InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Many organizations have maintained heavy investment in cybersecurity over the last year, even in an unpredictable time when other spending has faltered. Gartner estimates that IT security and risk management spending still grew 2.6 percent even as IT spending as a whole fell by 8 percent.
However, while businesses have continued to fortify their networks against remote invaders, most have overlooked the potential for cyber threats from physical intruders. With very few exceptions such as government facilities, organizations tend to be extremely vulnerable to cyberattacks that involve a threat actor gaining direct access to the infrastructure.
While such attacks are extremely rare in comparison to the endless virtual attacks launched every day, physical security gaps can allow threat actors to circumvent otherwise strong defenses to inflict serious damage. Unlike an ordinary burglary, the threat is not what is stolen by the intruder, but what they leave behind – anything from keyloggers to backdoor malware. It’s especially important that organizations that are in high-risk sectors such as finance be prepared for such attacks.
Fortunately, however, with the right precautions it is possible to minimize the risk of a physical intruder, and spot incursions based on digital and physical evidence left behind.
Network monitoring is essential for any organization with a network. Requirements may vary, but in general any IT team is going to need a single, comprehensive solution that shows the entire network in context and makes diagnosing network issues fast and easy.
An effective solution should be able to discover every device connected to the network, automatically generate a network map showing connections and give administrators an easy way to run device inventories and determine what should be monitored.
The solution should generate alerts for a myriad of network issues and support customizable thresholds, so the IT team can proactively respond before end users are impacted. It should monitor the entire network infrastructure (physical, virtual and cloud) while also supporting network traffic analysis, network and application performance monitoring, configuration management and log management. As well, the ability to automate common administrative tasks or implement self-healing actions will drastically reduce the workload of the IT team.
The importance of ease-of-use cannot be overstated! The solution also needs to be able to scale to meet future needs and should support widely geographically distributed networks. Integration with 3rd-party systems is also a key requirement, whether by out-of-the-box connectors or via a robust API.
AWS offers multiple services around logging and monitoring. For example, you have almost certainly heard of CloudTrail and CloudWatch, but they are just the tip of the iceberg.
CloudWatch Logs is the default logging service for many AWS resources (like EC2, RDS, etc.): it captures application events and error logs, and allows to monitor and troubleshoot application performance. CloudTrail, on the other hand, works at a lower level, monitoring API calls for various AWS services.
Although listing (and describing) all services made available by AWS is out of scope for this blog post, there are a few brilliant resources which tackle this exact problem:
“Logging in the Cloud: From Zero to (Incident Response) Hero” are the annotated slides (131 pages!) of a good talk delivered at RSA 2020 by the Secureworks team which tries to answer questions like “What Should I Be Logging?”, “How Specifically Should I Configure it?”, and “What Should I Be Monitoring?”. Especially interesting since it doesn’t cover only AWS, but also GCP and Azure.
“Overview of AWS Logs” lists main AWS logging sources with a summary table, format, example and a Grok regex to parse log and ingest into a tool like Elastic Stack (ELK).
In the remainder of this section I’ll provide a summary of the main services we will need to design our security logging platform. Before doing so, though, it might be helpful having a high-level overview of how these services communicate (special thanks to Scott Piper for the original idea)
Keybase, owned by online meeting and teleconferencing behemoth Zoom, is a secure messaging and file sharing service that describes itself as providing “end-to-end encryption for things that matter.”
End-to-end encryption is pretty much what it says: encryption that starts on your computer, typically inside an individual app such as when browser submits a login form, and only gets stripped off at the far end when the data arrives at its final destination, such as when a website receives the login form with your username and password in it.
End-to-end encryption over the internet doesn’t just mean that your data is encrypted while it’s in transit from node to node along its network journey – it’s supposed to be a stronger guarantee than that.
It not only means that your data isn’t decrypted while it’s at any “rest stops” along the way, such as when an email message is held at your ISP for delivery later on, but also means that your data cannot be decrypted along the way, no matter whether you trust the person operating that “rest stop” or not.
How are companies’ legal departments changing to meet the needs of their organization and the needs arising from worldwide changes?
Organizations face much more regulatory compliance and privacy scrutiny than ever before, and everyone is under a constant threat of cyber breach or attack. Legal plays a critical role in ensuring that all compliance obligations are met, and overall risk to the organization is mitigated.
I firmly believe a new strategy is required to deal with these new converging market forces, one that is rooted in data management. What we’ve observed over the past couple of years is how you treat data is key to addressing so many of the concerns facing your organization. How an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value. All of these greater trends have combined to create new business challenges that no longer can be addressed by a single organizational department.
Let me give you an example:
Let’s say your company receives a California Consumer Privacy Act data access request.
First, you must securely validate the requestor’s identity. Then, you must route the request appropriately and act on it promptly. The person or group responsible for the data must locate it, collect it, review it, possibly redact information and then securely deliver this information to the requestor.
You can see how this request quickly crosses conventional divisions and responsibilities—it’s not just someone in your Privacy department’s responsibility – she will need to work with someone with expertise in e-discovery. And, if that user submits a request for data deletion, things get even more complex, because before deleting anything, you must first confirm that the information can legally be deleted (as it can be subject to retention requirements imposed by regulatory compliance obligations or a legal hold).
In this demanding environment, traditional approaches to enterprise data inventory and management are inadequate.
To help put this process into perspective, we like to ask six simple questions:
1. Do you know where your data is? 2. Do you know who owns your data? 3. Do you know what regulations govern your data? 4. Do you know what third parties have access to your data? 5. Can you forensically prove data integrity throughout all the processes that use your data? 6. Can you easily and quickly respond to requests for your data?
New casinos launch online often and as the choice for these sites grows, so does the variety of payment options. Not long ago, many online casinos were limited to credit/debit cards and very few e-Wallets. Today, there is a broad range of payment options accepted by online casinos.
One payment method, nonetheless, has become quite popular; pay by phone. With more people accessing online casinos from their mobile, it’s easy to see why mobile payments are becoming widespread. Besides, the option has several advantages, as highlighted below.
Play on Credit
When paying using your phone, you can choose to pay through telephone bills. This means that you can add money to your casino even when you don’t have money and pay the bill later. Operating more like a credit card, you get a form of credit when you choose this option.
The money is usually credited into your account immediately, yet you will only pay for it when paying your phone bill. The great thing about this is that it gives you float since you don’t have to immediately pay for your deposit.
Again, if you don’t have money at a particular moment or want to track how much you use in gaming, this option allows you to do this with ease. However, you should note that you will eventually pay the bill, probably at the end of each month.
No Additional Costs
Most phone providers don’t charge extra fees to deposit at the casino using a phone bill. Nonetheless, you will incur the usual rates that your provider charges for mobile payments in most cases.
However, it is worth checking with the provider to confirm if additional charges apply. Further, online casinos don’t impose any fees on your phone bill deposits. Again, it is essential to confirm this from your specific casino.
The goal is to find a provider and a casino that don’t impose extra fees for the service. According to this guide, there are many such casinos that don’t charge you for phone deposits. Thus, you won’t have a hard time finding a perfect site that meets your gaming expectations.
High Level of Security
Depositing using your phone is exceptionally safe and secure. The added security level is because you never enter your credit/debit card details or banking information like is the case with some traditional payment options.
Although rare, some sites get hacked, especially those that don’t have up-to-date security measures such as SSL data encryption and robust firewalls. If this happens, the information you have shared with your casino can be compromised.
Fortunately, if you choose this option, you will never worry about your bank information being stolen. Besides security, the method also enhances the privacy of your banking information since the casino doesn’t have access to your banking details.
Nvidia, the graphics chip company that wants to buy ARM, made a unusual announcement last week.
The company is about to launch its latest GeForce GPU (graphics processing unit) chip, the RTX 3060, and wants its users know that the chip is “tailored to meet the needs of gamers and those who create digital experiences.”
Our GeForce RTX GPUs introduce cutting-edge technologies — such as RTX real-time ray-tracing, DLSS AI-accelerated image upscaling technology, Reflex super-fast response rendering for the best system latency, and many more.
Ray-tracing is an algorithm used in generating synthetic images that are almost unbelievably realistic, correctly modelling complex optical interactions such as reflection, transparency and refraction, but this sort of realism comes at huge computational cost.
You can therefore see why gamers and digital artists might be very keen to get their hands on the latest special-purpose hardware that can speed up the creation of images rendered in this way.
The Chinese APT group had access to an NSA Equation Group, NSA hacking tool and used it years before it was leaked online by Shadow Brokers group.
Check Point Research team discovered that China-linked APT31 group (aka Zirconium.) used a tool dubbed Jian, which is a clone of NSA Equation Group ‘s “EpMe” hacking tool years before it was leaked online by Shadow Brokers hackers.
In 2015, Kaspersky first spotted the NSA Equation Group, it revealed it was operating since at least 2001 and targeted almost any industry with sophisticated zero-day malware.
The arsenal of the hacking crew included sophisticated tools that requested a significant effort in terms of development, Kaspersky speculated the Equation Group has also interacted with operators behind Stuxnet and Flame malware.
Based on the evidence collected on the various cyber espionage campaigns over the years, Kaspersky experts hypothesize that the National Security Agency (NSA) is linked to the Equation Group.
Jian used the same Windows zero-day exploit that was stolen from the NSA Equation Group ‘s arsenal for years before it was addressed by the IT giant.
In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the US NSA, most of them exploited zero-day flaws in popular software.
One of these zero-day flaws, tracked as CVE-2017-0005, was a privileged escalation issue that affected Windows XP to Windows 8 operating systems,
“In this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT was able to access.” reads the analysis published by CheckPoint. ““EpMe”, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 – four years before APT31 was caught exploiting this vulnerability in the wild.”
A Nigerian Instagram star conspired with North Korean hackers to steal more than $1.3 billion from companies and banks in the U.S. and other countries, federal prosecutors said.
Ramon Olorunwa Abbas, 37, also known as “Ray Hushpuppi,” is being accused of helping three North Korean computer hackers steal the funds from companies and banks, including one in Malta, in February 2019, according to the Justice Department.
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” Assistant Attorney General John Demers of the Justice Department’s National Security Division said in a statement on Feb. 17.
The hack was caught before anyone was hurt by it, but KX wanted to know: how safe is our local water supply from cybersecurity threats? So, we went to the Bismarck Water Treatment Plant to find out.
“We’re well aware of what happened in Florida, it definitely reached the news nationwide and it really is relevant for drinking water systems. Our drinking water system, it would not be possible to do the same type of activity.”
Ethical hacking refers to gaining unauthorized access to a system through different strategies. An ethical hack is carried out by following the footsteps of real hackers who mean harm to the system. By duplicating their strategies ethical hackers can identify vulnerabilities in the system. Once these activities are identified there is a better chance of resolving the issues before actual hackers find a way to gain access to your system or application.
What do Ethical Hackers Do?
Ethical hackers are also known as “white hats“, they can be thought of as experts who perform security assessments to ensure that an organization’s security is not at risk. Companies hire teams of ethical hackers who help to identify system vulnerabilities and ensure that the security of the company is not compromised in any way. They generally follow four key protocols listed and explained below:
A privacy bug in the Brave Browser caused the leak of the Tor onion URL addresses visited in the Tor mode by the users.
A bug in the Private Window with Tor implemented in the Brave web browser could reveal the onion sites visited by the users.
The Tor mode implemented in the Brave web browser allows users to access .onion sites inside Brave private browsing windows.
When users are inside a Private Window with Tor, Brave doesn’t connect directly to a website, instead, it connects to a chain of three different computers in the Tor network.
An anonymous researcher initially reported that the Brave’s Tor mode was sending queries for .onion domains to public internet DNS resolvers, other experts confirmed his findings.
“If you’re using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose.” explained the researcher.“Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time.”
OneLogin’s recent research into remote working practices shows it is proving to be fertile ground for hackers – Here’s how to stay safe
How to stay secure
Another key step to keep your business safe from breaches is to ensure that your employees are following security best practices. To celebrate Data Privacy Day, we’ve provided some practical steps to do this. For example:
Don’t share your work computer with friends, housemates or family members: 26% of respondents admitted doing this
Don’t download personal applications onto a company device: 23% of respondents admitted doing this
Don’t work on a public wifi that is not protected: 22% of respondents admitted doing this
Don’t share your corporate password with others: 12% of respondents admitted doing this
Don’t leave your corporate devices unattended in a public space:10% of respondents admitted doing this
Do encourage your company to engage with multi-factor authentication (MFA), which gives you multiple layers of protection: Only 36% of respondents suggested that MFA had been implemented
Two-thirds of remote workers risk potentially breaching GDPR guidelines by printing out work-related documents at home, according to a new study from Go Shred.
The confidential shredding and records management company discovered that 66% of home workers have printed work-related documents since they began working from home, averaging five documents every week. Such documents include meeting notes/agendas (42%), internal documents including procedure manuals (32%), contracts and commercial documents (30%) and receipts/expense forms (27%).
Furthermore, 20% of home workers admitted to printing confidential employee information including payroll, addresses and medical information, with 13% having printed CVs or application forms.
The issue is that, to comply with the GDPR, all companies that store or process personal information about EU citizens within EU states are required to have an effective, documented, auditable process in place for the collection, storage and destruction of personal information.
However, when asked whether they have disposed of any printed documents since working from home, 24% of respondents said they haven’t disposed of them yet as they plan to take them back to the office and a further 24% said they used a home shredding machine but disposed of the documents in their own waste. This method of disposal is not recommended due to personal waste bins not providing enough security for confidential waste and therefore still leaving employers open to a data breach and potential fines, Go Shred pointed out.
Most concerning of all, 8% of those polled said they have no plans to dispose of the work-related documents they have printed at home, with 7% saying they haven’t done so because they do not know how to.
Due to the recent rise in cryptocurrency trading prices, most online systems these days are often under the assault of crypto-mining botnets seeking to gain a foothold on unsecured systems and make a profit for their criminal overlords.
The latest of these threats is a botnet named WatchDog. Discovered by Unit 42, a threat intelligence division at Palo Alto Networks, this crypto-mining botnet has been active since January 2019.
Written in the Go programming language, researchers say they’ve seen WatchDog infect both Windows and Linux systems.
The point of entry for their attacks has been outdated enterprise apps. According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 said the botnet operators used 33 different exploits to target 32 vulnerabilities in software such as:
Apple launched its M1 chip and cybercriminals developed a malware sample specifically for it, the latest generation of Macs are their next targets.
The popular security researcher Patrick Wardle discovered one of the first malware designed to target latest generation of Apple devices using the company M1 chip.
The discovery suggests threat actors are tailoring their malware to target the latest generation of Mac devices using the own processors.
Wardle discovered a Safari adware extension, tracked as GoSearch22, that was initially developed to run on Intel x86 chips, and now it was adapted to run on M1 chips.
“What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected.” reads the analysis published by Wardle. “Looking at the (current) detection results (via the anti-virus engines on VirusTotal), it appears the GoSearch22.app is an instance of the prevalent, yet rather insidious, ‘Pirrit’ adware:”
‘We identified that it was possible to compromise any account on the application within a 10-minute timeframe’
Critical zero-day vulnerabilities in Gaper, an ‘age gap’ dating app, could be exploited to compromise any user account and potentially extort users, security researchers claim.
The absence of access controls, brute-force protection, and multi-factor authentication in the Gaper app mean attackers could potentially exfiltrate sensitive personal data and use that data to achieve full account takeover within just 10 minutes.
More worryingly still, the attack did not leverage “0-day exploits or advanced techniques and we would not be surprised if this had not been previously exploited in the wild”, said UK-based Ruptura InfoSecurity in a technical write-up published yesterday (February 17).
Despite the apparent gravity of the threat, researchers said Gaper failed to respond to multiple attempts to contact them via email, their only support channel.
GETting personal data
Gaper, which launched in the summer of 2019, is a dating and social networking app aimed at people seeking a relationship with younger or older men or women.
Ruptura InfoSecurity says the app has around 800,000 users, mostly based in the UK and US.
Because certificate pinning was not enforced, the researchers said it was possible to obtain a manipulator-in-the-middle (MitM) position through the use of a Burp Suite proxy.
This enabled them to snoop on “HTTPS traffic and easily enumerate functionality”.
RIPE NCC announced to have suffered a credential stuffing attack attempting to gain access to single sign-on (SSO) accounts.
The RIPE NCC is a not-for-profit membership association, a Regional Internet Registry and the secretariat for the RIPE community supporting the Internet through technical coordination.
It has over 20,000 members from over 75 countries who act as Local Internet Registries (LIRs) and assign blocks of IP addresses to other organizations in their own country.
The organization mitigated the attack and its investigation confirmed that not SSO accounts have been compromised.
“Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime,” reads a statement published by the organization.
“We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future. Our preliminary investigations do not indicate that any SSO accounts have been compromised.”
