May 17 2023

New ZIP domains spark debate among cybersecurity experts

Category: Security Professionaldisc7 @ 9:25 am
https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/

Cybersecurity researchers and IT admins have raised concerns over Google’s new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery.

Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses.

The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.

While the ZIP and MOV TLDs have been available since 2014, it wasn’t until this month that they became generally available, allowing anyone to purchase a domain, like bleepingcomputer.zip, for a website.

However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications.

The concern

Two common file types seen online are ZIP archives and MPEG 4 videos, whose file names end in .zip (ZIP archive) or .mov (video file).

Therefore, it’s very common for people to post instructions containing filenames with the .zip and .mov extensions.

However, now that they are TLDs, some messaging platforms and social media sites will automatically convert file names with .zip and .mov extensions into URLs.

For example, on Twitter, if you send someone instructions on opening a zip file and accessing a MOV file, the innocuous filenames are converted into an URL, as shown below.

Twitter automatically linkifying .zip and .mov file names
Source: BleepingComputer

When people see URLs in instructions, they commonly think that the URL can be used to download the associated file and may click on the link. For example, linking filenames to downloads is how we usually provide instructions on BleepingComputer in our articles, tutorials, and discussion forums.

However, if a threat actor owned a .zip domain with the same name as a linkified filename, a person may mistakenly visit the site and fall for a phishing scam or download malware, thinking the URL is safe because it came from a trusted source.

While it’s very unlikely that threat actors will register thousands of domains to capture a few victims, you only need one corporate employee to mistakenly install malware for an entire network to be affected.

Abuse of these domains is not theoretical, with cyber intel firm Silent Push Labs already discovering what appears to be a phishing page at microsoft-office[.]zip attempting to steal Microsoft Account credentials.

ZIP domain used for Microsoft Account phishing
Source: Silent Push Labs

Cybersecurity researchers have also started to play with the domains, with Bobby Rauch publishing research on developing convincing phishing links using Unicode characters and the userinfo delimiter (@) in URLs.

Rauch’s research shows how threat actors can make phishing URLs that look like legitimate file download URLs at GitHub but actually take you to a website at v1.27.1[.]zip when clicked, as illustrated below.

https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip

Conflicting opinions

These developments have sparked a debate among developerssecurity researchersand IT admins, with some feeling the fears are not warranted and others feeling that the ZIP and MOV TLDs add unnecessary risk to an already risky online environment.

People have begun registering .zip domains that are associated with common ZIP archives, such as update.zipfinancialstatement.zipsetup.zipattachment.zipofficeupdate.zip, and backup.zip, to display information about the risks of ZIP domains, to RickRoll you, or to share harmless information.

Open source developer Matt Holt also requested that the ZIP TLD be removed from Mozilla’s Public Suffix List, a list of all public top-level domains to be incorporated in applications and browsers.

However, the PSL community quickly explained that while there may be a slight risk associated with these TLDs, they are still valid and should not be removed from the PSL as it would affect the operation of legitimate sites.

“Removing existing TLDs from the PSL for this reason would just be wrong. This list is used for many different reasons, and just because these entries are bad for one very specific use-case, they are still needed for (almost) all others,” explained software engineer Felix Fontein.

“These are legit TLDs in the ICP3 root. This will not proceed,” further shared PSL maintainer Jothan Frakes.

“Really, the expressed concerns are more of a glaring example of a disconnect between the developer and security community and domain name governance, where they would benefit from more engagement within ICANN.”

At the same time, other security researchers and developers have expressed that they believe the fears regarding these new domains are overblown.

https://twitter.com/ericlaw/status/1657377752779980804

When BleepingComputer contacted Google about these concerns, they said that the risk of confusion between file and domain names is not new, and browser mitigations are in place to protect users from abuse.

“The risk of confusion between domain names and file names is not a new one.  For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows.  Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip. 

At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip.  Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip.  We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users.” – Google.

What should you do?

The reality is that you do not need to do anything extra than you are already doing to protect yourself from phishing sites.

As everyone should already know, it is never safe to click on links from people or download files from sites you do not trust.

Like any link, if you see a .zip or .mov link in a message, research it before clicking on it. If you are still unsure if the link is safe, do not click on it.

By following these simple steps, the impact of the new TLDs will be minimal and not significantly increase your risk.

However, the exposure to these links will likely increase as more applications automatically turn ZIP and MOV filenames into links, giving you one more thing to be careful about when online.

InfoSec tools | InfoSec services | InfoSec books

Tags: ZIP domains


Dec 02 2022

Essential Business Knowledge for InfoSec Professionals

Category: Security ProfessionalDISC @ 11:14 pm

The role of InfoSec professionals has morphed into a critical business function. One should expect getting involved in “business” discussion often, and at increasing higher levels of business structure up to board of directors. Understanding and speaking business language is more important than ever for the success of any InfoSec professionals. Knowing basic business lingo is also crucial for effective communication inside an organization.

Lack of basic business knowledge and common business terminology hinders success and progress. 

I have started creating a body of knowledge for basic business skills required for success of security professionals and elevating their status in the business hierarchy. Following are eight major domains of essential business knowledge for information security professionals.

  • DOMAIN 1 – Essential Business Terminology for InfoSec Professionals
  • DOMAIN 2 – Business Communication for InfoSec Professionals
  • DOMAIN 3 – Funding Requests and Managing InfoSec Budget
  • DOMAIN 4 – Working with Vendors and Partners
  • DOMAIN 5 – Building Alliances, Collaboration to Advance InfoSec Goals
  • DOMAIN 6 – Excellence in InfoSec Customer Service, Knowing and Serving Customers
  • DOMAIN 7 – Creating Business Value with InfoSec
  • DOMAIN 8 – General Soft Skills to Succeed as InfoSec Professional

what are major skill gaps?

ISACA published a report on “State of Cybersecurity 2022” in which they presented their findings on the global workforce. The most striking of all the findings is Figure 14 of the report showing major skill gaps among security professionals.

At the top of these skill gaps is “soft skills” that includes communications, flexibility, leadership and others. This is similar to what we have been talking about creating a body of knowledge for Core Cybersecurity Skills and Practices. Please see a screenshot of Figure 14 from the ISACA report (the report is available for download at https://www.isaca.org/go/state-of-cybersecurity-2022).

Business Knowledge for Cybersecurity Executives

Business Analysis – Fourth Edition

Tags: Business Knowledge for Cybersecurity Executives, InfoSec Professionals


Oct 02 2020

How cyber security can protect your business

Christopher Wright is one of IT Governance Publishing’s most prolific writers, having released five books with us over the past six years.

His work covers many different topics, including advice on organizational cyber security, project management and risk management auditing.

In How Cyber Security Can Protect Your Business – A guide for all stakeholders, Wright provides an effective and efficient framework to help organizations manage cyber governance, risk and compliance.

How Cyber Security Can Protect Your Business

Businesses must protect themselves and their reputations, while reassuring stakeholders they take cyber security seriously. Wright’s pocket guide:

  • Explains in easy-to-understand terms what executives and senior managers need to know and do about the ever-changing cyber threat landscape;
  • Gives strategic, business-focused guidance and advice relevant to C-suite executives;
  • Provides an effective and efficient framework for managing cyber governance, risk and compliance; and
  • Makes clear what is required to implement an effective cyber security strategy.

Receive 15% off all of Christopher Wright’s books throughout October by entering the voucher code WRIGHT15 at the checkout.

How Cyber Security Can Protect Your Business - A guide for all stakeholders
 

            Buy now

 








Jul 20 2020

Black Hat USA Announces New Community Programs to Address the Needs of Information Security Professionals

Programs will address diversity and inclusion, mental health and career education.

“The technical content that is presented on the Black Hat stage each year is an important contribution to the industry, but we’ve found that more sensitive topics such as mental health and diversity within the information security community are often not highlighted enough,” said Steve Wylie, Black Hat General Manager.

Source: Black Hat USA Announces New Community Programs to Address the Needs of Information Security Professionals



Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles




Tags: Black hat, black hat 2020


Jul 01 2019

Don’t tell Alice and Bob: Security maven Bruce Schneier is leaving IBM

Category: Security ProfessionalDISC @ 2:52 pm

Says bye bye to #BigBlue

Source: Don’t tell Alice and Bob: Security maven Bruce Schneier is leaving IBM

 
Bruce Schneier: “Click Here to Kill Everybody” | Talks at Google


Enter your email address:

Delivered by FeedBurner




Tags: Hands down InfoSec genius, InfoSec leader, InfoSec trail blazer


Sep 04 2017

Information Security Certifications and Salaries

Category: CISSP,Information Security,Security ProfessionalDISC @ 2:54 pm

Is this a good time to be in the field of InfoSec, (ISC)2 report shows the skills shortage is getting worse.

 

Over the next five years, the number of unfilled cybersecurity jobs will rise to a whopping 1.8 million, a 20% increase from 2015 estimates, according to a new (ISC)2 survey released. Cybersecurity Faces 1.8 Million Worker Shortfall By 2022

 

Start learning InfoSec basic:

When planning to take on this career, at early stage of this career you may get as much practical experience as possible and achieve industry-standard qualifications offered by such as Microsoft, CISCO, Checkpoint, Symantec and HP. Also vendor-independent learning path A+, Network+, and Security+ qualifications are recommended.

When evaluating prospective InfoSec candidates, employers frequently look to certification as one of the measure of excellence in continuing education and commitment to learning. Below are the 7 most sought out InfoSec certifications.

 

InfoSec Salaries review:

Security Analyst Salaries in the United States
Information Security Analyst Salary Range
IT Security Certifications Salary Guide
Top Cyber Security Salaries In U.S. Metros Hit $380,000

 






May 27 2015

10 Facts Every Cyber Security Professional Should Know

Category: Security ProfessionalDISC @ 5:04 pm

Top10

If you hold any job related to security operations analysis and reporting, you’ve likely been inundated with news stories about data breaches and attacks by hackers on businesses of all sizes across numerous verticals. But with all that noise, it can be difficult to sort out the information that truly matters, like the hard data that helps you decide which solutions to adopt, gives you a powerful case to bring to your executive team for a larger cyber security budget next quarter, or simply reassures you that your peers are facing similar challenges.

For that reason, SwinLane.com have assembled some of the most impactful, telling statistics related to information security in one place

1. Cyber attacks cost businesses $400 billion every year—Lloyd’s of London, 2015

2. Some 42 percent of survey respondents said security education and awareness for new employees played a role in deterring a potential criminal. — “US cybercrime: Rising risks, reduced readiness; Key findings from the 2014 US State of Cybercrime Survey,” PwC

3. There are more than 1 million unfilled information security jobs globally; by 2017 that number may be as high as 2 million — “2014 Annual Security Report,” Cisco; UK Parliament Lords’ Digital Skills Committee witness interview

4. The malware used in the Sony hack would have slipped past 90 percent of defenses today. — Joseph Demarest, assistant director of the FBI’s cyber division, during a U.S. Senate hearing

5. The average U.S. business deals with 10,000 security alerts per day. — “State of Infections Report Q1 2014,” Damballa

6. A significant 90 percent of CISOs cite salary as the top barrier to proper staffing. — “State governments at risk: time to move forward,” Deloitte/NASCIO

7. About 43 percent of businesses experienced a data breach in 2014. — “Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness,” Experian/Ponemon Institute

8. Just 21 percent of IT professionals are confident that their information security technologies can mitigate risk. — “2015 Vulnerability Study,” EiQ Networks

9. As many as 75 percent of breaches go undiscovered for weeks or months. — Michael Siegel, research scientist at MIT, at a recent cyber security conference

10. In an effort to combat the growing threat of cybercrime, the U.S. Department of Homeland Security increased its cyber security budget 500 percent during the past two years; and President Obama included $14 billion for cyber security spending in his 2016 budget. GCN.com, 2015