InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Computer forensics tools are used across the security industry to collect evidence from networks and applications, find indicators of compromise, and decide on appropriate mitigation steps.
Here you can find a comprehensive computer forensics tools list covering forensic analysis and incident response in all environments.
Digital forensics analysis includes the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal.
Collections of Computer Forensics Tools
DFIR - The definitive compendium project - Collection of forensic resources for learning and research. Offers lists of certifications, books, blogs, challenges, and more
dfir.training - Database of forensic resources focused on events, tools, and more
Packers are becoming an increasingly important tool for cybercriminals. On hacker forums the packer is sometimes referred to as a "Crypter" or "FUD" (fully undetectable). Its primary function is to make it harder for antivirus systems to identify malicious code, so malicious actors can disseminate their malware more quickly and with fewer consequences. One of the primary qualities of a commercial Packer-as-a-Service is that the payload does not matter: the same packer can wrap many different harmful samples, which opens up a lot of opportunities for cybercriminals. Another key quality of the packer is that it is transformational: because the packer's wrapper is changed frequently, it is able to avoid detection by security products.
According to Check Point, TrickGate is an excellent illustration of a robust and resilient packer-as-a-service. It has stayed under the radar of cyber security researchers for a number of years and is consistently getting better in a variety of ways.
Although a lot of very good research has been done on the packer itself, TrickGate is a master of disguise and has been given a number of different titles because it has so many different characteristics. Names given to it include "TrickGate," "Emotet's packer," "new loader," "Loncom," and "NSIS-based crypter."
Check Point first observed TrickGate at the end of 2016, when it was used to spread the Cerber malware. Since then, the researchers have kept investigating TrickGate and have found it used to propagate many kinds of malicious software, including ransomware, RATs, information stealers, bankers, and miners. They also noted that a significant number of APT groups and threat actors regularly employ TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and widely distributed malware families have been wrapped by TrickGate, including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.
Becoming verified on well-known platforms such as Instagram, Twitter, or the Apple App Store has become the standard for determining one's standing in the current online social scene. As users, we trust verified accounts more than those that aren't. In the business sector, the situation is exactly the same with third-party OAuth app publishers that have been validated by Microsoft. Unfortunately, threat actors have noticed the significance of verified status in the Microsoft environment as well.
Researchers from Proofpoint found a new malicious third-party OAuth app campaign that used Microsoft "certified publisher" status in order to meet certain of Microsoft's criteria for the distribution of OAuth apps. This raised the likelihood that users would be duped into granting authorization when a malicious third-party OAuth app (from this point forward referred to as an "OAuth app" or a "malicious app") asked for access to data available through a user's account. Researchers found that the malicious applications had extensive delegated rights, such as the ability to read emails, change mailbox settings, and access files and other data associated with the user's account.
According to Microsoft, a Microsoft account can achieve the status of "publisher verified" or "verified publisher" when the "publisher of the app has verified their identity using their Microsoft Partner Network (MPN) account and has associated this MPN account with their app registration." The same status is also referred to as "certified publisher." (Just so there isn't any misunderstanding, a "certified publisher" has absolutely nothing to do with the desktop program known as Microsoft Publisher, which is available in some tiers of Microsoft 365.)
The material provided by Microsoft goes on to clarify that "after the publisher of an app has been confirmed, a blue verified badge displays in the Azure Active Directory (Azure AD) authorization prompt for the app and on other websites." Note that when Microsoft discusses third-party OAuth applications, it is talking about apps developed by companies in this category; these businesses are referred to as "publishers" in the Microsoft environment.
Researchers were able to identify three malicious applications developed by three distinct malicious publishers. The same firms were targeted by these applications, and they are connected to the same malicious infrastructure. Multiple people were seen granting permission to the malicious applications, which put their firm's environment at risk.
According to the findings of the investigation, the majority of the targets in this campaign seemed to be in the United Kingdom (UK). Individuals from finance and marketing departments, as well as high-profile users such as managers and executives, were among those whose accounts were compromised. Proofpoint first observed this particular incarnation of malicious third-party OAuth applications on December 6th, 2022. In every instance, the dedicated backend infrastructure supporting the applications had been put in place only a few days or weeks before December 6th.
When users give their consent, the malicious applications' default delegated permissions allow threat actors to access and manipulate mailbox resources, calendar events, and meeting invitations linked to the compromised accounts. After consent is granted, access needs no further action on the part of the user, since the permissions also include "offline access." The issued token, known as a refresh token, often has a lengthy expiration time of more than one year. This gave threat actors access to the data associated with the hacked account as well as the ability to use the compromised Microsoft account in later BEC attempts or other attacks.
In addition to the possibility of user accounts being hijacked, firms that are impersonated run the risk of having their brand abused. It is quite difficult for firms in this situation to determine whether their reputation is being sullied by one of these attacks, since no contact needs to take place between the entity being impersonated and the malicious verified publisher.
Even though an OAuth third-party app has been validated by Microsoft, it is imperative to proceed with extreme care when granting it access. OAuth applications should not be trusted solely on the basis of their verified publisher status. End users are likely to fall victim to sophisticated social engineering approaches because of the complexity of the attacks being carried out.
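A practical way to act on the last point is to review app consents by the rights they hold rather than by the badge they carry. The script below is an added example for this post (it is not Proofpoint's or Microsoft's code); it scores constructed consent records, whose field names are assumptions about what an admin would export from a tenant, so that a verified-publisher badge never lowers the score while mailbox or file reach combined with offline_access stands out.

```python
"""Review OAuth app consents for risky delegated scopes, ignoring the verified badge.

Added example for this post; it is not Proofpoint's or Microsoft's code. The
consent records are constructed and their field names are assumptions about
what an admin would export from a tenant.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Delegated Microsoft Graph scopes that give reach into mail, mailbox settings,
# calendars and files: the kind of rights the malicious apps in the campaign held.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Calendars.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
}
# offline_access yields a refresh token, i.e. access without further user action.
PERSISTENCE_SCOPE = "offline_access"


@dataclass
class Consent:
    app_name: str
    publisher: str
    publisher_verified: bool
    scopes: Set[str]
    consenting_users: int
    app_age_days: int  # days between app registration and first consent


def risk_score(c: Consent) -> int:
    """Higher is worse. The verified badge deliberately contributes nothing."""
    risky = c.scopes & HIGH_RISK_SCOPES
    score = 2 * len(risky)
    if PERSISTENCE_SCOPE in c.scopes and risky:
        score += 3  # long-lived access to mail or files
    if c.app_age_days <= 30:
        score += 2  # registration created only days before consent
    if c.consenting_users > 1 and risky:
        score += 1  # several users granting the same risky app
    return score


def review(consents: List[Consent], threshold: int = 6) -> List[Tuple[str, int]]:
    """Return (app_name, score) for apps at or above the threshold, worst first."""
    scored = [(c.app_name, risk_score(c)) for c in consents]
    flagged = [f for f in scored if f[1] >= threshold]
    return sorted(flagged, key=lambda f: -f[1])


# Constructed sample records; app names and publishers are invented for the example.
SAMPLE_CONSENTS = [
    Consent("Meeting Helper", "Acme Cloud Ltd", True,
            {"Mail.ReadWrite", "MailboxSettings.ReadWrite", "Files.Read.All",
             "Calendars.ReadWrite", PERSISTENCE_SCOPE, "User.Read"}, 3, 9),
    Consent("Timesheet Portal", "Contoso Software", True, {"User.Read"}, 40, 700),
    Consent("Desktop Mail Client", "Fabrikam", False,
            {"Mail.Read", PERSISTENCE_SCOPE}, 1, 500),
]

if __name__ == "__main__":
    for name, score in review(SAMPLE_CONSENTS):
        print(f"REVIEW {name}: risk score {score}")
```

The threshold is tuned so that a long-established mail client with read-only access falls just below it, while a freshly registered app holding read/write mailbox, settings, calendar and file scopes plus offline_access is flagged regardless of its verified status.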
Microsoft has been strongly encouraging its customers to keep updating their Exchange servers, in addition to taking steps to ensure that the environment remains secured with robust security controls.
While doing so, users can do the following:
Configure certificate-based signing of PowerShell serialization payloads
Attacks against unpatched Exchange servers will not diminish as long as such servers remain exposed. An unpatched on-premises Exchange environment gives threat actors too many opportunities to exfiltrate data and commit other illegal activities.
Numerous security flaws in Exchange Server have been uncovered in the past two years, leading to widespread exploitation in some cases.
Updating Unpatched Exchange Servers
Microsoft stresses that its mitigations are temporary fixes and may not defend against all attack variations, so customers must still secure their servers by installing the provided updates.
Recent years have seen Exchange Server become an advantageous target for attackers due to numerous security vulnerabilities that have been exploited as zero-day attacks to penetrate systems.
Ensure the protection of your Exchange servers from exploits targeting recognized vulnerabilities by installing the latest cumulative update and the most recent security update that is supported.
The cumulative updates are available for:
CU12 for Exchange Server 2019
CU23 for Exchange Server 2016
CU23 for Exchange Server 2013
The available security update:
January 2023 SU
The cumulative updates and security updates for Exchange Server are cumulative, which means that only the most recent one needs to be installed.
It's crucial to run Health Checker after installing an update to identify any manual tasks required of the admin. Using Health Checker, you can access step-by-step guides and articles with all the information you need.
Always pay attention to the blog post announcements that Microsoft publishes, to keep informed of known issues and any manual actions Microsoft recommends or requires.
Make sure that you always review the FAQ before installing an update.
If you are looking for ways to inventory your servers and find out which of them need to be updated, then the Exchange Server Health Checker may help you.
Use the Exchange Update Wizard to upgrade your environment by selecting your current and target Cumulative Updates (CU) after determining the required updates.
The SetupAssist script can assist you in troubleshooting any errors that may occur during the update installation process.
There might be certain updates that you need to install on your Exchange server(s) in order to keep them up-to-date, so you should make sure that you do so.
Ensure that dependent servers, such as Active Directory, DNS, and other servers used by Exchange, are updated before installing the necessary Exchange updates.
There is never an end to the amount of security work that needs to be done in order to keep your Exchange environment secure. However, the Exchange Server update process is constantly being reviewed by Microsoft in order to find ways to simplify it and make it more reliable.
According to reports, a group of hackers has launched a massive cyberattack on Israeli chemical companies operating in the occupied territories. The hackers have warned the companies' engineers and workers to resign their positions before they suffer severe repercussions as a result of the Tel Aviv regime's unrelenting violence against Palestinians.
"Our advice to scientists working in the chemical plants is to quit their job, hunt for a new one, and find sanctuary in a location where we are not present," the message reads. "Leave their employment. Look for a new one. This is while we have a strong presence anyplace," reads the statement sent by the Electronic Quds Force, as reported by the Arabic-language television news network RT Arabic.
In addition, the statement said, "We confirm that your job in chemical factories presents a threat to your life; but, we will never hesitate to melt your bodies with chemicals the next time an act of violence is performed against Palestinians."
Under the guise of apprehending Palestinians whom Tel Aviv considers to be βwanted,β Israeli soldiers virtually daily conduct raids in a variety of localities located inside the territory of the West Bank that is now under Israeli occupation. The raids almost often result in violent clashes between law enforcement and locals.
Israel has significantly stepped up its assaults on Palestinian villages and cities throughout the whole of the territory it occupies during the last several months. As a direct consequence of these assaults, the lives of dozens of Palestinians have been taken, and many more have been taken into custody.
According to the United Nations, 2022 was the deadliest year for Palestinians living in the West Bank in the previous 16 yearsβ worth of data.
After a group of pro-Palestinian hackers from Bangladesh took the websites of two commercial Israeli ports offline several weeks earlier, the websites of four major ports in the Israeli-occupied territories were taken offline by a massive cyber attack carried out by a group of Iraqi hackers at the end of August of last year.
It was stated by Sabereen News, a Telegram news channel affiliated with the Iraqi Popular Mobilization Units (PMU) or Hashd al-Sha'abi, that a hacking gang calling itself "ALtahrea Team" knocked down the websites of the ports of Jaffa, Haifa, Acre, and Eilat on August 31.
Back on August 8, ALtahrea Team carried out a large cyber assault on hundreds of Israeli websites, one of which was the website of the municipality of the city of Sderot, which is located in the western part of the Negev.
Today, the specialists of the Cyber Security 360 course of the International Institute of Cyber Security (IICS) will show us in detail the use of Fuzz Faster U Fool (ffuf), a free and easy-to-use fuzzing tool, using the command line method for configuration on web servers.
Created by Twitter user @joohoi, cybersecurity professionals around the world have praised ffuf for its advanced capabilities, versatility, and ease of use, making it one of the top choices in fuzzing.
Before going on, as usual, we remind you that this article was prepared for informational purposes only and does not represent a call to action; IICS is not responsible for any misuse of the information contained herein.
INSTALLATION
According to the experts of the Cyber Security 360 course, ffuf runs in a Linux terminal or Windows command prompt. Installing or upgrading from source is no more difficult than compiling it with go get, the only addition being the "-u" flag:
go get -u github.com/ffuf/ffuf
For this example Kali Linux was used, so you will find ffuf in the apt repositories, which will allow you to install it by running a simple command.
apt install ffuf
After installing the program, you can use the "-h" option to invoke the help menu:
ffuf -h
ENTRY OPTIONS
These are the parameters that supply the data needed for fuzzing a URL with wordlists.
NORMAL ATTACK
For a normal attack, use the "-u" parameter for the target URL and "-w" to load the wordlist:
ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt
After you run the command, look at the results.
First, it's worth noting that by default ffuf works over HTTP using the GET method.
You can also see the response status codes (200, 204, 301, 302, 307, 401, 403, and 405) and track the progress of the running attack.
USING MULTIPLE WORD LISTS
The experts of the Cyber Security 360 course mention that a single wordlist is not always enough to get the desired results. In these cases, you can apply multiple wordlists at the same time, one of the most attractive functions of ffuf. In this example, we have given the program two dictionaries, each tagged with its own keyword (txt:W1 and txt:W2), which the tool runs at the same time:
Usually the default wordlist contains comments that can affect the accuracy of the results. In this case, we can use the "-ic" parameter to ignore the comments. Also, to remove the tool's banner, use the "-s" parameter:
ffuf -u http://testphp.vulnweb.com/FUZZ/ -w dict.txt
Here we can notice that some comments show up in the results when the above command is executed. After adding the "-s" and "-ic" parameters, all comments and banners are removed.
It is also possible to search for files with a specific extension on a web server using the "-e" option. All you need to do is specify the extension along with the parameter in the appropriate command format:
Burp Suite is a professional platform for testing the security of web applications. Its "cluster bomb" function allows using multiple payloads, mention the experts of the Cyber Security 360 course: there is a separate payload set for each given position, and the attack goes through every combination of payloads, checking all possible options.
Several parameters of ffuf make it easy to use such a request. For example, the "-request" parameter allows you to use a captured request in an attack, "-request-proto" defines the protocol for it, and "-mode" selects the attack mode.
First, random credentials are submitted on the target URL's page, and the browser proxy is configured so that Burp Suite captures the request in interception mode.
Now, on the Intercept tab, you need to edit the captured credentials by adding HFUZZ and WFUZZ: HFUZZ is added before "uname" and WFUZZ before "pass". Then copy and paste this request into a text file named according to the purposes of the project; in this case the file was named brute.txt.
Next we move to the main attack, where the "-request" parameter takes the text file, "-request-proto" sets the protocol (http), and "-mode" selects the "clusterbomb" attack. The wordlists in question (users.txt and pass.txt) consist of SQL injection payloads. Entering the following command launches the attack:
As the results of the attack show, SQL injection payloads were found to be effective for this specific purpose.
MAPPING OPTIONS
If we want ffuf to show only the data that matters for web fuzzing, we must pay attention to the matching parameters. They can match on HTTP code, strings, words, size and regular expressions, mention the experts of the Cyber Security 360 course.
HTTP CODE
To understand this configuration, consider a simple attack in which you can see which HTTP codes appear in the results:
ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt
It is clear that both HTTP 302 and HTTP 200 responses were received.
If you want to see only specific results, such as HTTP code 200, use the "-mc" parameter along with the code number. To verify that this parameter works, just run the following command:
Similarly, since the above options correspond to a function, you can restrict results to responses with a certain number of words. For this, use the "-mw" parameter along with the number of words you want to see in the results.
This is the last of all the matching options available in ffuf. LFI fuzzing is applied by matching the string "root:x", the pattern that a successful read of /etc/passwd returns, for this dictionary.
A URL is used that provides this functionality, and with the "-mr" parameter the string "root:x" is defined. This is what the special wordlist looks like.
Using this wordlist, we enter the following command to add the "-mr" parameter to the attack:
We received an HTTP 200 response for /etc/passwd with this wordlist.
FILTERING OPTIONS
Filtering options are the exact opposite of the matching options. The experts of the Cyber Security 360 course recommend using them to remove unnecessary results during web fuzzing. They also apply to HTTP code, strings, words, size, and regular expressions.
HTTP CODE
The "-fc" parameter takes the specific HTTP status code that the user wants to remove from the results.
Below are the general parameters of this tool, which are completely related to the web fuzzing process.
AUTOMATIC CUSTOM CALIBRATION
Calibration is the process of giving a measuring instrument the information it needs to understand the context in which it will be used; in ffuf it means letting the tool learn what the target's baseline responses look like so that the results it collects are accurate, mention the experts of the Cyber Security 360 course.
We can tune this function to the needs of each case using the "-acc" parameter, which cannot be used without the "-ac" parameter.
If you want to run fuzzing for a limited period of time, you can use the "-maxtime" parameter. You must enter a command specifying the selected time interval.
Using the "-maxtime-job" parameter, the user can set a time limit for a specific job. With this command, you can limit the time it takes to complete a task or query.
Using the "-p" parameter, the user adds a slight delay between the requests sent by the attack. According to the experts of the Cyber Security 360 course, with this feature the query becomes more efficient and provides clearer results.
ffuf -u http://192.168.1.12/dvwa/FUZZ/ -w dict.txt -p 1
QUERY SPEED
We can select the request rate we need for each attack using the "-rate" parameter. For example, we can send one request per second, depending on the desired attack.
There are three parameters that control how errors stop the attack. The first is "-se", which stops on spurious (false) errors, i.e. responses that show the next request is not genuine. The second, "-sf", stops the attack when more than 95% of the requests are counted as errors. The third, "-sa", is a combination of the two.
In the example shown below, we use the "-se" parameter:
Verbose mode is a feature found in many operating systems that provides additional information about what the computer is doing and which drivers and applications it loads at startup. In programming, this mode gives detailed output for debugging purposes, making it easier to debug the program itself. To enable it in ffuf, the "-v" parameter is used.
The "-t" parameter is used to speed up or slow down the process by setting the number of threads. By default it is 40; if you want to speed up the process, increase the value.
We may save the results of the attacks carried out in order to keep records, improve readability and find possible links. Use the "-o" parameter to save the output, but you must specify its format with the "-of" parameter.
Once the attack is complete, check whether the output file corresponds to this format or not, mention the experts of the Cyber Security 360 course. As you can see, the file itself is HTML.
OUTPUT DATA IN CSV FORMAT
Similarly, we can create CSV files using the "-of" parameter, where csv stands for comma-separated values. For example:
When the attack is complete, check whether the output file corresponds to this format or not. As you can see, the file itself is CSV.
DATA OUTPUT IN ALL AVAILABLE FORMATS
Similarly, if you want the output in all formats, use the "-of all" parameter. The formats are json, ejson, html, md, csv and ecsv.
Once the attack is complete, check all the files. We can see that they were saved in the various formats.
HTTP OPTIONS
Sometimes the fuzzing process requires details such as a raw HTTP request, cookies, or an HTTP header, mention the experts of the Cyber Security 360 course.
TIME-OUT
This feature acts as a deadline for a request to complete. The "-timeout" parameter sets it.
According to the experts of the Cyber Security 360 course, recursion is a mechanism for reusing a procedure: when a function calls itself, that is a recursive call. With the "-recursion" parameter, the user applies the same idea to the attack, so that discovered directories are fuzzed in turn.
There are times when fuzzing is not effective on a site where authentication is required. In these cases, we may use the "-b" parameter to supply session cookies.
There are speed limits when using the Intruder feature in the free version of Burp (Community Edition). The attack slows down a lot, and each new "order" slows it down even more.
In this case, the user uses the Burp Suite proxy to collect the results and evaluate them. First, configure the local proxy listener on port 8080.
Now let's use "-replay-proxy", which sends matched results through the local proxy configured in the previous step on port 8080.
This attack shows results in two places: first in the Kali Linux terminal and second in the "HTTP history" tab in Burp Suite. With the help of these methods, you will be able to better understand the target and analyze the results of the attack.
It is common to compare ffuf with other tools such as dirb or dirbuster. While ffuf can be used for deploying brute-force attacks, its real appeal lies in simplicity.
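From the defender's side, the same behaviour the tutorial describes (one client walking a wordlist, getting mostly 404/403 responses) is easy to spot in access logs. The following is an added example for this post, not code from the article or the ffuf project: it parses combined-format Apache/Nginx log lines and raises one alert per client whose recent requests hit many distinct paths with a high miss ratio. The log lines, IP addresses, paths and User-Agent are constructed.

```python
"""Flag directory-fuzzing bursts in web-server access logs.

Added defensive example for this tutorial; it is not from the article or the ffuf
project. The sample log lines, IP addresses, paths and User-Agent are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_fuzzing(lines: List[str], window: timedelta = timedelta(seconds=10),
                   min_requests: int = 20, miss_ratio: float = 0.8) -> List[Dict]:
    """One alert per client whose sliding window looks like wordlist fuzzing."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) < min_requests:
                continue
            misses = sum(1 for r in chunk if r["status"] in (403, 404))
            distinct = len({r["path"] for r in chunk})
            if misses / len(chunk) >= miss_ratio and distinct >= 0.9 * len(chunk):
                alerts.append({"ip": ip, "requests": len(chunk), "distinct_paths": distinct,
                               "miss_ratio": round(misses / len(chunk), 2),
                               "ua": chunk[-1]["ua"]})
                break  # one alert per client is enough
    return alerts


def constructed_sample() -> List[str]:
    """Build a fuzzing burst from 203.0.113.7 plus a few normal requests."""
    base = datetime(2023, 2, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 196 "-" "{ua}"'
    lines = []
    for i in range(30):  # 30 wordlist entries, five per second, mostly 404
        ts = (base + timedelta(seconds=i // 5)).strftime(TS_FMT)
        status = 200 if i % 10 == 0 else 404
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, path=f"/word{i}/",
                                status=status, ua="constructed-fuzzer/1.0"))
    for i, path in enumerate(["/", "/login", "/static/app.css", "/api/me", "/logout"]):
        ts = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.4", ts=ts, path=path,
                                status=200, ua="Mozilla/5.0 (constructed)"))
    return lines


if __name__ == "__main__":
    for alert in detect_fuzzing(constructed_sample()):
        print(alert)
```

The thresholds (20 requests in 10 seconds, 80% misses, nearly all paths distinct) are starting points; the distinct-path condition is what separates a fuzzer from a client that simply retries one broken link. Note that ffuf's "-p" and "-rate" options slow the burst down, so a window tuned only for fast scans will miss a throttled one.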
Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, information technologies, and to know more details about the Cyber Security 360 course
The MAC address is (or should be) unique to each network interface. If a device has several network interfaces, each of them has its own MAC address. For example, laptops have at least two network interfaces, wired and Wi-Fi, and each of them has a MAC address; desktop computers are usually the same. So when we talk about "changing MAC addresses", we need to understand that there are several of these addresses. Each port likewise has its own unique MAC address, and if the device supports wireless networks, each wireless interface (2.4 GHz and 5 GHz) also has its own MAC address.
So, since the MAC address must be unique, it allows the network device to be uniquely identified. And since this network device is part of your computer, it allows your computer to be uniquely identified. Moreover, the MAC address (also called the hardware or physical address) does not change when the operating system changes.
In short, MAC address spoofing is needed so that the device cannot be tracked and identified by its MAC address. But there is a more important reason (than paranoia) to learn about MAC addresses and about methods of changing them, or of preventing changes to them on your system. User identification by MAC address is performed when you connect through an Intercepting Portal (Captive Portal). A few words about it: this is a way to force the user to comply with certain conditions before being granted Internet access. You most often encounter Intercepting Portals in public places that provide Wi-Fi Internet access to an indefinite circle of people but want to identify the user and/or allow access only to persons with credentials. For example, at an airport you may need to confirm your phone number via SMS to access the free Wi-Fi network; a hotel will give you a username and password for Wi-Fi Internet access, which ensures that only hotel customers can use the service.
Because of how the Intercepting Portal works, user identification is based on MAC addresses. And starting with NetworkManager 1.4.0 (a popular program for managing network connections on Linux), automatic MAC address spoofing is present. With incorrect settings, you may therefore run into an Internet access problem behind an Intercepting Portal, and also problems with MAC-based filtering configured on the router.
And for pentesting experts, of course, there are reasons to change the MAC address: for example, to pretend to be another user and take advantage of their open access to the magical world of the Internet, or to increase anonymity.
Who can see my MAC address?
The MAC address is used to transfer data on a local network. That is, it is not transmitted when connecting to websites or when accessing the global network, although there are exceptions: some vulnerabilities allow a person who is not on your local network to find out your MAC address.
If you connect to a router over the local network, the router knows your MAC address, but if you open a site on the Internet, the site owner cannot find out your MAC address.
All devices on the local network can see each other's MAC addresses (there are many scanners that collect this data); an example is a local network scan made using arp-scan. The situation is slightly different for wireless network interfaces. If you are connected to an access point (router), all the rules of the local network apply: the router and other devices can find out your MAC address. But in addition, anyone within reach of your Wi-Fi signal (from a phone or laptop) can find out your MAC address.
SPOOFING MAC ADDRESSES IN NETWORKMANAGER
NetworkManager may override a MAC address set by other programs
Starting with NetworkManager 1.4.0, the program supports MAC spoofing and has many different options.
To understand them, we need to understand some concepts.
First, network adapters are divided into:
wired (ethernet);
wireless (wifi).
For each group, the MAC rules are configured separately.
Secondly, a wireless adapter can be in one of two states:
scanning (searching, not connected to a network): set using the property wifi.scan-rand-mac-address, default yes, which means that an arbitrary MAC address is set during scanning. The other acceptable value is no;
connected to a network: set using the property wifi.cloned-mac-address, the default value is preserve.
For the wired interface (set by the property ethernet.cloned-mac-address) and the wireless interface in the connected state (set by the property wifi.cloned-mac-address) the following values (modes) are available:
an explicitly specified MAC address (i.e. you can write the desired value that will be assigned to the network interface)
permanent: use the MAC address burned into the device
preserve: do not change the device's MAC address after activation (for example, if the MAC has been changed by another program, the current address will be used)
random: generate a random address for each connection
stable: similar to random, i.e. a random address is generated for each connection, BUT when connecting to the same network the same value is generated
NULL / not set: this is the default value, which falls back to the global settings. If no global settings are set, NetworkManager falls back to the value preserve.
If you are trying to change the MAC in other ways and failing, it is entirely possible that NetworkManager, which changes the MAC according to its own rules, is to blame. Since most Linux distributions with a graphical interface have NetworkManager installed and running by default, to solve your problem you must first understand how NetworkManager works and by what rules.
NETWORKMANAGER CONFIGURATION FILES
NetworkManager settings, including those related to MAC, can be made in the file /etc/NetworkManager/NetworkManager.conf or by adding an additional file with the .conf extension to the directory /etc/NetworkManager/conf.d.
The second option is strongly recommended: when NetworkManager is updated, the main .conf file is usually replaced, so any changes you made to /etc/NetworkManager/NetworkManager.conf will be overwritten.
HOW TO MAKE KALI LINUX REPLACE THE MAC WITH EACH CONNECTION
If you want the MAC address to be replaced with each connection, but the same MAC to be used when connecting to the same network, create the file /etc/NetworkManager/conf.d/mac.conf with the following content:
The lines with ethernet.cloned-mac-address and wifi.cloned-mac-address can be added individually or together.
Check the current values:
ip link
Restart the service:
sudo systemctl restart NetworkManager
Now make connections to wired and wireless networks and check the MAC values again.
As you can see, the MAC has been replaced for both the wired and wireless interfaces.
As already mentioned, the same addresses are generated for the same networks; if you want a different MAC every time, even for the same network, the lines should look like this:
HOW TO CONFIGURE AUTOMATIC MAC SPOOFING IN UBUNTU AND LINUX MINT
Ubuntu and Linux Mint ship NetworkManager versions that support automatic MAC configuration. However, if you connect a Wi-Fi card on Ubuntu or Linux Mint, you will see the real MAC. This is because the file /etc/NetworkManager/NetworkManager.conf explicitly says not to spoof:
Similarly, you can add lines to replace the MAC (these settings create a new address for each connection, but the same address is used when connecting to the same networks):
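The configuration fragments the text refers to are not reproduced above. As an added example (not taken from the original article), the following drop-in file puts the values described earlier together: random MAC while scanning, per-network stable MAC once connected, and, in comments, the random variant and the default that Ubuntu and Linux Mint ship in /etc/NetworkManager/NetworkManager.conf. The file name mac.conf is the one used in the text; the [device] and [connection] section names are NetworkManager's own.

```ini
# /etc/NetworkManager/conf.d/mac.conf  (added example, not from the article)
# A random MAC while scanning; a MAC that is stable per network once connected.
[device]
wifi.scan-rand-mac-address=yes

[connection]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable

# Variant: a fresh MAC on every connection, even to the same network.
# Use this [connection] section INSTEAD of the one above.
# [connection]
# ethernet.cloned-mac-address=random
# wifi.cloned-mac-address=random

# What Ubuntu and Linux Mint ship in /etc/NetworkManager/NetworkManager.conf,
# which is why the real MAC is visible there while scanning:
# [device]
# wifi.scan-rand-mac-address=no
```

After saving the file, restart the service with sudo systemctl restart NetworkManager, as described above; the connected-mode setting only becomes visible in ip link once an interface actually connects to a network.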
We will use the program ip, which is included in the package iproute2.
Let's start by checking the current MAC address with the command:
ip link show interface_name
Where interface_name is the name of the particular network interface you want to see. If you do not know the name, or want to see all interfaces, run the command like this:
ip link show
At the moment we are interested in the part that follows link/ether, which is a 6-byte number. It will look something like this:
link/ether 00:c0:ca:96:cf:cb
The first step in spoofing a MAC address is to bring the interface down. This is done with the command
sudo ip link set dev interface_name down
Where interface_name is replaced by the real name. In my case it is wlan0, so the real command looks like this:
sudo ip link set dev wlan0 down
Next we proceed to the MAC spoofing itself. You can use any hexadecimal value, but some networks may be configured not to assign IP addresses to clients whose MAC address does not match any known vendor (manufacturer). In such cases, to connect successfully, use the MAC prefix of a real vendor (the first three bytes) and arbitrary values for the remaining three bytes.
To change the MAC, run the command:
sudo ip link set dev interface_name address XX:XX:XX:XX:XX:XX
Where XX:XX:XX:XX:XX:XX is the desired new MAC.
For example, I want to set the hardware address EC:9B:F3:68:68:28 for my adapter, so the command looks like this:
sudo ip link set dev wlan0 address EC:9B:F3:68:68:28
In the last step, we bring the interface back up. This is done with a command of the form:
sudo ip link set dev interface_name up
For my system, the real command:
sudo ip link set dev wlan0 up
If you want to check whether the MAC has really changed, just run the command again:
ip link show interface_name
The value after link/ether should be the one you set.
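To make the "part that follows link/ether" check concrete, here is an added example (not from the original article) that parses ip link show output the way the text describes, validates the address format that ip accepts, and reports whether an address has the locally administered bit set, which software-generated addresses normally carry and a burned-in vendor address normally does not. The ip link output embedded below is constructed to look like the real thing and was not captured from a host; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): parse `ip link show` output, pull the
# six-byte address after "link/ether", and classify it. POSIX sh; awk/cut/grep only.

# Constructed sample, modelled on `ip link show`; not captured from a real host.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:c0:ca:96:cf:cb brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether ea:9b:f3:68:68:28 brd ff:ff:ff:ff:ff:ff'

# mac_of_iface IFACE TEXT: print the link/ether address of IFACE found in TEXT
# (TEXT is what `ip link show` prints). Prints nothing for loopback or unknown names.
mac_of_iface() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        /^[0-9]+:/ { want = ($2 == (ifc ":")); next }
        want && $1 == "link/ether" { print $2; exit }
    '
}

# mac_is_valid MAC: succeed if MAC is six colon-separated hex octets.
mac_is_valid() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# mac_is_local MAC: succeed if the locally administered bit (0x02 of the first
# octet) is set. Random generators normally set it; vendor addresses normally do not.
mac_is_local() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# describe_mac MAC: one-word verdict used by the report below
describe_mac() {
    if ! mac_is_valid "$1"; then echo "invalid"
    elif mac_is_local "$1"; then echo "locally-administered"
    else echo "vendor-assigned"
    fi
}

# Report for each non-loopback interface in the sample
for ifc in eth0 wlan0; do
    mac=$(mac_of_iface "$ifc" "$SAMPLE_IP_LINK")
    printf '%-6s %s  %s\n' "$ifc" "$mac" "$(describe_mac "$mac")"
done
```

On a live host, replace SAMPLE_IP_LINK with "$(ip link show)". Note that the article's example address EC:9B:F3:68:68:28 classifies as vendor-assigned, which is exactly the point the text makes about networks that reject unknown vendor prefixes; an administrator auditing a segment can use the same bit to spot addresses that were clearly generated in software.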
CHANGE MAC WITH MACCHANGER
Another method uses macchanger (also known as GNU MAC Changer). This program offers various functions, such as changing the address so that it matches a particular manufacturer, or randomizing it completely.
Install macchanger; it is usually present in the official repositories, and in Kali Linux it is installed by default.
At the time of changing the MAC, the device must not be in use (connected in any way, or in the up state). To bring the interface down:
sudo ip link set dev interface_name down
For spoofing you need to specify the interface name; in each of the following commands, replace wlan0 with the name of the interface whose MAC you want to change.
To see the MAC values, run the command with the -s option:
sudo macchanger -s wlan0
Something like:
Current MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
Permanent MAC: 00:c0:ca:96:cf:cb (ALFA, INC.)
The "Current MAC" line shows the address at the moment, and "Permanent MAC" the constant (real) address.
To spoof the MAC address to a completely arbitrary address (option -r):
The first two lines have already been explained; the "New MAC" line shows the new address.
To randomize only the bytes that identify the particular device, keeping the vendor part of the current MAC address (i.e. if you check the MAC address it will still appear to be from the same vendor), run the command (option -e):
sudo macchanger -e wlan0
To set the MAC address to a specific value, run (option -m):
sudo macchanger -m XX:XX:XX:XX:XX:XX wlan0
Here XX:XX:XX:XX:XX:XX is the MAC you want to change to.
Finally, to return the MAC address to its original, permanent value burned into the hardware (option -p):
sudo macchanger -p wlan0
CONCLUSION
NetworkManager currently provides extensive MAC spoofing capabilities, including changing to a random address or to a specific one. A feature of NetworkManager is the separation of "scanning" and "connected" modes, i.e. you may not see that your settings have taken effect until you connect to a network.
If after changing the MAC you have problems connecting (you cannot connect to wired or wireless networks), this means connections with a MAC from an unknown vendor (manufacturer) are prohibited. In that case, use the first three octets (bytes) of a real vendor; the remaining three octets can be arbitrary, say pentesting experts.
The Palo Alto Networks Unit 42 incident response team has discovered a new variant of PlugX malware that is distributed via removable USB devices and targets Windows PCs. This should not come as a surprise, since 95.6% of new malware or malware variants in 2022 targeted Windows.
According to Unit 42 researchers, the new variant was detected during an incident response following a Black Basta ransomware attack. The researchers uncovered several malware samples and tools on the victims' devices, including the Brute Ratel C4 red-teaming tool, GootLoader malware, and an old PlugX sample.
PlugX malware has been around for almost a decade and has been used by multiple actors of Chinese nexus and several other cybercrime groups. The malware was previously used in many high-profile cyberattacks, such as the 2015 U.S. Government Office of Personnel Management (OPM) breach.
The same backdoor was also used in the 2018 malware attack on the Android devices of minority groups in China. Most recently, in November 2022, researchers linked Google Drive phishing scams to the group infamously known for using PlugX malware.
Scope of Infection
The new variant stood out among other malware because it could infect any attached removable USB device, e.g. floppy, flash or thumb drives, and any system the removable device was later plugged into.
So far, no evidence connects the PlugX backdoor or Gootkit to the Black Basta ransomware group, and researchers believe another actor could have deployed it. Moreover, researchers noted that the malware could copy all Adobe PDF and Microsoft Word documents from the host and place them in a hidden folder on the USB device, which the malware itself creates.
Malware Analysis
Unit 42 researchers Jen Miller-Osborn and Mike Harbison explained in their blog post that this variant of PlugX malware is a wormable, second-stage implant. It infects USB devices and stays concealed from the Windows operating system's file listing. The user would not suspect that their USB device is being exploited to exfiltrate data from networks.
PlugX's USB variant is different because it uses a specific Unicode character, the non-breaking space (U+00A0), to hide files on a USB device plugged into a workstation. This character prevents the Windows OS from rendering the directory name, leaving what looks like an unnamed folder in Explorer.
Furthermore, the malware can hide actor files on a removable USB device through a novel technique, which even works on the latest Windows OS.
The malware is designed to infect the host and copy the malicious code to any removable device connected to the host, hiding it in a recycle bin folder. Since Windows does not show hidden files by default, the malicious files in the recycle bin are not displayed, but, surprisingly, they are not shown even with that setting enabled. These malicious files can be viewed or copied off only on a Unix-like OS or by mounting the USB device in a forensic tool.
The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.
Threat analysis firm Securonix's researchers have discovered new malware dubbed PY#RATION that allows attackers to steal sensitive files and log keystrokes on affected devices.
Malware Distribution Technique
The malware is distributed through a conventional phishing mechanism in which the email contains a password-protected ZIP archive. When it is unpacked, two shortcut files with image-like names appear, titled front.jpg.lnk and back.jpg.lnk. When launched, these files display the front and back of a driver's license that doesn't exist.
Images used in the scam (Credit: Securonix)
With this, the malicious code is also executed, leading to two new files being downloaded from the internet. These files, titled front.txt and back.txt, are later renamed to .bat files and executed. The malware disguises itself as the Cortana virtual assistant to ensure persistence on the system.
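Both stories above turn on file naming tricks: PlugX hides a directory behind the non-breaking space U+00A0, and the PY#RATION lure uses a double extension so that a shortcut looks like a JPEG. As an added example (not from either article or from the research teams involved), the script below scans a mounted USB device or an extracted archive for both patterns on a Unix-like host, which is where the articles say the PlugX files become visible at all, and dumps a suspicious name as hex so the c2 a0 bytes can be seen. The sample tree it builds is constructed for the demonstration and is not real evidence; the path /mnt/usb in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example (not from the articles): look for the two naming tricks described
# above on a mounted device or extracted archive. Assumes a Unix-like host with
# find/od/basename (GNU or BSD) and a UTF-8 file system.

NBSP=$(printf '\302\240')   # U+00A0 encoded as UTF-8: bytes c2 a0

# find_nbsp_names DIR: paths under DIR whose last component contains U+00A0
find_nbsp_names() {
    find "$1" -name "*${NBSP}*" 2>/dev/null | sort
}

# find_double_ext_lnk DIR: shortcut files dressed up with an image or document extension
find_double_ext_lnk() {
    find "$1" -type f \( -iname '*.jpg.lnk' -o -iname '*.jpeg.lnk' \
        -o -iname '*.png.lnk' -o -iname '*.pdf.lnk' \) 2>/dev/null | sort
}

# show_name_bytes PATH: hex dump of the last path component, so U+00A0 shows as "c2 a0"
show_name_bytes() {
    basename "$1" | od -An -tx1 | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# make_sample_tree: constructed stand-in for a mounted USB device (not real evidence).
# Prints the directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Documents" "$dir/RECYCLER/${NBSP}"
    : > "$dir/RECYCLER/${NBSP}/report.pdf"
    : > "$dir/Documents/notes.docx"
    : > "$dir/front.jpg.lnk"
    : > "$dir/back.jpg.lnk"
    : > "$dir/holiday.jpg"
    printf '%s\n' "$dir"
}

# report DIR: human-readable summary of both checks
report() {
    echo "== names containing U+00A0 =="
    find_nbsp_names "$1" | while IFS= read -r p; do
        printf '%s  (bytes: %s)\n' "$p" "$(show_name_bytes "$p")"
    done
    echo "== double-extension .lnk files =="
    find_double_ext_lnk "$1"
}

# Demo on the constructed tree; on a real case call: report /mnt/usb
T=$(make_sample_tree)
report "$T"
rm -rf "$T"
```

The report lists the hidden directory with its name rendered as c2 a0 0a (the trailing 0a is the newline basename prints), and both lure shortcuts; ordinary documents and a real .jpg are not flagged. Because the check reads names byte by byte it does not depend on how Explorer chooses to render them, which is the gap the PlugX variant relies on.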
What is PY#RATION
PY#RATION is Python-based malware that displays RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.
However, the unique aspect is that it uses WebSocket for exfiltration and C2 communication, and evades detection by network security solutions and antivirus programs. Leveraging Python's built-in Socket.IO framework, which facilitates client and server WebSocket communications, the malware pulls data and receives commands over a single TCP connection through open ports simultaneously.
Moreover, according to a blog post published by Securonix, the attackers use the same C2 address, which the IPVoid checking system is yet to block. Researchers believe this malware is still under active development, as they have detected multiple versions since August 2022. The malware receives instructions from the operators through WebSocket and obtains sensitive data.
Potential Dangers
This Python RAT is packed into an executable using automated packers such as "pyinstaller" and "py2exe", which convert Python code into Windows executables. This inflates the payload size (the first detected version, 1.0, was 14 MB; the last detected version, 1.6.0, was 32 MB and contained 1000+ lines and additional code).
Infection chain of the PY#RATION python malware (Credit: Securonix)
Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.
The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Who's behind this campaign, the distribution volume, and the campaign objectives are still unclear.
The European Union Agency for Cybersecurity (ENISA) has made available Awareness Raising in a Box (AR-in-a-BOX), a "do it yourself" toolbox to help organizations create and implement a custom security awareness raising program.
The package includes:
A guideline on how to build an internal cyber-awareness raising program tailored to employeesβ needs
A guideline on creating an awareness campaign targeted at external stakeholders
A how-to guide on how to select the appropriate tools and channels to best reach the target audience and tips for effective communication in social media
Instructions on selecting the right metrics and developing key performance indicators (KPIs) to evaluate the effectiveness of a program or campaign
A guide for the development of a communication strategy
An awareness raising game, in different versions and styles, for a generic audience and for an audience in the energy sector. It also comes with a guide on how it should be played
An awareness raising quiz to test comprehension and retention of key information (e.g., how to create good passwords)
Why security awareness matters
People have become cyber-attackers' primary attack vector, which means that programs for raising cyber awareness are crucial to an organization's cybersecurity strategy. The goal of these programs is to promote good cybersecurity practices among employees, managers and executives and improve their cybersecurity behavior.
AR-in-a-BOX can help them get their heads around the task and push them towards implementation.
"AR-in-a-Box is offered by ENISA to public bodies, operators of essential services, large private companies as well as small and medium ones (SMEs). [It] is dynamic and will be regularly updated and enriched," the agency noted.
The Wireshark Team has recently unveiled the latest iteration of their widely-utilized packet analyzer, Wireshark 4.0.3.
This version boasts a multitude of improvements, including new features and updates, as well as the resolution of various bugs to ensure a smooth and efficient user experience.
The Wireshark packet analyzer is a free and open-source application that is available for all major platforms. In addition to troubleshooting networks, Wireshark can be used to analyze network traffic, develop software or communications protocols, and can even be used for educational purposes in the cybersecurity field.
Wireshark supports a wide range of network protocols, and with Wireshark a security professional can see the details of network packets in real time, including:
Many organizations utilize this tool on a regular basis as part of their daily business operations so that they can monitor the day-to-day tasks of their businesses.
Wireshark 4.0.3 Platform Support
The Wireshark 4.0.3 packet analyzer is available for all major platforms and operating systems, listed below:
Windows
Linux
macOS
BSD
What's New?
32-bit Windows packages for Wireshark 4.0 and later are no longer available from the official Wireshark website and cannot be installed. Windows installers currently ship Qt 5.12.2 as the standard version.
This version includes fixes for a number of vulnerabilities and bugs. The changes fall into the following categories:
Vulnerability Fixes
Bug Fixes
Updated Protocol Support
Vulnerabilities Fixed
The following vulnerabilities have been fixed in this version:
Screenshots in AppStream metainfo.xml file not available.
Updated Protocol Support
The following protocol dissectors have been updated in this version:
ASTERIX
BEEP
BGP
BPv6
CoAP
EAP
GNW
GSM A-bis P-GSL
iSCSI
ISUP
LwM2M-TLV
MBIM
NBAP
NFS
OBD-II
OPUS
ProtoBuf
RLC
ROHC
RTPS
Telnet
TIPC
USB
It is absolutely crucial that users upgrade their current version of Wireshark to the newly released 4.0.3 version as soon as possible.
The Wireshark team has put a great effort into adding new features and fixing bugs to improve the overall user experience. Failure to update will result in missing out on the many enhancements and refinements this version has to offer.
In addition, if you are interested in getting the latest version of the application, you may click this link.
GoTo is a well-known brand that owns a range of products, including technologies for teleconferencing and webinars, remote access, and password management.
If you've ever used GoTo Webinar (online meetings and seminars), GoToMyPC (connect to and control someone else's computer for management and support), or LastPass (a password management service), you've used a product from the GoTo stable.
You've probably not forgotten the big cybersecurity story of the 2022 Christmas holiday season, when LastPass admitted that it had suffered a breach that was much more serious than it had first thought.
The company first reported, back in August 2022, that crooks had stolen proprietary source code following a break-in into the LastPass development network, but not customer data.
But the data grabbed in that source code robbery turned out to include enough information for attackers to follow up with a break-in at a LastPass cloud storage service, where customer data was indeed stolen, ironically including encrypted password vaults.
Now, unfortunately, it's parent company GoTo's turn to admit to a breach of its own, and this one also involves a development network break-in.
Security incident
On 2022-11-30, GoTo informed customers that it had suffered "a security incident", summarising the situation as follows:
Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.
This story, so briefly told at the time, sounds curiously similar to the one that unfolded from August 2022 to December 2022 at LastPass: development network breached; customer storage breached; investigation ongoing.
Nevertheless, we have to assume, given that the statement explicitly notes that the cloud service was shared between LastPass and GoTo, while implying that the development network mentioned here wasn't, that this breach didn't start months earlier in LastPass's development system.
The suggestion seems to be that, in the GoTo breach, the development network and cloud service intrusions happened at the same time, as though this was a single break-in that yielded two targets right away, unlike the LastPass scenario, where the cloud breach was a later consequence of the first.
Incident update
Two months later, GoTo has come back with an update, and the news isn't great:
[A] threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.
The company also noted that although MFA settings for some Rescue and GoToMyPC customers were stolen, their encrypted databases were not.
Two things are confusingly unclear here: firstly, why were MFA settings stored encrypted for one set of customers but not for others; and secondly, what do the words "MFA settings" encompass anyway?
Several possible important "MFA settings" come to mind, including one or more of:
A recent report reveals that the number of attacks on financial service APIs and web applications worldwide increased by 257%.
There are more APIs in use than ever, and the average FinTech company takes advantage of hundreds if not thousands of connections in their daily operations.
APIs have become a critical component of fintech, but they also open new vulnerabilities. 48% of financial services companies state that API security remains the top concern of their API utilization.
So, what are the top FinTech API security challenges?
Impacts Of API Attacks on Fintech
API attacks on fintech companies can severely affect the financial industry and the customers who rely on these services. These attacks are becoming increasingly frequent as fintech companies grow in popularity and usage.
API attacks can have serious consequences, including financial loss and damage to a company's reputation. These attacks can steal sensitive information like login credentials or financial data. This data can be used for identity theft, financial fraud, and other criminal activities, causing significant financial losses for the affected customers.
They can also be used to disrupt services or conduct fraudulent transactions. Additionally, service disruptions can lead to lost business, damage to reputation, and loss of customer trust.
API attacks can also have a ripple effect throughout the financial industry. If a major fintech company is compromised, it can cause mistrust and uncertainty among other financial institutions. This can lead to increased scrutiny and regulations for the entire industry.
Fintech companies must take proactive measures to secure their APIs and protect their customersβ data. This includes implementing robust authentication and authorization mechanisms, encryption for sensitive data, and regularly testing and updating security measures.
Additionally, having an incident response plan to address and mitigate potential breaches quickly is crucial in preserving customer trust and minimizing damage to the companyβs reputation.
OWASP Top 10 API Security Risks
The OWASP API Top 10 isn't necessarily FinTech-specific. But with API usage exploding in every industry, it's worth taking some time to understand the risks they've identified. After all, many modern companies would not exist without APIs.
Broken object-level authorization
Broken user authentication
Excessive data exposure
Lack of resources and rate limiting
Broken function-level authorization
Mass assignment
Security misconfiguration
Injection
Improper assets management
Insufficient logging and monitoring
What are the Challenges of Protecting APIs?
Explosive increase in API utilization
There has been a significant increase in the use of APIs in fintech in recent years. APIs allow fintech companies to easily integrate with other systems and services, such as banking platforms, payment processors, and data providers. This enables fintech companies to build new products and services quickly and easily and offer their customers a more comprehensive range of features.
As many APIs are integrated into third-party systems, it can be challenging to monitor for potential vulnerabilities.
Connections Create New Vulnerabilities & Risks
Most applications are made up of multiple services connected through APIs. This interconnectivity can inadvertently create new risks and vulnerabilities.
As interconnected services increase, the complexity of securing API connections also increases. Each connection represents a potential vulnerability that malicious actors could exploit. Additionally, as more services are connected, the attack surface for potential vulnerabilities also increases.
Data Exposure
FinTech companies handle sensitive financial information, making them prime targets for cyber attacks.
Tracking and monitoring for potential security threats becomes more difficult as more data is exposed through APIs. It can be difficult to track exactly:
What needs to be protected, and how?
Where are APIs exposing data?
Is the exposure necessary?
The larger the amount of data and the more diverse the sources, the harder it can be to identify and respond to security incidents.
Furthermore, the increased use of cloud and third-party services can complicate tracking, as it can be challenging to determine where data is being stored and how it is being used.
Data exposure can also be a moving target based on API updates. For maximum security, you must always remain mindful of changes.
Rapid Development
An API in FinTech is perfect for rapid innovation and development. New updates, features, and functionality can be rolled out quickly and smoothly.
APIs are constantly changing. And because of that, app developers need to roll out multiple updates yearly.
This creates a challenge for the security team because they need to be able to keep pace with changes and know what security structures need to include.
Developers Canβt Catch Everything
It's difficult, if not impossible, to catch all possible vulnerabilities before deployment. Despite the care taken during the development process, it's unrealistic to think that developers would be aware of everything that could go wrong.
Developers also need to move quickly. Because there are always new features to add and innovations to make, security can be an afterthought, for better or worse.
Traditional Security Isnβt Enough
Most FinTech companies already have sophisticated runtime security stacks, featuring multiple layers of security tools. But these solutions simply aren't enough when it comes to API vulnerabilities.
Traditional approaches to FinTech API security, such as basic authentication, do not provide adequate protection, because they rely on static, easily compromised credentials and do not take into account the dynamic nature of API usage.
Traditional approaches often rely on static rules and signatures, which can be easily bypassed by attackers who know how to evade them.
Additionally, these approaches do not provide visibility into API activity, making detecting and responding to threats difficult.
For API security, it is necessary to use more modern security techniques specifically designed for this purpose.
Lack of skills
Appdome says lack of skills was one of the top two challenges in an organizationβs API strategy. Many organizations do not specialize in app security. And there are many factors to consider: development framework, OS, security features, and more.
API security should be a top priority for fintech. The waters ahead could be turbulent if you don't know how to navigate them. Your best bet is to find a partner to help you set up the necessary security infrastructure. The peace of mind will be well worth the investment.
API Protection with AppTrana
AppTrana API protection is a comprehensive security solution that provides advanced protection for your APIs.
One of its key features is API discovery, which allows you to automatically identify all the APIs within your organization and track their usage. This helps you to understand how your APIs are being used and identify any potential security risks.
Another important feature of AppTrana is its positive security model, which allows only known and trusted traffic to access your APIs.
AppTrana also includes rate limiting, a technique used to control the number of requests that can be made to an API within a certain period. This helps prevent malicious actors from overwhelming your APIs with many requests, which can cause them to become unresponsive or crash.
In addition to these features, AppTrana provides real-time monitoring and reporting, so you can quickly identify and respond to any security incidents. This includes detailed logs of all API activity and alerts for suspicious activity, such as excessive request rates or bot fingerprints.
Your email address has become a digital bread crumb for companies to link your activity across sites. Here's how you can limit this.
When you browse the web, an increasing number of sites and apps are asking for a piece of basic information that you probably hand over without hesitation: your email address.
It may seem harmless, but when you enter your email, you're sharing a lot more than just that. I'm hoping this column, which includes some workarounds, persuades you to think twice before handing over your email address.
First, it helps to know why companies want email addresses. To advertisers, web publishers and app makers, your email is important not just for contacting you. It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads.
If this all sounds familiar, that's because it is.
For decades, the digital advertising industry relied on invisible trackers planted inside websites and apps to follow our activities and then serve us targeted ads. There have been sweeping changes to this system in the past few years, including Apple's release of a software feature in 2021 allowing iPhone users to block apps from tracking them and Google's decision to prevent websites from using cookies, which follow people's activities across sites, in its Chrome browser by 2024.
Advertisers, web publishers and app makers now try to track people through other means, and one simple method is by asking for an email address.
Imagine if an employee of a brick-and-mortar store asked for your name before you entered. An email address can be even more revealing, though, because it can be linked to other data, including where you went to school, the make and model of the car you drive, and your ethnicity.
"I can take your email address and find data you may not have even realized you've given to a brand," said Michael Priem, the chief executive of Modern Impact, an advertising firm in Minneapolis. "The amount of data that is out there on us as consumers is literally shocking."
Advertising tech is continuing to evolve, so it helps to understand what exactly you're sharing when you enter an email address. From there, you can decide what to do.
Your email address has become a potent piece of data.
For many years, the digital ad industry has compiled a profile on you based on the sites you visit on the web. Information about you used to be collected in covert ways, including the aforementioned cookies and invisible trackers planted inside apps. Now that more companies are blocking the use of those methods, new ad targeting techniques have emerged.
One technology that is gaining traction is an advertising framework called Unified ID 2.0, or UID 2.0, which was developed by the Trade Desk, an ad-technology company in Ventura, Calif.
Say, for example, you are shopping on a sneaker website using UID 2.0 when a prompt pops up and asks you to share your email address and agree to receive relevant advertising. Once you enter your email, UID 2.0 transforms it into a token composed of a string of digits and characters. That token travels with your email address when you use it to log in to a sports streaming app on your TV that uses UID 2.0. Advertisers can link the two accounts together based on the token, and they can target you with sneaker ads on the sports streaming app because they know you visited the sneaker website.
Since your email address is not revealed to the advertiser, UID 2.0 may be seen as a step up for consumers from traditional cookie-based tracking, which gives advertisers access to your detailed browsing history and personal information.
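The linking step in that sneaker-site example is easy to see in code. The script below is an added illustration, not from the column and not the Trade Desk's actual UID 2.0 algorithm: it shows that two unrelated sites which normalise the address the same way and hash it end up holding an identical token they can join on, while a per-service alias of the kind the column recommends produces an unrelated token. The sample addresses are constructed; it assumes sha256sum (coreutils) or shasum is on the PATH.

```shell
#!/bin/sh
# Added illustration (not from the column; a simplified stand-in for UID 2.0-style
# tokenisation): normalise an email address, hash it, compare tokens across "sites".

# sha256_hex: read stdin, print the SHA-256 digest as hex (coreutils or BSD flavour)
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# normalize_email ADDR: lowercase and trim, so "Brian.Chen@Example.com " and
# "brian.chen@example.com" collapse to one identity before hashing.
normalize_email() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# email_token ADDR: the deterministic token any site applying the same recipe derives
email_token() {
    normalize_email "$1" | sha256_hex
}

# same_identity ADDR1 ADDR2: succeed if both addresses yield the same token
same_identity() {
    [ "$(email_token "$1")" = "$(email_token "$2")" ]
}

# Constructed sample logins (not real people). The third is a per-service alias.
SNEAKER_SITE_LOGIN='Brian.Chen@Example.com'
STREAMING_APP_LOGIN=' brian.chen@example.com'
ALIAS_LOGIN='netflixbrianchen@example.com'

if same_identity "$SNEAKER_SITE_LOGIN" "$STREAMING_APP_LOGIN"; then
    echo "sneaker site and streaming app hold the same token: activity is linkable"
fi
if ! same_identity "$SNEAKER_SITE_LOGIN" "$ALIAS_LOGIN"; then
    echo "the alias yields a different token: not linkable by this method"
fi
echo "token for the sneaker-site login: $(email_token "$SNEAKER_SITE_LOGIN")"
```

The advertiser never sees the address itself, only the 64-character token, which is why this is described as a step up from cookies; but the token is the same everywhere the same address is used, which is exactly the property the email-masking tools discussed further down are meant to break.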
"Websites and apps are increasingly asking for email authentication in part because there needs to be a better way for publishers to monetize their content that's more privacy-centric than cookies," Ian Colley, the chief marketing officer of the Trade Desk, said in an email. "The internet is not free, after all."
However, in an analysis, Mozilla, the nonprofit that makes the Firefox web browser, called UID 2.0 a βregression in privacyβ because it enabled the type of tracking behavior that modern web browsers were designed to prevent.
There are simpler ways for websites and apps to track your web activity through your email address. An email could contain your first and last name, and assuming youβve used it for some time, data brokers have already compiled a comprehensive profile on your interests based on your browsing activity. A website or an app can upload your email address into an ad brokerβs database to match your identity with a profile containing enough insights to serve you targeted ads.
The bottom line is that if youβre wondering why you are continuing to see relevant ads despite the rise of privacy tools that combat digital tracking, itβs largely because you are still sharing your email address.
So what to do?
There are various options for limiting the ability of advertising companies to target you based on your email address:
Create a bunch of email addresses. Each time a site or an app asks for your email, you could create a unique address to log in to it, such as, for example, netflixbrianchen@gmail.com for movie-related apps and services. That would make it hard for ad tech companies to compile a profile based on your email handle. And if you receive spam mail to a specific account, that will tell you which company is sharing your data with marketers. This is an extreme approach, because it's time-consuming to manage so many email addresses and their passwords.
Use email-masking tools. Apple and Mozilla offer tools that automatically create email aliases for logging in to an app or a site; emails sent to the aliases are forwarded to your real email address. Apple's Hide My Email tool, which is part of its iCloud+ subscription service that costs 99 cents a month, will create aliases, but using it will make it more difficult to log in to the accounts from a non-Apple device. Mozilla's Firefox Relay will generate five email aliases at no cost; beyond that, the program charges 99 cents a month for additional aliases.
When possible, opt out. For sites using the UID 2.0 framework for ad targeting, you can opt out by entering your email address at https://transparentadvertising.org. (Not all sites that collect your email address are using UID 2.0, however.)
You could also do nothing. If you enjoy receiving relevant advertising and have no privacy concerns, you can accept that sharing some information about yourself is part of the transaction for receiving content on the internet.
I try to take a cautious but moderate approach. I juggle four email accounts devoted to my main interests: food, travel, fitness and movies. I'll use the movie-related email address, for example, when I'm logging in to a site to buy movie tickets or stream videos. That way, those sites and apps will know about my movie preferences, but they won't know everything about me.
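To make the sneaker-site/streaming-app scenario and the alias advice above concrete, here is an added Python example (it is not code from the article, the Trade Desk, Apple or Mozilla). It models an email-derived advertising token as a deterministic hash of the normalized address; that normalization and hash are assumptions standing in for whatever UID 2.0 actually does, which the article does not describe. The point it demonstrates is structural: any token that is computed the same way from the same address lets an ad platform join logins across sites without ever seeing the address, whereas a per-service alias yields a different token on every site, and an alias-to-service table tells you which service shared the address when unsolicited mail arrives. The alias format and the relay domain are also assumed.

```python
import hashlib
import secrets


def normalize_email(email: str) -> str:
    """Canonical form so 'Brian@Example.com ' and 'brian@example.com' tokenize identically.
    Assumed, simplified normalization; the article does not describe UID 2.0's own rules."""
    return email.strip().lower()


def email_token(email: str) -> str:
    """Deterministic token derived from the normalized address (SHA-256 here, as a stand-in
    for an email-based advertising identifier). The same input on any site gives the same token."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def build_ad_profiles(logins):
    """An ad platform's view: `logins` is a list of (site, email_entered) events collected
    from different sites. Events are joined purely on the token, never on the raw address."""
    profiles = {}
    for site, email in logins:
        profiles.setdefault(email_token(email), set()).add(site)
    return profiles


class AliasBook:
    """Per-service aliases of the kind Hide My Email or Firefox Relay hand out (format assumed).
    Keeps alias -> service so unsolicited mail can be traced to the service that shared it."""

    def __init__(self, domain: str):
        self.domain = domain
        self.by_alias = {}

    def register(self, service: str) -> str:
        alias = "%s@%s" % (secrets.token_hex(6), self.domain)
        self.by_alias[alias] = service
        return alias

    def leak_source(self, recipient: str):
        """Which service was given the alias that just received mail? None if unknown."""
        return self.by_alias.get(normalize_email(recipient))


def compare_strategies(real_email: str, sites):
    """Return (profiles when one address is used everywhere, profiles when each site gets an alias)."""
    shared = build_ad_profiles([(site, real_email) for site in sites])
    book = AliasBook("relay.example")  # constructed relay domain
    masked = build_ad_profiles([(site, book.register(site)) for site in sites])
    return shared, masked


if __name__ == "__main__":
    shared, masked = compare_strategies("Brian@Example.com", ["sneaker-site", "sports-streaming-app"])
    print("one address everywhere:", shared)   # one token linking both sites
    print("alias per site:", masked)           # two unrelated tokens
```

With one address, `compare_strategies` returns a single token mapped to both sites, which is exactly the linkage that lets the streaming app show sneaker ads; with aliases it returns two tokens that cannot be joined.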
The field of cybersecurity is rife with acronyms. From AES to VPN, these technical alphabet soup terms have been part of the knowledge of not only cybersecurity experts but also organizations that are planning to buy security solutions or implement security technologies.
Enterprise Strategy Group (ESG) has released its 2023 Technology Spending Intentions Survey, and it includes four terms those concerned with cybersecurity need to be acquainted with. Not all of them are new, but it is advisable to be familiar with them, as they are expected to be important areas of cybersecurity spending in 2023.
XDR - Extended Detection and Response
Extended Detection and Response (XDR) is an approach in cybersecurity characterized by unified and integrated data visibility. It was developed in response to the rapidly evolving nature and increasing volumes of cyber threats by allowing organizations to proactively defend themselves with the full awareness of multiple attack vectors.
Markets and Markets project that the XDR market size will reach $2.4 billion by 2027, expanding at a CAGR of 19.1 percent for the period 2022 to 2027. Other estimates put the CAGR at over 20 percent, reflecting the increased interest in this cybersecurity approach in view of the rapidly evolving nature of the threat landscape.
One of the biggest cybersecurity challenges XDR addresses is the overwhelming amounts of security data organizations have to deal with. Security visibility is all about having information about attack surfaces and security events, which have become massive nowadays because of the number of new devices and technologies. However, the abundance of data can also pose a problem, as it hampers the prompt response to crucial alerts because of inefficient data handling. It is common for organizations to use disjointed tools that generate huge amounts of data including false positives and less important alerts. Organizations have a hard time going over all of the data, prioritizing them, and responding to each and every one of them.
XDR addresses this problem by unifying various disjointed security tools under a common dashboard, which makes it easy to view and analyze data from different sources. Also, XDR enables scalable automated responses to address simple security events, which comprise most of the security alerts. This frees up significant time for human security analysts so they can focus on more important concerns.
MXDR - Managed Detection and Response
MXDR refers to the combination of XDR and Managed Detection and Response (MDR). It is a new term used to encapsulate the setup wherein organizations purchase cybersecurity products that provide advanced functions for them to tinker with while having the advantage of not worrying about settings and the optimal use of available features and functions.
XDR is a cybersecurity product that can be obtained in full from a single vendor. MDR, on the other hand, is a cybersecurity solution managed by a third-party provider. Both have advantages and drawbacks, and organizations are not limited to just one or the other. In 2023, innovative solutions that embody the MXDR concept are set to gain traction or at least have improved awareness among customers.
ESG Research suggests that MXDR will be a popular option and not just a mere concept that brings together the benefits of XDR and MDR. A significant 34 percent of the organizations surveyed by ESG said that if they were to choose an MDR vendor, they would go for one that is primarily focused on XDR.
This is not surprising given that many cybersecurity professionals tend to be keen on being hands-on with the systems they are using. However, the reality is that the cybersecurity skills shortage continues to be a problem. The limited cybersecurity experts overseeing an organization's security posture do not have the luxury of being too meticulous and involved in all aspects of their security operations. They could use some support from managed services.
DRs
This is not an actual cybersecurity term but a portion common among multiple acronyms like Endpoint Detection and Response (EDR) and Cloud Detection and Response (CDR). Essentially, these are "more DRs."
While XDR is a reliable approach to defending organizations from various cyber threats, it is not a magical tool capable of addressing all kinds of attacks. It is far from perfect, and there will be instances when organizations would have to employ other solutions to fortify their security posture.
XDR brings together different "detection and response" solutions to achieve more efficient handling of security data and events. It maximizes the real-time functionality of EDR and the network traffic analysis strengths of NDR (Network Detection and Response). However, XDR may not have everything it needs to address emerging threats. There will come a time for new approaches such as Data Detection and Response and Identity Detection and Response to be incorporated into an organization's security posture.
XDR is not a fixed cybersecurity approach. It can continue integrating other DRs the way it did with EDR and NDR. However, its existence does not prevent the rise of other possibly more advanced DR technologies that are more attuned to specific emerging threats in 2023 and beyond.
SBOM
SBOM refers to the Software Bill of Materials. The United States Cybersecurity and Infrastructure Security Agency (CISA) defines this as "a nested inventory, a list of ingredients that make up software components." It is regarded as a key component in software security and the management of risks in the software supply chain.
SBOM gained prominence when it was mentioned in the 2021 Executive Order of the United States President regarding the need to enhance software supply chain security in response to major cyber attacks that targeted the software supply chain. This was around the time when the SolarWinds attack was made known.
The software bill of materials is not a specific cybersecurity product or technology, but it is a crucial part of the application security and attack surface management discussion. With the surge in open-source software use and cloud-native application development, it becomes more important than ever to pay attention to SBOM to enable community engagement and development.
By now, it should be clear that cybersecurity is best undertaken as a global collaborative endeavor. It would be extremely difficult to secure the software supply chain when there is no transparency of software components. The knowledge of these software components allows everyone to examine and detect potential security issues and resolve them before threat actors get to exploit them.
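CISA's "nested inventory" wording is the practical heart of the SBOM discussion above: the components that matter for risk are often the ones buried inside other components. The following added Python example (not from the article, CISA or ESG) shows what a consumer of an SBOM does with it: flatten the nesting, look up every component against an advisory table, and report the path by which an affected library got in. The article names no SBOM format, so the sample document uses CycloneDX JSON field names (`bomFormat`, `components`, `purl`); the component names, versions, package URLs and the advisory identifier are all constructed placeholders.

```python
import json

# Constructed minimal CycloneDX-style document. Field names follow the CycloneDX JSON format;
# the component names, versions and purls are made up for this example.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "http-client", "version": "1.4.0",
     "purl": "pkg:generic/http-client@1.4.0",
     "components": [
       {"type": "library", "name": "tls-lib", "version": "0.9.2",
        "purl": "pkg:generic/tls-lib@0.9.2"}
     ]},
    {"type": "library", "name": "json-parser", "version": "3.1.0",
     "purl": "pkg:generic/json-parser@3.1.0"}
  ]
}
""")

# Constructed advisory table: (name, version) -> advisory id. Placeholder id, not a real CVE.
SAMPLE_ADVISORIES = {("tls-lib", "0.9.2"): "ADV-PLACEHOLDER-0001"}


def flatten_components(bom):
    """Walk the nested inventory and return every component with its depth and parent,
    so transitive (nested) dependencies are not overlooked."""
    def walk(components, depth, parent):
        for comp in components:
            yield {"name": comp["name"], "version": comp.get("version"),
                   "purl": comp.get("purl"), "depth": depth, "parent": parent}
            yield from walk(comp.get("components", []), depth + 1, comp["name"])
    return list(walk(bom.get("components", []), 0, None))


def find_affected(bom, advisories):
    """Exact (name, version) matches between the flattened SBOM and the advisory table.
    Version-range matching is deliberately out of scope here."""
    return [(comp, advisories[(comp["name"], comp["version"])])
            for comp in flatten_components(bom)
            if (comp["name"], comp["version"]) in advisories]


def dependency_path(bom, name):
    """Chain of parents from a top-level component down to `name`, e.g. ['http-client', 'tls-lib']."""
    by_name = {comp["name"]: comp for comp in flatten_components(bom)}
    path = []
    while name is not None:
        path.append(name)
        name = by_name[name]["parent"]
    return list(reversed(path))


if __name__ == "__main__":
    for comp, advisory in find_affected(SAMPLE_BOM, SAMPLE_ADVISORIES):
        print("%s %s affected by %s via %s" % (
            comp["name"], comp["version"], advisory,
            " -> ".join(dependency_path(SAMPLE_BOM, comp["name"]))))
```

A scan that only looked at top-level entries would report nothing here; the affected `tls-lib` is only visible because the nested inventory is walked, which is the transparency argument the section makes.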
Some say that the cybersecurity industry is one of the biggest offenders when it comes to introducing gimmicky acronyms and terms. This is not enough reason, though, to ignore or downplay important terms and concepts that address actual problems and bolster the cyber defense.
Over the years, we've written and spoken on Naked Security many times about the thorny problem of DNS hijacking.
DNS, as you probably know, is short for domain name system, and you'll often hear it described as the internet's "telephone directory" or "gazetteer".
If you're not familiar with the word gazetteer, it refers to the index at the back of an atlas where you look up, say, Monrovia, Liberia in a convenient alphabetic list, and it says something like 184 - C4. This tells you to turn straight to page 184, and to follow the grid lines down from the letter C at the top of the map, and across from the number 4 on the left. Where the lines meet, you'll find Monrovia.
For most users, most DNS lookups go out containing a server name, asking for a reply to come back that includes what's known as its A-record or its AAAA-record.
(A-records are used for 32-bit IPv4 internet numbers, such as 203.0.113.42; AAAA-records are the equivalent answers for 128-bit IPv6 addresses, such as 2001:db8:15a:d0c::42; in this article, we'll just use A-records and IPv4 numbers, but the same security issues apply to the lookup process in both cases.)
Here's an example, where we're looking up the imaginary domain name naksec.test via a DNS server that was specially created to track and teach you about DNS traffic.
We've used the old-school Linux tool dig, short for domain internet groper, to generate a simple DNS request (dig defaults to looking up A-records) for the server we want:
$ dig +noedns @127.42.42.254 naksec.test
;; QUESTION SECTION:
;naksec.test. IN A
;; ANSWER SECTION:
NAKSEC.TEST. 5 IN A 203.0.113.42
;; Query time: 1 msec
;; SERVER: 127.42.42.254#53(127.42.42.254) (UDP)
;; WHEN: Mon Jan 23 14:38:42 GMT 2023
;; MSG SIZE rcvd: 56
Here's how our DNS server dealt with the request, showing a hex dump of the incoming request, and the successful reply that went back:
Note that, for performance reasons, most DNS requests use UDP, the user datagram protocol, which works on a send-and-hope basis: you fire off a UDP packet at the server you want to talk to, and then wait to see if a reply comes back.
This makes UDP much simpler and faster than its big cousin TCP, the transmission control protocol, which, as its name suggests, automatically takes care of lots of details that UDP doesn't.
Notably, TCP deals with detecting when data gets lost and asking for it again; ensuring that chunks of data arrive in the right order; and providing a single network connection that, once set up, can be used for sending and receiving at the same time.
UDP doesn't have the concept of a "connection", so requests and replies essentially travel independently:
A DNS request arrives at the DNS server in a UDP packet of its own.
The DNS server keeps a record of which computer sent that particular packet.
The server sets about finding an answer to send back, or deciding that there isnβt one.
The server sends a reply to the original sender, using a second UDP packet.
From the level of the operating system or the network, those two UDP packets above are independent, standalone transmissions; they aren't tied together as part of the same digital connection.
It's up to the server to remember which client to send each reply to; and it's up to the client to figure out which replies relate to which requests it originally sent out.
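As an added example (not code from Naked Security, nor from dig or the teaching DNS server the article mentions), the Python script below builds the same A-record query for naksec.test that dig sent, constructs the reply the server would send back using the answer shown above (203.0.113.42 with a 5-second TTL), prints both packets as hex dumps, and then implements the client-side bookkeeping the last paragraph describes: a table of outstanding transaction IDs, with a reply accepted only when its ID is still pending, its QR (response) bit is set and the echoed question matches what was asked. The transaction ID 0x1234 is an assumed value. With the answer name written out in full rather than compressed, the constructed reply comes to 56 bytes, the same size dig reported.

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode 'naksec.test' as DNS labels: b'\\x06naksec\\x04test\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """A-record query with only the RD (recursion desired) flag set, as 'dig +noedns' sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD, AN, NS, AR counts
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(data: bytes, offset: int):
    """Decode a name at `offset`, following 0xC0 compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_response(query: bytes, ipv4: str, ttl: int) -> bytes:
    """Constructed server reply: same ID, QR+RD+RA flags, the question echoed, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    qname, _ = read_name(query, 12)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # Owner name written out in full (no pointer), so this reply is 56 bytes like dig's.
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(data: bytes) -> dict:
    """Parse header, question and answer sections; A-record rdata is rendered as a dotted quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, rclass, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def match_reply(pending: dict, reply: bytes):
    """Client-side bookkeeping: accept a reply only if its ID is outstanding, the QR bit is set,
    and the echoed question matches what was asked (compared case-insensitively, since a server
    may answer NAKSEC.TEST. for naksec.test). Returns the answers, or None if the reply is rejected."""
    parsed = parse_response(reply)
    expected = pending.get(parsed["id"])
    if expected is None or not parsed["flags"] & 0x8000:
        return None
    if not parsed["questions"] or parsed["questions"][0][0].lower() != expected.lower():
        return None
    del pending[parsed["id"]]  # answered; a second copy of the same reply is now rejected
    return parsed["answers"]


def hexdump(data: bytes) -> str:
    """Classic offset / hex / ASCII dump, 16 bytes per line."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-47s  %s" % (i, hexpart, text))
    return "\n".join(lines)


if __name__ == "__main__":
    pending = {0x1234: "naksec.test"}  # transaction ID 0x1234 is an assumed value
    query = build_query("naksec.test", 0x1234)
    reply = build_response(query, "203.0.113.42", 5)
    print("request (%d bytes)\n%s" % (len(query), hexdump(query)))
    print("reply (%d bytes)\n%s" % (len(reply), hexdump(reply)))
    print("accepted:", match_reply(pending, reply))
    print("same reply again:", match_reply(pending, reply))  # None: ID no longer outstanding
```

Because UDP gives the client nothing but the datagram itself to go on, `match_reply` is the only thing tying a reply to a request: the 16-bit ID, the QR bit and the echoed question section. That is why the matching is worth doing carefully on the client, and why a reply whose ID is not pending (including a duplicate of one already consumed) is dropped rather than trusted.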