Feb 15 2021
How one man silently infiltrated dozens of high-tech networks
We know what you’re thinking: “I bet you this is what they call a supply chain attack.”
And you’d be right.
The “one man” in the headline is cybersecurity researcher Alex Birsan, and his paper Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies, which came out last week, will tell you how his “attack” worked.
Of course, Birsan didn’t literally do it alone and unaided (see the end of his paper for the section of shout-outs to others who helped directly or inspired him indirectly during his research), and he didn’t really attack anyone in the way that a criminal hacker or cracker would.
His work was done in accordance with bug bounty rules or pre-arranged penetration testing agreements, and Birsan actually includes bug bounties in his credits:
Source: How one man silently infiltrated dozens of high-tech networks
Feb 15 2021
California Consumer Privacy Act (CCPA) Foundation Self-Paced Online Training Course

Training course outline
The CCPA (California Consumer Privacy Act) is a California data protection law that came into effect on January 1, 2020. Following the passing of Prop 24, the CPRA (California Privacy Rights Act) will take effect officially on January 1, 2023 and replace the CCPA. The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation).
Just like the GDPR, it gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
Once you have completed the California Consumer Privacy Act Foundation Online Training course, you will be able to:
- Demonstrate an understanding of privacy and cybersecurity law concepts, and the basis of national/state jurisdiction
- Define terms used in the CCPA/CPRA and contrast them with the GDPR
- Articulate the rights of consumers, and determine the duties of a business
- Examine the CPRA’s security requirements and prepare relevant responses
- Use the CPRA to determine what action(s) should be taken in the event of a breach
- Demonstrate an understanding of the CPRA’s penalty provisions
Feb 15 2021
Chinese Supply-Chain Attack on Computer Systems
Bloomberg News has a major story about the Chinese hacking of computer motherboards made by Supermicro, Lenovo, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:
China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.
There’s lots of detail in the article, and I recommend that you read it through.


Feb 14 2021
Want to become a CISO

The CISO role is not limited to understanding infrastructure, technologies, the threat landscape, and business applications; it also involves swaying people’s attitudes and influencing culture through relevant policies, procedures and compliance enforcement to protect the organization.
#CISO #vCISO
Explore more on the CISO role.
Feb 14 2021
PayPal addresses reflected XSS bug in user wallet currency converter
PayPal has fixed a reflected cross-site scripting (XSS) vulnerability in the currency converter feature of user wallets. The flaw was discovered on February 19, 2020, close to one year ago.
The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform.
“An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent,” reads the summary published by PayPal.
PayPal has implemented additional validation checks and sanitizer controls for user input in the currency exchange feature before that input is returned in the response.
According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL.
An attacker could have exploited the flaw to inject malicious code (JavaScript, HTML, or any other language) that would be executed within the victim’s browser.
Feb 13 2021
Some of the must-have titles to improve tactical-level Cyber Security acumen
1) Black Hat Go: Go Programming For Hackers and Pentesters
2) Real-World Bug Hunting: A Field Guide to Web Hacking
3) Web Security for Developers: Real Threats, Practical Defense
4) The Linux Command Line
5) The Car Hacker’s Handbook
6) Rootkits and Bootkits
7) Practical Malware Analysis
8) Metasploit
9) Hacking
Feb 12 2021
Microsoft warns of the rise of web shell attacks
Feb 11 2021
Cost Effective Cyber Security

DISC InfoSec provides cost effective Cybersecurity: CISO as a Service (CISOaaS)
A Chief Information Security Officer (CISO) is an executive responsible for cybersecurity. Many medium-sized organizations need a CISO but don’t have the budget for one. A fractional CISO/vCISO can deliver the value of a full-time CISO without the same level of investment.
Why might you need one?
- Lower your organizational cybersecurity risk with industry expert leadership.
- Supplement your team with InfoSec program, policy and process experts to solve your most pressing needs.
- Prioritize your cybersecurity investments with quantitative decision making.
- vCISO for your Interim CISO needs.
- A vCISO program can put you on a path to success with your compliance initiatives, such as NIST CSF compliance or ISO 27001 certification.
DISC InfoSec also performs technical control assessments, such as web application testing, which are imperative to your compliance and ISO 27001 certification process.
In short, as a CISOaaS we do all the legwork so you can focus on running your business.
Our vCISO advisory services are available to support the security/technology leadership of your organization in implementing and improving its security and risk posture in today’s heightened threat landscape.
If you would like to know more about how we can assist you with your latest InfoSec and compliance project, schedule a short call on our calendar.
Latest DISC InfoSec blog feed
Chief Information Security Officer
Contact DISC InfoSec for any question

Feb 11 2021
Is your business ready for the new world?

There is light at the end of the tunnel with Covid-19, and businesses will need to be ready for whatever it may bring. It may not be business as usual: your customers may want to reduce the number of vendors and services they use. In 2021, customers may prefer to do business with a vendor that secures their information and has a better chance of surviving a disaster.
Embracing an ISO standard (ISO 27001/2) can help differentiate you from your competitors and show you as a business that can cope in this new world. Using ISO standards as a foundation will show the world what type of company you are: one that does security more efficiently, as well as more effectively.
DISC InfoSec has 20 years’ experience in helping businesses in the USA successfully achieve ISO certification, by providing:
- Advice and Guidance throughout the implementation and certification process
- Risk assessment of existing Management System and Gap Analysis
- Design, build and assess a tailor-made compliant ISO Management System
- Write up all the Policies, Procedures and Flowcharts
- ISMS manual with all the relevant clauses
- Internal Auditor Instructions and training if required
- Registration and Certification with a certificating Body of your choice
At DISC InfoSec we use International Register of Certificating Auditors (QSA/BSI) qualified Lead Auditors to carry out your implementation and ensure successful certification.
DISC InfoSec ISO 27001 Assessment
DISC InfoSec ISO 27001 Consultants
Contact DISC InfoSec for any question
ISO 27001 implementation Titles

Feb 11 2021
Top 10 events and conferences in cyber
Knowing which events to go to can be a bit of a minefield, and the pandemic hasn’t helped matters. Remember when we could meet face-to-face and network? It seems like a long time ago. Despite this, conferences remain vital for any industry, and organisers are doing their utmost to ensure we are not deprived of the many opportunities these events can bring. Thankfully, most events have been made virtual, so the discussion and innovation of cybersecurity can continue. While there are hundreds of events to choose from, here is the IT Security Guru’s pick of the top 10 cybersecurity conferences that you shouldn’t miss, regardless of whether they are virtual or not:
RSA Conference (virtual), May 17-20, 2021
Feb 11 2021
Digital Security and 5G Security Architecture
Normal day-to-day life was brought to a halt by the COVID-19 pandemic, which greatly impacted the lives of virtually all people worldwide in unprecedented fashion. As people have stayed home and isolated themselves to avoid contracting and spreading the virus, there has been increased reliance on virtual connectivity due to a sharp increase in remote work and people performing their daily transactions over the internet.
This situation is now leading to an accelerated adoption of 5G architecture, resulting in a 5G-based Internet of Things (IoT) ecosystem. The 5G-based IoT ecosystem is a system of connected devices that reside on the 5G network. The benefits of the 5G network include providing new technology capabilities, allowing for higher productivity compared to previous mobile technologies, transferring and delivering 1,000x higher mobile data volume per area between devices, connecting a higher number of devices with a higher user data rate, providing 10x longer battery life for low power massive machine communications, and 5x reduced End-to-End (E2E) latency.
Due to the increased digital usage and the already existing risks and threats associated with current and previous cellular network technologies, there has been a higher number of data breaches and cyberattacks, with malicious actors taking advantage of citizens and businesses during the pandemic. Some of the identified risks/threats that lead to data breaches and cyber-attacks include:
- Bidding-down attacks, which weaken existing authentication mechanisms
- Malicious connections to networks by rogue user devices
- User devices falsely presenting themselves as roaming on networks
- Sensitive data exposure due to weak or absent encryption
- Higher risk from attackers due to new remote access threats
- Authentication traffic spikes caused by malicious actors
Source: Digital Security and 5G Security Architecture
Feb 11 2021
Singtel hit by third-party vendor’s security breach, customer data may be leaked
Singapore telco says it has pulled back all use of Accellion’s file-sharing system FTA and is investigating the impact of a cybersecurity attack, having ascertained on February 9 that “files were taken” and customer data “may have” been compromised.

Singtel says it is investigating the impact of a cybersecurity breach that may have compromised customer data, after it ascertained on February 9 that “files were taken”. The attack had affected a file-sharing system developed two decades ago by a third-party vendor Accellion, which the Singapore telco had used internally and with external stakeholders.
Singtel revealed in a statement Thursday it was notified by Accellion that the file-sharing system, called FTA (File Transfer Appliance), had been breached by unidentified hackers. The telco said the tool was deployed as a standalone system and used to share information within the organisation and with external stakeholders.
All use of the system had been pulled back and relevant authorities, including Singapore’s Cyber Security Agency and local police, were notified. Singtel added that it currently was assessing the nature and impact of the breach, and the extent of data that might have been illegally accessed.
“Customer information may have been compromised,” the telco said. “Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”
Source: Singtel hit by third-party vendor’s security breach