Feb 28 2022

Cyber security for construction businesses

Category: cyber security | DISC @ 10:54 am

Building an Effective Cybersecurity Program

Tags: Building an Effective Cybersecurity Program, Cyber security for construction businesses


Feb 28 2022

Take a dev-centric approach to cloud-native AppSec testing

Category: App Security, Information Security | DISC @ 10:09 am

While some applications are still built on a monolithic (all-in-one) architecture – i.e., all components in a single code base, on a single server, connected to the internet – an increasing number of them are now based on a microservices architecture, with each microservice a self-contained piece of functionality, “housed” in a container managed by an orchestrator like Kubernetes, deployed on the cloud (public or private), and communicating with the other microservices of the application over the network at runtime.

But with applications no longer self-contained, security vulnerabilities are no longer present just in the code; vulnerabilities can “start” on one microservice, go through multiple components, and “finish” on a different microservice.

“We are no longer dealing with just vulnerabilities, but also with vulnerable flows between microservices. On top of that, as cloud-native applications are built on multiple infrastructure layers – the container, the cluster, and the cloud – the way these layers are configured affects what a hacker can do with these vulnerabilities,” notes Ron Vider, one of the co-founders and the CTO of Oxeye.

Modern architectures require modern AppSec testing solutions

This dramatic change in how applications are structured has made traditional approaches to application security ineffectual and has created security blind spots for AppSec and DevOps teams.

“Old-school” software composition analysis (SCA) and static, dynamic, and interactive application security testing (SAST, DAST, IAST) tools are run independently, are not synchronized with one another, and are unable to cross-reference and use enriched data from other code layers in the environment. The incomplete and inaccurate results they provide when testing cloud-native apps have made it obvious that a new approach and new, better tools are needed.


Oxeye is one such tool. It essentially combines all AST methodologies with a new generation of security control assessment capabilities and, as a result, excels in finding and correctly prioritizing vulnerabilities in cloud-native applications that need to be addressed. It helps clear the noise of false positives/negatives delivered by legacy solutions, and allows developers and AppSec teams to focus on high-risk, critical vulnerabilities.

Getting started with Oxeye is fantastically easy: you need to deploy a single component (Oxeye Observer) into your staging or testing environment, and you do it by using a single YAML file containing its definitions.


“The Oxeye Observer immediately starts running within the cluster and starts its automatic discovery process,” Vider told Help Net Security.

“First it analyzes the infrastructure to understand how the application is configured, and it does that by communicating with the Docker API, the containerd API, the Kubernetes API and the cloud provider API, and fetching the relevant configuration. Then, it detects potential vulnerabilities in the code (the application’s code and the third-party components). Next, it analyzes the communication between the different components and traces their flow. Finally, it validates the found vulnerabilities by sending payloads to the application and analyzing its behavior, to understand whether it’s exploitable or not.”

More on analysis of Oxeye…

The Self-Taught Software Tester A Step By Step Guide to Learn Software Testing Using Real-Life Project

Tags: AppSec, AppSec testing


Feb 27 2022

Help Net Security: Healthcare Cybersecurity Report has been released

Category: hipaa | DISC @ 12:15 pm

Help Net Security’s newest report takes a closer look at one of the most targeted industries today – healthcare.

As exhausted healthcare professionals struggle with an extraordinary situation, their IT departments face critical skills and staffing shortages. Routine security measures may fall by the wayside, breaches may go undetected for weeks, and efforts to validate the security measures undertaken by affiliates and third parties may fall short.

The idea behind the Help Net Security: Healthcare Cybersecurity Report is to provide you with an overview of the information security issues healthcare is dealing with, offer expert insight on what is needed to move defense capabilities in the right direction, and provide food for thought for those working to protect healthcare infrastructures worldwide.


Published Q1 2022

Since the start of the COVID-19 pandemic, security incidents at healthcare organizations have become more common. This not only increased costs for an already struggling industry, but inflicted a burden on the individuals whose personal information was exposed.

The Help Net Security: Healthcare Cybersecurity Report provides you with an overview of the information security issues healthcare is dealing with, offers expert insight on what is needed to move defense capabilities in the right direction, and provides food for thought for those working to protect healthcare infrastructures worldwide.

Tags: Healthcare Cybersecurity Report


Feb 26 2022

Fileless SockDetour backdoor targets U.S.-based defense contractors

Category: Backdoor | DISC @ 12:35 pm

Researchers provided details about a stealthy custom malware dubbed SockDetour that targeted U.S.-based defense contractors.

Cybersecurity researchers from Palo Alto Networks’ Unit 42 have analyzed a previously undocumented and custom backdoor tracked as SockDetour that targeted U.S.-based defense contractors.

According to the experts, the SockDetour backdoor has been in the wild since at least July 2019.

Unit 42 attributes the malware to an APT campaign codenamed TiltedTemple (aka DEV-0322); the same threat actors also exploited the Zoho ManageEngine ADSelfService Plus vulnerability () and the ServiceDesk Plus vulnerability (). The attackers successfully compromised more than a dozen organizations across multiple industries, including technology, energy, healthcare, education, finance and defense.

SockDetour serves as a backup fileless Windows backdoor in case the primary one is removed. The analysis of one of the command and control (C2) servers used by the TiltedTemple operators revealed the presence of other miscellaneous tools, including a memory dumping tool and several webshells.

“SockDetour is a backdoor that is designed to remain stealthy on compromised Windows servers so that it can serve as a backup backdoor in case the primary one fails,” reads the analysis published by Palo Alto Networks. “It is difficult to detect, since it operates filelessly and socketlessly on compromised Windows servers.”

Once SockDetour is injected into the process’s memory, it hijacks legitimate processes’ network sockets to establish an encrypted C2 channel, then it loads an unidentified plugin DLL file retrieved from the server.


According to Microsoft, DEV-0322 is a China-based APT group that has used commercial VPN solutions and compromised consumer routers in its attack infrastructure.

Microsoft first spotted the DEV-0322 attacks by analyzing the Microsoft 365 Defender telemetry during a routine investigation in July 2021.

At least four defense contractors were targeted by the threat actor, and one of them was compromised.

SockDetour was delivered from an external FTP server (a compromised QNAP NAS) to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021. The researchers speculate that the QNAP NAS server had previously been infected with QLocker ransomware.

“While it can be easily altered, the compilation timestamp of the SockDetour sample we analyzed suggests that it has likely been in the wild since at least July 2019 without any update to the PE file. Plus, we did not find any additional SockDetour samples on public repositories. This suggests that the backdoor successfully stayed under the radar for a long time,” concludes the report.

Learning Malware Analysis

Tags: SockDetour backdoor, U.S.-based defense contractors


Feb 25 2022

Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing

Category: Information Security, Malware, Phishing | DISC @ 10:02 am

The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel.

The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151.

In mid-January, the government of Kyiv attributed the defacement of tens of Ukrainian government websites to Belarusian APT group UNC1151. Defaced websites were displaying the following message in Russian, Ukrainian and Polish languages.

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.” reads a translation of the message.

In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. In August 2020, security experts from FireEye had uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites. According to FireEye, the campaign, tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks; instead, the threat actors behind it abuse compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

Now Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters that the Ukrainian government blamed the UNC1151 APT group. Demedyuk explained that the attacks were carried out as cover for more destructive actions behind the scenes.

The nation-state group is using the compromised accounts to target contacts in the victims’ address books. The attackers’ spear-phishing messages have been sent from email accounts using the domains  and .

The phishing messages used a classic social engineering technique, trying to trick victims into handing over their information under the threat of permanent suspension of their email accounts.

The phishing attacks are also targeting Ukrainian citizens, reported the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).

Phishing and Communication Channels: A Guide to Identifying and Mitigating Phishing Attacks

Tags: spear-phishing


Feb 24 2022

Iranian Broadcaster IRIB hit by wiper malware

Category: Ransomware | DISC @ 9:20 am

Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.

An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January revealed the involvement of a disruptive wiper malware along with other custom-made backdoors, and scripts and configuration files used to install and configure the malicious executables.

Researchers from Check Point who investigated the attack reported that the attackers used a wiper malware to disrupt the state’s broadcasting networks, damaging both TV and radio networks.

According to the experts, the effects of the attack were more serious than officially reported.

Check Point was not able to find any evidence of a previous use of these tools, nor could it attribute them to a specific threat actor.

During the attack, the threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi along with an image of Ayatollah Khamenei crossed out with red lines and the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!”

“During a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,” IRIB said.

“Our colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi told state TV channel IRINN.

“Similar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,” he added, referring to other state-affiliated broadcast channels.

The experts discovered two identical .NET samples named msdskint.exe that were used to wipe the files, drives, and MBR on the infected devices, making them unusable.

The malware also has the ability to clear Windows Event Logs, delete backups, kill processes, and change users’ passwords.

The report details the use of four backdoors in the attack:

  • WinScreeny, used to make screenshots of the victim’s computer;
  • HttpCallbackService, a Remote Administration Tool (RAT);
  • HttpService, another backdoor that listens on a specified port;
  • ServerLaunch, a C++ dropper.

Iranian officials attribute the attack to MEK; however, the opposition group itself denies any involvement.

The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggest that the attackers behind the IRIB hack may have been inspired by previous attacks that happened in Iran,” the researchers conclude.
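Detection logic for the pre-wipe behaviour the report lists (bulk password changes followed by clearing the event logs), written as an added example that is not part of the Check Point report or this post; it runs over constructed Windows Security event records and assumes the standard event IDs 4724 (password reset attempt) and 1102 (audit log cleared).

```python
"""Correlate Windows Security events for the pre-wipe behaviour the report lists:
bulk password changes followed by clearing the event log. Event IDs used are the
standard ones, 4724 (an attempt was made to reset an account's password) and
1102 (the audit log was cleared). All sample events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how close together the activity must be
RESET_THRESHOLD = 3              # distinct accounts reset by one subject

# Constructed sample events (hypothetical host, accounts and timestamps):
# one account resets four users' passwords, then clears the Security log.
SAMPLE_EVENTS = [
    {"time": "2022-01-27T02:01:10", "id": 4724, "subject": "svc-deploy", "target": "alice"},
    {"time": "2022-01-27T02:01:12", "id": 4724, "subject": "svc-deploy", "target": "bob"},
    {"time": "2022-01-27T02:01:15", "id": 4724, "subject": "svc-deploy", "target": "carol"},
    {"time": "2022-01-27T02:01:18", "id": 4724, "subject": "svc-deploy", "target": "Administrator"},
    {"time": "2022-01-27T02:03:40", "id": 1102, "subject": "svc-deploy", "target": "Security"},
    {"time": "2022-01-27T09:15:00", "id": 4724, "subject": "helpdesk1", "target": "dave"},
]


def parse(events):
    """Convert ISO timestamps to datetime and sort chronologically."""
    parsed = [{**e, "time": datetime.fromisoformat(e["time"])} for e in events]
    return sorted(parsed, key=lambda e: e["time"])


def reset_bursts(events, window=WINDOW, threshold=RESET_THRESHOLD):
    """Map subject -> (first_reset, last_reset, distinct_accounts) for subjects that
    reset at least `threshold` distinct accounts inside a sliding `window`.
    The largest burst seen for each subject is kept."""
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] == 4724:
            by_subject[e["subject"]].append(e)
    bursts = {}
    for subj, evs in by_subject.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            targets = {x["target"] for x in evs[start:end + 1]}
            if len(targets) >= threshold and (subj not in bursts or len(targets) > bursts[subj][2]):
                bursts[subj] = (evs[start]["time"], evs[end]["time"], len(targets))
    return bursts


def wiper_precursor_alerts(raw_events, window=WINDOW):
    """Alert when a subject that produced a password-reset burst also cleared the
    audit log within `window` of that burst. Returns a list of alert dicts."""
    events = parse(raw_events)
    bursts = reset_bursts(events, window)
    alerts = []
    for clear in events:
        if clear["id"] != 1102:
            continue
        burst = bursts.get(clear["subject"])
        if burst and abs(clear["time"] - burst[1]) <= window:
            alerts.append({
                "subject": clear["subject"],
                "reset_accounts": burst[2],
                "first_reset": burst[0].isoformat(),
                "log_cleared_at": clear["time"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in wiper_precursor_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The helpdesk account that resets a single password hours later produces no burst and therefore no alert, which is the point of correlating the two behaviours rather than alerting on either alone.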

Ransomware Protection Playbook

Tags: Iran, Ransomware Protection Playbook, wiper malware


Feb 23 2022

A comparison of NDR solutions: Deep packet inspection (DPI) vs. metadata analysis

Category: Network security | DISC @ 9:54 am

DPI has become popular since it provides very detailed traffic analysis. However, this approach requires designated hardware sensors and large amounts of processing power, while at the same time being blind to encrypted network traffic and only analysing data flowing over the mirrored infrastructure.

Metadata analysis (MA) overcomes these limitations to provide detailed and insight-enriched visibility into the entire network. In addition, MA is completely unaffected by encryption and ever-increasing network traffic. These advantages make MA-based NDR solutions a superior and future-proof alternative to NDR solutions relying on deep packet inspection.

Modern organisations are characterised by complex IT environments and expanding attack surfaces. To protect themselves, they need a robust cyber architecture with a reliable Network Detection and Response (NDR) solution. NDR is crucial to detect suspicious behaviours and malicious actors, and quickly respond to threats. NDR tools continuously analyse traffic to build models of “normal” behaviour on enterprise networks, detect suspicious traffic, and raise alerts.

Traditional NDR solutions rely on deep packet inspection (DPI). This approach supports detailed analysis and has thus become quite popular. But as data volumes increase and network traffic becomes increasingly encrypted, such solutions are becoming inadequate to protect enterprise networks moving forward. What organisations now need is a more future-proof NDR solution relying on metadata analysis.

In this article, we explore and compare two NDR approaches: deep packet inspection and metadata analysis. We will examine why metadata analysis is a superior detection technology to protect IT/OT networks from advanced cyber threats.

What is deep packet inspection and how does it work?

Deep packet inspection is the traditional approach to NDR. DPI monitors enterprise traffic by inspecting the data packets flowing across a specific connection point or core switch. It evaluates the packet’s entire payload, i.e., both its header and its data part, looking for intrusions, viruses, spam, and other issues. If it finds such issues, it blocks the packet from going through the connection point.

DPI relies on traffic mirroring. In effect, the core switch provides a copy (“mirror”) of the network traffic to the sensor that then uses DPI to analyse the packet’s payload. Thus, DPI provides rich information and supports detailed analysis of each packet on the monitored connection points. This is one of its biggest benefits.

However, its drawbacks outnumber this benefit. As network traffic continues to increase and IT environments become increasingly complex and distributed, DPI is reaching its limits.
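As an added illustration of the contrast drawn above (example code, not from the article or from any NDR vendor): a DPI-style payload signature check beside a metadata-only beacon detector, run over constructed flow records whose payloads are TLS-encrypted. The signature, hosts and timings are all made up for the example.

```python
"""Contrast the two NDR approaches on constructed flow records.
dpi_match() searches packet payload for a signature, which is what a DPI sensor does
and which fails once the payload is encrypted. find_beacons() uses only flow
metadata (5-tuple and timestamps) and still flags metronomic C2-style traffic.
The signature, hosts and flows below are all constructed for the example."""
import re
import statistics
from collections import defaultdict

# Hypothetical plaintext signature a DPI sensor might carry (constructed, not real).
DPI_SIGNATURES = [re.compile(rb"GET /example-beacon\?id=\d+ HTTP/1\.[01]")]


def dpi_match(payload: bytes) -> bool:
    """DPI-style check: true only if a known pattern is visible in the payload."""
    return any(sig.search(payload) for sig in DPI_SIGNATURES)


def beacon_score(timestamps, min_events=6):
    """Coefficient of variation (stdev/mean) of inter-arrival gaps.
    Values near 0 mean the connections are evenly spaced, i.e. beacon-like.
    Returns None when there are too few events to judge."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_beacons(flows, cv_threshold=0.15, min_events=6):
    """Group flows by (src, dst, dport) and return the groups whose timing
    regularity is below cv_threshold, mapped to their rounded score."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = {}
    for key, ts in groups.items():
        cv = beacon_score(ts, min_events)
        if cv is not None and cv < cv_threshold:
            found[key] = round(cv, 3)
    return found


# Constructed sample: a placeholder TLS application-data record stands in for
# every encrypted payload, so DPI has nothing to match.
ENCRYPTED_PAYLOAD = b"\x17\x03\x03\x00\x2a" + bytes(range(42))

# 10.0.0.5 contacts 203.0.113.10:443 every ~60 s (beacon) and 198.51.100.7:443
# at irregular, human-like intervals (browsing). Documentation-range addresses.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "ts": 1000 + 60 * i + (i % 2), "payload": ENCRYPTED_PAYLOAD}
    for i in range(8)
] + [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443,
     "ts": t, "payload": ENCRYPTED_PAYLOAD}
    for t in (1003, 1010, 1090, 1095, 1400, 1401, 1900)
]


if __name__ == "__main__":
    print("DPI sees a signature in the encrypted flows:",
          any(dpi_match(f["payload"]) for f in SAMPLE_FLOWS))
    print("Metadata beacon candidates:", find_beacons(SAMPLE_FLOWS))
```

Timing regularity is only one metadata feature; byte-count symmetry, session duration and destination rarity are the others an MA-based sensor would combine with it.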


Why DPI can’t detect or prevent advanced cyberattacks

Threat Hunting with Elastic Stack: Solve complex security challenges with integrated prevention, detection, and response

Tags: Deep packet inspection, NDR solutions


Feb 22 2022

Why DDoS is still a major attack vector and how to protect against it

Category: DDoS | DISC @ 9:51 pm

What is a DDoS attack?

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks aren’t new cyberattack vectors; they go all the way back to the early 1970s, when modern commercial and enterprise networks emerged.

DDoS is a cyberattack in which the adversary seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to a network. It doesn’t go after private data or seek control over the target’s infrastructure; it just aims to bring the service down.

In today’s world, especially after COVID accelerated organizations’ digital transformation, a web presence is a must for just about any business. In this environment, DDoS attacks can be very destructive.

Main ingredients of DDoS attacks

Ingredient # 1 – Botnet

A botnet is a group of machines infected with malware and controlled by an attacker without the knowledge of the machine owner. It ranges from ordinary home or office PCs to IoT devices. The compromised machines, called bots or ‘zombies’, are used to launch DDoS attacks, spread spam, or perform other malicious activities orchestrated by the attacker.

One of the most infamous botnets is ‘Mirai,’ which used hundreds of thousands of hijacked IoT devices. The creators of the Mirai botnet, Josiah White, Paras Jha, and Dalton Norman, who were all between 18 and 20 years old when they built Mirai, hijacked IoT devices by scanning the Internet for devices with factory-set usernames and passwords, logging into them, and infecting them with the Mirai malware.

The Mirai botnet was used in multiple DDoS attacks between 2014 and 2016 and, when the creators felt the heat coming from the authorities, they published the Mirai source code on a hacker forum in an attempt to cover their tracks. All three were eventually indicted, pleaded guilty, and are now fighting crime with the FBI. Amazing how life turns out.

Just like we have COVID variants and mutations, Mirai also evolved and its source code mutations have been used in the wild by hackers. Okiru, Satori/Fbot, Masuta, Moobot, and more than 60 other Mirai variants are out there.

Ingredient # 2 – Command and Control

Star topology of a DDoS attack

DDoS Protection 

Tags: DDoS Protection, major attack vector


Feb 22 2022

Microsoft Safety Scanner

Category: Malware, Security vulnerabilities | DISC @ 10:10 am

How to Use Microsoft Safety Scanner for Windows

Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.

Note

Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Important information

  • The security intelligence update version of the Microsoft Safety Scanner matches the version described in this web page.
  • Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan.
  • Safety Scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
  • This tool does not replace your antimalware product. For real-time protection with automatic updates, use Microsoft Defender Antivirus on Windows 11, Windows 10, and Windows 8 or Microsoft Security Essentials on Windows 7. These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on removing difficult threats.

System requirements

Safety Scanner helps remove malicious software from computers running Windows 11, Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. For details, refer to the Microsoft Lifecycle Policy.

How to run a scan

  1. Download this tool and open it.
  2. Select the type of scan that you want to run and start the scan.
  3. Review the scan results displayed on screen. For detailed detection results, view the log at %SYSTEMROOT%\debug\msert.log.

To remove this tool, delete the executable file (msert.exe by default).

For more information about the Safety Scanner, see the support article on how to troubleshoot problems using Safety Scanner.



Feb 22 2022

A cyber attack heavily impacted operations of Expeditors International

Category: Cyber Attack, Ransomware | DISC @ 9:45 am

American worldwide logistics and freight forwarding company Expeditors International shuts down global operations after cyber attack

American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.

Expeditors has over 18,000 employees worldwide and annual gross revenue of around $10 billion. The company discovered the attack on February 20, 2022; it has not provided details about the attack and announced that it has launched an investigation into the incident.

“Expeditors International of Washington, Inc. (NASDAQ:EXPD) announced that on February 20, 2022, we determined that our company was the subject of a targeted cyber-attack. Upon discovering the incident, we shut down most of our operating systems globally to manage the safety of our overall global systems environment.” reads the announcement published by the company. “The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments.”

The information publicly available on the attack suggests the company was the victim of a ransomware attack and was forced to shut down its network to prevent the threat from spreading.

The attack impacted the company’s operations, including its ability to arrange shipments of freight or manage customs and distribution activities for its customers’ shipments.

The company hired cybersecurity experts to investigate the security breach and recover from the attack.

The company warned that the incident could have a material adverse impact on its business, revenues, results of operations and reputation.

“We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation.” concludes the advisory.


Cyber Attacks and the New Normal of Geopolitics

Tags: cyber attack, cyberwarfare, The Hacker and the State


Feb 22 2022

How much can you trust your printer?

Category: Printer security | DISC @ 9:33 am

Which assets can be made accessible by printer vulnerabilities?

Business-class printers are often running a variant of Linux, which means they have many of the same vulnerabilities that you would find on any network-attached Linux server. Many zero-day exploits that have been found in the Linux kernel could be found in these printers if they are left unpatched.

So, what is the primary motivation of attackers? It is usually to gain remote access behind the corporate firewall. Cybercriminals often use network-attached devices to discover more about the other devices connected to the network. If a device can be used to scan the network, it might be possible to find other vulnerable devices on it. It may even be possible for the attacker to use the printer to mount attacks on other network-attached devices. In this way, a printer becomes a staging area for malicious actors to attack and compromise other, more critical platforms within a corporate network.

That said, for some companies, the printer itself can be the target. Many business-class printers have hard drives that are used to save jobs, templates and other information the customer needs for its use. This means that an immense amount of sensitive and confidential data is being stored on the printer. Extraction of this valuable, locally stored data is sometimes an attacker’s goal.

What can organizations do to make their printers secure?

First off, good “firmware hygiene” is essential. Multi-function network-attached printers are surprisingly sophisticated systems, and as a result have highly sophisticated embedded operating systems. Most of these printers have a webserver for providing device status and allowing configuration updates along with printer firmware updates. These devices are also expected to support a lot of different network protocols, such as SNTP, SNMP and the related printer-specific protocols.

As you might expect: the more complex the firmware in a device is, the more potential security vulnerabilities it may have. Printer OEMs are aware of the attack surface their products present, and they strive to maintain the highest grade of security within their embedded software. A policy for applying standard vendor-authentic updates and patches should be followed. Also, intrusion-detection software should be operational within a corporate LAN. This allows for monitoring of any non-standard, potentially malicious traffic – not just from the user’s personal devices, but from any network-attached appliance.

Printer Security The Ultimate Step-By-Step Guide

Tags: Printer security


Feb 21 2022

BEC scammers impersonate CEOs on virtual meeting platforms

The FBI warned that US organizations and individuals are being increasingly targeted in BEC attacks on virtual meeting platforms.

The Federal Bureau of Investigation (FBI) warned this week that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms.

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both entities and individuals who perform legitimate transfer-of-funds requests.

Cybercriminals are targeting organizations of any size as well as individuals. In BEC attack scenarios, attackers pose as someone the targets trust, such as business partners, the CEO, executives, and service providers.

Scammers compromise legitimate business or personal email accounts through different means, such as social engineering or computer intrusion, to conduct unauthorized transfers of funds.

Crooks started using virtual meeting platforms because of the popularity these platforms gained during the pandemic.

The Public Service Announcement published by the FBI warns of a new technique adopted by scammers, who are using virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts.

“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts. A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars.” reads the FBI’s PSA.

Crooks are using the virtual meeting platforms for different purposes, including impersonating CEOs in virtual meetings and infiltrating meetings to steal sensitive and business information.

Below are some of the examples provided by the FBI regarding the use of virtual meeting platforms by crooks:

  • Compromising an employer or financial director’s email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.
  • Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations.
  • Compromising an employer’s email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.

Below are recommendations provided by the FBI:

  • Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.

Tags: CEO, scammers impersonate


Feb 21 2022

New Version of the NIST CSF Tool

Category: NIST CSF, NIST Privacy | DISC @ 9:32 am

By John Masserini

THE NIST CSF TOOL

I am quite thrilled to announce that the long-overdue update to my NIST CSF tool V2.0 is finally done. While this new version generally looks the same as the prior one, there are substantial changes underneath which will make updating it in the future far easier.

Originally released in January of 2019, it has become the most popular page on the site, with almost 20,000 downloads. To get a full understanding of the tool, you can read the original post here which goes into great detail about why it was developed and how to use it.

After numerous requests, I have also added the NIST Privacy Framework to the tool as well. The same logic has been applied here as to the CSF side – it’s just as, or perhaps even more, important to measure what you do (your practices) against what you say you do (your policies) when it comes to Privacy as it is Security.

As always, I welcome suggestions and feedback. The email to reach me is in the worksheet.

You can find the new version on the Downloads page.

NIST Cybersecurity Framework: A pocket guide 

Tags: NIST CSF Tool


Feb 20 2022

New Book: Advanced Security Testing with Kali Linux!

Category: Information Security, Linux Security | DISC @ 11:40 pm

In Advanced Security Testing with Kali Linux you will learn topics like:

  • The MITRE ATT&CK Framework
  • Command & Control (C2) Frameworks
  • In-depth Network Scanning
  • Web App Pentesting
  • Advanced Techniques like “Living off the Land”
  • AV Bypass Tools
  • Using IoT Devices in Security
  • and much, much more!!

Learning attacker Tactics, Techniques and Procedures (TTPs) is imperative in defending modern networks. This hands-on guide will walk you through them with step-by-step tutorials, using numerous pictures for clarity.

Want to step your security game up to the next level? Check out “Advanced Security Testing with Kali Linux”.

Tags: Kali Linux, Security testing


Feb 20 2022

Ukraine: how cyber-attacks became so important to the conflict

Category: Information Warfare, Spyware | DISC @ 4:28 pm

https://theconversation.com/ukraine-how-cyber-attacks-became-so-important-to-the-conflict-177266

For the past few weeks, Russia has been deploying military forces into strategic positions on Ukraine’s borders. However, there is another, virtual dimension to the escalating conflict: cyber-attacks on Ukrainian government and business websites and services.

Although it is impossible to confirm that the Russian state is behind these attacks, commentators have suggested that similar tactics form part of a type of hybrid warfare that Russia has been fine-tuning for the past couple of decades.

Cyber-espionage and information warfare have become an intrinsic part of recent conflicts and happen on a regular basis between conflicting powers. However, governments do not usually publicly claim responsibility for this type of activity, since this could put them in a position of declaring war against the targeted country and provoking counterattacks and sanctions from the international community. Therefore, evidence that Russia is definitely behind these attacks is hard to establish.

Cyber-attacks are often attributed to hacker groups with nationalist motivations, who pursue their political agendas without any explicitly verified state backing.

In January, there was a spate of attacks by Belarusian hackers believed to be supporting Russia. They launched a series of malware attacks against Ukrainian computer systems with many government and other websites being defaced with provocative and intimidating messages.

In mid-February, there was another round of cyber-attacks, this time targeting the Ukrainian army website, ministerial websites and some of the major banks, including PrivatBank, preventing online payments and use of banking apps.

These latest attacks were mainly distributed denial of service (DDoS) attacks, where a huge number of small packets of information are sent to websites and servers from multiple sources. This information overload causes the targeted servers and computer systems to slow down or collapse under the swarm of requests.

Russian involvement in those cyber-attacks is suspected, but is hard to confirm. The attacks follow the pattern of similar tactics with alleged Russian backing over the past two decades in Ukraine, Estonia and Georgia, including attacks on communications infrastructures and power grids.

The US president and EU officials are now discussing increasing cyberspace defences against such attacks or imposing sanctions, if required.

Despite all of this, Ukrainian officials have refrained from explicitly mentioning the Russian state as being behind these attacks.

A searing look inside the rise of cyberwarfare as the primary way nations now compete with and sabotage one another – The Perfect Weapon

Tags: cyberwarfare, The Perfect Weapon


Feb 20 2022

Protecting Your Data Online – How to Prevent Identity Theft

Category: Identity Theft | DISC @ 12:55 pm

As technology progresses, our daily activities are moving online. This includes tasks that we may not think of as being particularly sensitive, such as shopping and banking. While this makes our lives easier in many ways, it also leaves us vulnerable to identity theft. Here are seven tips to protect your data and reduce your risk of it showing up on the dark web.

1) Shred sensitive documents

Shredding sensitive documents is an easy way to protect yourself against identity theft or data breaches. For example, when you receive junk mail that contains your personal information (such as pre-approved credit card offers), it’s best to cut up the document into pieces rather than just throw it in the garbage bin. This also goes for unsolicited checks in the mail and other unwanted or unsolicited offers. By cutting up or shredding these types of documents, you prevent someone else from recovering your personal information, and you can dispose of them more safely. The same principle applies to old papers containing important information such as bank statements and tax returns – before throwing something away, ask yourself if anyone could get access to it if they took the paper out of your garbage can. If so, shred it!

2) Be cautious about what you post online

Before posting anything on Facebook or Twitter, ask yourself if you would be comfortable if everyone in the world read the information. The Internet is an amazing resource that can provide us with huge amounts of information right at our fingertips. However, it’s important to be aware that just because something is “just for friends” doesn’t mean that someone else won’t see your posts. Remember that this includes any selfies you may take – anyone could grab a picture off of your page, re-post it elsewhere, or even print it out and keep a copy long after you have deleted the original from your computer.

3) Ensure your passwords are strong

When choosing a password, it is very important to use diverse information that is difficult for others to guess. Avoid using real words or meaningful personal information in your passwords, even when combined with numbers or symbols. For example, “ilovemycat” might seem like an unlikely password choice at first glance, yet there are websites out there designed to reveal simple passwords such as these within seconds. A stronger approach would be to create a random string of characters and numbers, such as the phrase “I l@ve mY cAt.” You could then add on some additional characters or numbers if you preferred that people not know which type of animal you love so much! The more complex and unique your password is, the better chance you have of keeping it safe.

4) Use two-factor authentication

An easy way to add another level of security when signing into websites such as Facebook or Gmail is to enable “two-factor authentication.” For example, after entering your password, a unique code will be sent by text message to the phone number you provided when setting up two-factor authentication. The code must then be entered before you can access your account. This adds a layer of protection since a hacker would need more than just your password in order to get into your accounts – they would also need access to your cell phone! Note that certain banks may also offer this feature for accessing protected accounts via their online banking portal. If you are unsure, contact your bank to find out more about two-factor authentication.

5) Password protect your devices

Another way to prevent unauthorized access is by password-protecting your cell phone or tablet. You may think that this is unnecessary or unimportant, but it can actually be a very important step in securing your data and preventing others from accessing it without consent. For example, if you lose your phone somewhere where someone could pick it up off the ground (such as on public transit), they wouldn’t be able to access your device without knowing the PIN code for unlocking it first. This is an easy step that many people neglect yet protects against any potential personal information leaks through lost or stolen electronic devices.

6) Be mindful of when your software is updated

Another easy way to protect yourself from the latest security risks is by updating your software and programs promptly. Both Mac and PC users can agree that it’s not always fun to spend time shutting down what you’re doing to update your computer or phone, but it is important! You may even receive updates through your system itself, such as Apple OS X – make sure you accept all updates when they are available so that you can keep up with the latest versions of all programs installed on your devices.

7) Take precautions offline as well

While online precautions are important for protecting yourself against identity theft, you should also physically protect personal information at home. If confidential documents are kept anywhere around the house, consider using security safes that can be locked. This makes it difficult for someone to come along and take your information or documents without being noticed.


How to Prevent Identity Theft: How Anyone Can Protect Themselves from Being a Victim of Identity Theft

DISC InfoSec Tools and training

DISC InfoSec Books

DISC InfoSec Services

Tags: Prevent Identity Theft


Feb 19 2022

CISA compiled a list of free cybersecurity tools and services

Category: Security Tools | DISC @ 9:45 pm

The U.S. CISA has created a list of free cybersecurity tools and services that can help organizations increase their resilience.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced this week that it has compiled a list of free cybersecurity tools and services that can help organizations to reduce cybersecurity risk and increase resilience.

The list is part of an ongoing project and will be continuously updated by CISA, which also plans to allow third parties to propose their own resources for inclusion in the list.

The list includes open source tools and free resources provided by government organizations and private cybersecurity firms.

The tools cover a broad range of activities normally conducted by defenders, from incident response to threat detection.

“As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will implement a process for organizations to submit additional free tools and services for inclusion on this list in the future.” reads the announcement published by CISA. “The list is not comprehensive and is subject to change pending future additions.”

The US agency proposed the following categorization according to the four goals outlined in CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats:

  1. Reducing the likelihood of a damaging cyber incident;
  2. Detecting malicious activity quickly;
  3. Responding effectively to confirmed incidents; and
  4. Maximizing resilience.

The list already includes cybersecurity tools and services from major IT and cybersecurity firms, including ones provided by CISA, AT&T Cybersecurity, Cloudflare, Cisco, Center for Internet Security, CrowdStrike, Google, IBM, Microsoft, Mandiant, Splunk, SANS, Secureworks, Tenable, and Palo Alto Networks. The list also includes dozens of open source tools.

CISA pointed out that it does not endorse any commercial product or service.


Tags: CISA, free cybersecurity tools


Feb 19 2022

Google Privacy Sandbox promises to protect user privacy online

Category: Information Privacy, Security and privacy Law | DISC @ 12:34 pm

Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.

“Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties.” reads the announcement.

Google is also committed to fighting and reducing covert data collection.

The goals of the Privacy Sandbox are:

  • Build new technology to keep your information private
  • Enable publishers and developers to keep online content free
  • Collaborate with the industry to build new internet privacy standards

Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.

“Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates.” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”

The Watchman Guide to Privacy

Tags: Guide to Privacy, privacy


Feb 18 2022

CVE-2021-44731 Linux privilege escalation bug affects Canonical’s Snap Package Manager

Category: Linux Security | DISC @ 10:39 am

Canonical’s Snap software packaging and deployment system is affected by multiple vulnerabilities, including a privilege escalation flaw tracked as CVE-2021-44731 (CVSS score 7.8).

Snap is a software packaging and deployment system developed by Canonical for operating systems that use the Linux kernel. The packages, called snaps, and the tool for using them, snapd, work across a range of Linux distributions.

The flaws were discovered by Qualys researchers. CVE-2021-44731 is the most severe one: a race condition in snap-confine’s setup_private_mount() function.

snap-confine is a program used internally by snapd to construct the execution environment for snap applications. An unprivileged user can trigger the flaw to gain root privileges on the affected host.

“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.” reads the post published by the experts. “As soon as the Qualys Research Team confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with both vendor and open-source distributions in announcing this newly discovered vulnerability.”

Qualys experts also developed a PoC exploit for this issue that allows obtaining full root privileges on default Ubuntu installations.

Below is the full list of vulnerabilities discovered by the experts:

CVE              Description
CVE-2021-44731   Race condition in snap-confine’s setup_private_mount()
CVE-2021-44730   Hardlink attack in snap-confine’s sc_open_snapd_tool()
CVE-2021-3996    Unauthorized unmount in util-linux’s libmount
CVE-2021-3995    Unauthorized unmount in util-linux’s libmount
CVE-2021-3998    Unexpected return value from glibc’s realpath()
CVE-2021-3999    Off-by-one buffer overflow/underflow in glibc’s getcwd()
CVE-2021-3997    Uncontrolled recursion in systemd’s systemd-tmpfiles

Tags: Privilege Escalation


Feb 17 2022

50 Key Stats About Freedom of the Internet Around the World

Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.

Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.

Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.

To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:

Digital Rights

Freedom of Information

Right to Internet Access

Freedom from Internet Censorship

Net Neutrality

The Bottom Line

The Internet in Everything: Freedom and Security in a World with No Off Switch

Tags: digital privacy, Freedom of the Internet Around

