Dec 08 2020

U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers

Category: Hacking, Security Breach | DISC @ 11:07 pm

The cybersecurity company said the attack compromised its software tools used to test the defenses of its thousands of customers.

“I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Kevin Mandia, the chief executive at FireEye and a former Air Force officer, said in a blog post published Tuesday. “The attackers tailored their world-class capabilities specifically to target and attack FireEye.”

The company said the attacker also accessed some internal systems and primarily sought information about government clients. FireEye said it has seen no evidence so far that data belonging to its customers had been compromised from the primary systems used to store it.

FireEye declined to comment on who it believed was behind the breach of its hacking tools, which experts said could potentially be leveraged in future attacks against its customer base, including a diverse array of U.S. and Western national-security agencies and businesses.

Source: U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers



FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State
httpv://www.youtube.com/watch?v=EcBAuJoj2Ks

Fireeye shares plunge after it says it was breached by suspected hackers
httpv://www.youtube.com/watch?v=xYIK23FYiyM&ab_channel=CNBCTelevision


Dec 07 2020

Hacker opens 2,732 PickPoint package lockers across Moscow

Category: Security Breach | DISC @ 4:57 pm

PickPoint says this is the world’s first targeted cyberattack against a post-gateway network.

The attack, which took place on Friday afternoon, December 4, targeted the network of PickPoint, a local delivery service that maintains a network of more than 8,000 package lockers across Moscow and Saint Petersburg.

Russians can order products online and choose to have any of their orders delivered to a PickPoint locker instead of their home address.

Once the package arrives, users receive an email or mobile notification, and they can show up and pick up their orders using the PickPoint app.

Source: Hacker opens 2,732 PickPoint package lockers across Moscow | ZDNet



A smart lockers terminal “PickPoint” in Moscow was hacked to unlock the storage boxes with goods
httpv://www.youtube.com/watch?v=shtcOIeiz_c&ab_channel=AmazingVideosOfTheWorld




Dec 04 2020

Open source vulnerabilities go undetected for over four years

Category: Security vulnerabilities | DISC @ 6:01 pm

GitHub has analyzed over 45,000 active directories and found that open source vulnerabilities often go undetected for more than four years.

Source: Open source vulnerabilities go undetected for over four years – Help Net Security



The State of Open Source Security Vulnerabilities
httpv://www.youtube.com/watch?v=cphgicw6dZI



Resources for Searching and Analyzing Online Information


Advanced Sciences and Technologies for Security Applications

Tags: Open source, Open source intelligence, Open source security


Dec 01 2020

Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020

Category: Information Privacy | DISC @ 3:21 pm

Consumer Rights under the CALIFORNIA PRIVACY RIGHTS ACT (CPRA) OF 2020

Purpose and Intent. In enacting this Act, it is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. The implementation of this Act shall be guided by the following principles:

Consumer Rights

  1. Consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed, so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children.
  2. Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
  3. Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another.
  4. Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
  5. Consumers should be able to exercise these rights without being penalized for doing so.
  6. Consumers should be able to hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches.
  7. Consumers should benefit from businesses’ use of their personal information.
  8. The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act. It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.

Adds a right to opt out of automated decision-making technology, in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Opt-out right explicitly extends to sharing of PI used for cross-context behavioral advertising.

Strengthens opt-in rights for minors. Extends the opt-in right to explicitly include the sharing of PI for behavioral advertising purposes. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her PI after the minor has declined to provide it.

For full details, download a PDF of THE CALIFORNIA PRIVACY RIGHTS ACT OF 2020 (Amendments to Version 3)



California Privacy Rights Act (CPRA): 10 Big Impacts on Your Business
httpv://www.youtube.com/watch?v=bqC8kSSSV-A

Tags: CALIFORNIA PRIVACY RIGHTS ACT, CPRA


Dec 01 2020

List of data breaches and cyber attacks in November 2020 – 587 million records breached

Category: Data Breach, Security Breach | DISC @ 11:06 am

We recorded 103 data breaches and cyber attacks in November, which accounted for 586,771,602 leaked records.

ITG recorded 103 cyber security incidents in November, which accounted for 586,771,602 leaked records.

The majority of those came from a credential-stuffing attack targeting Spotify and a data leak at the messaging app GO SMS Pro, which you can learn more about below.

Here is ITG’s complete list of November’s cyber attacks and data breaches.

Source: List of data breaches and cyber attacks in November 2020 – 587 million records breached – IT Governance UK Blog



Biggest Data Breaches of October 2020
httpv://www.youtube.com/watch?v=aB0PB5B266w


Self-assessment to help you achieve your cybersecurity or information security goals. ITG is offering 15% off selected toolkits and self-assessment tools until December 4 to help you achieve your cybersecurity or information security goals. Use promo code THANKFUL at checkout to receive the offer.


Nov 29 2020

10 Best InfoSec Hacking Books

Category: Hacking, Information Security, Security training | DISC @ 7:09 pm

10 Best InfoSec Hacking Books

To download the 10 Best InfoSec Hacking Books PDF: https://blog.deurainfosec.com/wp-content/uploads/2020/11/10-best-InfoSec-hacking-books.pdf

To download the Metasploit cheatsheet PDF: https://blog.deurainfosec.com/wp-content/uploads/2020/11/Metsploit-cheatsheet.pdf


Nov 24 2020

Black Friday deal:

Category: VPN | DISC @ 10:37 pm

Get 68% off NordVPN + 3 months FREE

NordVPN’s Black Friday promotion is now live with 68% off a 2-year VPN subscription and an additional three months for free. This offer gives you a total of 27 months of VPN access for a monthly cost of $3.30!

If you wish to stay anonymous on the Internet while browsing the web, streaming movies or listening to music, then this NordVPN deal may be something that interests you.

As part of this deal, you get a 27-month subscription to the NordVPN VPN service, which allows you to browse the Internet, send email, download files, or perform network requests anonymously.

 

Whether you want to explore a new topic, advance your career, or get a degree, you’ll find a place to start learning on edX. Choose from thousands of courses in over thirty subjects, all brought to you by the world’s best universities and industry leaders.

Use code CYBER2020 to save 20% on your next course or program purchase. https://lnkd.in/g_k_QHF


Nov 24 2020

Zero Trust architectures: An AWS perspective

Category: AWS Security, Zero trust | DISC @ 11:23 am

Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question: “What are the optimal patterns to ensure the right level of confidentiality, integrity, and availability of my systems and data while increasing speed and agility?” Increasingly, customers are asking specifically about how security architectural patterns that fall under the banner of Zero Trust architecture or Zero Trust networking might help answer this question.

Given the surge in interest in technology that uses the Zero Trust label, as well as the variety of concepts and models that come under the Zero Trust umbrella, we’d like to provide our perspective. We’ll share our definition and guiding principles for Zero Trust, and then explore the larger subdomains that have emerged under that banner. We’ll also talk about how AWS has woven these principles into the fabric of the AWS cloud since its earliest days, as well as into many recent developments. Finally, we’ll review how AWS can help you on your own Zero Trust journey, focusing on the underlying security objectives that matter most to our customers. Technological approaches rise and fall, but underlying security objectives tend to be relatively stable over time. (A good summary of some of those can be found in the Design Principles of the AWS Well-Architected Framework.)

Definition and guiding principles for Zero Trust

Let’s start out with a general definition. Zero Trust is a conceptual model and an associated set of mechanisms that focus on providing security controls around digital assets that do not solely or fundamentally depend on traditional network controls or network perimeters. The zero in Zero Trust fundamentally refers to diminishing—possibly to zero!—the trust historically created by an actor’s location within a traditional network, whether we think of the actor as a person or a software component. In a Zero Trust world, network-centric trust models are augmented or replaced by other techniques—which we can describe generally as identity-centric controls—to provide equal or better security mechanisms than we had in place previously. Better security mechanisms should be understood broadly to include attributes such as greater usability and flexibility, even if the overall security posture remains the same. Let’s consider more details and possible approaches along the two dimensions.

Source: Zero Trust architectures: An AWS perspective | Amazon Web Services

SANS Webcast – Zero Trust Architecture
httpv://www.youtube.com/watch?v=5sFOdpMLXQg

Tags: Zero Trust, Zero Trust architectures, Zero Trust Network, Zero Trust Security


Nov 23 2020

LidarPhone Attack Transforms Smart Vacuum Cleaners Into Spying Tools

Category: Hacking | DISC @ 11:06 pm

LidarPhone attack targets the lidar sensors in smart vacuum cleaners transforming them into microphones to record sounds and eavesdrop.

Describing LidarPhone in brief, the researchers stated: “The fundamental concept of LidarPhone lies in sensing such induced vibrations in household objects using the vacuum robot’s lidar sensor and then processing the recorded vibration signal to recover traces of sounds. This sensing method is inspired by the principles of laser microphones that use reflected laser beams to sense sounds from vibrating objects. Although laser mics require sophisticated setups, the rotating lidar sensors are equipped with at least a laser transmitter and reflection sensor. This enables the key possibility to transform a lidar into a microphone.”

Source: LidarPhone Attack Transforms Smart Vacuum Cleaners Into Spying Tools


Nov 22 2020

How does the Schrems II ruling affect your organization?

Category: GDPR | DISC @ 5:01 pm

GDPR compliance got even more complicated this summer when the CJEU (European Court of Justice) ruled the EU–US Privacy Shield invalid.

Organizations that had relied on the framework for transatlantic data transfers have been scrambling for a solution – with even some multinationals unsure how to proceed.

If you’re among those trying to understand how the ruling affects your data transfer processes, then ITGP’s updated books can help.

EU General Data Protection Regulation (GDPR) – An implementation and compliance guide

This comprehensive guide covers:

  • DPO (data protection officer) requirements, including which organizations need a DPO and what DPOs do;
  • When organizations must conduct DPIAs (data protection impact assessments);
  • GDPR implementation FAQs;
  • Guidance on how to create data protection processes that are in line with best practices; and
  • An index of the GDPR.

EU GDPR – An international guide to compliance

Ideal for those trying to understand the essentials of GDPR compliance, EU GDPR – An international guide to compliance:

  • Explains the terms and definitions used in the GDPR;
  • Sets out the circumstances under which organizations may receive fines;
  • Shows how to meet your compliance requirements; and
  • Provides guidance on the technologies and documentation you can use to protect the personal data that you process.

Tags: gdpr, Schrems II


Nov 22 2020

Nearly Two Dozen AWS APIs Are Vulnerable to Abuse

Category: AWS Security | DISC @ 4:07 pm

Attackers can conduct identity reconnaissance against an organization at leisure without being detected, Palo Alto Networks says.

Nearly two dozen application programming interfaces (APIs) across 16 different Amazon Web Services offerings can be abused to allow attackers to obtain the roster and internal structure of an organization’s cloud account in order to launch targeted attacks against individuals.

All that a threat actor would require in order to carry out the attack is the target organization’s 12-digit AWS ID — something that is used and shared publicly — Palo Alto Networks said this week.

Source: Nearly Two Dozen AWS APIs Are Vulnerable to Abuse


Testing and Monitoring APIs on AWS – AWS Online Tech Talks
httpv://www.youtube.com/watch?v=VQM38CZyjFY



API Security in Action teaches you how to create secure APIs for any situation. By following this hands-on guide you’ll build a social network API while mastering techniques for flexible multi-user security, cloud key management, and lightweight cryptography.


Nov 19 2020

Japan Inc to begin experiments issuing digital yen

Category: Crypto | DISC @ 5:48 pm

More than 30 major Japanese firms will begin experiments next year towards issuing a common, private digital currency to promote digitalisation in one of the world’s most cash-loving countries, the group’s organising body said on Thursday.

Source: Japan Inc to begin experiments issuing digital yen



Japan experimenting with digital yen!
httpv://www.youtube.com/watch?v=l-hK_rcL08o



Tags: cryptocurrency, digital yen, Japan


Nov 18 2020

Senate passes bill to secure internet-connected devices against cyber

Category: NIST CSF, NIST Privacy | DISC @ 11:40 pm

The Senate this week unanimously passed bipartisan legislation designed to boost the cybersecurity of internet-connected devices.

The Senate passes a bill that would require all internet-connected devices purchased by the US government to comply with NIST’s minimum security recommendations.

The Internet of Things Cybersecurity Improvement Act would require all internet-connected devices purchased by the federal government — such as computers and mobile devices — to comply with minimum security recommendations issued by the National Institute of Standards and Technology.

The bill would require private sector groups providing devices to the federal government to notify agencies if the internet-connected device has a vulnerability that could leave the government open to attacks.

The legislation, which the Senate advanced on Tuesday, was passed unanimously by the House in September. It now heads to President Trump for a signature.

“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand,” Gardner noted in a separate statement. “We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks. Ensuring that our government has the capabilities and expertise to help navigate the impacts of the latest technology will be important in the coming years and decades.”

Source: Senate passes bill to secure internet-connected devices against cyber


Nov 17 2020

Microsoft’s Pluton chip upgrades the hardware security of Windows PCs

Category: Hardware Security, Information Security | DISC @ 1:05 pm


The next Windows PC you buy could come with an advanced security co-processor that will protect your data from being stolen by hackers. Building on work it started with the Xbox One, on Tuesday Microsoft announced the existence of Pluton. It’s a new project the company is working on with both AMD and Intel, as well as Qualcomm, to create x86 and ARM CPUs that integrate a dedicated security component.

At its simplest, Pluton is an evolution of the existing Trusted Platform Module (TPM) you find in many modern computers. TPMs store security-related information about your operating system and enable features like Windows Hello. However, for all the additional security they add to PCs, they still have vulnerabilities. As security researchers have shown, it’s possible for hackers to attack the bus interface that allows the TPM and CPU to communicate with one another.

That’s where Pluton comes into the picture. By integrating the TPM into the CPU, Microsoft says it’s able to close off that avenue of attack. When the first slate of Pluton-equipped CPUs and computers start making their way out to consumers, Microsoft says they’ll emulate TPM chips so that they can take advantage of existing APIs and provide Windows users with immediate usefulness. The end goal is for Pluton-equipped CPUs to protect your credentials, encryption keys and personal data. In that way, it will be similar to the T2 and Titan M security chips Apple and Google offer, but with the added advantage of being there for the entire Windows ecosystem to use.

Source: Microsoft’s Pluton chip upgrades the hardware security of Windows PCs



Microsoft Pluton is a new security chip for Windows PCs
httpv://www.youtube.com/watch?v=f85ipqsOcqc&ab_channel=REFILLSOLUTIONS


Nov 16 2020

Dozens of ransomware gangs partner with hackers to extort victims

Category: Ransomware | DISC @ 1:25 pm

Ransomware-as-a-service (RaaS) crews are actively looking for affiliates to split profits obtained in outsourced ransomware attacks targeting high profile public and private organizations. The more well-known ransomware gangs run private affiliate programs where affiliates can submit applications and resumes to apply for membership.

For affiliates that are accepted into the program, the ransomware developers receive a 20-30% cut, and an affiliate gets 70-80% of the ransom payments they generate.

REvil private affiliate program

Source: Dozens of ransomware gangs partner with hackers to extort victims



Ransomware-as-a-Service (RaaS)
httpv://www.youtube.com/watch?v=LKJXnIn3QVI&ab_channel=ZolderB.V.



Tags: Ransomware as a service


Nov 12 2020

Costaricto APT: Cyber mercenaries use previously undocumented malware

Category: Malware | DISC @ 3:28 pm

CostaRicto APT is targeting South Asian financial institutions and global entertainment companies using previously undocumented malware.

BlackBerry researchers have documented the activity of a hackers-for-hire group, dubbed CostaRicto, that has been spotted using a previously undocumented piece of malware to target South Asian financial institutions and global entertainment companies.

“During the past six months, the BlackBerry Research and Intelligence team have been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe.” reads the analysis published by BlackBerry. “The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.”

Source: Costaricto APT: Cyber mercenaries use previously undocumented malware



Tim Maurer discusses “Cyber Mercenaries: The State, Hackers and Power”
httpv://www.youtube.com/watch?v=i8qi8cLKl4A&ab_channel=HooverInstitution



Cyber Mercenaries: The State, Hackers, and Power



Tags: Advanced persistent threat, APT, Cyber mercenaries


Nov 11 2020

Google patches two more Chrome zero-days

Category: Zero day | DISC @ 5:57 pm

Google has now patched five Chrome zero-days in three weeks.

Source: Google patches two more Chrome zero-days | ZDNet

URGENT Google Chrome Zero Day flaw security update
httpv://www.youtube.com/watch?v=8u5jGXbaF0w



Zer0 Days


Nov 08 2020

FBI: Hackers stole source code from US government agencies and private companies

FBI blames intrusions on improperly configured SonarQube source code management tools.

FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.

Officials provided two examples of past incidents:

“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.

“This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.”

Source: FBI: Hackers stole source code from US government agencies and private companies | ZDNet



Nov 06 2020

Pwn2Own Tokyo Day one: NETGEAR Router, WD NAS Device hacked

Category: cyber security, Hacking, Information Security | DISC @ 11:30 am

The Pwn2Own Tokyo 2020 hacking competition has started, and bug bounty hunters have already hacked a NETGEAR router and a Western Digital NAS device.

Pwn2Own Tokyo is actually being coordinated by the Zero Day Initiative from Toronto, Canada, and the white hat hackers taking part in the competition have to demonstrate their ability to find and exploit vulnerabilities in a broad range of devices.

On day one of the competition, bug bounty hunters successfully exploited a vulnerability in the NETGEAR Nighthawk R7800 router. The participants were Team Black Coffee, Team Flashback, and teams from the cybersecurity firms STARLabs and Trapa Security; Team Flashback earned $20,000 for a remote code execution exploit resulting from the chaining of two bugs in the WAN interface.

“The team combined an auth bypass bug and a command injection bug to gain root on the system. They win $20,000 and 2 points towards Master of Pwn.” reads the post on the official site of the Pwn2Own Tokyo 2020.

The Trapa team successfully chained a pair of bugs to gain code execution on the LAN interface of the router; the experts earned $5,000 and 1 point towards Master of Pwn.

The STARLabs team earned the same amount after using a command injection flaw to take control of the device.

The Trapa Security team also earned $20,000 for a working exploit for the Western Digital My Cloud Pro series PR4100 NAS device.

The exploit code chained an authentication bypass bug and a command injection vulnerability to gain root on the device.

Source: Pwn2Own Tokyo Day one: NETGEAR Router, WD NAS Device hacked



Pwn2Own Tokyo (Live from Toronto) 2020 – Day One
httpv://www.youtube.com/watch?v=jX0b8iKXnbI&ab_channel=ZeroDayInitiative

Tags: pwn2own, Pwn2Own Tokyo


Nov 05 2020

Spotting a Common Scam

These scams seek to collect personal information about you, often appearing to come from a real business or agency. Someone may pose as an official disaster aid worker, or send you a fraudulent COVID contact tracing email. If you receive a message with a link, you should not click it as it may download malware to your device to steal passwords and personal information. Government agencies like FEMA or the IRS will never contact you asking for a FEMA registration number, a Social Security number, or a bank account or credit card number to give you a COVID or FEMA payment—or ask you to pay anything up front to fill out an application or to access state or federal resources.

Before sharing, check that what you are reading is from a trustworthy source. Disinformation can be life threatening in a global pandemic.

No cures or vaccines have been approved for COVID-19 yet. Online offers claiming to provide a medicine or device to treat or prevent COVID should be ignored. When there is a new breakthrough in the treatment and prevention of COVID, it will be widely reported on by reputable news sources.

Fake charities often emerge following a crisis, soliciting donations, but not using them for the described purpose. Before donating, check out www.ftc.gov/charity to research the organization and make sure it’s legitimate.

If you receive a robocall, you should hang up instead of pushing any buttons or giving away any personal information. If a call claims to be from the IRS or FEMA, but demands immediate payment through debit card or wire transfer, it is fraudulent. Federal agencies will never demand immediate payment over the phone, threaten immediate arrest, or ask you to make a payment to anyone other than the U.S. Treasury.

Warning Signs that a Loved One may be the Victim of a Scam 
Victims of a scam may be embarrassed or uncomfortable asking for help. It’s not always obvious when someone has been scammed, so check in with your loved ones frequently, especially if they are older, live alone, or are otherwise at high risk.

Warning signs include large ATM withdrawals, charges, or checks; secretiveness and increased anxiety about finances; large quantities of goods being delivered that they do not need; an unusual number of phone calls or visits from strangers; and a sudden lack of money, unpaid bills, or a change in daily habits.

For more information, and to get help with a potential FEMA fraud, you can call the National Center for Disaster Fraud Hotline at 866-720-5721 or FEMA’s Public Inquiry Unit at 916-210-6276. For questions about pandemic scams, go to www.ftc.gov/coronavirus or www.cdc.goc/coronavirus/2019-ncov.


Tags: common scam, scam
