InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Someone at Microsoft has some explaining to do after a messed up DNS record caused emails sent from Hotmail accounts using Microsoft’s Outlook service to be rejected and directed to spam folders starting on Thursday.
Late on Thursday evening, Hotmail users began reporting that some emails were being returned with errors related to Sender Policy Framework (SPF), and thus recipient email services were unable “to confirm that [a] message came from a trusted location.”
SPF, for those unfamiliar with it, is a method of outbound email authentication that helps avoid email spoofing, impersonation and phishing. If, for example, a service like Hotmail were to have one of its subdomains removed from the DNS TXT record that stores its SPF list, then recipient services may assume it’s junk.
And that appears to be just what happened.
Reddit users posting to the Sysadmin subreddit verified they were experiencing SPF issues with Hotmail. One user pulled up Hotmail’s SPF record and found that Redmond had made two changes: removing spf.protection.outlook.com from the record, and changing the SPF failure condition from soft to hard. That meant any suspicious messages from Hotmail should be rejected rather than just sent to spam.
Microsoft support forum advisors confirmed that the issue was known, which was further confirmed by a look at the Office service status page. Per Microsoft: “Some users may receive non-delivery reports when attempting to send emails from hotmail.com.”
At time of writing, the status page indicated that “a recent change to email authentication” was the potential root cause of the outage. Microsoft said it made a configuration change to remediate impact, but shortly after said the problem may have been worse than it appeared at first glance.
“We’ve identified that additional configuration entries are impacted, and we’re implementing further configuration changes to resolve the issue,” Microsoft said. Not long after that was posted, Microsoft indicated configuration changes were complete and the problem was fixed.
Microsoft didn’t respond to our questions about the incident, only saying the issue had been resolved.
testssl.sh is a free command line tool, which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptography flaws on Linux servers, even it runs on macOS too.
It is also available in Kali Linux OS to test TLS/SSL encryption.
Key features
Clear output: you can tell easily whether anything is good or bad.
Machine readable output (CSV, two JSON formats)
No need to install or to configure something. No gems, CPAN, pip or the like.
Works out of the box: Linux, OSX/Darwin, FreeBSD, NetBSD, MSYS2/Cygwin, WSL (bash on Windows). Only OpenBSD needs bash.
A Dockerfile is provided, there’s also an official container build @ dockerhub.
Flexibility: You can test any SSL/TLS enabled and STARTTLS service, not only web servers at port 443.
Toolbox: Several command line options help you to run your test and configure your output.
Reliability: features are tested thoroughly.
Privacy: It’s only you who sees the result, not a third party.
Freedom: It’s 100% open source. You can look at the code, see what’s going on.
The development is open (GitHub) and participation is welcome.
License
This software is free. You can use it under the terms of GPLv2, see LICENSE.
Attribution is important for the future of this project — also in the internet. Thus if you’re offering a scanner based on testssl.sh as a public and/or paid service in the internet you are strongly encouraged to mention to your audience that you’re using this program and where to get this program from. That helps us to get bugfixes, other feedback and more contributions.
Compatibility
Testssl.sh is working on every Linux/BSD distribution out of the box. Latest by 2.9dev most of the limitations of disabled features from the openssl client are gone due to bash-socket-based checks.
As a result you can also use e.g. LibreSSL or OpenSSL >= 1.1.1 . testssl.sh also works on other unixoid systems out of the box, supposed they have /bin/bash >= version 3.2 and standard tools like sed and awk installed. An implicit (silent) check for binaries is done when you start testssl.sh . System V needs probably to have GNU grep installed. MacOS X and Windows (using MSYS2, Cygwin or WSL) work too.
Installation
You can download testssl.sh branch 3.2 just by cloning this git repository:
git clone –depth 1 https://github.com/drwetter/testssl.sh.git 3.2 is now the latest branch which evolved from 3.1dev. It’s in the release candidate phase. For the former stable version help yourself by downloading the ZIP or tar.gz archive. Just cd to the directory created (=INSTALLDIR) and run it off there.
Docker
Testssl.sh has minimal requirements. As stated you don’t have to install or build anything. You can just run it from the pulled/cloned directory. Still if you don’t want to pull the GitHub repo to your directory of choice you can pull a container from dockerhub and run it:
docker run –rm -ti drwetter/testssl.sh <your_cmd_line>
Or if you have cloned this repo you also can just cd to the INSTALLDIR and run
Currently in the release candidate phase for version 3.2. Bigger features will be developed in a separate branch before merged into a 3.3dev to avoid hiccups or inconsistencies.
Version 3.0.X receives bugfixes, labeled as 3.0.1, 3.0.2 and so on. This will happen until 3.2 is released.
Support for 2.9.5 has been dropped. Supported is >= 3.0.x only.
Documentation
See man page in groff, html and markdown format in ~/doc/.
https://testssl.sh/ will help to get you started for TLS/SSL encryption testing.
For the (older) version 2.8, Will Hunt provides a longer description, including useful background information.
Cloud misconfiguration — incorrect control settings applied to both hardware and software elements in the cloud — are threat vectors that amplify the risk of data breaches. A new report from cloud security vendor Qualys, authored by Travis Smith, vice president of the company’s Threat Research Unit lifts the lid on risk factors for three major cloud service providers.
About the report
Smith wrote that Qualys researchers, analyzing misconfiguration issues at Amazon Web Services, Microsoft Azure and Google Cloud Platform, found that within Azure, 99% of the disks are either not encrypted or aren’t using customer-managed keys that give users control of encryption keys that protect data in software as a service applications.
The study, which reviewed encryption, identity and access management and failures to monitor external-facing assets examined risks to unauthorized access due to:
The complexity of cloud environments
Lack of expertise in keeping up with evolving technologies
Insecure settings and permissions caused by human errors
Lack of control and visibility of cloud-resident unencrypted or sensitive data due to the dynamic nature of cloud environments
Smith wrote that the company’s reachers found that 85% of the keys aren’t rotated, meaning automatic key rotation isn’t enabled. Amazon offers automatic key rotation — generating new cryptographic material — on a 365 day cycle for keys.
Qualys also reported that in GCP environments, 97.5% of virtual machine disks for critical virtual machines lack encryption using customer-supplied encryption keys.
Qualys found poor implementation levels of IAM in all three major providers:
Multifactor authentication: AWS isn’t enabled for 44% of IAM users with console passwords. IAM Access Analyzer isn’t enabled in 96% of the accounts scanned by Qualys.
In Azure, scans for enabling authentication and configuring client certificates within Azure App Service fail 97% of the time.
Exposure of external-facing assets from leaky S3 buckets
Qualys noted that a common mistake by users across the three platforms is public exposure of data:
Qualys reported 31% of S3 buckets are publicly accessible.
The misconfiguration of leaving public network access enabled was seen in 75% of the Azure databases.
Center for Internet Security work offers insights to remediation
Recommendations by the firm included reviewing research by the Center for Internet Security including work Qualys participated in: mapping of individual controls to the MITRE ATT&CK tactics and techniques.
Qualys contributed to developing these CIS benchmarks for AWS, Azure and GCP. The benchmarks will help offer some valuable insight and context for defenders to better prioritize the hundreds of hardening controls available in cloud environments.
Qualys also looked at how firms are deploying controls to harden their cloud postures across the three major platforms, noting that privilege escalation (96.03%), initial access (84.97%) and discovery (84.97%) are passing at the highest rates.
Efforts to control attacks early are helping to ameliorate more harmful consequences further along the the kill chain:
Impact passed at only 13.67%
Exfiltration at only 3.70%.
Exploitation of public facing apps passed at only 28.54%.
Exploitation of remote services, at only 17.92%, are failing at high rates.
Resource hijacking is passing at just 22.83%.
Smith wrote that since crypto mining malware is a threat to cloud environments, organizations should consider mitigating such controls to reduce their organizational risk in the cloud.
“The lesson from these data points is that almost every organization needs to better monitor cloud configurations,” said Smith, adding that scans for CIS controls failed 34% of the time for AWS, 57% for Microsoft Azure and 60% for GCP (Figure A).
“Even if you believe your cloud configurations are in order, the data tells us that not regularly confirming status is a risky bet. Scan the configurations often and make sure the settings are correct. It takes just one slip-up to accidentally open your organization’s cloud to attackers,” wrote Smith.
The lack of resources can pose significant risks to security in various contexts, including personal, organizational, and national security. Here are some ways in which a lack of resources can impact security:
Cybersecurity: Inadequate resources for implementing robust cybersecurity measures can make systems and networks vulnerable to cyber threats. Without sufficient investments in cybersecurity tools, training, and personnel, organizations and individuals may become easy targets for cyberattacks, data breaches, and hacking incidents.
Physical Security: Insufficient resources for physical security measures, such as access control systems, surveillance cameras, and security personnel, can lead to vulnerabilities in critical infrastructure, public spaces, and private properties. This could result in increased risks of theft, vandalism, and unauthorized access.
National Security: Nations with limited resources may struggle to maintain a strong defense posture. A lack of funding for military and intelligence agencies can hinder efforts to protect against external threats, terrorism, and cyber warfare, potentially compromising national security.
Emergency Preparedness: When resources are scarce, emergency services and disaster response teams may face challenges in adequately preparing for and responding to crises. This can exacerbate the impact of natural disasters, pandemics, or other emergencies, potentially putting lives and property at risk.
Personal Safety: On an individual level, lack of resources can jeopardize personal safety. For example, individuals living in impoverished or unsafe neighborhoods may not have access to adequate home security systems, leading to increased risks of burglary and assault.
Public Health: In the context of public health, insufficient resources for medical facilities, research, and disease surveillance can hinder efforts to detect and respond to health threats effectively. This was particularly evident during the COVID-19 pandemic when some regions struggled to provide sufficient medical equipment, testing, and healthcare resources.
Information Security: In organizations, a lack of resources for employee training and awareness programs can result in employees being unaware of security best practices. This can lead to accidental data leaks, falling for phishing scams, or other security breaches caused by human error.
To mitigate these risks, it’s crucial for individuals, organizations, and governments to recognize the importance of investing in security measures and resource allocation. Proactive planning and strategic allocation of resources can help strengthen security and reduce vulnerabilities in various domains.
The General Data Protection Regulation (GDPR) has already raised many controversies, and one of the biggest ones is certainly which documents are required. For example, often you see companies who think having a privacy policy and a consent form on their website is enough; however, this is only a small part of the documents that are required to be fully compliant with this new privacy regulation.
Therefore, we created a list of GDPR documentation requirements to help you find all mandatory documents at one place . Please note that the names of the documents are not prescribed by the GDPR, so you may use some other titles; you also have a possibility to merge some of these documents.
Mandatory documents and records required by EU GDPR
Here are the documents that you must have if you want to be fully GDPR compliant:
Privacy Notice (Articles 12, 13, and 14) – this document (which can also be published on your website) explains in simple words how you will process personal data of your customers, website visitors, and others.
Employee Privacy Notice (Articles 12, 13 and 14) – explains how your company is going to process personal data of your employees (which could include health records, criminal records, etc.).
Data Retention Policy (Articles 5, 13, 17, and 30) – describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed.
Data Retention Schedule (Article 30) – lists all of your personal data and describes how long each type of data will be kept.
Parental Consent Form (Article 8) – if the data subject is below the age of 16 years, then a parent needs to provide the consent for processing personal data.
Supplier Data Processing Agreement (Articles 28, 32, and 82) – you need this document to regulate data protection with a processor or any other supplier.
Data Breach Register (Article 33) – this is where you’ll record all of your data breaches. (Hopefully, it will be very short.)
Data Breach Notification Form to the Supervisory Authority (Article 33) – in case you do have a data breach, you’ll need to notify the Supervisory Authority in a formal way.
Data Breach Notification Form to Data Subjects (Article 34) – again, in case of a data breach, you’ll have the unpleasant duty to notify data subjects in a formal way.
Since April, Sudan has been rocked by fighting between two factions of its army. At first, the violence was contained in the capital city, Khartoum, but in recent days fighting has flared up in western Darfur, ground zero for a genocide that started back in 2003 and left hundreds of thousands dead.
Arab militiamen, known as janjaweed, or “devils on horseback,” were able to kill so many in Darfur in such a short time because the area is so remote — there was no one to witness the atrocities or hold the perpetrators to account, so they continued apace.
That’s what makes this latest conflict so different: Technology is allowing third-party observers to document human rights abuses in near real time thanks to, among other things, low-orbit satellites.
Researchers like Nathaniel Raymond, the executive director of Yale’s Humanitarian Research Lab, have been using satellites not just to document the violence, but with the right on-the-ground intelligence, to predict attacks before they happen.
The team recently documented evidence of war crimes in Ukraine with a report that provided both photographic and other proof that Russia was behind the systematic relocation of thousands of children from Ukraine into Russia and Russian-controlled regions of Ukraine.
Now Raymond and the team are working with the U.S. State Department to document human rights abuses in Sudan. It is a bit of a homecoming for them — they pioneered the use of satellite analysis and open-source intelligence in Darfur more than a decade ago and now they are back with better tools and a focus on ending a crisis that is decades in the making.
This conversation has been edited for length and clarity.
This article gives some guidance on how to transition to ISO27001:2022 from the 2013 version.
This approach is tried and tested in that I have used it to successfully transition an organization to the new version. In the transition audit there were no nonconformities.
Insider attacks often catch organizations by surprise because they’re tricky to spot.
Banking on reactive solutions like antivirus software or a patch management solutionto avoid such attacks is not wise.
Understanding what contributes to the increasing number of insider threats and addressing these factors is the only way to secure your enterprise against such attacks.
An insider attack is often defined as an exploit by malicious intruders within an organization.
This type of attack usually targets insecure data. Insider threats might lurk within any company; in some industries, they can account for more than 70% of cyberattacks.
More often than not, insider attacks are neglected. Perhaps this is why they have been on a constant rise.
A survey by CA Technologies in 2018 found that about 90% of organizations feel vulnerable to insider attacks.
Organizations also feel that the data most vulnerable to insider attacks is sensitive personal information (49%), intellectual property (32%), employee data (31%), and privileged account information (52%).
Many insider attacks are associated with excessive access privileges. While it might be unpleasant or inconvenient not to trust employees, organizations must be vigilant.
This can be accomplished by monitoring possible sources of cyberattacks. A big problem is that many companies are unaware of how to identify and combat insider threats.
Questions then arise: Where can you find the best network security tools to gain more knowledge on combating insider attacks? What security standards should you follow to stay within your industry’s security compliance requirements and protect your digital assets better? How do you differentiate between a malicious insider and a non-malicious one?
Insider Threat Warnings That You Should Look Out For
Here are some tell-tale signs you can monitor to avoid an insider attack. Be on the lookout for anyone who:
Downloads large amounts of data on personal portable devices or attempts to access data they don’t normally use for their day-to-day work.
Requests network or data access to resources not required for their job, or searches for and tries to access confidential data.
Emails sensitive information to a personal email account or people outside your organization.
Accesses the network and corporate data outside of regular work hours.
Exhibits negative attitudes or behaviors—for instance, a disgruntled employee leaving the organization.
Ignores security awareness best practices, such as locking screens, not using USBs or external drives, not sharing passwords and user accounts, or does not take cyber threats seriously.
Once you have started monitoring, you can implement security measures to prevent attacks from occurring. We’ve put together a short list of solutions for curbing insider threats.
1. Zero Trust
Zero Trust, a new cybersecurity buzzword, is a holistic approach for tightening network security by identifying and granting access, or “trust”.
No specific tool or software is associated with this approach, but organizations must follow certain principles to stay secure.
More users, applications, and servers and embracing various IoT devices expands your network perimeter.
How do you exert control and reduce your overall attack surface in such cases?
How can you ensure that the right access is granted to each user?
IT security at some organizations reflects the age-old castle-and-moat defense mentality that everything inside an organization’s perimeter should be trusted while everything outside should not.
This concept focuses on trust too much and tends to forget that we might know little about the intentions of those we deem “insiders.”
The remedy is Zero Trust, which revokes excessive access privileges of users and devices without proper identity authentication.
By implementing Zero Trust, you can:
Understand your organization’s access needs.
Decrease risk by monitoring device and user traffic.
Lower the potential for a breach.
Profoundly increase your business’s agility.
2. Privileged access management
Privileged access management (PAM) means extending access rights to trusted individuals within an organization.
A privileged user hasadministrative access to critical systems and applications.
For example, if an IT admin can copy files from your PC to a memory stick, they are said to be privileged to access sensitive data within your network.
This also applies to accessing data via physical devices, logging in, and using different applications and accounts associated with the organization.
A privileged user with malicious intent might hijack files and demand your organization pay a ransom.
PAM takes some effort, but you can start simple. For instance, you can remove an employee’s access to the data associated with their previous role.
Consider an employee moving from finance to sales. In this case, the rights to access critical financial data must be revoked because we do not want to risk the organization’s financial security.
By implementing PAM, you can:
Make dealing with third-party devices and users safer and more accessible.
Protect your password and other sensitive credentials from falling into the wrong hands.
Eliminate excess devices and users with access to sensitive data.
Manage emergency access if and when required.
3. Mandatory Security Training for Existing & New Employees
Not all insider attacks are intentional; some happen because of negligence or lack of awareness.
Organizations should make it mandatory for all their employees to undergo basic security and privacy awareness training sessions regularly.
Employees can also be quizzed on these sessions to make the training more effective.
Ensuring employees are acquainted with the cost consequences that negligence can cause the organization can help prevent unintentional insider threats significantly.
With so much to lose, it’s a wonder more companies aren’t taking steps to reduce their chance of suffering from an insider attack.
As mentioned earlier, no particular software or tool is behind the security approaches mentioned above.
Rather, your organization must address these aspects while developing a homegrown security solution or utilizing a similar service or product from a vendor.
By doing so, you can protect your organization from bad actors within or outside of your organization.
However, to specifically tackle the threat posed by insiders who regularly misuse their access credentials or bring malicious plug-and-play devices to work, we recommend looking into other security protocols, such as identity and access management and user behavior analytics, to prevent internal security mishaps.
Predicting Insider Attacks: Using Machine Learning & Artificial Intelligence Algorithms
Today, API security company Salt Security announced it is now an Amazon Web Service (AWS) Web Application Firewall (WAF) Ready Partner. This service helps customers discover Partner solutions validated by AWS Partner Network (APN) Solutions Architects that integrate with AWS WAF to accelerate adoption of an enhanced and holistic security approach. AWS WAF is available to all AWS customers and all AWS Regions and can be deployed directly from the AWS console.
This partnership differentiates Salt Security as an APN member with a product that works with AWS WAF and is generally available for AWS customers. AWS WAF Ready Partners help customers quickly identify easy-to-deploy solutions that can help detect, mitigate, and analyse some of the most common internet threats and vulnerabilities.
Today, businesses of all shapes and sizes are focused on ensuring that websites and applications are protected from external threats that can lead to a loss of revenue, loss of customer trust, and loss of brand reputation. Implementing a WAF can be a challenging task that requires deep security experience that can be expensive and hard to find in-house. AWS WAF Ready Partners offer customers a simpler solution to deploying and maintaining their application layer security solution through easy-to-deploy solutions in order to detect, mitigate, and analyze some of the most common internet threats and vulnerabilities.
Gilad Barzilay, head of business development, Salt Security said: “As an AWS Software Path Partner and member of AWS ISV Accelerate Program, Salt is proud to expand our existing relationship with AWS by becoming an AWS WAF Ready Partner. Many of our customers rely on Salt to secure their APIs on AWS. By achieving these designations, we make it easier and faster for businesses to protect the APIs running on their AWS environments. Our customers benefit from our unique cloud-scale API data lake architecture, which applies AI and ML for API discovery and threat protection.”
“Deploying the Salt platform took almost no effort,” said Jason Weitzman, senior application security engineer at Xolv Technology Solutions. “It integrated quickly with our existing Cloudflare, AWS, Jira and other systems. It also started identifying errors and delivering insights on how to craft better APIs within minutes.”
The Salt platform deploys out of band, to avoid any interference with application performance or availability. The Salt platform pairs with AWS WAF as an API traffic collection point and to block detected attackers. To support the seamless integration and deployment of solutions such as the Salt platform, AWS established the AWS Service Ready Program. The program helps customers identify solutions integrated with AWS services and spend less time evaluating new tools, and more time scaling their use of solutions that are integrated with AWS services.
APIs are a hot topic among cybersecurity professionals and C-suites at the moment due to their increasingly vital business roles. Earlier this year Salt released a new API report that showed a 400% Increase in Attackers, demonstrating the prevalence.
BLACK HAT ASIA Threat groups have infected millions of Androids worldwide with malicious firmware before the devices have even been shipped from their manufacturers, according to Trend Micro researchers at Black Hat Asia.
The mainly mobile devices, but also smartwatches, TVs and more, have their manufacturing outsourced to an original equipment manufacturer (OEM), a process the researchers say makes them easily infiltrated.
“What is the easiest way to infect millions of devices?” posed senior threat researcher Fyodor Yarochkin, speaking alongside colleague Zhengyu Dong.
He compared infiltrating devices at such an early stage of their life cycle to a tree absorbing liquid: you put the infection at the root, and it gets distributed everywhere, out to every single limb and leaf.
The malware installation technique began as the price of mobile phone firmware dropped. Competition between firmware distributors became so furious that eventually the providers could not charge money for their product.
“But of course there’s no free stuff,” said Yarochkin, who explained that the firmware started to come with an undesirable feature – silent plugins. The team manually analyzed dozens of firmware images looking for malicious software. They found over 80 different plugins, although many of those were not widely distributed.
The plugins that were the most impactful were those that had built a business model around them and were selling underground services, marketing them out in the open on places like Facebook, in blog posts, and on YouTube.
The objective of the malware is to steal info or make money from information collected or delivered.
The malware turns the devices into proxies which are used to steal and sell SMS messages, social media and online messaging accounts, and used as monetization opportunities via adverts and click fraud.
One type of plugin, proxy plugins, allow the criminal to rent out devices for up to around five minutes at a time. For example, those renting the control of the device could acquire data on keystrokes, geographical location, IP address and more.
“The user of the proxy will be able to use someone else’s phone for a period of 1200 seconds as an exit node,” said Yarochkin. He also said the team found a Facebook cookie plugin that was used to harvest activity from the Facebook app.
Through telemetry data, the researchers estimated that at least millions of infected devices exist globally, but are centralized in Southeast Asia and Eastern Europe. A statistic self-reported by the criminals themselves, said the researchers, was around 8.9 million.
As for where the threats are coming from, the duo wouldn’t say specifically, although the word “China” showed up multiple times in the presentation, including in an origin story related to the development of the dodgy firmware. Yarochkin said the audience should consider where most of the world’s OEMs are located and make their own deductions.
“Even though we possibly might know the people who build the infrastructure for this business, its difficult to pinpoint how exactly the this infection gets put into this mobile phone because we don’t know for sure at what moment it got into the supply chain,“ said Yarochkin.
The team confirmed the malware was found in the phones of at least 10 different vendors, but that there was possibly around 40 more affected. For those seeking to avoid infected mobile phones, they could go some way of protecting themselves by going high end.
“Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said Yarochkin. ®
Trading or investing in cryptocurrencies can be highly lucrative. But the extreme price movements often discourage beginners to buy cryptocurrencies. However, with a carefully charted risk management plan, it is possible to make gains and minimize losses.
Here are the 7 golden rules of risk management for cryptocurrency traders
Diversify your portfolio
One of the effective risk management strategies for a cryptocurrency trader is to diversify your portfolio. You must ensure that you put only some of the investments in a few carefully chosen cryptocurrencies, instead of putting all your money in just one. For instance, you might consider buying Kusama along with Bitcoin or Ethereum, after checking the Kusama Priceon that day.
Set up your stop-loss orders
A stop-loss order, in simple terms, is a preset order that will sell a part or all of the holdings automatically if the cryptocurrency price drops to some extent. It works like a safety net that helps in minimizing the loss for you, provided the market moves against you. When you set stop loss orders, you can reduce the losses and protect the investments. You need to put stop-loss orders at the proper levels.
Use the proper position sizing
Position sizing plays a crucial role in risk management. Regarding position sizing, you need to allocate some specific trade amount in your portfolio. You have to use the correct position size to manage the risk well. You need to ensure that you do not take a lot of trouble on a single trade, as it can lead to a lot of losses. In simple terms, you need to raise only one to 2% of the complete portfolio on one trade, so even if there is a loss, it will not impact your portfolio to a great extent.
Set only realistic profit goals
When you have a clear profit goal at the back of your mind, you can manage risk to a great extent. You need to ensure realistic profit goals depending on the market trends and technical analysis. Avoid getting greedy when you are in the grade you set unrealistic high profits, which can lead to risky trading decisions. You have to ensure that you are disciplined, stick to the profit target, and lock in the gain at the right time.
Do your own research (DYOR)
Information and market sentiment play a crucial role in the cryptocurrency market, so you must have all the information regarding the trade and prices. When you have the correct information on the latest developments and news, you can trade well. To have the correct information, you must do some research on all the cryptocurrencies that you are trading, like the technology market capitalization trading volume and historical price performance.
Consider using leverage with care
Leverage makes it very easy for you to trade with a considerable capital amount, and it is eventually more than what you have. Leverage is both a boon and, of course, it can lead to huge profits and losses at the same time.
Even though leverage can help in improving your potential income, it can also increase the risk of losses to a great extent. You need to use leverage with a lot of care and thoroughly understand all the risks involved before you consider implementing it in your strategy.
Lastly, you need to ensure that you keep your leverage high and have the right stop-loss orders whenever you are trading with leverage. This will help you in managing your risk well.
Manage your emotions
Emotions like fear or greed can have a significant impact on your decision-making process, and they can also lead to impulsive trading decisions. This can lead to risks unnecessarily, so it is essential for you to keep a check on your emotions and maintain a rational approach while you are trading. You need to ensure that you avoid making any impulsive decisions based on fear or greed and stick to your risk management plan. It is OK to take a step back and reconsider your emotions when you feel that your emotions are taking over.
In short, risk management is a critical element of cryptocurrency trading, considering the volatile nature of the market. When you follow these rules for risk management, you can indeed reduce your potential losses.
Abu Dhabi and Dubai have have been ranked as the smartest cities in the Middle East and North Africa region.in the ‘Smart City Index 2021’. The index, by the Institute for Management Development (IMD), in collaboration with Singapore University for Technology and Design (SUTD) surveys residents in ranked cities to assess smart infrastructure and services covering health and safety, mobility, activities, opportunities, and governance.
What is a smart sustainable city?
According to ITU, a smart sustainable city is an innovative city that uses information and communication technologies (ICTs) and other means to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring that it meets the needs of present and future generations with respect to economic, social and environmental aspects.
In 2016, the ITU, the United Nations Economic Commission for Europe (UNECE) and the UN Habitat launched the initiative ‘United for Smart Sustainable Cities’ (U4SSC). The U4SSC developed a set of key performance indicators (KPIs) for Smart Sustainable Cities (SSC) to establish the criteria to evaluate the contribution of ICT in making cities smarter and more sustainable, and to provide cities with the means for self-assessments in order to achieve the sustainable development goals (SDGs).
The State of Play of Sustainable Cities and Buildings in the Arab Region-2017
The State of Play of Sustainable Cities and Buildings in the Arab Region Report (PDF 26.19 MB) is a compilation of the main public policies, programmes, case studies, organisations and initiatives associated with sustainable city and building practices in twelve countries in the Arab region. Read about the UAE’s current situation with respect to sustainable cities from pages 79 to 86.
The UAE Government aims to ensure sustainable development while preserving the environment and to achieve a perfect balance between economic and social development. Abu Dhabi and Dubai are planning and developing several smart sustainable cities.
Smart city index
For the second year in a row, Abu Dhabi and Dubai have been ranked as the smartest cities in the Middle East and North Africa region, as per the Smart City Index 2021.
While Abu Dhabi is ranked 28, Dubai is closely behind at 29, out of 118 cities. Compared to 2020, both the emirates climbed up 14 places globally.
Security researchers discovered a new malicious browser extension called Rilide, that targets Chromium-based products like Google Chrome, Brave, Opera, and Microsoft Edge.
The malware is designed to monitor browser activity, take screenshots, and steal cryptocurrency through scripts injected in web pages.
Researchers at Trustwave SpiderLabs found that Rilide mimicked benign Google Drive extensions to hide in plain sight while abusing built-in Chrome functionalities.
The cybersecurity company detected two separate campaigns that distributed Rilide. One was using Google Ads and Aurora Stealer to load the extension using a Rust loader. The other one distributed the malicious extension using the Ekipa remote access trojan (RAT).
Two campaigns pushing Rilide(Trustwave)
While the origin of the malware is unknown, Trustwave reports that it has overlaps with similar extensions sold to cybercriminals. At the same time, portions of its code were recently leaked on an underground forum due to a dispute between cybercriminals over unresolved payment.
A parasite in the browser
Rilide’s loader modifies the web browser shortcut files to automate the execution of the malicious extension that is dropped on the compromised system.
Malicious extension on Edge(Trustwave)
If there’s a match, the extension loads additional scripts injected into the webpage to steal from the victim information related to cryptocurrencies, email account credentials, etc.
The extension also disables ‘Content Security Policy,’ a security feature designed to protect against cross-site scripting (XSS) attacks, to freely load external resources that the browser would normally block.
In addition to the above, the extension regularly exfiltrates browsing history and can also capture screenshots and send them to the C2.
Rilide’s capabilities graph(Trustwave)
Bypassing two-factor authentication
An interesting feature in Rilide is its 2FA-bypassing system, which uses forged dialogs to deceive victims into entering their temporary codes.
The system is activated when the victim initiates a cryptocurrency withdrawal request to an exchange service that Rilide targets. The malware jumps in at the right moment to inject the script in the background and process the request automatically.
Once the user enters their code on the fake dialog, Rilide uses it to complete the withdrawal process to the threat actor’s wallet address.
“Email confirmations are also replaced on the fly if the user enters the mailbox using the same web browser,” explains Turstwave in the report.
“The withdrawal request email is replaced with a device authorization request tricking the user into providing the authorization code.”
Replacing the legitimate email (right) while extracting the 2FA code(Trustwave)
Rilide showcases the growing sophistication of malicious browser extensions that now come with live monitoring and automated money-stealing systems.
While the roll-out of Manifest v3 on all Chromium-based browsers will improve resistance against malicious extensions, Trustwave comments that it won’t eliminate the problem.
