloading a secure version of XZ Utils from a trusted source, and replacing the compromised file with this clean version.

    STEP 6: CONTINUOUS VIGILANCE

    Regularly scan your systems with the Binarly Free Scanner and other security tools to ensure no new threats have compromised your binaries.

    Example: Set a monthly reminder to use the Binarly Free Scanner on all critical systems, especially after installing updates or adding new software packages, to catch any instances of the CVE-2024-3094 backdoor or other vulnerabilities.

    The Binarly Free Scanner is a powerful tool in the fight against the CVE-2024-3094 backdoor, offering a reliable method for detecting and addressing this significant threat. By following these steps and incorporating the examples provided, users can effectively safeguard their systems from potential compromise.

    The accidental discovery of this backdoor by Freund represents a crucial turning point, underscoring the importance of vigilant and proactive security practices within the open-source domain. This incident serves as a stark reminder of the vulnerabilities that can arise in even the most trusted components of the digital infrastructure. It has sparked a renewed debate on the necessity for enhanced security protocols and collaborative efforts to safeguard crucial open-source projects against increasingly sophisticated threats.

    In the aftermath, the open-source community and its stewards are called upon to reassess their security posture, emphasizing the need for comprehensive auditing, transparent communication, and the adoption of robust security measures to prevent future compromises. This incident not only highlights the vulnerabilities inherent in the digital landscape but also the resilience and collaborative spirit of the open-source community in responding to and mitigating such threats.

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

    Tags: LINUX DISTRIBUTION


    Apr 02 2024

    Cloud Active Defense: Open-source cloud protection

    Category: Cloud computing,Open Networkdisc7 @ 9:39 am

    Cloud Active Defense is an open-source solution that integrates decoys into cloud infrastructure. It creates a dilemma for attackers: risk attacking and being detected immediately, or avoid the traps and reduce their effectiveness. Anyone, including small companies, can use it at no cost and start receiving high-signal alerts.

    Where honeypots are good at detecting lateral movement once the initial application has been compromised, Cloud Active Defense brings the deception directly into that initial application.

    “We do this by injecting decoys into HTTP responses. These decoys are invisible to regular users and very tempting to attackers. This creates a situation where attackers must constantly guess: is that a trap or an exploitation path? This guessing slows down the attack operation and can lead attackers to ignore valid attack vectors as they suspect them to be traps. Furthermore, since the application’s replies cannot be 100% trusted anymore, find-tuning your exploit payload becomes painful,” Cédric Hébert, CISO – Innovation at SAP and developer of Cloud Active Defense, told Help Net Security.

    Future plans and download

    “In the short term, we plan to make it easy to ingest the generated alerts to a SIEM system for faster response. We also plan to release code to make it simple to deploy on a Kubernetes cluster, where each application can be configured independently. In the mid-term, we want to work on proposing response strategies: surely, banning the IP address can be an option, but what we envision is, upon detection, to give the possibility to route the active session to a clone of the application where no more harm can be done,” Hebert concluded.

    Cloud Active Defense is available for free on GitHub.

    Must read:

    Deep Dive: Exploring the Real-world Value of Open Source Intelligence

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

    Tags: Cloud Active Defense, Open source


    Apr 01 2024

    Securing privacy in the face of expanding data volumes

    Category: Information Privacydisc7 @ 8:59 am

    One of the primary concerns regarding data privacy is the potential for breaches and unauthorized access. Whether it’s financial records, medical histories, or personal communications, individuals have a right to control who can access their data and for what purposes.

    In this Help Net Security round-up, we present parts of previously recorded videos in which security experts discuss various aspects of data privacy and protection.

    Complete videos

    • Stephen Cavey, Chief Evangelist at Ground Labs, talks about how businesses and job seekers are not only prioritizing data privacy but using it as a competitive advantage in this rivalrous landscape.
    • Dana Morris, SVP Product and Engineering at Virtru, talks about privacy-preserving cryptography.
    • Kris Lahiri, CSO at Egnyte, believes data privacy violations cast a long shadow and takes a closer look at the lasting consequences.
    • Karen Schuler, Global Privacy & Data Protection Chair at BDO, discusses overconfidence in data privacy and data protection practices.
    • Romain Deslorieux, Global Director, Strategic Partnerships at Thales, discusses what companies should be planning based on current regulations and what steps they can take to prepare for the future.

    Latest Titles on Data Privacy

    InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

    Tags: data privacy


    Next Page »