InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
According to a recent security report, Chinese government has decided to resort to hacking, cyberwarfare and corporate espionage tactics to boost its ambitious defense program, compromising the systems of firms like Lockheed Martin in order to access classified information useful for their own purposes.
Peter Suciu, a renowned researcher, says China is an actor that should be taken seriously, especially on military issues. This is not the first such report, as since 2019 the Pentagon had accused the Chinese military of resorting to what they defined as “cyber theft” and other methods to achieve great improvements in military terms.
It all went back to 2007, when the firm Lockheed Martin discovered that a Chinese hacking group had been stealing technical documents related to the F-35 program, while a similar theft occurred when cybercriminals working for Beijing managed to compromise a network of an Australian subcontractor to the F-35.
These reports lead experts to believe that the Chinese have acquired a wealth of crucial information and data for these programs, including the development of the Chinese J-20 fighter jet, also known as “Mighty Dragon.” Suciu himself claims that the creation of these aircraft would have been impossible without the information stolen from Lockheed Martin.
In connection with these reports, Business Insider published a report detailing the clear similarities in appearance and engineering between American aircraft and those created by the Chinese government. In addition, the report not only emphasizes the similarity of these aircraft, but also states that the sensor systems used by the Chinese government are virtually identical to the electro-optical guidance employed by Lockheed Martin in the Lightning II model, further evidence of espionage against the company.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
In 2007, Chinese Advanced Persistent Threat (APT) hackers targeted the computer networks of defense contractor Lockheed Martin, which was working on the development of the F-35 Lightning II fighter jet. The APT hackers gained access to the networks by using spear-phishing attacks to trick employees into downloading malware or providing their login credentials. Once inside the network, the hackers used various techniques to move laterally and gain access to sensitive data.
The hackers were able to steal large amounts of data related to the F-35 program, including design plans, testing results, and software source code. The stolen data allowed China to gain a significant advantage in its own stealth fighter program, the J-20.
The J-20 first flew in 2011, and it bears striking similarities to the F-35. Both aircraft are designed to be stealthy, with angular shapes and features that minimize their radar signature. The J-20 also features advanced avionics and sensor systems, which are similar to those used in the F-35.
The theft of the F-35 data was part of a larger campaign by Chinese APT hackers to steal sensitive information from Western companies and governments. The campaign, which has been ongoing for many years, is believed to be part of China’s broader efforts to modernize its military and develop advanced technologies.
The theft of the F-35 data was a significant blow to U.S. national security, as it gave China valuable insights into one of the most advanced fighter jets in the world. It also highlighted the need for stronger cybersecurity measures and better protection of sensitive data.
The ongoing cybersecurity skills shortage is a critical issue plaguing organizations and causing serious problems. The lack of trained and qualified professionals in the field has resulted in numerous security breaches, leading to the loss of large amounts of money.
In this Help Net Security video, José-Marie Griffiths, President of Dakota State University, discusses how this shortage is not just a mere inconvenience but a major threat compromising the safety and security of companies and putting the sensitive information of their clients and customers at risk.
With each passing day, the consequences of this shortage become more and more severe, making it imperative for organizations to take immediate action and find ways to address this critical challenge.
Advancing cyber education can help fill workforce gaps in several ways:
Meeting the growing demand for cybersecurity professionals: With the increasing number of cyber threats and attacks, there is a growing demand for cybersecurity professionals. Advancing cyber education can help produce more skilled professionals to fill the gap.
Increasing the number of qualified candidates: Cybersecurity positions often require specific skills and certifications. Advancing cyber education can help increase the number of qualified candidates by providing them with the necessary skills and certifications.
Addressing the skills gap: The skills gap in cybersecurity is a major challenge for employers. Advancing cyber education can help address the skills gap by providing education and training programs that are tailored to the needs of the industry.
Encouraging diversity: Cybersecurity has historically been a male-dominated field, and there is a lack of diversity in the workforce. Advancing cyber education can help encourage diversity by providing opportunities for underrepresented groups to enter the field.
Preparing for future threats: Cyber threats are constantly evolving, and it is essential to have a workforce that is prepared to face new challenges. Advancing cyber education can help prepare the workforce to address future threats by providing them with the necessary knowledge and skills.
Overall, advancing cyber education is crucial to fill workforce gaps in cybersecurity and to ensure that the workforce is prepared to address current and future threats.
The leaked data includes email addresses, password hashes, names, phone numbers, and more.
Hackers obtained login credentials for several mainstream corporate giants, including Microsoft, Samsung, Uber and Apple, etc. and gained remote access to the entities’ surveillance cameras after attacking two data centers in Asia.
A screenshot from the leaked data shows login credentials for Samsung, Amazon, Uber, Alibaba and more. (Credit: Hackread.com)
This was revealed by the cyber security firm Resecurity. The company originally identified the data breach in September 2021; however, details of it were only revealed to the media now as on February 20th, 2023, hackers leaked the stolen login credentials online.
It is worth noting that these credentials were leaked on Breachforums by a threat actor going by the handle of “Minimalman.” For your information, Breachforums is a hacker and cybercrime forum that surfaced as an alternative to the popular and now-seized Raidforums.
According to Resecurity, hackers accessed two of the largest data center operators in Asia that were being used by several mainstream companies and technology giants. From there, the hackers could obtain customer support logins for high-profile companies, including Amazon and Apple, BMW, Microsoft, Alibaba, Walmart, Goldman Sachs, etc.
As seen by Hackread.com on the hacker forum, the threat actors managed to obtain and leak credentials from over 2,000 firms and a Chinese foreign-exchange platform.
The data centers have been identified as Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global. Both data centers reportedly forced all customers to change their passwords in January 2023.
Dangers
The dangers of hackers obtaining login credentials of tech giants such as Apple, Amazon, Microsoft, Samsung and others are numerous and severe. Firstly, such credentials allow hackers to access sensitive customer data, including payment information and personal details, which can lead to identity theft and financial fraud.
Secondly, hackers can use these credentials to gain access to the company’s networks, potentially compromising intellectual property and trade secrets. Additionally, with access to company accounts, hackers can launch cyber attacks against other organizations, amplifying the damage caused by their actions.
Furthermore, a breach of a tech giant’s login credentials can have far-reaching consequences, impacting not only the company and its customers but the wider economy and society as a whole. For instance, if a company like Amazon were to suffer a significant data breach, it could lead to a loss of consumer trust, which could in turn affect the confidence of investors and the stock market.
Moreover, a successful hack of a tech giant’s credentials could inspire copycat attacks, leading to an escalation in cybercrime and potentially destabilizing the digital infrastructure that underpins much of our daily lives.
To mitigate these risks, tech giants must remain vigilant in their cybersecurity measures, ensuring that their systems are regularly updated and that their employees are trained to detect and prevent security breaches.
Companies must also invest in advanced technologies such as machine learning and artificial intelligence to detect and respond to cyber threats in real time. Finally, companies must ensure that they comply with industry standards and regulations related to cybersecurity, such as the General Data Protection Regulation (GDPR), to protect the privacy and security of their customers.
How to protect from Data Breach?
There are several steps you can take to protect yourself from a data breach:
Use strong, unique passwords: Use different passwords for each of your accounts and make sure they are strong and difficult to guess. Consider using a password manager to keep track of your passwords.
Enable two-factor authentication: Two-factor authentication adds an extra layer of security to your accounts by requiring you to provide a second form of identification, such as a code sent to your phone, in addition to your password.
Keep your software up to date: Keep your operating system, web browser, and antivirus software up to date to ensure that they have the latest security updates.
Be cautious of suspicious emails: Be wary of emails from unknown senders or emails that contain suspicious links or attachments. These could be phishing emails designed to trick you into giving away your personal information.
Limit your personal information online: Be cautious about sharing personal information online, and only provide it when necessary. Consider using privacy settings on social media to limit who can see your information.
Monitor your accounts: Keep an eye on your accounts for any suspicious activity and report anything out of the ordinary to the appropriate authorities or financial institutions.
By taking these steps, you can help protect yourself from a data breach and minimize the impact if one occurs.
Europol has dismantled a gang linked to a $40 million CEO scam. Find out more about how this international criminal syndicate was uncovered and who was involved.
The email scam gang behind France’s largest-ever CEO scam has been dismantled after a coordinated police operation across multiple countries was successful in arresting six people in France and two in Israel.
The Europe-wide operation to track down the Franco-Israeli criminal organization involved the Croatian National Police, the Croatian Anti Money Laundering Office, the French National Police, the French Gendarmerie, the Hungarian Budapest Metropolitan Police, the Israel Police, the Portuguese Judicial Police, and the Spanish National Police.
Law enforcement authorities involved in the operation (Image: Europol)
In early December 2021, one of the gang members, now arrested as a suspect, impersonated the CEO of a metallurgy company in northeastern France and tricked the accountant into making an urgent and confidential transfer of €500,000 ($530,000) which was subsequently spotted and blocked.
In late December 2021, according to Europol’s press release, Sefri-Cime, a real-estate developer, fell victim to the same group after its members impersonated lawyers working for a well-known French accounting firm. According to Europol, they persuaded the Chief Financial Officer (CFO) to transfer almost €38 million ($40 million) altogether.
The criminal network, consisting of French and Israeli nationals, used a pre-existing money laundering scheme that laundered the funds via European countries, China, and then Israel. An investigation that followed revealed the money mules working for the gang in Croatia, Portugal, and Hungary.
The police were able to seize electronic equipment and vehicles, €3 million from Portuguese bank accounts, €1.1 million from Hungarian bank accounts, €600,000 from Croatian bank accounts, €EUR 400,000 from Spanish bank accounts and €350,000 in virtual currencies.
The operation continued for five days between January 2022 and 2023 in France and Israel, leading to eight house searches and eight arrests, including the alleged Israeli gang leader, according to Europol.
Social engineering techniques are becoming increasingly sophisticated and are exploiting multiple emerging means, such as deep fakes.
The increasing use of videoconferencing platforms and the various forms of remote work also adopted in the post-emergency covid make interpersonal collaborations increasingly virtual. This scenario must undoubtedly force organizations to prepare adequately to be able to recognize impersonation attempts based on social engineering attacks, which are also proving increasingly sophisticated due to the rapid advancement of deepfake technology.
Deepfake technology, what’s it?
The word deepfake, which originates from a combination of the terms “deep learning” and “fake,” refers to digital audio/video products created through artificial intelligence (AI) that could allow one to impersonate an individual with likeness and voice during a video conversation. This is done through deep learning methodologies such as the Generative Adversarial Network (GAN) i.e., a group of neural network models for machine learning, deputed to teach computers how to process information by emulating the human brain.
Deepfake and phishing
The accessibility and effectiveness of deepfake technology have led cybercrime to use it for sophisticated social engineering attacks for the purpose of extortion, fraud, or to cause reputational damage. Consider the impact of a voice phishing attack that replicates the voices of a company’s stakeholders to persuade employees to take a series of actions that could harm security and privacy, or the effectiveness of a phone call with simulated voices for the purpose of convincing an employee to send funds to an offshore bank account.
Aggravating factors
Further aggravating the situation is also the availability of both deepfake tools, made available as a service on clandestine web forums, which make it easier and more convenient for criminal actors with limited technical skills to set up these fraud schemes, and a large number of images and videos posted by users of social media platforms that can be processed by deep learning algorithms to generate precisely deepfake content.
Mitigation
Although there is still no simple and secure way to detect deepfakes, there are still some best practices that can be adopted:
Add additional security and protection processes. Having secondary verification methods, such as a dual approval process for financial transactions, correspondence monitoring, and 2FA, should always be considered an indispensable prevention solution;
Use artificial intelligence itself to recognize deepfakes. An artificial intelligence system might be able to recognize whether an audio/video content has been manipulated by quickly comparing it with known original reference samples or converting an audio track to text to recognize possible malfeasance and decide whether or not to approve a payment transaction;
Integrate the concept of deepfake into the risk assessment process and planning for possible crisis scenarios;
Outlook
Although technology will continue to evolve and it will become increasingly difficult to detect deepfakes, fortunately detection technologies will also improve. But the task for insiders to better protect themselves and their organizations from a variety of cyberattacks will have to be not only to keep abreast of evolving counter techniques and implement them in a timely manner, but also, and most importantly, to raise awareness in their organizations by focusing on training employees of all ranks. The human factor must always be considered as the first bastion of defense, even and especially against the most sophisticated cyber attacks.
About the author: Salvatore Lombardo
Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazine on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.
This article covers Active directory penetration testing that can help for penetration testers and security experts who want to secure their network.
“Active DirectoryPentesting” Called as “AD penetration Testing” is a directory service that Microsoft developed for the Windows domain network. Using it you can to control domain computers and services that are running on every node of your domain.
In this section, we have some levels, the first level is a reconnaissance of your network. every user can enter a domain by having an account in the domain controller (DC).
All this information is just gathered by the user that is an AD user. In the username, there are two parts the first is the domain name and the second part is your username. like below :
Reconnaissance Commands:
+ c:\ > net user
By running this command in CMD (Command Prompt) you can easily see local users on your PC.
+ c:\ >whoami
This command can help you to see the current user associated with Active Directory logged in.
+ c:\ >whoami /groups
This command helps you to show you the current group
+ c:\ > net user \domain
This command shows you all users from any group in the active directory. also, you can see every user’s group by running this command :
+ c:\ > net user [username] domain.
To have a better look, you can user “AD Recon” script. AD Recon is a script written by “Sense of Security“.
It uses about 12 thousand lines of PowerShell script that gives you a good look to AD and all info that you will need it.
You can download this script from GitHub: https://github.com/sense-of-security/ADRecon screenshots of the report of this app:
Picture2 – List of AD GroupsPicture3 – List of DNS Record Zones
When you get all AD users, now you should take a look at the group policy. The group policy is a feature of Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. in the group policy, you can see environment policy such as”Account Lockout Policy“.
It is a method that provides you networks users to be secure from password-guessing attacks. Also, you can see “Password Policy“. A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
When you get all the data that you need, now you can execute different attacks on users like :
Brute Force Active Directory
To brute force attack on active directory, you can use Metasploit Framework auxiliaries. You can use below auxiliary:
msf > use auxiliary/scanner/smb/smb_login
The options of this auxiliary you can set username file and password file. and set an IP that has SMB service open.
then you can run this auxiliary by entering “run” command.
If you try false passwords more than Account Lockout Policy, you can see this message “Account Has Been Locked out“.
If you try it on all accounts, all users will be disabled and you can see disorder in the network. As you can see in Password Policy, you can set your password list to brute-force.
All hashes are stored in a file named “NTDS.dit” in this location :
C:\Windows\NTDS
You will extract hashes from this file by using mimikatz. mimikatz has a feature which utilities the Directory Replication Service (DRS) to retrieve the password hashes from NTDS.DIT file. you can run it as you can see below : mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv
Then you can see hashes and password (if the password can be found).
The active directory includes several services that run on Windows servers, it includes user groups, applications, printers, and other resources.
It helps server administrators to manage devices connected with the network and it includes a number of services such as Domain, Certificate Services, Lightweight Directory Services, Directory Federation and rights management.
Active directory penetration testing is required for any organization, nowadays APT groups actively targeting Active Directories using different techniques.
In this Help Net Security video, Daniel Dos Santos, Head of Security Research at Forescout, talks about recent research, which has revealed how attackers can move laterally between vulnerable networks and devices found at the controller level of critical infrastructure. This would allow them to damage assets such as movable bridges physically.
This lateral movement lets attackers access industrial control systems and cross often-overlooked security perimeters to cause physical damage. From sensors that measure and detect pressure, temperature, flow and levels of liquids, air, and gases, to analyzers that determine chemical compositions and actuators that enable machines to move. Moving through these devices at the lowest levels, attackers can circumvent built-in functional and safety limitations to cause significant damage or disruption to services, or worse, pose a potential threat to life.
To demonstrate the potential implications, Forescout has built an industry-first proof-of-concept (PoC) which shows how attackers can move laterally on the controller level (Purdue level 1) to cause cyber and physical impact, as illustrated through the scenario of damaging a movable bridge during a closing sequence.
As part of the research, two new vulnerabilities are also being disclosed for the first time – CVE-2022-45788 and CVE-2022-45789 – which allows for remote code execution and authentication bypass, respectively, on Schneider Electric Modicon Unity Programmable Logic Controllers (PLCs).
Modicon PLCs are used in a wide range of industrial processes and critical infrastructure, including in industries such as water and wastewater, mining, manufacturing, and energy. Whilst these devices should not be accessible online, Forescout has found that close to a thousand PLCs have been exposed, with France (33%), Spain (17%), Italy (15%), and the United States (6%) revealed as the countries with the most exposed devices.
The number of devices visible is just a small indication of the popularity of these PLCs, but these devices also highlight some of the critical facilities that rely on them. For example, several devices were connected to hydro power plants, solar parks and airports.
ProxyShellMiner is being distributed to Windows endpoints by a very elusive malware operation, according to Morphisec.
To generate income for the attackers, “ProxyShellMiner” deploys cryptocurrency miners throughout a Windows domain using the Microsoft Exchange ProxyShell vulnerabilities.
“After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO”, Morphisec reports.
Researchers noticed that the attackers were utilizing four C2 servers. The legitimate, infected mail servers are all where the malware-dependent files are stored.
“Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services”, according to Morphisec.
Technical Analysis of the ProxyShellMiner Malware
The malware needs a command line parameter that acts as a password for the XMRig miner component in order to activate.
“This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic”, Morphisec
The parameter serves as an anti-analysis technique and as a password for the XMrig miner
The XOR decryption algorithm, an XOR key, and an embedded dictionary are all used by ProxyShellMiner. The subsequent embedded code modules are then executed using the C# compiler CSC.exe with “InMemory” compile parameters.
The malware then downloads a file with the name “DC DLL” and uses .NET reflection to get the task scheduler, XML, and XMRig key arguments. The decryption of additional files is done using the DLL file.
By setting up a scheduled activity to start when the user logs in, a second downloader achieves persistence on the compromised system. The report says four other files and the second loader are downloaded from a remote resource.
The deobfuscated scheduled task
Using a technique called “process hollowing,” that file determines which of the installed browsers on the hacked system would be used to inject the miner into its memory space. The mining process then starts after selecting a random mining pool from a hardcoded list.
Picking a mining pool
Setting a firewall rule that blocks all outgoing traffic and is applicable to all Windows Firewall profiles is the last stage in the attack chain. This is done to reduce the likelihood that defenders may find infection signs or get notifications about a possible compromise from the compromised system.
“The malware waits at least 30 seconds while the target machine blocks any outbound connection. It does this to tamper with the process runtime behavior analysis of common security solutions”, researchers.
Adding a firewall rule to block all outgoing traffic
Final Thoughts
ProxyShellMiner doesn’t just disrupt business networks, drive up power bills, overheat equipment, and stop services from operating. It gives threat actors access to further evil purposes.
“Once attackers have a foothold in a network, they have deployed web shells, backdoors, and used tunneling utilities to further compromise victim organizations”, Morphisec
Hence, Morphisec encourages all administrators to install all available security updates and employ thorough and all-encompassing threat detection and defense measures to reduce the danger of ProxyShellMiner attacks.
In this article, I will explain how to use Nikto on Kali Linux .
Firstly we will install the Nikto tool from Github or Using apt install command on terminal.
Using help manual of Nikto we can see various options or parameters on how we can use this tool very efficiently.
Firstly we will use the basic syntax to check the vulnerability of the website.
However, Nikto is capable of doing a scan that can go after SSL and port 443, the port that HTTPS websites use (HTTP uses port 80 by default). So we’re not just limited to scanning old sites, we can do vulnerability assessments on sites that use SSL, which is pretty much a requirement these days to be indexed in search results.
If we know it’s an SSL site that we’re targeting, we can specify it in Nikto to save some time on the scan by adding -ssl to the end of the command.
So by using this tool we can analyze the vulnerability of the website.
A large number of e-commerce payment platforms use effective payment gateway tools and effectively integrate them with an acceptable payment strategy. Today’s e-commerce websites need to integrate anti-fraud tools, renew bank cards, integrate multiple gateways, and manage alternative payment methods.
It is important to get these complex integrations right and bring them together into one functioning system; choosing the right tokenization partner is the key to success in these processes.
What is the tokenization process and why is it needed?
Tokenization is an important process of replacing sensitive data, such as credit card numbers, with unique identifying information while preserving all important data information; a tokenization solution is a form of using a unique security key to provide an appropriate level of security to important confidential data.
Think of tokenization as a secret code that uses a key to retrieve an encrypted message. Some versions of the credit card number store the last four digits; however, the remaining digits of the credit number are random.
In this case, you can safely store the token in the database. Anyone with access to this token cannot use it to compromise your credit card account. For these tokens to be used to process credit card transactions, they must be re-linked to the original credit card numbers. Typically, this mapping is performed by a secure third party. All this is done to ensure full security.
Blockchain technology is a technology that most people associate only with cryptocurrencies. This attribution is not entirely incorrect, as the blockchain was created for the Bitcoin cryptocurrency. However, much has changed since 2009 (the year Bitcoin appeared), and the scope of blockchain technology continues to actively expand.
One of the key applications of this technology today is tokenization, a secure form of digitization based on the blockchain technology mentioned above. The process of tokenization consists of assigning a specific value to a symbol, which can exist materially or immaterially, and is a digital “token” that stores data. With this efficient solution, you can securely buy and sell your assets online.
Examples of this use of tokens include the value of the stock market. Most of us associate stocks and bonds with paper-based notices of ownership of those assets, but tokenization allows us to replace those paper notices with digital versions. The implementation of traditional solutions in the digital world simplifies and optimizes a large number of important processes, making them significantly more efficient.
The terms “token” and “cryptocurrency” are often confused and used interchangeably; not surprisingly, both concepts are closely related to blockchain technology. The key difference between cryptocurrencies and tokens is that cryptocurrencies are a means of payment, whereas tokens cannot; they can be compared to a kind of chip.
A token is created using smart contracts on a specific blockchain network and can perform various key functions. Each blockchain network can contain an unlimited number of tokens.
On the other hand, a smart contract is a kind of computer program embedded in a certain blockchain network that automatically enforces the terms contained in it. Both tokens and cryptocurrencies can be transferred on the blockchain network; however, token transaction fees depend on the cryptocurrency.
What information must be provided for tokenization?
Tokenization is commonly used to protect credit card numbers, a process mandated by the Payment Card Industry Council (PCI). However, there are many different use cases, tokenization terminology allows you to learn a variety of effective tools that provide active growth in the field of security for business organizations for which it is important to reliably protect confidential data.
Consider personal or personally identifiable information. HIPPA, General Data Protection Regulation (GDPR) requires confidential processing, anonymization, and secure storage of personal data. Organizations and various business environments should use tokenization capabilities when the business needs to securely store confidential information, such as:
ID number;
Date of birth;
Gender or race;
Driver’s license;
Credit card number;
Valid phone number;
Bank account number;
Social insurance number;
Current residential address of clients;
Due to the universality of tokens, they are divided into several types that perform different functions. One of the key differences is between mutual tokens and non-splitting tokens. For example, payment tokens are used to make payments. Their function is mainly to ensure the safety of investors. Issued security tokens are protected by law and represent specific stocks, bonds, or other assets of genuine interest.
Are my tokens safe?
Undoubtedly, there are many advantages to using tokens, but is it safe to store data? Security is considered one of the most important benefits of tokenization. Stability, irreversibility of transactions, and elimination of intermediaries are just some of the characteristics that affect security when using blockchain technology.
In addition, the security of tokenization is provided by smart contracts that allow parties to trade directly. For example, selling real estate in the form of tokens does not require a notary or a real estate agent. Everything is done quickly and directly.
Note that each contracting party must ensure that personal tokens are properly stored and protected from loss to properly act as guarantors of successful transactions. Tokenization is a form of business digitization based on blockchain technology.
The potential of tokenization is huge and has yet to be fully explored. Tokens are divided into different types. The most common use of tokens is to digitize different types of assets, such as physical assets, digital assets, projects, company shares, shares, or loans.
What are the different types of tokenization processes?
When it comes to PCI tokens, there are three key types of tokenization: gateway tokenization, end-to-end tokenization, and payment service tokenization. Gateway tokenization. When you do e-commerce, you most likely get paid through a payment gateway.
Most gateways have technology that allows you to securely store your credit card in the system, then issue a refund and delete your card data. The downside is that each gateway provides its token scheme. This means that you cannot use this gateway. Changing gateways is often a time-consuming and expensive process of moving customer data to a new gateway for secure processing.
In some cases, the gateway may not allow these actions. End-to-end tokenization. Some independent tokenization providers have their technology that sits between your e-commerce site and the gateway. These end-to-end token providers allow you to use your existing gateway integration code.
One of the key advantages of this type of tokenization is that it uses existing technology and can be adapted at a very fast pace. It also has the advantage of modularity. Unlike gateway tokenization, modularity can be actively used for more than just credit card payments. You can use the tokenization model to connect to most APIs and tokenize data other than credit card data.
End-to-end tokenization is an evolution of gateway tokenization. This gives payment solutions the freedom to route transactions to different gateways in real-time, avoiding costly and time-consuming transfers of card data between different payment platforms.
Tokenization processes of various important payment services
A key tokenization strategy is the payment service model. This model offers a single API that, when integrated, can route payments to multiple gateways. The payment service model is best suited for companies with more complex payment needs.
This model works well when a company needs to pay in several regions or several different currencies or through several gateways. A disadvantage of the payment service model is that existing gateway embed code cannot be reused.
In addition to reduced PCI coverage and increased security, the tokenized payment service model has unique key benefits from its active use. The payment services model not only simplifies your embed code but also takes control of your tokens away from the payment gateway. Unlike gateway tokenization, tokens provided by third parties can be actively used with supported gateways.
Tokens issued by payment gateways cannot be used against competing alternative gateways. Security and compliance alone are reasons enough to implement a popular solution like the tokenization of various assets that are important to you, your company, and your customers.
The truth is that key security requirements for online payments are difficult to implement on your own. In particular, startups often choose to sacrifice security for time to market. Accepting online payments makes your business a target for cybercriminals. Hiring security experts and implementing effective tokenization processes can save your business environment valuable time and money in the long run.
Keep these practical tips in mind. Choose a reliable tokenization partner, test the tokenization, what level of protection you can achieve by working on the integration, and find a vendor that can integrate multiple gateways, methods, and services into a single integration. One of the key technologies needed to connect all payment solutions is tokenization.
A trusted provider fully controls tokens, provides redundancy, reduces PCI coverage, and improves the security standards in place in your business environment.
What can be tokenized?
The use cases for tokenization can grow endlessly. Since anything can be digitized, tokenization is often used in professional life. These are various business projects that can demonstrate the most practical examples of using tokenization.
Digitization of the company involves the creation of tokens that are closely related to a specific project. Tokenization techniques that add value to tokens can be used as an indispensable tool for automating processes in companies and as a means of financing them. Real estate tokenization is becoming more and more popular worldwide due to the following features: transaction speed, lack of intermediaries, and security.
The process of property tokenization involves issuing tokens on the blockchain network and linking them to certain properties. Thus, the investor becomes a co-owner or owner of a certain asset, the shares of which can be represented in tokens.
Using blockchain technology and a specially designed platform, it is also possible to assign unique numbers to gems and certain forms of ore to determine their authenticity.
Raw materials registered with digital numbers can then be identified by verifying their origin, properties, and associated processes. NFT tokens have the unique potential to revolutionize both the physical and digital art markets. Each NFT token has a unique, non-tradable value that allows you to express your interest in the rights to a work of art, making investing in art an easy and fast process.
The Linux Distros is generally acknowledged as the third of the holy triplet of PC programs, simultaneously with Windows and macOS. Here we have provided you with a top 10 best Linux distros list 2023 for all professionals.
Hence Linux can be defined as the most rebellious among the three, as it’s flexible and customization, including a bunch of various Best Linux distros designed by unique associations for various values.
Moreover, the Linux “core” (kernel) and most distros are free, which is a significant trading point for the OS when it is compared to Windows and macOS.
As there are several Linux distros are available for various situations. Even if you are behind an OS that is customized for desktops, workstations, laptops, servers, gaming, or A/V editing, there is a distro over there for everyone.
Hence, we are trying to give you a summary of the most reliable and popularLinux distros accessible, each of which is customized for desktop use.
Therefore, you can install those Linux distros on a Chromebook, PC, or Mac as a substitute for your prevailing operating system, utilize both in a dual-boot scenario, or utilize them in combination with one of the best practical tools out there.
Well, if you want a Linux distro similar to windows? Or do you like to apply commands rather than click? Or do you want something special on privacy? Each of these and several other determinants will conclude which would be the most suitable Linux Distros for you.
Usually, the top Linux distros list is customized to meet the requirements of users. For example, Kali Linux is specifically created for digital forensics and penetration testing. Hence, here in this article, we have selected the top 10 best Linux distros list and we have updated this list from PopularLinux distro 2022.
What is Linux Distro?
As we have said before that Linux is flexible and customizable, which includes a bunch of unique features for different uses.
Moreover, we can also say that Linux is a house to nearly each programming language, and it is a Unix-like operating system.
Hence, this open-source operating system is basically designed as per the Linux kernel and is usually collected in multiple Linux distributions.
Thus the Linux distributions, traditionally known as a distro, are operating systems that progressed from a software compilation based on the Linux kernel.
Various users use Linux by downloading one of the various Linux distros. Linux operating systems are most common to coders, programmers, and gamers.
Thus, we can say that Linux is a worldly gift that has formed our modern life. Well, in today’s world, we can’t imagine a particular moment outwardly technology.
Dynamic firewall Better end-user software Virtual desktop support
Elementary OS
Easy image resizing Keyboard shortcuts cheat sheet Bold use of color
Kali Linux
Full customization Full disk encryption Metapackages
MX Linux
One-click enabling event sound. Hibernation is now enabled by default. Easy and flexible installation.
Therefore, Linux has produced the most significant and meaningful innovations in the creation of modern technology.
At first, Linux was not like the form as now it is, it has evolved a long way through varied crafting and drafting from an open-source friendly association.
Thus, with no doubt, we can say that Linux does not only appear with a delicate-looking desktop manager, but it also contributes a wide range of beneficial and productive sets of free and open-source software for performing all the basic and necessary needs of the users.
Now without wasting much time, let’s get started and simply explore the whole list that we have mentioned below.
Using technology powered by AI (Artificial Intelligence), scammers can now take advantage of potential victims looking for love online by deceiving them by using modern hooks.
With the rapid advancement of AI technology, scammers now have a powerful ally in the form of popular AI tools such as ChatGPT. These tools allow scammers to create anything from seemingly harmless intro chats to elaborate love letters in a matter of seconds, making it easier than ever for them to deceive unsuspecting victims.
By leveraging the impressive capabilities of these AI tools, scammers can quickly generate custom-made content designed to prey on their target’s emotions. The use of AI-generated content has made it increasingly difficult to identify and avoid scams.
One of the most common tactics used in online dating and romance scams is the practice of “catfishing.” This involves the creation of a fake online persona to lure unsuspecting victims into a relationship with the sole intention of extracting financial gain.
The term “catfishing” derives from the act of using a fake profile to hook a victim, much like fishing with a bait hook.
Convincing Scam Messages
In a recent research report titled “Modern Love” by McAfee, over 5,000 people from around the world were presented with a sample love letter and asked to determine if it was written by a person or generated by artificial intelligence (AI).
“My dearest, The moment I laid eyes on you, I knew that my heart would forever be yours. Your beauty, both inside and out, is unmatched and your kind and loving spirit only add to my admiration for you. You are my heart, my soul, my everything. I cannot imagine a life without you, and I will do everything in my power to make you happy. I love you now and forever. Forever yours …”
According to a research report by McAfee, when presented with the above sample love letter and asked to determine if it was written by a person or generated by AI, one-third of respondents (33%) believed it was written by a person, while 31% believed it was written by an AI.
While the remaining 36% of participants were unable to determine if the letter was written by a human or a machine. The study aimed to investigate the extent to which AI-generated content is perceived as authentic and genuine in the context of romantic relationships.
User Interaction Data Analysis
A recent survey found that a majority of people (66%) have been contacted by a stranger through social media or SMS and subsequently began chatting with them. Facebook and Facebook Messenger (39%) and Instagram and Instagram direct messages (33%) were cited as the most common platforms used by strangers to initiate conversation.
Unfortunately, many of these interactions eventually led to requests for money transfers. In fact, 55% of respondents reported being asked to transfer money by a stranger.
While the majority of these requests (34%) were for less than $500, a significant number (20%) involved amounts exceeding $10,000.
More concerning, 9% of respondents were asked to provide their government or tax ID number, while 8% were asked to share their account passwords for social media, email, or banking.
Scam Detection
It has been reported that people discovered they had been catfished when they experienced the following scenarios:-
Neither a face-to-face meeting nor a video conference could be arranged. (39%)
Upon finding the scammer’s photo online, they immediately realized that it was a false representation of the scammer. (32%)
During the conversation, the person asked for personal information. (29%)
The individual did not wish to speak on the telephone. (27%)
Several typographical errors and illogical sentences were present. (26%)
If the scammer is asking for money, that is the one and only telling sign that he or she is performing an online dating or romance scam.
This kind of scam usually entails a little story as part of the request, often focusing on a hardship experienced by the scammer.
Mitigations
Here below we have mentioned all the mitigations to avoid getting tangled up in an online dating or romance scam:-
The best way to know if this new love interest is right for you is to speak with someone you trust.
It’s important to take your relationship slowly in the beginning.
If the individual uses a profile picture, try a reverse image search.
Make sure that you do not send money or gifts to anyone who you have not met personally before.
Whenever you receive a friend request from a stranger, say no.
If you have any personal information on any unwanted website, make sure you clean it up.
It is strongly advised that you do not click on any malicious links that have been sent to you by a scammer.
A chatbot like ChatGPT is a very powerful tool, but it is important to keep in mind that it is only a tool, and inherently, there is neither good nor bad about it.
As long as the user decides how to use it, it is then up to them to decide how they will be able to make use of it.
YOUR DEVICES AND apps really, really want to know where you are—whether it’s to tell you the weather, recommend some restaurants you might like, or better target advertising at you. Managing what you’re sharing and what you’re not sharing, and when, can quickly get confusing.
It’s also possible that you have inconsistencies in the various location histories logged by your devices: Times when you thought you’d switched off and blocked location sharing but you’re still being tracked, or vice versa.
Here we’ll cover everything you need to consider when it comes to location tracking, and hopefully simplify it along the way. Whether you want to give out access to your current location or not, you should be in control of these settings, and not be caught unawares by additional options that you missed.How Location Tracking Gets Confusing
What happens if you distinctly remember turning location tracking off on a device, yet your position is still popping up on a map? Or maybe you thought you’d left the feature on, yet you’re seeing gaps in your location history? There are a few explanations, but essentially you need to remember all the different ways your location can be logged: by your devices, by your apps, and by websites you visit.
For example, you might have disabled location tracking on a phone but left it enabled on a tablet. Alternatively, you might have a laptop that’s tracking where you are in the background, even though you thought you’d disabled the feature in the apps you use. If you want location tracking completely enabled or disabled, you need to factor in all these different ways of keeping tabs on where you are.
If you have a Google account, this is a good illustration. Head to your account settings on the web, then choose Data and Privacy and Location History. Select Devices on This Account, which may reveal some phones, tablets, and laptops that you’d forgotten about—any device with a check next to it in this list is saving your movements to your Google account for future reference.
You can click Turn Off to disable this, but note the caveats that are listed in the confirmation box that appears onscreen: Your location might still be logged by your mobile devices, by the Find My Device service that helps you recover lost hardware, and by Google Maps when you’re navigating or searching around the area you’re in. This Location History setting is more of an overall toggle switch, affecting features such as the Google Timeline and the ability to quickly look up places you visit regularly.
From the main Google account screen, there are several more places where your location gets logged and shared: Click Data and Privacy then Web & App Activity to manage location data saved by Google Maps and other apps and websites, and click People andSharing then Manage Location Sharing to see a list of specific contacts who can see where you are through various Google services.Managing Location Tracking on Mobile
The steps to manage your location on Android vary slightly depending on the manufacturer of your phone, but the menus and instructions involved are broadly similar. On Google Pixel devices, you can open up Settings then select Location: You’ll see the Use Location toggle switch, and if you turn this off, none of your apps will be able to know where you are, nor will Google.
If you leave the Use Location toggle switch on, you can customize location access for individual apps further down on the same screen. Note that you can choose to allow apps to know where you are at all times, or only when the app in question is running in the foreground—tap on any app in the list to make changes.
Over on iOS, it’s a similar setup. If you select Privacy & Security from Settings, and then tap Location Services, you can turn off location tracking for the phone and all the apps on it. If you choose to leave this enabled, you can manage individual app access to your location via the list underneath. As on Android, you can choose to restrict apps to knowing your location only when the particular app itself is running, or allow them to monitor it in the background too.MOST POPULAR
Erasing the location data that’s been collected on you is a complex process, as you need to check the records and the settings of every app that’s ever had access to your location. For Google and Google’s apps, you can head to your Google account on the web, then choose either Location History or Web & App Activity under Data and Privacy to wipe this data from the record. You’ll also find options for automatically deleting this data after 3, 18, or 36 months.
Apple doesn’t log your movements in quite the same way, but it does build up a list of places you visit frequently (like your home and perhaps your office) so you can quickly get to them again. To clear this list on your iPhone, open Settings then choose Privacy & Security, Location Services, System Services, and Significant Locations. You can clear this list and stop it from populating in the future.Managing Location Tracking on Desktop
Your laptop or desktop computer is unlikely to be fitted with GPS capabilities, so it won’t track your location in quite the same way as your phone, but applications, websites, and the operating system will still have some idea where you are—primarily through the locations that you sign into the web from (via your home Wi-Fi, for example).
On Windows, you can open up Settings and then choose Privacy & Security and Location. As on Android and iOS, you’ll see you can turn location tracking off for individual applications (via the toggle switches on the right) or shut it down for the entire computer (the option at the top). The same screen lets you see which apps have been using your location, and enables you to wipe the log of your travels—click Clear next to Location History to do this.
When it comes to the same process on macOS, you need to click the Apple menu and select System Settings, Privacy & Security, and Location Services. The next screen looks very similar to the Windows one, with toggle switches for individual applications as well as for macOS itself—turn off any of the switches where you don’t want location access to be given. If you click Details next to System Services on this screen, you can clear the list of “significant locations” Apple has saved for you, just like on iOS.
If location tracking is on for your computer and your browser of choice, that means individual websites such as Facebook, Amazon, or the Google Search can know where you are as well. Sometimes this is useful, of course (for getting the right weather forecast), but there might be times when you want to turn it off if you’re trying to keep your whereabouts private.
Recently, the FortiGuard Labs team made a groundbreaking discovery of several new zero-day attacks in the PyPI packages. The source of these attacks was traced back to a malware author known as “Core1337.” This individual had published a number of packages.
Here below we have mentioned the packages that are published by Core1337:-
3m-promo-gen-api
Ai-Solver-gen
hypixel-coins
httpxrequesterv2
httpxrequester
Between the 27th of January and the 29th of January 2023, these attacks were published. The recent discovery made by the FortiGuard Labs team revealed that each of the packages published by the malware author “Core1337” had only one version with an empty description.
However, what was alarming was the fact that all of these packages contained similar malicious code. This raises the question of the level of sophistication and the intentions behind these attacks.
Technical Analysisof the Packages
First of all, cybersecurity analysts have noticed something that looks like a URL for a webhook in its setup[.]py file:-
There is a similar code in each package’s setup.py file except for the URL of the webhook that is sent from each package. It appears that the URL in question may have a connection to the infamous “Spidey Bot” malware.
This particular strain of malware is notorious for its ability to pilfer personal information via Discord, as highlighted in a recent blog post by the organization. The blog, entitled “Web3-Essential Package,” delves into the dangers posed by the “Spidey Bot.”
Experts in the field have discovered potential malicious behaviors in a recent static analysis that was conducted by reviewing the setup.py script. During this process, the experts meticulously examined the code and were able to identify several key indicators that point toward malicious intent.
Experts in the field of malware analysis have gained a general understanding of the behavior of a particular strain of malware by carefully examining its primary function.
According to their findings, this malware may attempt to extract sensitive information from various browsers and the Discord platform and then store it in a file for later exfiltration.
In order to gain a better understanding of the inner workings of this piece of malware, experts have focused their attention on the “getPassw” function. This function is specifically designed to gather user and password information from the browser and then save it to a text file.
The malware has a self-proclaimed title of “Fade Stealer,” which it prominently displays in the form of its name being written at the top of its accompanying text file.
As for its ‘getCookie’ function, the behavior is similar to the one seen in its other functions. Based on the functions of “Kiwi,” “KiwiFile,” and “uploadToAnonfiles,” it appears that the malware is programmed to scan specific directories and select specific file names for the purpose of transferring them through a file-sharing platform:-
https[:]//transfer[.]sh
All these packages have one thing in common – they possess similar codes that are created for the purpose of launching attacks. While all these packages may have different names, the underlying intention and code structure is the same, which indicates the work of a single author.
Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.
UK government warns of Russian-sponsored phishing campaign
The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.
In an advisory statement, the NCSC (National Cyber Security Centre) shared details about the campaign, which appears to have been sponsored by the fraudsters’ national governments.
The researchers are most concerned about spear phishing, which is a sophisticated form of fraud. Scammers target specific individuals by researching them online – often using Facebook, LinkedIn or the website of the target’s employer.
Although spear phishing emails often contain the same clues as regular phishing scams, they have a much higher success rate. This suggests that people are more likely to assume that a message is genuine if it contains a few specific details about them, such as their name or their place of work.
The NCSC’s advisory highlights ongoing scams that were conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known at APT42.
Their attacks target specific sectors within the UK, including academia, defence, governmental organisations, NGOs and thinktanks, as well as politicians, journalists and activists.
Commenting on the findings, NCSC Director of Operations Paul Chichester said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
Experts concerned that ChatGPT could be used for scams
ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.
The program’s advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts are warning that another group – scammers – could also embrace the technology.
As Chester Wisniewski, the principal research scientist as Sophos, explained, ChatGPT can instantly produce grammatically correct and natural-looking writing, which would resolve one the biggest challenges that scammers face when creating their baits.
“The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, ‘OK, how can I use this for bad things?’ I’m going to play to see what bad things I can do with it,” Wisnieski told TechTarget.
One of those ‘bad things’ that he considered was the ability for ChatGPT to create phishing scams.
“If you start looking at ChatGPT and start asking it to write these kinds of emails, it’s significantly better at writing phishing lures than real humans are, or at least the humans who are writing them,” he said.
“Most humans who are writing phishing attacks don’t have a high level of English skills, and so because of that, they’re not as successful at compromising people.
“My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we’re detecting them right now is we can tell that they’re not a professional business.
“ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack.”
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
The field of computer Forensics Analysis involves identifying, extracting, documenting, and preserving information that is stored or transmitted in an electronic or magnetic form (that is, digital evidence).
Forensics Analysis – Volatile Data:
The data that is held in temporary storage in the system’s memory (including random access memory, cache memory, and the onboard memory of system peripherals such as the video card or NIC) is called volatile data because the memory is dependent on electric power to hold its contents.
When the system is powered off or if power is disrupted, the data disappears.
After the capture of live data of RANDOM ACCESS MEMORY, we will analyze it with Belkasoft Evidence Center Ultimate Tool.
Acquisition of live Volatile Memory:
Run the tool as an administrator and start the capture.
Belkasoft RAM Capture
Dump File Format:
After the successful capture of live Ram memory. The file is will be saved in the .mem extension.
Dumping File
Evidence File Analyser:
Belkasoft Evidence Center Ultimate Tool to analyze volatile memory.
Evidence Analyzer
A forensic examiner or Incident Responder should record everything about the physical device’s appearance, Case number, Model Number of Laptop or Desktop, etc.
Data Storage
Click the Ram Image and enter the path of the .mem file which is a live ram dump file.
Malicious Activities on the Public website
In the above picture, the attacker is trying for SQL Injection on Public Website.
Anonymous Vpn
In the above figure attacker installed and executed for hiding the source ip address.
Mail Inbox
The attacker has logged on with some public mail servers, and now forensic examiners are able to read inbox emails.
Recent File Accessed
Attackers last accessed file directory paths. The Forensics examiner will have priority to investigate this path for suspicious files.
Pictures
Recent Pictures downloaded from websites will be stored in the cache memory.
There are many relatively new tools available that have been developed in order to recover and dissect the information that can be gleaned from volatile memory.
This is a relatively new and fast-growing field many forensic analysts do not know or take the advantage of these assets.
Volatile memory may contain many pieces of information relevant to a forensic investigation, such as passwords, cryptographic keys, and other data.
Identity isn’t a security problem — it’s the security problem.
This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.
The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.
CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.
“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” –CISO, A county in the Washington, D.C. area
Identity Is the New Perimeter
Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said.
With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.
Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.
Below are nine use cases for the identity protection capability, in his own words.
1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.
2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.
3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.
“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”
4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.
5.We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.
6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.
“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”
7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.
8.We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.
9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.
“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”
API security is an undervalued but crucial aspect of information security. Some of the most common cyber attacks exploit APIs and web applications, and if organisations are to stay secure, they must test their systems to identify and eradicate weaknesses.
Organisations can achieve this with API penetration tests. An ethical hacker (or ‘penetration tester’) will examine your applications using the same techniques that a cyber criminal would use. This gives you a real-world insight into the way someone might compromise your systems.
Web application and API tests look specifically at security vulnerabilities introduced during the development or implementation of software or websites. There is no single checklist of how exactly the test should be conducted, but there are general guidelines.
Benefits of API penetration testing
The primary purpose of an API penetration test is to protect your organisation from data breaches. This is crucial given the increased risk of cyber attacks in recent years; according to a UK government report, 39% of surveyed organisations said they suffered a security breach in the past year.
By conducting an API penetration test, you will gain a real-world overview of one of the biggest security threats that organisations face. The tester will use their experience to provide guidance on specific risks and advise you on how to address them.
But penetration tests aren’t only about closing security vulnerabilities. Mitigating the risk of security incidents has several other benefits. For instance, you protect brand loyalty and corporate image by reducing the likelihood of a costly and potentially embarrassing incident.
Penetration testing also helps you demonstrate to clients and potential partners that you take cyber security seriously. This gives you a competitive advantage and could help you land higher-value contracts.
Perhaps most notably, penetration testing is a requirement for several laws and regulations. Article 32 of the GDPR (General Data Protection Regulation), for example, mandates that organisations regularly test and evaluate the effectiveness of their technical and organisational measures employed to protect personal data.
Likewise, if your organisation is subject to the PCI DSS (Payment Card Industry Data Security Standard), you must conduct external penetration tests at least once per year and after any significant changes are made to your systems.
API penetration testing checklist
IT Governance has its own proprietary checklist when conducting API and web application penetration tests.
The system is modelled on the OSSTMM (Open Source Security Testing Methodology Manual) and the OWASP (Open Web Application Security Project) methodologies.
A high-level overview of our process is outlined below, with a brief description of what is assessed during each section.
1. Authentication
The penetration tester ensures that appropriate mechanisms are in place to confirm a user’s identity. They then review how the authentication process works, using that information to circumvent the authentication mechanism.
2. Authorisation
The tester verifies that access to resources is provided only to those permitted to use them.
Once roles and privileges are understood, the tester attempts to bypass the authorisation schema, finding path-traversal vulnerabilities and ways to escalate the privileges assigned to the tester’s user role.
3. Session management
The tester ensures that effective session management configurations are implemented. This broadly covers anything from how user authentication is performed to what happens when logging out.
4. Input validation and sanitisation
The tester checks that the application appropriately validates and sanitises all input from the user or the environment before using it.
This includes checking common input validation vulnerabilities such as cross-site scripting and SQL injection, as well as other checks such as file uploads, antivirus detection and file download weaknesses.
5. Server configuration
The tester analyses the deployed configuration of the server that hosts the web application. They then verify that the application server has gone through an appropriate hardening process.
6. Encryption
The tester assesses encryption security around the transmission of communication. This includes checking for common weaknesses in SSL/TLS configurations and verifying that all sensitive data is being securely transferred.
7. Information leakage
The tester reviews the application configuration to ensure that information is not being leaked.
This is assessed by reviewing configurations and examining how the application communicates to discover any information disclosure that could cause a security risk.
8. Application workflow
The tester determines whether the application processes and workflows can be bypassed.
Tests are conducted to ensure that application workflows cannot be bypassed by either tampering with the parameters or forcefully browsing. This ensures the integrity of the data.
9. Application logic
The tester analyses how the application uses, stores and maintains data. They do this by checking the underlying technology and any mitigating controls that may affect the risk to the application.
10. Report
The tester documents their findings. Their reports contains an executive summary, which provides a high-level, non-technical summary of any identified vulnerabilities, alongside a summary of the organisation’s business risks and an overall risk rating.
It also contains a comprehensive review of testing details, such as the scope of the assessment, descriptions of the vulnerabilities identified and their impact, plus proofs of concept that support the findings.
Finally, the report provides the tester’s commentary, where they discuss the issues identified and how the vulnerabilities could be linked within an attack chain. This is supplemented with remediation advice and supporting references.
