DoJ Launches Cybersecurity Fellowship Program as Threats Rise

The U.S. Department of Justice (DoJ) announced the creation of a cybersecurity fellowship program that will train prosecutors and attorneys to handle emerging national cybersecurity threats.

Fellows in the three-year Cyber Fellowship program will investigate and prosecute state-sponsored cybersecurity threats, transnational criminal groups, infrastructure and ransomware attacks and the use of cryptocurrency and money laundering to finance and profit from cybercrimes.

Cyber Fellowship Program

The program will train selected attorneys to deal with emerging cybercriminal threats and the ability to secure a top-secret security clearance is a prerequisite. All participants will be based in the Washington, D.C. area.

As part of the fellowship, participants will rotate through the multiple departments charged with protecting the country from cybersecurity threats, including the Criminal Division, the National Security Division and the U.S. Attorneys’ Offices.

The program is coordinated through the Criminal Division’s Computer Crime and Intellectual Property Section and the creation of the Fellowship is the result of a recommendation from the department’s ongoing comprehensive cybersecurity review, which was ordered by Deputy Attorney General Lisa Monaco in May 2021.

fellowship web app election security government

Enhancing Efforts Against Cybersecurity Threats

Leave a Comment

Threats Grow as Digital Wallets Gain Popularity

The pandemic, as well as users’ personal preferences, have helped enable the rapid emergence of digital payment applications and digital wallets, which compete with credit cards and cash as preferred payment options.

The growing popularity of digital wallets such as Google Pay, Samsung Pay and Apple Pay is making them a bigger target for malicious actors, according to a report from security analytics software specialist Cognyte.

The study, which collected and analyzed threat actors’ conversations about digital wallets from 2016 through 2020, found the number of threat actors’ interactions around the topic almost doubled from 2017 to 2018.

By 2019, this number grew by 456%, reaching 31,878 interactions and by 2020 it grew by another 292%, reaching 96,363 interactions.

Increase in Popularity and Threats

Next Generation Crypto Hardware Wallet

Trezor Model T - Next Generation Crypto Hardware Wallet with LCD Color Touchscreen and USB-C, Store your Bitcoin, Ethereum, ERC20 and more with Total Security

Leave a Comment

Feds Warn of Ransomware Attacks Ahead of Labor Day

Feds Warn of Ransomware Attacks Ahead of Labor Day

Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely won’t — which means organizations should remain particularly vigilante about the potential for ransomware attacks, the federal government has warned.

Citing historical precedence, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.

While the agencies said they haven’t discovered “any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,” they are working on the idea that it’s better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.

Indeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.

“Modern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,” noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.

Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times “will be impacted,” he said.

That’s mainly because the absence of key personnel make it less likely that organizations that are targeted can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.

“This additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,” he said in an email to Threatpost.

History of Holiday Attacks

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Leave a Comment

Skimming the CREAM – recursive withdrawals loot $13M in cryptocash

You must have had that happy feeling (happiest of all when it’s still a day or two to payday and you know that your balance is paper-thin) when you’re withdrawing money from a cash machine and, even though you’re still nervously watching the ATM screen telling you that your request is being processed, you hear the motors in the cash dispensing machinery start to spin up.

That means, even before any banknotes get counted out or the display tells you the final verdict, that [a] you’ve got enough funds, [b] the transaction has been approved, [c] the machine is working properly, and [d] you’re about to get the money.

Well, imagine that if you hit the [Cancel] button at exactly the right moment between the mechanism firing up and the money being counted out…

…and if your timing was spot on, then your card would stay in the machine, your account wouldn’t get debited, and you’d be asked if you wanted to try again, BUT YOU’D GET THE CASH FROM THE CANCELLED TRANSACTION ANYWAY!?!!?

And imagine that, as long as you kept pressing that magic button at just the right moment, you could loop back on yourself and layer ghost withdrawal on ghost withdrawal…

…until the machine finally ran out of money, or hit some internal software limit on recursive withdrawals, or you decided to quit while you were ahead and get clear of the ATM before an alarm went off.

Blockchain Bubble or Revolution: The Future of Bitcoin, Blockchains, and Cryptocurrencies

Leave a Comment

Windows 11 Security Scare—MS Nixes Fixes on Older PCs

Windows 11 won’t auto-update on slightly old PCs. It appears this includes security updates—although Microsoft PR is doing its usual trick of ghosting reporters who ask.

This sounds like a terrible idea: A fleet of unpatched Windows 11 PCs connected to the internet? That’s a recipe for disaster.

Stand by for Redmond to walk this one back in an embarrassing climbdown. In today’s SB Blogwatch, we hope against hope.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Olivia vs. Paramore.

MSFT MBEC+HVCI FAIL

What’s the craic? Sean Hollister reports—“Microsoft is threatening to withhold Windows 11 updates if your CPU is old”:

Why leave us in the dark?”
Windows 11 won’t technically leave millions of PCs behind … so long as you download and manually install an ISO file. … But it turns out even that technicality has a technicality: Microsoft is now threatening to withhold Windows Updates … potentially even security updates.

It’s quite possible this is just a cover-your-ass measure. … But it’s also possible Microsoft genuinely does mean to withhold patches. … Microsoft declined to clarify things further.

Windows 11 could theoretically be an operating system where you go back to the days of manually downloading [security] updates. … Feature updates are probably less of a big deal. [But] why leave us in the dark?

Windows 11 Security Scare

Leave a Comment

Men, Executives Pose Higher Cybersecurity Risk

When it comes to online behaviors, women are far safer than men, according to a wide-ranging survey from SecurityAdvisor.

Despite the fact that women made up 42% of the sample data, they account for 48% of the top safe users and only 26% of risky users. Men, on the other hand, account for 74% of risky users: A big driver of these risky behaviors stems from men’s and women’s online behaviors.

According to SecurityAdvisor’s data, men are more likely to visit dangerous adult websites, use P2P software and watch pirated content than women.

SecurityAdvisor analyzed more than 500,000 malicious emails and an additional 500,000+ dangerous website visits by enterprise employees in more than twenty countries. Employees range from entry-level to executives and operate across many industries, including health care, financial services, communications, professional services, energy and utilities, retail and hospitality.

“Our partner here, Kelley McElhaney from Berkeley University, noted that women are more aware of long-term ramifications of risky behaviors,” SecurityAdvisor CEO Sai Venkataraman said. “Also, society tends to tolerate failures by dominant groups better, hence men don’t fear the consequences or fear consequences less.”

He also pointed out that men, from an early age, are socialized to take risks and win, hence they are less afraid of a potential negative outcome and engage in riskier behaviors.

cybersecurity alert fatigue

C-Level Executives are Prime Targets

CYBER SECURITY FOR TOP EXECUTIVES: Everything you need to know about Cybersecurity by [Alejandra Garcia]
CYBER SECURITY FOR TOP EXECUTIVES

Leave a Comment

Operationalize AWS security responsibilities in the cloud

What do AWS Partners with Level 1 Managed Security Service (MSSP) Competency provide?

All AWS Level 1 MSSP Competency Partners provide at minimum the ten 24/7 security monitoring, protection, and remediation services as defined in the Level 1 Managed Security Services baseline. Those ten 24/7 services specifically are below.

Many of the Level 1 MSSP Competency Partners also provide additional security assessment and implementation professional services as well to assist customers in their AWS cloud journey.

  • AWS Infrastructure Vulnerability Scanning – Routine scanning of AWS infrastructure for known software vulnerabilities.
  • AWS Resource Inventory Visibility – Continuous scanning and reporting of all AWS resources and their configuration details, updated automatically with newly added or removed resources.
  • AWS Security Best Practices Monitoring – Track and detect misconfigurations of AWS resources to improve cloud security posture and reduce business risk.
  • AWS Compliance Monitoring – Scanning AWS environment for compliance standards such as: CIS AWS Foundations, PCI DSS, HIPAA, HITRUST, ISO 27001, MITRE ATT&CK, and SOC2.
  • Monitor, Triage Security Events – Gain visibility into security alerts with a consolidated list of security events and recommended remediation guidance.
  • 24/7 Incident Alerting and Response – Receive notification of high priority security events and expert guidance on recommended remediation steps 24/7.
  • DDoS Mitigation – Increase visibility and resilience to DDoS attacks and reduce the risk of availability, financial, and security impacts to applications.
  • Managed Intrusion Prevention System (IPS) – Add a layer of security for AWS-based endpoints, helping with defense against known threat patterns, to increase overall security posture.
  • Managed Detection and Response (MDR) for AWS-Based Endpoints – A combination of technology and cloud security experts working to continuously detect, investigate, and remove threats from within AWS-based endpoints.
  • Managed Web Application Firewall (WAF) – A firewall managed service designed to protect web-facing applications and APIs against common exploits.

What are the prerequisites for becoming an AWS Level 1 MSSP Competency Partner?

AWS Security Cookbook: Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS

Leave a Comment

Big bad decryption bug in OpenSSL – but no cause for alarm

The bugs

OpenSSL, as its name suggests, is mainly used by network software that uses the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.

Although TLS has now replaced SSL, removing a huge number of cryptographic flaws along the way, many of the popular open source programming libraries that support it, such as OpenSSL, LibreSSL and BoringSSL, have kept old-school product names for the sake of familiarity.

Despite having TLS support as its primary aim, OpenSSL also lets you access the lower-level functions on which TLS itself depends, so you can use the libcrypto part of OpenSSL to do standalone encryption, compute file hashes, verify digital signatures and even do arithmetic with numbers that are thousands of digits long.

There are two bugs patched in the new version:

  • : SM2 decryption buffer overflow.
  • : Read buffer overruns processing ASN.1 strings.

Strings, long and short

Network Security with OpenSSL

Leave a Comment

Don’t Leave Security to the Network

Key Strategic Criteria

The solution is, instead, to focus on building applications that are secure by design, with zero-trust security baked-in rather than bolted-on. This is one of the three key strategic criteria we see for forward-looking enterprises that are accelerating the security of their applications.

  • Make applications secure by design – zero-trust is now the recommended security model.
  • Embrace tools that enable agility and efficiency and eliminate complexity.
  • Embrace open source for future-proofing, maximum visibility and to avoid proprietary lock-in.

Integrating security and the WAN is the next wave in network architecture. That means embedding zero-trust and access management capabilities in applications.

Zero-trust, to continue with the sporting event analogy, requires ticket checks before fans reach the stadium; it determines if they are authentic fans and therefore whether they can enter, where they can go once they’re inside the venue and which events they can watch. Zero-trust uses context as well as identity to authenticate users, and it enables policies that permit access only within a certain time window, a particular network segment or to a specific application. It removes the element of implicit trust that is so easily exploited, whether deliberately by bad actors or accidentally by careless users.

Zero-Trust Network Security

Zero Trust Networks: Building Secure Systems in Untrusted Networks

Leave a Comment

What is ISMS

Implementing an ISMS

There are numerous ways of approaching the implementation of an ISMS.  The most common method to follow is a ‘Plan Do Check Act’ process.

ISO 27001 is the international security standard that details the requirements of an ISMS.

ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS. 

A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.

The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.

The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).

ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.

ISO 27001 Risk Assessment and Gap Assessment

Leave a Comment

T-Mobile Hacker Who Stole Data on 50 Million Customers

Their Security Is Awful’

A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier’s latest breach

The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s TMUS -1.63% systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and counting.

John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.

The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.

A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier’s latest breach

Leave a Comment

Samsung can remotely disable their TVs worldwide using TV Block

Samsung can remotely disable their TVs worldwide using TV Block

Samsung says that it can disable any of its Samsung TV sets remotely using TV Block, a feature built into all television products sold worldwide.

This was revealed by the South Korean multinational in a press release issued earlier this month in response to the July South African riots that led to large-scale looting, which also impacted Samsung warehouses and stores.

“TV Block is a remote, security solution that detects if Samsung TV units have been unduly activated, and ensures that the television sets can only be used by the rightful owners with a valid proof of purchase,” Samsung said.

“The aim of the technology is to mitigate against the creation of secondary markets linked to the sale of illegal goods, both in South Africa and beyond its borders. This technology is already pre-loaded on all Samsung TV products.”

As Samsung explains, the goal behind remotely disabling stolen TV sets is to limit looting and “third party purchases,” and ensuring that the TVs can only be used by “rightful owners with a valid proof of purchase.”

How TV Block works

Leave a Comment

Interesting Privilege Escalation Vulnerability

It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.

Privileged Attack Vectors

Razer DeathAdder Essential Gaming Mouse

Leave a Comment

APIs Create New Security Headaches

How APIs Create Security Risks

The proliferation of APIs that power applications, microservices, containers and serverless functions have created one of the greatest sources of security risk that businesses face today. The reason is simple: It’s not the development team’s responsibility to handle security. At the same time, however, security operations teams don’t have visibility into APIs. Because you can’t protect what you can’t see, Lebin Cheng, head of API security, office of the CTO at Imperva, pointed out three primary ways APIs create security risk for organizations:

  • A legacy application, initially deployed for internal use, is exposed externally using gateways that perform only fundamental authentication and authorization, with inadequate protection against sophisticated data exfiltration attempts. Because APIs are often connected directly to a data source, this can give attackers direct access to sensitive data.
  • Modern applications are increasingly built with outsourced components and/or services. This means that the majority of the application stack isn’t actually owned by the enterprise. What connects all these components is the API, but organizations often lack the visibility to monitor these API calls or the ability to secure the APIs in runtime.
  • The speed of software development is the Achilles’ heel of a security team. Developers need to move quickly and publish lines of code and APIs. However, the traditional approach of penetration testing for vulnerabilities isn’t feasible in today’s modern application workflow because it takes too long to conduct. This is creating a tug-of-war internally between the DevOps and SecOps teams.

“Data exfiltration through a compromised or vulnerable API is the risk organizations need to be most worried about,” said Cheng in an email interview. According to research by Imperva Research Labs, the number of new API vulnerabilities grew at the same time other vulnerabilities decreased; by 2024, it’s predicted that API abuses and related data breaches will nearly double in volume.

Enter the Hackers

API Security in Action

Leave a Comment

How to Reduce Risk with Runtime Application Self Protection

Instead of waning, cyber attacks continue to rise as the years pass. Several reasons contribute to this phenomenon, despite developing and deploying more robust network and data security platforms. First, the recent spate of disruptive cyberattacks hampering operations of organizations and government agencies proves that cybercriminals are becoming bolder in perpetuating their malicious activities.

These nefarious actors attack small, medium, and large corporations and organizations. Several attacks were publicized. Most of them are high-profile ransomware victims: Kaseya, JBS, SolarWinds, Colonial Pipeline, Acer, AXA, and CAN Financial. Many of them opted to pay the ransom demand not to disrupt operations that can affect thousands of businesses and consumers.

The nagging question is why cyberattacks are happening more often today. First, attackers are getting more sophisticated. Second, many are organized hacking groups, while some are already identified as government-backed hackers. The increase in cyberattacks can be attributed to several reasons, namely:

  • The willingness of many victims to pay the ransom;
  • Increased use of unregulated cryptocurrencies, which are harder to trace;
  • Publication of cyberattacks enticed other hackers to try the activity themselves, taking the publication of the attacks as successes of cybercriminals– this turned into a get-rich-quick scheme;
  • Increasing numbers of people going online, especially amid the pandemic.

Table of Contents

Alice and Bob Learn Application Security

Leave a Comment

Three reasons why ransomware recovery requires packet data

Given that, companies also need to carefully consider their ability to respond and recover from a ransomware incident. While the key component of recovery is maintaining and testing backups of critical data, one aspect of recovery that’s often overlooked is having access to the stored packet data from the lead-up and ransomware attack itself.

High-quality packet data is important for ransomware recovery in three critical ways: (a) For determining the timeframe for backup restoration; (b) For creating a record of the attack for incident response (especially for legal and compliance reporting); (c) and for analyzing the attack itself to prevent it from happening again.

How far back should we restore from?

Ransomware Protection Playbook

Leave a Comment

This Mouse Gives you Admin on Windows

Razer gaming mice come with a buggy installer. It starts automatically when you plug in one of Razer’s devices.

The installer runs as SYSTEM. And it lets you start a shell—which also runs as SYSTEM. A classic elevation-of-privilege bug. And one that’s incredibly simple to exploit.

Déjà vu? It’s like PrintNightmare all over again. In today’s SB Blogwatch, we point the fingers of blame.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: A VHS player with a window.

Not This One, That One

What’s the craic? Lawrence Abrams reports—“Become a Windows 10 admin by plugging in a mouse”:

It took us about two minutes”
Razer is a very popular computer peripherals manufacturer known for its gaming mouses and keyboards. When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software.

A zero-day vulnerability in the plug-and-play Razer Synapse installation … allows users to gain SYSTEM privileges [which is] the highest user rights available in Windows. … It took us about two minutes to gain SYSTEM privileges in Windows 10 after plugging in our mouse.

Razer has contacted the security researcher to let them know that they will be issuing a fix. … Razer also told the researcher that he would be receiving a bug bounty reward.

O RLY? Surur Davids adds—“All you need to gain admin privileges on Windows 10 is to plug in a Razer mouse”:

This Mouse Gives you Admin on Windows

Mastering Windows Security and Hardening: Secure and protect your Windows environment from intruders, malware attacks, and other cyber threats

Leave a Comment

Google discloses unpatched Microsoft WFP Default Rules AppContainer Bypass EoP

Google disclosed the details of a Windows ​​AppContainer vulnerability because Microsoft initially had no plans to fix it.

Google Project Zero experts disclosed the details of a Windows ​​AppContainer flaw after Microsoft announced it had no plans to fix it.

The team focused its analysis on Windows Firewall and AppContainer that were designed by Microsoft to limit the attack surface of applications. Bypass network restrictions in AppContainer sandboxes could allow an attacker to access services on localhost, as well as granting access to intranet resources in an enterprise organization.

Google Project Zero researcher James Forshaw discovered an issue in the configuration of Windows Firewall that could allow attackers to bypass restrictions and allowed an AppContainer process to access the network.

“Recently I’ve been delving into the inner workings of the Windows Firewall. This is interesting to me as it’s used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.” wrote Forshaw.

“I recently discovered a configuration issue with the Windows Firewall which allowed the restrictions to be bypassed and allowed an AppContainer process to access the network. Unfortunately Microsoft decided it didn’t meet the bar for a security bulletin so it’s marked as WontFix.”

According to Google, Microsoft decided to label the issue as WontFix.

“The default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.” reads the security advisory published by Microsoft. “Connecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as “InternetClient Default Rule” which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the “Block Outbound Default Rule” rule if nothing else has which will block any connection attempt.”

Google discloses unpatched Microsoft WFP Default Rules AppContainer Bypass EoP

DevOps and Containers Security

Leave a Comment

Apple’s iPhone Backdoor

More on Apple’s iPhone Backdoor

In this post, I’ll collect links on Apple’s iPhone backdoor for scanning CSAM images. Previous links are here and here.

Apple says that hash collisions in its CSAM detection system were expected, and not a concern. I’m not convinced that this secondary system was originally part of the design, since it wasn’t discussed in the original specification.

Good op-ed from a group of Princeton researchers who developed a similar system:

Our system could be easily repurposed for surveillance and censorship. The design wasn’t restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.

Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices

Leave a Comment

The warning signs of burnout and how to deal with it

The consequences of such an action could prove dire for your business, though, so before you let another day of stress go by, read on to learn some warning signs and tips on how to deal with burnout. The goal is to get your team working at maximum capacity without overworking them.

Signs of burnout

Burnout is the word used to describe acute exhaustion when your work becomes overwhelming and too stressful. It can lead to poor performance, absenteeism, or resignations. It is a real problem in many industries, but it’s hugely prevalent in information security because of the long hours and high pressure.

Fortunately, burnout comes with early warning signs that you can spot and address. These include:

  • Anger at colleagues
  • A constant feeling of exhaustion that could manifest in team members getting lost in daydreams or even nodding off at their desk
  • Expressions of hopelessness or being overwhelmed by their responsibilities or current task
  • The team member isolating themselves from others, i.e., avoiding time out with colleagues or social events
  • Unhappiness in the role
  • An inability to stop and take breaks
  • An increase in working hours (coming in early, staying late, skipping lunch, or frequently emailing during out-of-office hours)

If any of your staff shows some of these symptoms, it’s time to act!

Taking steps to head off burnout

Time Off: A Practical Guide to Building Your Rest Ethic and Finding Success Without the Stress

Leave a Comment