InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
It felt like I had stepped out of a time machine and it was 2019. I was walking about a mile between meetings on different sides of the Mandalay Bay hotel. Though seeing some folks with face masks reminded me that it was, in fact, 2022. But I was in Las Vegas, and the badge around my neck indicated I was there for the Black Hat U.S. 2022 show.
It’s been a long time since I’ve been to a large security conference. Or any conference at all, for that matter. I couldn’t attend the RSA Conference back in June, so it had been 30 months since I’ve seen the security community in person. As I fly over Arkansas on my way back to Atlanta, here are a few thoughts about the show.
1. Security conferences are back: Well, kind of. There were a lot of people at Black Hat. Lots of vendor personnel on the show floor and lots of practitioners at the sessions. Sometimes the practitioners even made it to the show floor, given that most of the companies said they had a steady stream of booth traffic. It was nice to see people out and about, and I got to connect with so many good friends and got lots of hugs. It was good for my soul. 2. There was no theme: I went in expecting to see a lot of zero-trust and XDR and DevSecOps. I saw some of the buzzword bingo, but it was muted. That doesn’t mean I understood what most of the companies did, based on their booth. I didn’t. Most had some combination of detection, cloud and response as well as a variety of Gartner-approved category acronyms. I guess the events marketing teams are a bit rusty. 3. Booth size doesn’t correlate to company size: Some very large public companies had small booths. Some startups that I’d never heard of had large booths. Does that mean anything? It means some companies burned a lot of their VC money in Vegas this week, and public company shareholders didn’t. 4. Magicians still fill the booth, and you can get very caffeinated: Whenever I saw a crowd around a booth, there was typically some kind of performer doing some kind of show. Not sure how having some guy do magic tricks helped create demand for a security product, but it did fill the booths. So, I guess event marketing folks get paid by the badge scan, as well. Moreover, every other booth had an espresso machine. So if you needed a shot of energy after a long night at the tables or in a club, Black Hat was there for you.
I asked practitioners about budgets and vendors about sales cycles. Some projects are being scrutinized, but the “must-haves” like CSPM, CNAPP, and increasingly, API security are still growing fast. Managed detection and response remains very hot as organizations realize they don’t have the resources to staff their SOC. Same as it ever was.
Overall, the security business seems very healthy, and I couldn’t be happier to be back at Black Hat.
OCSF initiative will give enterprise security teams an open standard for moving and analyzing threat data
BLACK HAT AWS and Splunk are leading an initiative aimed at creating an open standard for ingesting and analyzing data, enabling enterprise security teams to more quickly respond to cyberthreats.
Seventeen security and tech companies at the Black Hat USA 2022 show this week unveiled the Open Cybersecurity Schema Framework (OCSF) project, which will use the ICD Schema developed by Symantec as the foundation for the vendor-agnostic standard.
The creation of the OCSF, licensed under the Apache License 2.0, comes as organizations are seeing their attack surfaces rapidly expand as their IT environments become increasingly decentralized, stretching from core datacenters out to the cloud and the edge. Parallel with this, the number and complexity of the cyberthreats they face is growing quickly.
“Today’s security leaders face an agile, determined and diverse set of threat actors,” officials with cybersecurity vendor Trend Micro, one of the initial members of OCSF, wrote in a blog post. “From emboldened nation state hackers to ransomware-as-a-service (RaaS) affiliates, adversaries are sharing tactics, techniques and procedures (TTPs) on an unprecedented scale – and it shows.”
Trend Micro blocked more than 94 billion threats in 2021, a 42 percent year-on-year increase, and 43 percent of organizations responding to a survey from the vendor said their digital attack surface is getting out of control.
Cybersecurity vendors have responded by creating platforms that combine attack surface management, threat prevention, and detection and response to make it easier and faster for enterprises to counter attacks. They streamline processes, close security gaps, and reduce costs, but they’re still based on vendor-specific products and point offerings.
Vendors may use different data formats in their products, which means moving datasets from one vendor’s product to that of another often requires the time-consuming task of changing the format of the data.
“Unfortunately, normalizing and unifying data from across these disparate tools takes time and money,” Trend Micro said. “It slows down threat response and ties up analysts who should be working on higher value tasks. Yet up until now it has simply become an accepted cost of cybersecurity. Imagine how much extra value could be created if we found an industry-wide way to release teams from this operational burden?”
Dan Schofield, program manager for technology partnerships at IBM Security, another OCSF member, wrote that the lack of open industry standards for logging and event purposes creates challenges when it comes to detection engineering, threat hunting, and analytics, and until now, there has been no critical mass of vendors willing to address the issue.
The new open source tools are designed to help defense, identity and access management, and security operations center teams discover vulnerable network shares.
Network shares in Active Directory environments configured with excessive permissions pose serious risks to the enterprise in the form of data exposure, privilege escalation, and ransomware attacks. Two new open source adversary simulation tools PowerHuntShares and PowerHunt help enterprise defenders discover vulnerable network shares and manage the attack surface.
The tools will help defense, identity and access management (IAM), and security operations center (SOC) teams streamline share hunting and remediation of excessive SMB share permissions in Active Directory environments, NetSPI’s senior director Scott Sutherland wrote on the company blog. Sutherland developed these tools.
PowerHuntShares inventories, analyzes, and reports excessive privilege assigned to SMB shares on Active Directory domain joined computers. The PowerHuntShares tool addresses the risks of excessive share permissions in Active Directory environments that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments.
“PowerHuntShares will inventory SMB share ACLs configured with ‘excessive privileges’ and highlight ‘high risk’ ACLs [access control lists],” Sutherland wrote.
PowerHunt, a modular threat hunting framework, identifies signs of compromise based on artifacts from common MITRE ATT&CK techniques and detects anomalies and outliers specific to the target environment. The tool automates the collection of artifacts at scale using PowerShell remoting and perform initial analysis.
Network shares configured with excessive permissions can be exploited in several ways. For example, ransomware can use excessive read permissions on shares to access sensitive data. Since passwords are commonly stored in cleartext, excessive read permissions can lead to remote attacks against databases and other servers if these passwords are uncovered. Excessive write access allows attackers to add, remove, modify, and encrypt files, such as writing a web shell or tampering with executable files to include a persistent backdoor.
“We can leverage Active Directory to help create an inventory of systems and shares,” Sutherland wrote. “Shares configured with excessive permissions can lead to remote code execution (RCE) in a variety of ways, remediation efforts can be expedited through simple data grouping techniques, and malicious share scanning can be detected with a few common event IDs and a little correlation (always easier said than done).”
Here’s this week’s BWAIN, our jocular term for a Bug With An Impressive Name.
BWAIN is an accolade that we hand out when a new cybersecurity flaw not only turns out to be interesting and important, but also turns up with its own logo, domain name and website.
This one is dubbed ÆPIC Leak, a pun on the words APIC and EPIC.
The former is short for Advanced Programmable Interrupt Controller, and the latter is simply the word “epic”, as in giant, massive, extreme, mega, humongous.
The letter Æ hasn’t been used in written English since Saxon times. Its name is æsc, pronounced ash (as in the tree), and it pretty much represents the sound of the A in in the modern word ASH. But we assume you’re supposed to pronounce the word ÆPIC here either as “APIC-slash-EPIC”, or as “ah!-eh?-PIC”.
What’s it all about?
All of this raises five fascinating questions:
What is an APIC, and why do I need it?
How can you have data that even the kernel can’t peek at?
Let’s rewind to 1981, when the IBM PC first appeared.
The PC included a chip called the Intel 8259A Programmable Interrupt Controller, or PIC. (Later models, from the PC AT onwards, had two PICs, chained together, to support more interrupt events.)
The purpose of the PIC was quite literally to interrupt the program running on the PC’s central processor (CPU) whenever something time-critical took place that needed attention right away.
These hardware interrupts included events such as: the keyboard getting a keystroke; the serial port receiving a character; and a repeating hardware timer ticking over.
Without a hardware interrupt system of this sort, the operating system would need to be littered with function calls to check for incoming keystrokes on a regular basis, which would be a waste of CPU power when no one was typing, but wouldn’t be responsive enough when they did.
As you can imagine, the PIC was soon followed by an upgraded chip called the APIC, an advanced sort of PIC built into the CPU itself.
These days, APICs provide much more than just feedback from the keyboard, serial port and system timer.
APIC events are triggered by (and provide real-time data about) events such as overheating, and allow hardware interaction between the different cores in contemporary multicore processors.
And today’s Intel chips, if we may simplifly greatly, can generally be configured to work in two different ways, known as xAPIC mode and x2APIC mode.
Here, xAPIC is the “legacy” way of extracting data from the interrupt controller, and x2APIC is the more modern way.
Simplifying yet further, xAPIC relies on what’s called MMIO, short for memory-mapped input/output, for reading data out of the APIC when it registers an event of interest.
In MMIO mode, you can find out what triggered an APIC event by reading from a specific region of memory (RAM), which mirrors the input/output registers of the APIC chip itself.
This xAPIC data is mapped into a 4096-byte memory block somewhere in the physical RAM of the computer.
This simplifies accessing the data, but it requires an annoying, complex (and, as we shall see, potentially dangerous) interaction between the APIC chip and system memory.
In contrast, x2APIC requires you to read out the APIC data directly from the chip itself, using what are known as Model Specific Registers (MSRs).
According to Intel, avoiding the MMIO part of the process “provides significantly increased processor addressability and some enhancements on interrupt delivery.”
Notably, extracting the APIC data directly from on-chip registers means that the total amount of data supported, and the maximum number of CPU cores that can be managed at the same time, is not limited to the 4096 bytes available in MMIO mode.
Microsoft confirms ‘DogWalk’ zero-day vulnerability has been exploited
Microsoft has published a fix for a zero-day bug discovered in 2019 that it originally did not consider a vulnerability.
The tech giant patched CVE-2022-34713 – informally known as “DogWalk” – on Tuesday, noting in its advisory that it has already been exploited.
According to Microsoft, exploitation of the vulnerability requires that a user open a specially-crafted file delivered through a phishing email or web-based attack.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability,” Microsoft explained. “An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
Later in the advisory, Microsoft said the type of exploit needed is called an “Arbitrary Code Execution,” or ACE, noting that the attacker would need to convince a victim through social engineering to download and open a specially-crafted file from a website which leads to a local attack on their computer.
A three-year wait
The bug was originally reported to Microsoft by security researcher Imre Rad on December 22, 2019. Even though a case was opened one day later, Rad said in a blog post that Microsoft eventually declined to fix the issue six months later.
Microsoft initially told Rad that to make use of the attack he described, an attacker would need “to create what amounts to a virus, convince a user to download the virus, and then run it.” The company added that “as written this wouldn’t be considered a vulnerability.”
“No security boundaries are being bypassed, the PoC doesn’t escalate permissions in any way, or do anything the user couldn’t do already,” Microsoft told Rad.
But in June, as security researchers dug into the “Follina” vulnerability, cybersecurity expert j00sean took to Twitter to resurface the issue and spotlight it again.
Bonuses:
1) It's not needed to use a remote location for "ms-search". We can use folder Downloads. 2) As the downloaded file is diagcab, there's no prompt to open an executable in a remote location. And MOTW prompt bypass. pic.twitter.com/2WP40H6f8I
Rad noted that on August 4, Microsoft contacted him and said they “reassessed the issue” and “determined that this issue meets our criteria for servicing with a security update” tagging it as CVE-2022–34713.
Microsoft said in its advisory that, like Follina, this is yet another vulnerability centered around Microsoft Support Diagnostic Tool (MSDT)
“Public discussion of a vulnerability can encourage further scrutiny on the component, both by Microsoft security personnel as well as our research partners. This CVE is a variant of the vulnerability publicly known as Dogwalk,” Microsoft said this week.
Microsoft acknowledged but did not respond to requests for comment about why their assessment of the issue changed after three years, but Microsoft security research and engineering lead Johnathan Norman took to Twitter to thank Rad and j00sean for highlighting the issue.
“We finally fixed the #DogWalk vulnerability. Sadly this remained an issue for far too long. thanks to everyone who yelled at us to fix it,” he said.
if there is a way to bypass the fix it is probably my fault 🙂
Coalfire vice president Andrew Barratt said he has not seen the vulnerability exploited in the wild yet but said it would “be easily delivered using a phishing/rogue link campaign.”
When exploited, the vulnerability places some malware that automatically starts the next time the user reboots/logs into their Windows PC, Barratt explained, noting that while it is not a trivial point-and-click exploit and requires an attachment to be used in an email, it can be delivered via other fileservers – making it an interesting tactic for an insider to leverage.
“The vast majority of these attachments are blocked by Outlook, but various researchers point out that other email clients could see the attachment and launch the Windows troubleshooting tool (which it leverages as part of the exploit),” Barratt said. “The challenge for a lot of anti-malware is that the file leveraged doesn’t look like a traditional piece of malware, but could be leveraged to pull more sophisticated malware on to a target system. It’s an interesting technique but not one that is going to affect the masses. I’d expect this to be leveraged more by someone meeting the profile of an insider threat.”
Bharat Jogi, director of vulnerability and threat research at Qualys, added that Microsoft likely changed its tune related to CVE-2022–34713 because today’s bad actors are growing more sophisticated and creative in their exploits.
Jogi noted that Follina has been recently used by threat actors — like China-linked APT TA413 — in phishing campaigns that have targeted local U.S. and European government personnel, as well as a major Australian telecommunications provider
Security chiefs should shop early for coverage and prepare for long questionnaires about their companies’ cyber defenses, industry professionals say
Insurers are scrutinizing prospective clients’ cybersecurity practices more closely than in past years, when underwriting was less strict. PHOTO: GETTY IMAGES/ISTOCKPHOTO
For many businesses, obtaining or renewing cyber insurance has become expensive and arduous.
The price of cyber insurance has soared in the past year amid a rise in ransomware hacks and other cyberattacks. Given these realities, insurers are taking a harder line before renewing or granting new or additional coverage. They are asking for more in-depth information about companies’ cyber policies and procedures, and businesses that can’t satisfy this greater level of scrutiny could face higher premiums, be offered limited coverage or be refused coverage altogether, industry professionals said.
“Underwriting scrutiny has really tightened up over the past 18 months or so,” said Judith Selby, a partner in the New York office of Kennedys Law LLP.
In the second quarter, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional-services firm Marsh & McLennan Cos.
Direct-written premiums for cyber coverage collected by the largest U.S. insurance carriers—the amounts insurers charge to clients, excluding premiums earned from acting as a reinsurer—climbed to $3.15 billion last year, up 92% from 2020, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms. Analysts attribute the increase primarily to higher rates, as opposed to insurers significantly expanding coverage limits.
Companies buying insurance are subject to tight scrutiny of internal cyber practices. This is different from past years, when carriers poured into the cyber market and competition produced less-stringent underwriting, Ms. Selby said.
Now, insurers aiming to limit their risk are putting corporate security chiefs through lengthy lists of questions about how they defend their companies, said Chris Castaldo, chief information security officer at Crossbeam Inc., a Philadelphia-based tech firm that helps companies find new business partners and customers.
“Prior to the questionnaires, you just gave them the coverage amount you wanted and the industry you were in, and that was it,” Mr. Castaldo said, referring to interactions with cyber insurers.
Discover Financial Services has a third party validate the robustness of its cybersecurity program, which helps with insurance, said CISO Shaun Khalfan. “Insurers want to have confidence that you are making the right investments and are building and maintaining a robust cybersecurity program,” Mr. Khalfan said.
Some of the questions insurers ask—and the level of detail required—can depend on the carrier, the size and type of the business seeking coverage and the amount of coverage desired.
Around 18 months ago, underwriters asked companies whether they required multifactor authentication when administrators accessed their system, said Tom Reagan, cyber practice leader in Marsh McLennan’s financial and professional products specialty practice. Today there’s an expectation that multifactor authentication is used throughout the organization, not just by administrators, he said.
Insurers also expect organizations to have planned and tested for a cyber event, such as through tabletop exercises, Mr. Reagan said: “They are not just interested in your smoke alarms, they want to hear about the fire drills.”
Carriers want to know what kind of backup plans companies have if a ransomware attack strikes and how those plans are tested. Insurers also diving deeper into whether a company’s networks are segregated to limit the spread of malware, Ms. Selby said. Other important criteria some insurers consider, she said, include endpoint protection, or monitoring and protecting devices against cyber threats, and incident-response exercises.
Some companies will need to work with more carriers than in the past to get the desired level of coverage because no single insurer wants to carry so much risk, Ms. Selby said.
Amid the changing landscape, Mr. Reagan recommended that companies start to re-evaluate their cyber-insurance needs as early as six months before a policy comes up for renewal. Starting earlier to identify possible holes allows businesses to make changes to their cyber defenses, if necessary, and gather information that carriers require, he said.
The livestream for Dark Reading News Desk at Black Hat USA 2022 will go live on August 10 at 9:50 AM
Welcome to the Dark Reading News Desk, which will be livestreamed from Black Hat USA at Mandalay Bay in Las Vegas. Dark Reading editors Becky Bracken, Fahmida Rashid, and Kelly Jackson Higgins will host Black Hat newsmakers ranging from independent researchers and threat hunters to reverse engineers and other top experts in security, on Wednesday, Aug. 10, and Thursday, Aug. 11, from 11 a.m. until 3 p.m. Pacific Time.
Among the highlights: On Wednesday, Dark Reading will be joined at the Black Hat News Desk by Allison Wikoff from PwC, to talk about the latest in job-themed APT social engineering scams; Brett Hawkins from IBM, to discuss supply chain management systems abuse; and many more. Dr. Stacy Thayer, a researcher specializing in burnout, will also be on hand to offer her best tips for helping cybersecurity professionals manage stress.
On Thursday, Martin Doyhenard joins the Dark Reading News Desk to unpack his research on exploiting inter-process communication in SAP’s HTTP server; Kyle Tobener, head of security with Copado, will explain his new framework for “effective and compassionate security guidance”; and Zhenpeng Lin, a PhD student at Northwestern University, will walk us through his work on the so-called Dirty Pipe Linux kernel exploit.
So don’t miss any of the action from Black Hat and join Dark Reading’s News Desk broadcast for some of the biggest headlines and the latest cybersecurity research from around the globe.
Tune in to this page on Wednesday and the livestream will appear at the top of the page.
It’s “a revolutionary scientific advance in molecular data storage and cryptography.”
Scientists from the University of Texas at Austin sent a letter to colleagues in Massachusetts with a secret message: an encryption key to unlock a text file of L. Frank Baum’s classic novel The Wonderful Wizard of Oz. The twist: The encryption key was hidden in a special ink laced with polymers, They described their work in a recent paper published in the journal ACS Central Science.
When it comes to alternative means for data storage and retrieval, the goal is to store data in the smallest amount of space in a durable and readable format. Among polymers, DNA has long been the front runner in that regard. As we’ve reported previously, DNA has four chemical building blocks—adenine (A), thymine (T), guanine (G), and cytosine (C)—which constitute a type of code. Information can be stored in DNA by converting the data from binary code to a base-4 code and assigning it one of the four letters. A single gram of DNA can represent nearly 1 billion terabytes (1 zettabyte) of data. And the stored data can be preserved for long periods—decades, or even centuries.
There have been some inventive twists on the basic method for DNA storage in recent years. For instance, in 2019, scientists successfully fabricated a 3D-printed version of the Stanford bunny—a common test model in 3D computer graphics—that stored the printing instructions to reproduce the bunny. The bunny holds about 100 kilobytes of data, thanks to the addition of DNA-containing nanobeads to the plastic used to 3D print it. And scientists at the University of Washington recently recorded K-Pop lyrics directly onto living cells using a “DNA typewriter.”
But using DNA as a storage medium also presents challenges, so there is also great interest in coming up with other alternatives. Last year, Harvard University scientists developed a data-storage approach based on mixtures of fluorescent dyes printed onto an epoxy surface in tiny spots. The mixture of dyes at each spot encodes information that is then read with a fluorescent microscope. The researchers tested their method by storing one of 19th-century physicist Michael Faraday’s seminal papers on electromagnetism and chemistry, as well as a JPEG image of Faraday.
Other scientists have explored the possibility of using nonbiological polymers for molecular data storage, decoding (or reading) the stored information by sequencing the polymers with tandem mass spectrometry. In 2019, Harvard scientists successfully demonstrated the storage of information in a mixture of commercially available oligopeptides on a metal surface, with no need for time-consuming and expensive synthesis techniques.
This latest paper focused on the use of sequence-defined polymers (SDPs) as a storage medium for encrypting a large data set. SDPs are basically long chains of monomers, each of which corresponds to one of 16 symbols. “Because they’re a polymer with a very specific sequence, the units along that sequence can carry a sequence of information, just like any sentence carries information in the sequence of letters,” co-author Eric Anslyn of UT told New Scientist.
But these macromolecules can’t store as much information as DNA, per the authors, since the process of storing more data with each additional monomer becomes increasingly inefficient, making it extremely difficult to retrieve the information with the current crop of analytic instruments available. So short SDPs must be used, limiting how much data can be stored per molecule. Anslyn and his co-authors figured out a way to improve that storage capacity and tested the viability of their method.
First, Anslyn et al. used a 256-bit encryption key to encode Baum’s novel into a polymer material made up of commercially available amino acids. The sequences were comprised of eight oligourethanes, each 10 monomers long. The middle eight monomers held the key, while the monomers on either end of a sequence served as placeholders for synthesis and decoding. The placeholders were “fingerprinted” using different isotope labels, such as halogen tags, indicating where each polymer’s encoded information fit within the order of the final digital key,
Then they jumbled all the polymers together and used depolymerization and liquid chromatography-mass spectrometry (LC/MS) to “decode” the original structure and encryption key. The final independent test: They mixed the polymers into a special ink made of isopropanol, glycerol, and soot. They used the ink to write a letter to James Reuther at the University of Massachusetts, Lowell. Reuther’s lab then extracted the ink from the paper and used the same sequential analysis to retrieve the binary encryption key, revealing the text file of The Wonderful Wizard of Oz.
In other words, Anslyn’s lab wrote a message (the letter) containing another secret message (The Wonderful Wizard of Oz) hidden in the molecular structure of the ink. There might be more pragmatic ways to accomplish the feat, but they successfully stored 256 bits in the SDPs, without using long strands. “This is the first time this much information has been stored in a polymer of this type,” Anslyn said, adding that the breakthrough represents “a revolutionary scientific advance in the area of molecular data storage and cryptography.”
Anslyn and his colleagues believe their method is robust enough for real-world encryption applications. Going forward, they hope to figure out how to robotically automate the writing and reading processes.
Infrastructure security for operational technologies (OT) and industrial control systems (ICS) varies from IT security in several ways, with the inverse confidentiality, integrity, and availability (CIA) tradeoff being one of the leading causes. Adopting cybersecurity solutions to protect OT infrastructure is a vital obligation since availability is critical in OT infrastructure. It necessitates a thorough knowledge of ICS operations, security standards/frameworks, and recommended security solutions. OT security in the past was restricted to guarding the infrastructure using well-known techniques like security officers, biometrics, and fences because ICS/OT systems didn’t connect to the internet. For ease of operation, every ICS/OT infrastructure currently has internet access or is doing so. However, this transformation exposes these systems to dangers that cannot be avoided by relying just on conventional precautions.
Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.
Tutanota is an end-to-end encrypted email app and a freemium secure email service, as of March 2017, Tutanota’s owners claimed to have over 2 million users.
The news is that Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account.
“Politicians on both sides of the Atlantic are discussing stronger antitrust legislation to regulate Big Tech – and such laws are badly needed as the blocking of Tutanota users from Microsoft Teams demonstrates. Big Tech companies have the market power to harm smaller competitors with some very easy steps like refusing smaller companies’ customers from using their own services.” reads a comment shared by the German email service provider. “Currently, Microsoft is actively blocking Tutanota email addresses from registering a Microsoft Teams account. This severe anti-competitive practice forces our customers to register a second email address – possibly one from Microsoft themselves – to create a Teams account.”
Microsoft doesn’t recognize the company as an email service but as a corporate address.
The first time that a Tutanota user registered a Teams account, its domain was recognized as a corporation, for this reason, any other users of the popular email service were not able to register its account and were requested to contact their admin.
“We repeatedly tried to solve the issue with Microsoft, but unfortunately our request was ignored”, says Matthias Pfau, co-founder of Tutanota.
“Microsoft would only have to change the settings that Tutanota is an email service so that everyone can register an individual account but they (Microsoft) say such a change is not possible.”
Let’s see if Microsoft will solve the issue, allowing 2 million users to use its MS Teams service.
We have build cybersecurity solution sheets for our clients which we would like to share with you. This can be a useful resource when there is a need to remediate risk. These are in pdf format which you can download.
You can choose the course based on your specific needs:
ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.
The online courses are suitable both for beginners and experienced professionals.
Learn at your preferred speed from any location at any time.
If you have any questions, feel free to send us an email to info@deurainfosec.com
Software Bill of Material and Vulnerability Management Blind Spots
Open source software is everywhere (which is not a bad thing in itself). However, many buyers don’t have inventory of open source components included in software products they are buying. Business even fail in keeping tack of open source components used in internally developed applications. As a result, vulnerability management programs have blind spots.
Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
Why it matters:
Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and Apache server.
Many commercial software vendors use open source components but don’t properly and adequately disclose all open source components included in the commercial products.
Recent vulnerabilities (e.g. log4j) have far reaching impact.
Software applications developed in-house also include open source components. As these applications age and the initial developers move on to new jobs, older and vulnerable open source components may still stay in the applications unnoticed for long time.
What to do:
It is crucial to have an up-to-date inventory of all open source software, whether used as standalone products or embedded as a library inside a product. We can’t manage if we don’t know its existence.
Require your software vendors to provide you with a list of all open source libraries and their versions embedded into their products.
Make this list part of the vulnerability management program. Monitor release of new vulnerabilities and patches for your inventory of open source software components.
When building a bill of material for open source components, it is imperative to not only contact your software vendors but also review all software applications developed in-house. In some cases you may use source code scanning tools to build inventory of these components.
Here are the top phone security threats in 2022 and how to avoid them
Your handset is always at risk of being exploited. Here’s what to look out for.
Oscar Wong / Getty
Our mobile devices are now the keys to our communication, finances, and social lives — and because of this, they are lucrative targets for cybercriminals.
Whether or not you use a Google Android or Apple iOS smartphone, threat actors are constantly evolving their tactics to break into them.
This includes everything from basic spam and malicious links sent over social media to malware capable of spying on you, compromising your banking apps, or deploying ransomware on your device.
The top threats to Android and iOS smartphone security in 2022
Phishing and smishing
Image: Maria Diaz / ZDNet
Phishing occurs when attackers send you fake and fraudulent messages. Cybercriminals attempt to lure you into sharing personal information, clicking malicious links, downloading and unwittingly executing malware on your device, or handing over your account details — for a bank, PayPal, social network, email, and more.
Mobile devices are subject to phishing through every avenue PCs are, including email and social network messages. However, mobile devices are also vulnerable to smishing, which are phishing attempts sent over SMS texts.
Regarding phishing, it doesn’t matter if you are using an Android or an iOS device. To fraudsters and cybercriminals, all mobile devices are created equally.
Your best defense: Don’t click on links in emails or text messages unless you can be 100% they’re legit.
Physical security
Image: Maria Diaz / ZDNet
Many of us forget an essential security measure: physically securing our mobile devices. We may not use a PIN, pattern, or a biometric check such as a fingerprint or retina scan — and if so, we are making our handset vulnerable to tampering. In addition, if you leave your phone unattended, it may be at risk of theft.
Your best defense: Lock down your phone with a strong password or PIN number, at a minimum, so that if it ends up in the wrong hands, your data and accounts can’t be accessed.
SIM hijacking
Image: Maria Diaz / ZDNet
SIM hijacking, also known as SIM swapping or SIM porting, is the abuse of a legitimate service offered by telecom firms when customers need to switch their SIM and telephone numbers between operators or handsets.
Usually, a customer would call their telecom provider and request a switch. An attacker, however, will use social engineering and the personal details they discover about you — including your name, physical address, and contact details — to assume your identity and to dupe customer service representatives into giving them control of your number.
In successful attacks, a cybercriminal will be able to redirect your phone calls and texts to a handset they own. Importantly, this also means any two-factor authentication (2FA) codes used to protect your email, social media, and banking accounts, among others, will also end up in their hands.
SIM hijacking usually is a targeted attack as it takes data collection and physical effort to pull off. However, when successful, they can be disastrous for your privacy and the security of your online accounts.
Your best defense: Protect your data through an array of cybersecurity best practices so that it can’t be used against you via social engineering. Consider asking your telecom provider to add a “Do not port” note to your file (unless you visit in person).
Nuisanceware, premium service dialers, cryptocurrency miners
Image: Maria Diaz / ZDNet
Your mobile device is also at risk of nuisanceware and malicious software that will force the device to either make calls or send messages to premium numbers.
Nuisanceware is malware found in apps (more commonly in the Android ecosystem in comparison to iOS) which makes your handset act annoyingly. Usually not dangerous but still irritating and a drain on your power, nuisanceware may show you pop-up adverts, interrupt your tasks with promotions or survey requests, or open up pages in your mobile browser without permission.
While nuisanceware can generate ad impressions through users, premium service dialers are worse. Apps may contain hidden functions that will covertly sign you up to premium, paid services, send texts, or make calls — and while you end up paying for these ‘services,’ the attacker gets paid.
Some apps may quietly steal your device’s computing resources to mine for cryptocurrency.
Your best defense: Only download apps from legitimate app stores and carefully evaluate what permissions you’re allowing them to have.
Open Wi-Fi
Image: Maria Diaz / ZDNet
Open and unsecured Wi-Fi hotspots are everywhere, from hotel rooms to coffee shops. They are intended to be a customer service, but their open nature also opens them up to attack.
Specifically, your handset or PC could become susceptible to Man-in-The-Middle (MiTM) attacks through open Wi-Fi connections. An attacker will intercept the communication flow between your handset and browser, stealing your information, pushing malware payloads, and potentially allowing your device to be hijacked.
You also come across ‘honeypot’ Wi-Fi hotspots every so often. These are open Wi-Fi hotspots created by cybercriminals, disguised as legitimate and free spots, for the sole purpose of performing MiTM.
Your best defense: Avoid using public Wi-Fi altogether and use mobile networks instead. If you must connect to them, at least consider using a virtual private network (VPN).
Surveillance, spying, and stalkerware
Image: Maria Diaz / ZDNet
Surveillanceware, spyware, and stalkerware come in various forms. Spyware is often generic and will be used by cyberattackers to steal information including PII and financial details. However, surveillanceware and stalkerware are normally more personal and targeted; for example, in the case of domestic abuse, a partner may install surveillance software on your phone to keep track of your contacts, phone calls, GPS location, and who you are communicating with, and when.
Your bestdefense: An antivirus scan should take care of generic spyware, and while there’s no magic bullet for surveillanceware or stalkerware, you should watch out for any suspicious or unusual behavior on your device. If you think you are being monitored, put your physical safety above all else. See our guide for how to find and remove stalkerware from your phone.
Ransomware
Image: Maria Diaz / ZDNet
Ransomware can impact mobile devices as well as PCs. Ransomware will attempt to encrypt files and directories, locking you out of your phone, and will demand payment — commonly in cryptocurrency — through a blackmail landing page. Cryptolocker and Koler are prime examples.
Ransomware is often found in third-party apps or deployed as a payload on malicious websites. For example, you may see a pop-up request to download an app — disguised as everything from a software cracker to a pornography viewer — and your handset can then be encrypted in mere minutes.
Your best defense: Keep your phone up-to-date with the latest firmware, your Android or iOS handset’s fundamental security protections on, and don’t download apps from sources outside official repositories.
Trojans, financial malware
By Rawpixel.com — Shutterstock
There are countless mobile malware variants, but Google and Apple’s fundamental protections stop many in their tracks. However, out of the malware families, you should be aware of, trojans top the list.
Trojans are forms of malware that are developed with data theft and financial gains in mind. Mobile variants include EventBot, MaliBot, and Drinik.
Most of the time, users download the malware themselves, which may be packaged up as an innocent and legitimate app or service. However, once they have landed on your handset, they overlay a banking app’s window and steal the credentials you submit. This information is then sent to an attacker and can be used to pillage your bank account. Some variants may also intercept 2FA verification codes.
The majority of financial trojans target Android handsets. iOS variants are rarer, but strains including XCodeGhost still exist.
Your best defense: Keep your phone up-to-date with the latest firmware, your Android or iOS handset’s fundamental security protections on, and don’t download apps from sources outside official repositories. If you suspect your phone has been compromised, stop using financial apps, cut off your internet connection, and both run a personal check and antivirus scan.
Mobile device management exploits
Image: Maria Diaz / ZDNet
Mobile Device Management (MDM) solutions are enterprise-grade tools suited for the workforce. MDM features can include secure channels for employees to access corporate resources and software, spreading a company’s network security solutions and scans to each endpoint device, and blocking malicious links and websites.
However, if the central MDM solution is infiltrated or otherwise compromised, each mobile endpoint device is also at risk of data left, surveillance, or hijacking.
Your best defense: The nature of MDM solutions takes control out of the hands of end users. Therefore, you can’t protect against MDM compromise. What you can do, however, is maintain basic security hygiene on your device, make sure it is up-to-date, and keep your personal apps and information off work devices.
How can I physically protect my device?
Your lock screen is the gateway to your device, data, photos, private documents, and apps. As such, keeping it secure is paramount.
On Android, consider these settings:
Screen lock type: Swipe, pattern, PIN, password, and biometric checks using fingerprints or your face
Smart lock: Keeps your phone unlocked when it is with you, and you can decide what situations are considered safe
Auto factory resets: Automatically wipes your phone after 15 incorrect attempts to unlock
Notifications: Select what notifications show up and what content is displayed, even when your phone is locked
Lockdown mode: From Android 9.0, lockdown mode can be enabled
Find my Device: Find, lock, or erase your lost device
On iOS devices, check out:
Passcode: set a passcode to unlock your device
Face ID, Touch ID: Biometrics can be used to unlock your device, use apps, and make payments
Find my iPhone: Find, track, and block your lost iPhone
Lockdown mode: Apple previewed its own version of lockdown mode in July. Dubbed “extreme” protection for a small pool of users, the upcoming feature will provide improved security for malicious links and connections, as well as wired connections when an iPhone is locked.
What should I look out for as symptoms of a malware infection?
If you notice your Android or iOS device is not behaving normally, you may have been infected by malware or be otherwise compromised.
Things to watch out for are:
Battery life drain: Batteries degrade over time, especially if you don’t let your handset run flat every so often or you are constantly running high-power mobile apps. However, if your handset is suddenly hot and losing power exceptionally quickly, this could signify malicious apps and software burning up your resources.
Unexpected behavior: If your smartphone is behaving differently and you’ve recently installed new apps or services, this could indicate that all is not well.
Unknown apps: Software that suddenly appears on your device, especially if you have allowed the installation of apps from unidentified developers or have a jailbroken smartphone, could be malware or surveillance apps that have been installed without your knowledge or consent.
Browser changes: Browser hijacking, changes to a different search engine, web page pop-ups, and ending up on pages you didn’t mean to could all be a sign of malicious software tampering with your device and data.
Unexpected bills: Premium number scams and services are operated by threat actors to generate fraudulent income. If you have unexpected charges, calls, or texts to premium numbers, this could mean you are a victim of these threats.
Service disruption: SIM hijacking is a severe threat. This is normally a targeted attack with a particular goal, such as stealing your cryptocurrency or accessing your online bank account. The first sign of attack is that your phone service suddenly cuts off, which indicates your telephone number has been transferred elsewhere. A lack of signal, no ability to call, or a warning that you are limited to emergency calls only can indicate a SIM swap has taken place. Furthermore, you may see account reset notifications on email or alerts that a new device has been added to your existing services.
What about Pegasus and government-grade malware?
On occasion, enterprise and government-grade malware hit the headlines. Known variants include Pegasus and Hermit, used by law enforcement and governments to spy on everyone from journalists to lawyers and activists.
In June 2022, Google Threat Analysis Group (TAG) researchers warned that Hermit, a sophisticated form of iOS and Android spyware, is exploiting zero-day vulnerabilities and is now in active circulation.
The malware tries to root devices and capture every detail of a victim’s digital life, including their calls, messages, logs, photos, and GPS location.
However, the likelihood of you being targeted by these expensive, paid-for malware packages is low unless you are a high-profile individual of interest to a government willing to go to these lengths. You are far more likely to be targeted by phishing, generic malware, or, unfortunately, friends and family members who are using stalkerware against you.
What should I do if I think my Android or iOS phone is compromised?
If you suspect your Android or IOS device has been infected with malware or otherwise compromised, you should take urgent action to protect your privacy and security. Consider these steps below:
Run a malware scan: You should ensure your handset is up-to-date with the latest operating system and firmware, as updates usually include patches for security vulnerabilities that can be exploited in attacks or malware distribution. Google and Apple offer security protection for users, but it wouldn’t hurt to download a dedicated antivirus app. Options include Avast, Bitdefender, and Norton. Even if you stick to the free versions of these apps, it’s far better than nothing.
Delete suspicious apps: Deleting strange apps isn’t foolproof, but any apps you don’t recognize or use should be removed. In the cases of nuisanceware, for example, deleting the app can be enough to restore your handset to normal. You should also avoid downloading apps from third-party developers outside of Google Play and the Apple Store that you do not trust.
Revisit permissions: From time to time, you should check the permission levels of apps on your mobile device. If they appear to be far too extensive for the app’s functions or utilities, consider revoking them or deleting the app entirely. Keep in mind that some developers, especially in the Android ecosystem, will offer helpful utilities and apps in Google Play only to turn them malicious down the line.
Tighten up communication channels: You should never use open, public Wi-Fi networks. Instead, stick to mobile networks; if you don’t need them, turn off Bluetooth, GPS, and any other features that could broadcast your data.
Premium service dialers: If you’ve had unexpected bills, go through your apps and delete anything suspicious. You can also call your telecom provider and ask them to block premium numbers and SMS messages.
Ransomware: There are several options if you have unfortunately become the victim of mobile ransomware and cannot access your device.
If you were alerted to the ransomware before your device is encrypted and a ransom note is displayed, cut off the internet and any other connections — including any wired links to other devices — and boot up your mobile in Safe Mode. You might be able to delete the offending app, run an antivirus scan, and clean up before any significant damage occurs.
However, if your handset is locked, your next steps are more limited, as removing the malware only deals with part of the problem.
If you know what ransomware variant is on your handset, you can try using a decryption tool such as those listed by the No More Ransom project. You can also provide information to Crypto Sheriff, and researchers will try and find out what type of malware you’re dealing with for free.
In the worst-case scenario, you might need to perform a factory reset. Removing ransomware stops it from spreading further but will not restore files that have been encrypted. You can restore your device following a reset if you’ve consistently backed up your data.
Remember, paying a ransom does not guarantee that your files will be decrypted and returned to you.
Stalkerware, surveillanceware: When you know or suspect you’ve been targeted by stalkerware or surveillanceware, this can be extremely difficult to handle. If it’s the case that basic, generic spyware has landed on your device, Google, Apple, or a dedicated antivirus app should pick this up for you and remove it.
However, suppose a partner or other close contact is monitoring you, and you try to remove a stalkerware app from your phone. In that case, they will be alerted directly, or they will become aware because they are no longer receiving your information.
You shouldn’t try to remove these apps if this risks your physical safety. Indeed, some commercially-available forms of spyware damage a handset so severely that the operator can remotely reinstall them, anyway, and the only real option is to throw the device away (or keep it for law enforcement purposes).
Reach out to an organization that can help you, consider using a burner phone if you can, and keep yourself as physically safe as possible.
SIM hijacking: If you suspect you have been SIM-swapped, you have a very short window for damage control. The first thing you should do is call your telecom provider and try to have your service restored as quickly as possible — but as we all know, you can be left on hold for an infuriatingly long time.
If you can, go and visit your carrier in person, in-store.
No one is exempt from the risk of SIM swaps, customer service representatives may not have been trained to recognize SIM hijacking, and cybercriminals may have enough of your personal information to pass as you without challenge.
To mitigate the risk in the first place, consider linking your crucial ‘hub’ accounts, financial services, and cryptocurrency wallets to a number that isn’t publicly connected to you. A simple pay-as-you-go number will do, and so if your personal or work numbers are compromised, the potential opportunities for theft are limited.
Whether you’re a small organisation with limited resources or an international firm, achieving ISO 27001 certification will be a challenge.
Anyone who has already been through the process will know that. You must assemble a team, conduct a gap analysis and risk assessment, apply security controls, create documentation and perform staff awareness training. And that’s before you even get into internal audits and certification audits.
To make matters more complicated, once you’ve certified to ISO 27001, you must maintain your compliance status and regularly recertify.
Organisations must do this to ensure that they have maintained their compliance practices and accounted for changes in the way they operate.
In this blog, we look at the key issues you must address if you are to maintain ISO 27001 compliance.
How often do you need recertify to ISO 27001?
An organisation’s ISO 27001 certification lasts three years. The certificate itself will state the date at which certification was issued and when it will expire.
As that day approaches, the organisation must apply for recertification. This can be with the same body that performed the initial audit or it can be with another registrar.
How to maintain ISO 27001 certification
Organisations can ensure that their ISO 27001 practices remain compliant by following these seven steps.
1.Continually test and review risks
Your ISMS (information security management system) was built to address risks that you identified during the certification process, but the threat landscape is constantly evolving.
As such, you must regularly monitor the risks you face to ensure that your defences are adequate. Part of this process will involve vulnerability scans and other tools that can automatically spot new risks. However, you should also perform more rigorous tests on a regular basis.
To remain compliant, you must complete an ISO 27001 risk assessment at least once a year or whenever you make substantial changes to your organisation.
You can use the results of the assessment to determine whether your controls work as intended and whether additional defences should be adopted.
2.Keep documentation up to date
The policies and processes you wrote during the initial implementation will have been created specifically for the way your organisation operated at that time.
However, your operations will no doubt evolve and you need to ensure that your documentation takes that into account. Have you made a significant change in the way you perform certain actions? Have you undertaken new activities involving sensitive data? Has the physical premises changed in any way?
If the answer to any of those questions is yes, then you must amend your documentation accordingly.
3.Perform internal audits
An internal audit provides a comprehensive review of the effectiveness of your ISMS. Alongside a risk assessment and a documentation review, it will help you assess the status of your ISO 27001 compliance.
You will have conducted an internal audit as part of your initial certification process, so you should already have the framework to hand, which you can repeat as part of your compliance maintenance.
4.Keep senior management informed
Unless you are extremely lucky, the maintenance practices outlined above will reveal weaknesses that you must address if you are to remain compliant.
Remedying those vulnerabilities will take time and resources, which requires you to gain board-level approval. As such, you should keep senior management informed of both your activities maintaining the ISMS and the benefits that it has brought.
For example, your defences might have played a direct role in preventing a data breach or cyber attack. If so, you should have logged and investigated the event, in which case you’ll have proof of the ISMS’s effectiveness that you can bring to the board.
An ISMS isn’t just about preventing security breaches, though. It also helps organisations operate more efficiently and responsibly. You should also provide evidence of this, presenting key performance indicators and interviews with employees and other stakeholders.
5.Establish a regular management review process
In addition to informing the board of the ISMS’s successes, you should also involve them in the review process. This is where you can discuss opportunities for improvement or necessary changes that must be made.
There is no requirement for how often the management review should take place, but it should be at least once a year and ideally every six months.
6.Stay on top of corrective actions
If there’s a theme to these tips, it’s that your ISMS isn’t set in stone. As such, it should evolve to meet the threats that your organisation faces.
By regularly monitoring the effectiveness of your ISMS, you should be able to perform corrective actions that prevent weaknesses from spilling over into major problems. Some of these changes could be minor tweaks to processes and policies, or the addition of a new tool.
However, some corrective actions will require a significant overhaul of your practices. These should be discussed during the management review process and could involve ongoing adjustments and monitoring.
7.Promote ongoing information security staff awareness
One of the key principles of ISO 27001 is that effective information security is everybody’s responsibility. Compliance should not be left to the IT department or managers.
Anyone in the organisation that handles sensitive data plays a role in the organisation’s security. They must understand their obligations for protecting sensitive information and appreciate the stakes involved.
You are required to provide staff awareness training as part of your certification process, but those lessons should be repeated on a regular basis. As with your management review, it should be at least annually but ideally twice yearly.
For organisations looking for a quick and effective way to meet their staff awareness training requirements, IT Governance is here to help.
With this 45-minute training course, you can enable your employees to demonstrate their competence in information security and ISO 27001 with digital badges.
The package comes with an annual licence, making it quick and easy to refresh employees’ knowledge on a regular basis.
Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations.
The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.
A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems.
The Dark Utilities operation is a ‘C2-as-a-service’ (C2aaS) that advertises reliable, anonymous C2 infrastructure and all the required additional functions for a starting price of just EUR 9,99.
A report from Cisco Talos says that the service has around 3,000 active subscribers, which would bring the operators a revenue of about EUR 30,000.
Dark Utilities login portal(Cisco)
Dark Utilities emerged in early 2022 and offers full-blown C2 capabilities both on the Tor network and on the clear web. It hosts payloads in the Interplanetary File System (IPFS) – a decentralized network system for storing and sharing data.
Multiple architectures are supported and it appears that the operators are planning on expanding the list to provide a larger set of options of devices that could be targeted.
Platform selection on payload screen(Cisco)
Cisco Talos researchers say that selecting an operating system generates a command string that “threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.”
The selected payload also establishes persistence on the target system by creating a Registry key on Windows, or a Crontab entry or a Systemd service on Linux.
According to the researchers, the administrative panel comes with multiple modules for various types of attack, including distributed denial-of-service (DDoS) and cryptojacking.
With tens of thousands of threat actors already subscribed and the low price, Dark Utilities is likely to attract an even larger crowd of less-skilled adversaries.
Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.
This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.
These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science.
A month after that, we wrote about a PhD student (who should have known better) and their supervisor (who is apparently an Assistant Professor of Computer Science at a US university, and very definitely should have known better) who went out of their way to introduce numerous apparently legitimate but not-strictly-needed patches into the Linux kernel.
They called these patches hypocrite commits, and the idea was to show that two peculiar patches submitted at different times could, in theory, be combined later on to introduce a security hole, effectively each contributing a sort of “half-vulnerability” that wouldn’t be spotted as a bug on its own.
As you can imagine, the Linux kernel team did not take kindly to being experimented on in this way without permission, not least because they were faced with cleaning up the mess:
Please stop submitting known-invalid patches. Your professor is playing around with the review process in order to achieve a paper in some strange and bizarre way. This is not ok, it is wasting our time, and we will have to report this, AGAIN, to your university…
Whether you are getting ready for back-to-school season, getting new work laptop or fancying a new gamer’s pc, learn the steps to protect your new PC from cyberthreats.
With Windows 11 making headlines for all the right reasons, it could be a great time to invest in a new PC for the family or the home office. But any new household computing device should come with an attendant safety warning. Hackers will be after your data the minute it’s connected to the internet. And they have numerous ways to get it.
That’s why you need to think about cybersecurity even before plugging your machine in and switching it on. Take time out now to refresh your memory and make cyber-hygiene a number one priority.
What are the main threats to my PC?
As soon as you’re connected to the internet, malicious actors will be looking to steal your data, encrypt and hold your machine ransom, lift financial details, secretly mine for cryptocurrency, and much more. They’ll do so via some tried and true methods, which often rely on cracking, stealing or guessing passwords, or exploiting software vulnerabilities. Top threats include:
Phishing: One of the oldest con tricks in the book. Cybercriminals masquerade as legitimate and trustworthy sources (banks, tech providers, retailers etc) and try to persuade users into clicking on links and/or opening attachments in emails. Doing so will take users to a spoofed site requesting that they fill in personal information (like logins and/or address/financial details) or could trigger a covert malware download.
Drive-by downloads and malicious ads: Sometimes merely visiting an infested website or a site running a malicious ad could trigger a malware download. We may think that well-known sites may be less compromised in this way as they are better resourced and can afford enhanced protection. But there have been plenty of counter-example through the years showing that it’s not always the case. That’s why its essential to invest in security software from a reputable provider and ensure that your browser’s security settings are correct.
Digital skimming: Hackers may also compromise the payment pages of e-commerce sites with malware designed to silently harvest your card data as it is entered. This is difficult to guard against as the issue is with the provider. However, shopping with better-known sites can reduce risk. Malicious apps and files: Cybercriminals also hide malware inside legitimate-looking applications and downloads. Many of these are posted to online forums, P2P sites, and other third-party platforms. That’s why it makes sense to download only from trusted sources, and to use an effective security software tool to scan for malicious software.
Ten tips to keep your computer safe
Many of the below steps may be taken care of automatically by your PC manufacturer/Microsoft, but it pays to dig a little deeper to make sure all the settings are as secure as you need them to be. Here are our top 10 tips for computer safety:
Apply automatic updates for the OS and any software running on the PC
Remove bloatware that often comes with PCs. Check beforehand if you don’t recognize any software to ensure removing it won’t degrade the performance. The fewer pieces of software on the machine, the less opportunity for attackers to exploit bugs in it
Install multi-layered security software from a reputable third-party vendor and keep it up to date
Configure backups, and ideally back up a copy of data to a remote storage device kept offline
Secure the browser by adjusting privacy and security settings and ensuring it is on the latest version
Switch on and configure your firewall on the OS and home router, ensuring it is protected with a strong password
Download a multi-factor authentication app in order to help protect your accounts from being hijacked via phishing and other attacks
Avoid using USBs that you don’t own, in case they are loaded with malware
Use a password manager to ensure that all your credentials are unique, strong, and hard-to-crack
Only download apps/files from trusted sources and avoid pirated material, which can often be booby-trapped with malware
It goes without saying that, even by following these best practices, you could still be at risk when browsing online. Always proceed with caution, don’t reply to unsolicited emails/online messages, and ensure device encryption is switched on.
Internet attack on computer systems is pervasive. It can take from less than a minute to as much as eight hours for an unprotected machine connected to the Internet to be completely compromised. It is the information security architect’s job to prevent attacks by securing computer systems. This book describes both the process and the practice of assessing a computer system’s existing information security posture. Detailing the time-tested practices of experienced security architects, Securing systems explains how to deliver the right security at the right time in the implementation lifecycle.
Many experts often overlook hardware based security and its vital importance in establishing a secure workspace.
When it comes to cybersecurity, everyone likes to talk about software and the dangers that it poses. However, people often overlook hardware-based security and its vital importance in establishing a secure workspace. This is attributed to a general lack of knowledge when it comes to hardware security and how it works. So, it’s time to bust some myths that you might think are true when it comes to hardware security.
Myth #1: We never hear about hardware-based attacks, they don’t exist!
Just because you don’t hear about the problem frequently, it doesn’t mean that it doesn’t exist. Usually, cyberattacks that make the headlines are those involving large corporations that have fallen victim to a software-based attack carried out by infamous cybercrime syndicates. These stories are juicy and scandalous and entice audiences to read the article, generating more clicks onto the media outlet’s website. Additionally, many businesses choose to withhold information pertaining to hardware-based attacks as it indicates insufficient physical security, which reflects negatively upon the business. Another reason why you don’t often hear about hardware-based attacks is that enterprises who fall victim to them are oblivious to it. When an enterprise gets breached, the natural assumption is that it was due to a software vulnerability or phishing scam. Such misunderstanding, coupled with a lack of resources to detect a hardware attack tool, results in the attack method getting misconstrued.
However, that is not to say that hardware-based attacks don’t receive any media attention. A great example that receives public resonance concerns ATMs. These cash dispensing machines are becoming a go-to target for cybercriminals because of the instant payout. Instead of using brute force attacks on ATMs, cybercriminals can now just attach a hardware attack tool, known as a Black Box, to the internal computer to trick it into releasing cash through a MiTM attack. Since 2021, Black Box attacks have been on the rise and have amounted to losses of 1.5 million Euros in Europe alone.
Myth #2: We have security measures in place, and all our employees use VPNs– we are protected!
Yes, your security measures like NAC, IDS/IDP, firewalls and VPNs definitely provide some level of protection. However, malicious actors are continually evolving and finding new attack methods, which means exploiting blind spots, one of which is the hardware domain. Existing security solutions lack visibility into the Physical Layer (Layer 1), leaving them unfit to defend against, let alone identify, hardware-based attack tools. These malicious devices are designed to evade detection by operating on the Physical Layer and mimic human-like commands and executions, making them extremely dangerous as they can carry out a variety of harmful attacks without any obstacles in their way. If you are unable to determine all your assets’ hardware information within 10 seconds, you are, in fact, not protected.
Myth #3: “We don’t use USBs, so why should it concern us”
That’s a line we’ve heard many times before, but here’s the thing: you do, and it should!
Sure, your organization might not use flash drives and there might be some authorization capabilities in EPS/EDR solutions that block phones, keyboards and mice with certain VID/PIDs. That’s great, but what about the keyboards employees use to type? And the mice they use to navigate? Correct, those are USBs. They might be authorized, but that doesn’t mean they can’t get impersonated by a covert spoofing device. So long as there are HIDs in the work environment, there is the risk that one (or more) may be illegitimate. And without Physical Layer visibility, there’s no mechanism in place to determine what’s legitimate or not.
Myth #4: Why would anyone want to hack us; we aren’t an interesting target?
That’s where you’re wrong. In today’s day and age, almost anything that has data is of value and there is someone out there who wants to access it, no matter how mundane it could be. Not all hackers target large nuclear facilities or governmental institutions; the risk is usually too high for most cybercriminals. Your company, however, is a prime target – there’s data and it’s accessible. Whether the perpetrator wants to steal information for monetary gain, access it to gain a competitive advantage, or encrypt it in a ransomware attack, your company provides that opportunity and a hardware attack tool can do the job.
In short, every enterprise is a target for malicious actors; it can happen to anyone for any number of reasons. The important thing to remember is that you can prepare and build your company’s resistance to these attacks by gaining visibility on the Physical Layer through hardware-based security.
About the author: Julien Katzenmaier, Content Writer at Sepio
