Mar 21 2021

Dirt Cheap DDoS for Hire, via D/TLS Amplification

Category: DDoS, Information Security | DISC @ 10:33 pm

A new way of sending powerful denial of service traffic emerged this week. Malefactors are now misusing servers that talk Datagram Transport Layer Security (D/TLS).

Typified by Cisco’s Netscaler ADC product, before a patch was released in January, some D/TLS servers don’t check for forged requests. That allows scrotes to misuse these high-bandwidth servers to deny internet service to people they want to extort money from.

This possibly includes Sony, whose LittleBigPlanet service has been AWOL for a week. In today’s SB Blogwatch, we ask the question.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: But is it art?

Dirty Deeds: DDoS D/TLS

What’s the craic? Dan Goodin reports in—“~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet”:

 DDoSes are attacks that flood a website or server with more data than it can handle. The result is a denial of service to people trying to connect to the service. As DDoS-mitigation services develop protections … the criminals respond with new ways to make the most of their limited bandwidth.

In so-called amplification attacks, DDoSers send requests of relatively small data sizes to certain types of intermediary servers. … DDoS-for-hire services [are] adopting a new amplification vector … D/TLS, which (as its name suggests) is essentially the Transport Layer Security for UDP data packets.

The biggest D/TLS-based attacks Netscout has observed delivered about 45 Gbps of traffic. The people responsible for the attack combined it with other amplification vectors to achieve a combined size of about 207 Gbps.

Abusable D/TLS servers are the result of misconfigurations or outdated software that causes an anti-spoofing mechanism to be disabled. While the mechanism is built in to the D/TLS specification, hardware including the Citrix Netscaler Application Delivery Controller didn’t always turn it on by default.
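The anti-spoofing mechanism the article refers to is the stateless cookie exchange in the DTLS specification: a server that has not yet verified a client's address answers a bare ClientHello only with a small HelloVerifyRequest carrying a cookie, and sends its large first flight (ServerHello, Certificate and so on) only once the client echoes that cookie back. The following Python model is an added illustration, not code from the article, Netscout or any D/TLS implementation; the message sizes are constructed assumptions (a real server flight depends on the certificate chain), and the class and function names are invented for the example. It shows why a server with the cookie check disabled becomes an amplifier while a compliant one does not: a sender that forges the victim's source address never sees the cookie, so it can only ever send cookie-less ClientHellos.

```python
import hashlib
import hmac
import secrets

# Constructed, approximate message sizes in bytes (assumptions, not measurements).
CLIENT_HELLO_BYTES = 200
HELLO_VERIFY_REQUEST_BYTES = 60
SERVER_FIRST_FLIGHT_BYTES = 4000


class DtlsServerModel:
    """Toy model of how a DTLS server reacts to a ClientHello.

    verify_cookies=True follows the specification: an unverified address only
    earns a small, stateless HelloVerifyRequest. verify_cookies=False models a
    server on which the mechanism is disabled and every ClientHello gets the
    full first flight.
    """

    def __init__(self, verify_cookies=True):
        self.verify_cookies = verify_cookies
        self._secret = secrets.token_bytes(32)  # rotated periodically in practice

    def _cookie_for(self, src_ip, src_port):
        # Stateless cookie: keyed hash over the claimed source address, so the
        # server stores nothing per client before the address is proven.
        msg = f"{src_ip}:{src_port}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def handle_client_hello(self, src_ip, src_port, cookie=b""):
        """Return (reply_name, reply_bytes, cookie_in_reply_or_None)."""
        if not self.verify_cookies:
            return ("ServerHello+Certificate", SERVER_FIRST_FLIGHT_BYTES, None)
        expected = self._cookie_for(src_ip, src_port)
        if cookie and hmac.compare_digest(cookie, expected):
            return ("ServerHello+Certificate", SERVER_FIRST_FLIGHT_BYTES, None)
        return ("HelloVerifyRequest", HELLO_VERIFY_REQUEST_BYTES, expected)


def legitimate_handshake(server, ip="192.0.2.10", port=40000):
    """A client that really owns its address receives the cookie and echoes it."""
    name1, _, cookie = server.handle_client_hello(ip, port)
    if cookie is None:                  # cookie check disabled: flight already sent
        return [name1]
    name2, _, _ = server.handle_client_hello(ip, port, cookie=cookie)
    return [name1, name2]


def spoofed_amplification(server, victim_ip="203.0.113.5", victim_port=443):
    """Bytes delivered to the victim per byte the spoofing sender emits.

    The sender forges the victim's address as source, so every reply
    (including the cookie) goes to the victim and the sender can only ever
    send cookie-less ClientHellos.
    """
    _, reply_bytes, _ = server.handle_client_hello(victim_ip, victim_port)
    return reply_bytes / CLIENT_HELLO_BYTES


def cookie_bound_to_address(server):
    """A cookie issued for one address must not unlock the flight for another."""
    _, _, cookie = server.handle_client_hello("192.0.2.10", 40000)
    name, _, _ = server.handle_client_hello("192.0.2.99", 40000, cookie=cookie)
    return name == "HelloVerifyRequest"


if __name__ == "__main__":
    for enabled in (True, False):
        s = DtlsServerModel(verify_cookies=enabled)
        print(f"cookie verification {'on ' if enabled else 'off'}: "
              f"amplification x{spoofed_amplification(s):.1f}, "
              f"legitimate flow {legitimate_handshake(s)}")
```

The practical check this models: a correctly configured DTLS endpoint answers a first ClientHello with a reply no larger than the request, so a device whose response to a bare ClientHello is a full ServerHello flight is one to patch or reconfigure before someone else finds it.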

Dirt Cheap DDoS for Hire, via D/TLS Amplification

Tags: DDoS D/TLS


Mar 21 2021

Ransomware Payments Jumped 171% In 2020: Report

Category: Information Security, Ransomware | DISC @ 10:25 am

A new report has emerged stating that average ransomware payments jumped by more than 171% in 2020, suggesting that cybercriminals have benefitted from an extremely lucrative period throughout the pandemic. 

The numbers come from Palo Alto Networks, who noted a 171% increase in ransomware payments from organisations and individuals that had been hit by the malicious software.

In essence, malicious software like ransomware takes control of a user’s computer, and encrypts the data. This encryption leaves the data on that device locked up, and can only be made accessible again once a password – or decryption tool – is offered by the hacker in question. 

Hackers are happy to make these tools available to their victims, so long as they pay a price. 

According to the report in question, that price has been skyrocketing as cybercriminals look to exploit those impacted by ransomware software that often have sensitive private and corporate information stored on their device. 

That report was published recently after analysing more than 19,000 network sessions, data from more than 250 ransomware leak websites and thanks to information provided by 337 organisations that had been hit by a ransomware attack. 

The Ransomware Threat Report 2021 states that, on average, ransoms paid by victims to hackers increased from USD $115,123 to more than $312,000 in 2020.

Authors of the report say that they noted the largest ransomware payment paid to hackers had also doubled, from $5 million to more than $10 million. 

Ransomware Payments Jumped 171% In 2020: Report


Mar 19 2021

Serious Security: Mac “XcodeSpy” backdoor takes aim at Xcode devs

Category: App Security, Backdoor, Information Security | DISC @ 10:11 am

Remember XcodeGhost?

It was a pirated and malware-tainted version of Apple’s Xcode development app that worked in a devious way.

You may be wondering, as we did back in 2015, why anyone would download and use a pirated version of Xcode.app when the official version is available as a free download anyway.

Nevertheless, this redistributed version of Xcode seems to have been popular in China at the time – perhaps simply because it was easier to acquire the “product”, which is a multi-gigabyte download, directly from fast servers inside China.

The hacked version of Xcode would add malware into iOS apps when they were compiled on an infected system, without infecting the source code of the app itself.

The implanted malware was buried in places that looked like Apple-supplied library code, with the result that Apple let many of these booby-trapped apps into the App Store, presumably because the components compiled from the vendor’s own source code were fine.

As we said at the time, “developers with sloppy security practices, such as using illegally-acquired software of unvetted origin for production builds, turned into iOS malware generation factories for the crooks behind XcodeGhost.”

As you probably know, this sort of security problem is now commonly known as a supply chain attack, in which a product or service that you assumed you could trust turned out to have had malware inserted along the way.

Meet “XcodeSpy”

Tags: Xcode devs, XcodeSpy


Mar 17 2021

Hackable: How to Do Application Security Right

Category: Hacking, Information Security | DISC @ 11:00 pm

If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk too.

Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, you may be uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or maybe you think you do know, but don’t realize what you’re doing wrong.

To defend against attackers, you must think like them. As a leader of ethical hackers, Ted Harrington helps the world’s foremost companies secure their technology. Hackable teaches you exactly how. You’ll learn how to eradicate security vulnerabilities, establish a threat model, and build security into the development process. You’ll build better, more secure products. You’ll gain a competitive edge, earn trust, and win sales.

Hackable: How to Do Application Security Right

Tags: Hackable


Mar 16 2021

Magecart hackers hide captured credit card data in JPG file

Category: Information Security | DISC @ 11:46 am

Crooks devised a new method to hide credit card data siphoned from compromised e-stores, experts observed hackers hiding data in JPG files.

Cybercriminals have devised a new method to hide credit card data siphoned from compromised online stores, experts from Sucuri observed Magecart hackers hiding data in JPG files to avoid detection and storing them on the infected site.

The new exfiltration technique was uncovered while investigating a Magecart attack against an e-store running the e-commerce CMS Magento 2.

“A recent investigation for a compromised Magento 2 website revealed a malicious injection that was capturing POST request data from site visitors. Located on the checkout page, it was found to encode captured data before saving it to a .JPG file.” reads the post published by Sucuri.

The researchers discovered PHP code injected into the file ./vendor/magento/module-customer/Model/Session.php. The attackers use the getAuthenticates function to load the rest of the malicious code onto the compromised environment.

The code stored the siphoned data in the image file “pub/media/tmp/design/file/default_luma_logo.jpg”; in this way it is easy to hide, access, and download the stolen information without raising suspicion.

The PHP code injected into the site leverages the Magento function getPostValue to capture the POST data within the checkout page, then the captured POST data is encoded with base64 before the PHP operator ^ is used to XOR the stolen data.

“To successfully capture the POST data, the PHP code needs to use the Magento code framework. It relies on the Magento function getPostValue to capture the checkout page data within the Customer_ POST parameter.” continues the post.

“Using the Magento function isLoggedIn, the PHP code also checks whether the victim that sent the POST request data is logged in as a user. If they do happen to be logged in, it captures the user’s email address.”

The Customer_ parameter contains almost all of the information submitted by the victim on the checkout page, including full names and addresses, payment card details, telephone numbers, and user agent details.

Sucuri experts pointed out that captured data could be used for credit card fraud, spam campaigns, or spear-phishing attacks.

“Bad actors are always actively searching for new methods to prevent any detection of their malicious behavior on compromised websites.” concludes the post. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit card details for future use without gaining too much attention from the website owner.”
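The technique relies on two things a site owner can check for: a file under the media tree that carries an image extension but is not an image (the encoded harvest store), and PHP in the application code that writes to an image-named path. The scanner below is an added example written for this post, not Sucuri's tooling or any Magento code; the function names are invented, the sample tree in demo() is constructed here, and only the file path default_luma_logo.jpg and the Session.php location are taken from the article. It flags image-named files whose bytes lack the image signature (distinguishing pure base64 text from other non-image content) and PHP source that writes to a .jpg/.png/.gif path.

```python
import base64
import os
import re
import tempfile

# Magic bytes for image types commonly kept under a Magento pub/media tree.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Whole body restricted to the base64 alphabet (plus line breaks); no real image matches.
_BASE64_RE = re.compile(rb"\A[A-Za-z0-9+/=\r\n]+\Z")
# PHP that opens or writes a file whose name ends in an image extension.
_PHP_WRITES_IMAGE_RE = re.compile(
    rb"(file_put_contents|fopen|fwrite)\s*\([^;]*?\.(jpe?g|png|gif)['\"]", re.I)


def classify_image_file(path, data):
    """Return None for a plausible image, otherwise a short reason string."""
    ext = os.path.splitext(path)[1].lower()
    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        return None                       # not image-named: out of scope here
    if any(data.startswith(s) for s in sigs):
        return None
    if not data:
        return "empty file with image extension"
    if _BASE64_RE.match(data):
        return "image extension but body is base64 text"
    return "image extension but no image signature"


def php_writes_to_image_path(php_source):
    """True when the PHP source writes to a path ending in an image extension."""
    return _PHP_WRITES_IMAGE_RE.search(php_source) is not None


def scan_tree(root):
    """Return sorted [(relative_path, reason)] for suspicious files under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(8192)       # signature and encoding are visible early
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = classify_image_file(full, head)
            if reason is None and name.endswith(".php") and php_writes_to_image_path(head):
                reason = "PHP writes to an image-named file"
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Build a constructed sample tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        media = os.path.join(root, "pub", "media", "tmp", "design", "file")
        os.makedirs(media)
        # Constructed genuine JPEG: correct signature followed by filler bytes.
        with open(os.path.join(media, "real_logo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        # Constructed fake JPEG holding base64 text, as the article describes.
        with open(os.path.join(media, "default_luma_logo.jpg"), "wb") as fh:
            fh.write(base64.b64encode(b"constructed sample payload"))
        # Constructed fake JPEG holding arbitrary non-image bytes (e.g. XORed data).
        with open(os.path.join(media, "cache.jpg"), "wb") as fh:
            fh.write(bytes(range(32, 96)))
        # Constructed PHP snippet; only the target path string comes from the article.
        php_dir = os.path.join(root, "vendor", "magento", "module-customer", "Model")
        os.makedirs(php_dir)
        with open(os.path.join(php_dir, "Session.php"), "wb") as fh:
            fh.write(b"<?php\n// constructed sample\n"
                     b"file_put_contents('pub/media/tmp/design/file/"
                     b"default_luma_logo.jpg', $x);\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against a Magento document root in place of the temporary tree; on a clean install the scan should come back empty, and anything it reports under pub/media or vendor/ deserves a look against the file integrity records from the last deployment.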

Source: Magecart hackers hide captured credit card data in JPG file

Codes, Ciphers, Steganography & Secret Messages


Mar 15 2021

Forget Covid, The Global Elites are Now Warning us About a Cyber Pandemic

Category: Information Security | DISC @ 10:15 pm


The exercise/event is called “Cyber Polygon” and it will take place this July. It is being sponsored by the WEF (World Economic Forum) and this is what they will focus on during the simulated cyber attack. This is from their website.

“Cyber Polygon 2021 will draw together leading global experts to discuss the key risks posed by digitalisation and share best practices in developing secure ecosystems. During the technical exercise, the participants will practise mitigating a targeted supply chain attack on a corporate ecosystem.”

Also from Technocracy news: Last year, the World Economic Forum teamed up with the Russian government and global banks to run a high-profile cyberattack simulation that targeted the financial industry, an actual event that would pave the way for a “reset” of the global economy. The simulation, named Cyber Polygon, may have been more than a typical planning exercise and bears similarities to the WEF-sponsored pandemic simulation Event 201 that briefly preceded the COVID-19 crisis.

Main Article


Mar 13 2021

Developing a Strong Security Posture in the Era of Remote Work

Tags: Remote work


Mar 11 2021

Getting your application security program off the ground

Category: App Security, Information Security | DISC @ 1:01 pm

“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems, told Help Net Security.

“The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.”

In addition to that, modern applications and tech stacks are evolving and becoming increasingly complex – applications integrate more external dependencies and are becoming very interconnected through API calls. The increased complexity significantly increases the chance of security issues.

“SAST scan results are massive, with very little insight into prioritizing fixes for critical or exploitable vulnerabilities. DAST rarely brings desired results without additional steps; the out of the box crawlers can rarely traverse the modern web applications,” he explained.

“This leaves glaring gaps in the security of deployment pipelines, security defects on the architecture level and third party/open source dependencies checks.”

Getting your application security program off the ground

Tags: application security program


Mar 11 2021

Hackers stole data from Norway parliament exploiting Microsoft Exchange flaws

Category: Data Breach, Information Security | DISC @ 9:15 am

Hackers attack Norwegian parliament - BBC News

On March 2nd, Microsoft released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild.

The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to get into on-premises Exchange servers, access email accounts, and install backdoors to maintain access to victim environments. According to Microsoft, the Hafnium APT exploited these vulnerabilities in targeted attacks against US organizations.

“The Storting has again been hit by an IT attack. The attack is linked to vulnerabilities in Microsoft Exchange, which affected several businesses.” reads a statement issued by the Storting.

“The Storting does not yet know the full extent of the attack. A number of measures have been implemented in our systems, and the analysis work is ongoing. The Storting has received confirmation that data has been extracted,”

Storting director Marianne Andreassen confirmed the data breach.

“We know that data has been extracted, but we do not yet have a full overview of the situation. We have implemented comprehensive measures and cannot rule out that it will be implemented further.” said Andreassen.

“The work takes place in collaboration with the security authorities. The situation is currently unclear, and we do not know the full potential for damage.” 

This isn’t the first time that the Storting has been hit by a cyber attack: in August 2020 the authorities announced that Norway’s Parliament was the target of a major attack that allowed hackers to access emails and data of a small number of parliamentary representatives and employees. Norway’s government blamed Russia for the cyberattack.

Tags: Microsoft Exchange flaws, Norway parliament


Mar 09 2021

How a push to remote work could help fix cybersecurity’s diversity problem

When Rinki Sethi heard that her 7th grade daughter applied to take a technology innovation class as an elective, she was thrilled. Sethi, who joined Twitter in September as its chief information security officer, said one of her passions is getting more young women interested in technology.

But when her daughter found out that she didn’t get into the class, Sethi discovered a troubling statistic: 18 slots for the class went to boys, while only 9 were filled by girls. “I went and sat down with the principal and asked: ‘Why are we turning down girls if that’s what the ratio looks like?’” Sethi recounted Monday at a virtual panel centered around women in cybersecurity. “We need more women to enter this field, and I think that’s the biggest problem—how do we get more women and girls interested.” 

Source: How a push to remote work could help fix cybersecurity’s diversity problem

Tags: cybersecurity’s diversity


Mar 08 2021

Starting your cybersecurity career path: What you need to know to be successful

A comprehensive guide to getting started in cybersecurity

Tags: Cybersecurity Career


Mar 04 2021

Distance Learning Training Courses

Category: Information Security, Security training | DISC @ 11:25 am

Online Training - ISA

Get 50% Off Our ITIL Distance Learning Training Course

ITIL qualifications are in high demand! We’re currently offering 50% off our ITIL 4 Foundation distance learning training course with promo code ITIL50. https://tidd.ly/3eb99n8

Get 30% Off Distance Learning Training Courses

ITG distance learning courses let you train at a time and place that suits you! We’re currently offering 30% off all our distance learning training courses with promo code DL30. https://tidd.ly/3sNintQ

Get 20% Off Our Live-Online Training Courses

Train from home or the office with 20% off our Live-Online training courses with promo code ONLINE20. https://tidd.ly/3rhitcT

Get 15% Off Our Toolkits

Speed up your implementation and compliance projects with 15% off all our toolkits with promo code Toolkit15. https://tidd.ly/3uUB0Op

Tags: Distance Learning Training Courses


Mar 02 2021

Cybersecurity Best Practices for 2021

Category: cyber security, Information Security | DISC @ 2:02 pm

CYBERSECURITY: It’s not just a good idea. Register to learn more.

Tags: Cyber Security Webinar


Mar 01 2021

Cybersecurity Best Practices for 2021

Category: Information Security | DISC @ 6:50 pm

A CTO guide: Cyber security best practice tips - Information Age

CYBERSECURITY: It’s not just a good idea. Register to learn more.

Please join Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, CISO Sharevault from the safety of your desk on Thursday, March 4th at 9am PST as our experts explore this ongoing threat and offer best practices for mitigation.

If cybersecurity is part of your strategic plan for 2021, and it should be, then you might want to check out the National Cybersecurity Society (NCSS).

The National Cybersecurity Society is a community of participating technology professionals focused on helping small businesses stay safe online. The NCSS is a non-profit organization that provides cybersecurity education, awareness and advocacy to its small businesses members, specifically cybersecurity education tailored to the needs of the small business owner. The NCSS assists its small business members in assessing their cybersecurity risk, distributes threat information to members so that they will be more knowledgeable about the threats facing their business, and provides advice on the type of services needed to stay safe online. You know cybersecurity is important, but where do you start? What organizational assets do you need to protect? Is it only your IT assets? Is it your IP?

The NCSS website provides several helpful guides to get you started on your cybersecurity journey. At the top of the list is simply understanding and identifying what is vital to protect. It starts with employing a Risk Assessment Methodology. This involves identifying your organizational assets (people, information, technology, facilities) and assigning responsibility for those assets in order to protect them appropriately.

Once organizational assets are defined, the next step is to define the relationship between those assets and the high-value services they support. This requires a process that examines and validates this relationship through periodic reviews. Lastly, it requires your organization to maintain and sustain an inventory of these assets and high-value services. It’s important to keep this information up to date and modified when circumstances or events change.

STEP 1: INVENTORY

Create an inventory of your people – not just your employees, but your suppliers and partners, the data you need to run your business, the technology assets you need (computers, servers – the entire infrastructure), and the facilities needed to house and operate your business.

STEP 2: HIGH-VALUE SERVICES

Create a list of high-value services that keep your business functioning – logistics, financial, service delivery, assembly, manufacturing. Define what are the key services you need – those services that if lost, delayed or compromised would impact your business.

STEP 3: MAPPING

Create a mapping of people, data, technology and facilities to the high-value services they support. Define the relationship between these assets and the high-value services. Validate the relationship through periodic reviews. As an example, if the supplier for your medical equipment changes, and this supplier has been identified as key personnel, have you updated your mapping relationships? Did you review the contract with the new medical supplier to determine if anything has changed that would affect your service delivery? Leveraging your people to take responsibility for certain high-value services and keeping the critical information current is key to protecting your assets.

STEP 4: INVENTORY PLAN

A plan is only useful if it is kept current and up-to-date. Schedule an annual inventory and mapping exercise to ensure that the protection mechanisms you employ support valid assets. A good rule of thumb: Once a year.

STEP 5: CONTINUITY PLAN

A sound business strategy includes continuity plans. For all your high-value services that depend on critical people, data, technology and facilities, you will need a contingency plan in place in the event any of these assets is compromised. The NCSS also has helpful resources on how to develop a Continuity Plan.

If you’d like to learn more about The NCSS and best practices for cybersecurity for your business, please join ShareVault for our upcoming webinar on cybersecurity. For this webinar we’ve assembled a panel of cybersecurity experts (including the founder of The National Cybersecurity Society) to discuss the current cyberthreat landscape, the bad actors, and best practices for preventing a devastating breach that could cost your company millions.

The panel includes Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, ShareVault’s Chief Information Security Officer who formerly provided information security to NASA.

Source: Cybersecurity Best Practices for 2021


Feb 24 2021

How Security Culture Invokes Secure Behavior

Category: Information Security | DISC @ 9:45 pm

Build a security culture

Build a Security Culture

Tags: Build a security culture


Feb 23 2021

Keybase secure messaging fixes photo-leaking bug – patch now!

Category: Information Security | DISC @ 1:20 pm

Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing “end-to-end encryption for things that matter.”

End-to-end encryption is pretty much what it says: encryption that starts on your computer, typically inside an individual app such as when a browser submits a login form, and only gets stripped off at the far end when the data arrives at its final destination, such as when a website receives the login form with your username and password in it.

End-to-end encryption over the internet doesn’t just mean that your data is encrypted while it’s in transit from node to node along its network journey – it’s supposed to be a stronger guarantee than that.

It not only means that your data isn’t decrypted while it’s at any “rest stops” along the way, such as when an email message is held at your ISP for delivery later on, but also means that your data cannot be decrypted along the way, no matter whether you trust the person operating that “rest stop” or not.


Feb 18 2021

The OpenSSL Project addressed three vulnerabilities

Category: Information Security | DISC @ 9:42 am

Tags: OpenSSL


Feb 17 2021

Black Start: Preparedness for Any Situation

Category: BCP, Information Security | DISC @ 11:45 pm

In Stephen King’s 1994 made-for-TV movie “The Stand,” most of the human race is wiped out by a deadly virus. As a result, power stations are unmanned and Americans are left without electricity for months. That is, until a husband and wife team works engineering magic at a power plant, flipping the right switches to bring the entire grid back online.

Anyone familiar with the black start process knows that in real life, it doesn’t happen with quite so much Hollywood pizzazz. But black start is a remarkable process and the controls and instrumentation used during a black start must operate with the utmost precision and speed.

A black start unit is one that can start its own power without support from the grid in the event of a major system collapse or a system-wide blackout. In the U.S., every region within the North American Electric Reliability Corp. (NERC) has its own black start plan and procedures. Each region also designates certain plants as black start units. The controls used on a black start unit include a DC auxiliary support system, an ignition source, a gas turbine and a diesel generator.

Carlo Barrera, senior consulting engineer at PAL Turbine Services LLC, has overseen several conversions of gas turbines to have black start capabilities, including projects for Puget Sound Energy and Massachusetts Municipal Wholesale Electric Co. For the city of Gardner, Kan., PAL installed its own programmable logic controller for turbine control. At a later date, black start capability was incorporated and proved out using a load bank.

Barrera said the DC auxiliary support system is perhaps the most important part of the control system. The battery system must have enough capability to provide DC power for multiple start attempts in case the gas turbine fails to start or fire the first time. “The battery systems need to have the capability in reserve power for two or three firing attempts if a true blackout emergency happens, since gas turbines don’t always start on the first attempt in a blackout situation,” Barrera said.

When the loss of AC power in the grid is noticed on a black-start turbine, an undervoltage relay initiates the start of numerous DC motor-driven auxiliaries. Devices like the turbine lube oil pump, liquid fuel forwarding pump, atomizing air compressor, starting clutch, diesel starting motor and shaft turning ratchet all require DC power to operate. DC auxiliary support system suppliers include GE, Siemens and ABB.

Source: Black Start: Preparedness for Any Situation


Feb 17 2021

5 Top Technology Tips for 21st Century College Students

Category: cyber security, Information Security | DISC @ 5:50 pm

Take Care of College Technology Addiction

Due to technology’s entertaining nature, you are likely to spend more than the recommended amount of time on it. If you find yourself spending more than 5 hours daily on social media websites, that is already a sign that you are heading towards technology addiction. In such a case, you may not focus on college academic work. Consequently, you may record unimpressive grades.

You need to find a way to deal with such an addiction. Create a plan with the specific hours you intend to spend on different daily activities. Stick to your routine and fight the urge to use your phone at inappropriate times. Ensure you have hit your daily targets before you use your tablet.

The trick is to ensure you maintain your focus. Besides, do not forget about face-to-face communication. Find time to spend with your friends. You can leave your technological devices in one location and travel to a different destination. It helps to ensure that you can live without these devices without feeling uncomfortable.

Safeguard Your Identity as You Surf Online

Although the internet has numerous advantages, there are also pitfalls to its use. For example, some tech-savvy people have the expertise to find people’s passwords within minutes. If you are a lazy person who prefers simple passwords, you may become a victim. They can use this information to your detriment.

How do you ensure your details are safe as you work online? For every account you sign up for, use a strong password. It could be a mixture of lower and uppercase letters, numbers, and special characters. Where possible, use the two-step authentication feature.

What are the additional tips that can help you? When entering an account password, ensure there is no one peeking over your shoulders. Do not allow untrustworthy people to use your devices. Additionally, do not click suspicious links.

5 Top Technology Tips for 21st Century College Students


Feb 13 2021

What’s your password?!

Category: Information Security, Password Security | DISC @ 6:40 pm

