InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The pandemic, as well as usersâ personal preferences, have helped enable the rapid emergence of digital payment applications and digital wallets, which compete with credit cards and cash as preferred payment options.
The growing popularity of digital wallets such as Google Pay, Samsung Pay and Apple Pay is making them a bigger target for malicious actors, according to a report from security analytics software specialist Cognyte.
The study, which collected and analyzed threat actorsâ conversations about digital wallets from 2016 through 2020, found the number of threat actorsâ interactions around the topic almost doubled from 2017 to 2018.
By 2019, this number grew by 456%, reaching 31,878 interactions and by 2020 it grew by another 292%, reaching 96,363 interactions.
Though lots of people might be taking some time off over the Labor Day weekend, threat actors likely wonât â which means organizations should remain particularly vigilante about the potential for ransomware attacks, the federal government has warned.
Citing historical precedence, the FBI and CISA put out a joint cybersecurity advisory (PDF) Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity.
While the agencies said they havenât discovered âany specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday,â they are working on the idea that itâs better to be safe than sorry given that some major cyber-attacks have occurred over holidays and weekends during the past few months.
Indeed, attackers recently have taken advantage of the fact that many extend holiday weekends to four days or more, leaving a skeleton crew behind to oversee IT and network infrastructure and security, security professionals observed.
âModern cyber criminals use some pretty sneaky tactics to maximize the damage and collect the most money per attack,â noted Erich Kron, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.
Because organizations are generally short-staffed over holiday weekends, the swiftness with which they can respond to attacks that occur during these times âwill be impacted,â he said.
Thatâs mainly because the absence of key personnel make it less likely that organizations that are targeted can quickly detect and contain attacks once launched, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.
âThis additional time gives attackers the ability to exfiltrate more sensitive data or lock up more computers with ransomware than they otherwise might have been able to,â he said in an email to Threatpost.
You must have had that happy feeling (happiest of all when itâs still a day or two to payday and you know that your balance is paper-thin) when youâre withdrawing money from a cash machine and, even though youâre still nervously watching the ATM screen telling you that your request is being processed, you hear the motors in the cash dispensing machinery start to spin up.
That means, even before any banknotes get counted out or the display tells you the final verdict, that [a] youâve got enough funds, [b] the transaction has been approved, [c] the machine is working properly, and [d] youâre about to get the money.
Well, imagine that if you hit the [Cancel] button at exactly the right moment between the mechanism firing up and the money being counted outâŠ
âŠand if your timing was spot on, then your card would stay in the machine, your account wouldnât get debited, and youâd be asked if you wanted to try again, BUT YOUâD GET THE CASH FROM THE CANCELLED TRANSACTION ANYWAY!?!!?
And imagine that, as long as you kept pressing that magic button at just the right moment, you could loop back on yourself and layer ghost withdrawal on ghost withdrawalâŠ
âŠuntil the machine finally ran out of money, or hit some internal software limit on recursive withdrawals, or you decided to quit while you were ahead and get clear of the ATM before an alarm went off.
Blockchain Bubble or Revolution: The Future of Bitcoin, Blockchains, and Cryptocurrencies
Windows 11 wonât auto-update on slightly old PCs. It appears this includes security updatesâalthough Microsoft PR is doing its usual trick of ghosting reporters who ask.
This sounds like a terrible idea: A fleet of unpatched Windows 11 PCs connected to the internet? Thatâs a recipe for disaster.
Stand by for Redmond to walk this one back in an embarrassing climbdown. In todayâs SB Blogwatch, we hope against hope.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Olivia vs. Paramore.
Why leave us in the dark?â Windows 11 wonât technically leave millions of PCs behindââŠâso long as you download and manually install an ISO file. ⊠But it turns out even that technicality has a technicality: Microsoft is now threatening to withhold Windows UpdatesââŠâpotentially even security updates. ⊠Itâs quite possible this is just a cover-your-ass measure. ⊠But itâs also possible Microsoft genuinely does mean to withhold patches. ⊠Microsoft declined to clarify things further. ⊠Windows 11 could theoretically be an operating system where you go back to the days of manually downloading [security] updates. ⊠Feature updates are probably less of a big deal. [But] why leave us in the dark?
When it comes to online behaviors, women are far safer than men, according to a wide-ranging survey from SecurityAdvisor.
Despite the fact that women made up 42% of the sample data, they account for 48% of the top safe users and only 26% of risky users. Men, on the other hand, account for 74% of risky users: A big driver of these risky behaviors stems from menâs and womenâs online behaviors.
According to SecurityAdvisorâs data, men are more likely to visit dangerous adult websites, use P2P software and watch pirated content than women.
SecurityAdvisor analyzed more than 500,000 malicious emails and an additional 500,000+ dangerous website visits by enterprise employees in more than twenty countries. Employees range from entry-level to executives and operate across many industries, including health care, financial services, communications, professional services, energy and utilities, retail and hospitality.
âOur partner here, Kelley McElhaney from Berkeley University, noted that women are more aware of long-term ramifications of risky behaviors,â SecurityAdvisor CEO Sai Venkataraman said. âAlso, society tends to tolerate failures by dominant groups better, hence men donât fear the consequences or fear consequences less.â
He also pointed out that men, from an early age, are socialized to take risks and win, hence they are less afraid of a potential negative outcome and engage in riskier behaviors.
What do AWS Partners with Level 1 Managed Security Service (MSSP) Competency provide?
All AWS Level 1 MSSP Competency Partners provide at minimum the ten 24/7 security monitoring, protection, and remediation services as defined in the Level 1 Managed Security Services baseline. Those ten 24/7 services specifically are below.
Many of the Level 1 MSSP Competency Partners also provide additional security assessment and implementation professional services as well to assist customers in their AWS cloud journey.
AWS Infrastructure Vulnerability Scanning â Routine scanning of AWS infrastructure for known software vulnerabilities.
AWS Resource Inventory Visibility â Continuous scanning and reporting of all AWS resources and their configuration details, updated automatically with newly added or removed resources.
AWS Security Best Practices Monitoring â Track and detect misconfigurations of AWS resources to improve cloud security posture and reduce business risk.
AWS Compliance Monitoring â Scanning AWS environment for compliance standards such as: CIS AWS Foundations, PCI DSS, HIPAA, HITRUST, ISO 27001, MITRE ATT&CK, and SOC2.
Monitor, Triage Security Events â Gain visibility into security alerts with a consolidated list of security events and recommended remediation guidance.
24/7 Incident Alerting and Response â Receive notification of high priority security events and expert guidance on recommended remediation steps 24/7.
DDoS Mitigation â Increase visibility and resilience to DDoS attacks and reduce the risk of availability, financial, and security impacts to applications.
Managed Intrusion Prevention System (IPS) â Add a layer of security for AWS-based endpoints, helping with defense against known threat patterns, to increase overall security posture.
Managed Detection and Response (MDR) for AWS-Based Endpoints â A combination of technology and cloud security experts working to continuously detect, investigate, and remove threats from within AWS-based endpoints.
Managed Web Application Firewall (WAF) â A firewall managed service designed to protect web-facing applications and APIs against common exploits.
OpenSSL, as its name suggests, is mainly used by network software that uses the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.
Although TLS has now replaced SSL, removing a huge number of cryptographic flaws along the way, many of the popular open source programming libraries that support it, such as OpenSSL, LibreSSL and BoringSSL, have kept old-school product names for the sake of familiarity.
Despite having TLS support as its primary aim, OpenSSL also lets you access the lower-level functions on which TLS itself depends, so you can use the libcrypto part of OpenSSL to do standalone encryption, compute file hashes, verify digital signatures and even do arithmetic with numbers that are thousands of digits long.
The solution is, instead, to focus on building applications that are secure by design, with zero-trust security baked-in rather than bolted-on. This is one of the three key strategic criteria we see for forward-looking enterprises that are accelerating the security of their applications.
Make applications secure by design â zero-trust is now the recommended security model.
Embrace tools that enable agility and efficiency and eliminate complexity.
Embrace open source for future-proofing, maximum visibility and to avoid proprietary lock-in.
Integrating security and the WAN is the next wave in network architecture. That means embedding zero-trust and access management capabilities in applications.
Zero-trust, to continue with the sporting event analogy, requires ticket checks before fans reach the stadium; it determines if they are authentic fans and therefore whether they can enter, where they can go once theyâre inside the venue and which events they can watch. Zero-trust uses context as well as identity to authenticate users, and it enables policies that permit access only within a certain time window, a particular network segment or to a specific application. It removes the element of implicit trust that is so easily exploited, whether deliberately by bad actors or accidentally by careless users.
There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a âPlan Do Check Actâ process.
ISO 27001 is the international security standard that details the requirements of an ISMS.
ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.
A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks.
The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.
The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as âcontrolsâ).
ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have taken into consideration all the controls necessary for legislative, business, contractual, or regulatory purposes.
John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.
The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.
Samsung says that it can disable any of its Samsung TV sets remotely using TV Block, a feature built into all television products sold worldwide.
This was revealed by the South Korean multinational in a press release issued earlier this month in response to the July South African riots that led to large-scale looting, which also impacted Samsung warehouses and stores.
“TV Block is a remote, security solution that detects if Samsung TV units have been unduly activated, and ensures that the television sets can only be used by the rightful owners with a valid proof of purchase,” Samsung said.
“The aim of the technology is to mitigate against the creation of secondary markets linked to the sale of illegal goods, both in South Africa and beyond its borders. This technology is already pre-loaded on all Samsung TV products.”
As Samsung explains, the goal behind remotely disabling stolen TV sets is to limit looting and “third party purchases,” and ensuring that the TVs can only be used by “rightful owners with a valid proof of purchase.”
It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.
The proliferation of APIs that power applications, microservices, containers and serverless functions have created one of the greatest sources of security risk that businesses face today. The reason is simple: Itâs not the development teamâs responsibility to handle security. At the same time, however, security operations teams donât have visibility into APIs. Because you canât protect what you canât see, Lebin Cheng, head of API security, office of the CTO at Imperva, pointed out three primary ways APIs create security risk for organizations:
A legacy application, initially deployed for internal use, is exposed externally using gateways that perform only fundamental authentication and authorization, with inadequate protection against sophisticated data exfiltration attempts. Because APIs are often connected directly to a data source, this can give attackers direct access to sensitive data.
Modern applications are increasingly built with outsourced components and/or services. This means that the majority of the application stack isnât actually owned by the enterprise. What connects all these components is the API, but organizations often lack the visibility to monitor these API calls or the ability to secure the APIs in runtime.
The speed of software development is the Achillesâ heel of a security team. Developers need to move quickly and publish lines of code and APIs. However, the traditional approach of penetration testing for vulnerabilities isnât feasible in todayâs modern application workflow because it takes too long to conduct. This is creating a tug-of-war internally between the DevOps and SecOps teams.
âData exfiltration through a compromised or vulnerable API is the risk organizations need to be most worried about,â said Cheng in an email interview. According to research by Imperva Research Labs, the number of new API vulnerabilities grew at the same time other vulnerabilities decreased; by 2024, itâs predicted that API abuses and related data breaches will nearly double in volume.
Instead of waning, cyber attacks continue to rise as the years pass. Several reasons contribute to this phenomenon, despite developing and deploying more robust network and data security platforms. First, the recent spate of disruptive cyberattacks hampering operations of organizations and government agencies proves that cybercriminals are becoming bolder in perpetuating their malicious activities.
These nefarious actors attack small, medium, and large corporations and organizations. Several attacks were publicized. Most of them are high-profile ransomware victims: Kaseya, JBS, SolarWinds, Colonial Pipeline, Acer, AXA, and CAN Financial. Many of them opted to pay the ransom demand not to disrupt operations that can affect thousands of businesses and consumers.
The nagging question is why cyberattacks are happening more often today. First, attackers are getting more sophisticated. Second, many are organized hacking groups, while some are already identified as government-backed hackers. The increase in cyberattacks can be attributed to several reasons, namely:
The willingness of many victims to pay the ransom;
Increased use of unregulated cryptocurrencies, which are harder to trace;
Publication of cyberattacks enticed other hackers to try the activity themselves, taking the publication of the attacks as successes of cybercriminalsâ this turned into a get-rich-quick scheme;
Increasing numbers of people going online, especially amid the pandemic.
Given that, companies also need to carefully consider their ability to respond and recover from a ransomware incident. While the key component of recovery is maintaining and testing backups of critical data, one aspect of recovery thatâs often overlooked is having access to the stored packet data from the lead-up and ransomware attack itself.
High-quality packet data is important for ransomware recovery in three critical ways: (a) For determining the timeframe for backup restoration; (b) For creating a record of the attack for incident response (especially for legal and compliance reporting); (c) and for analyzing the attack itself to prevent it from happening again.
Razer gaming mice come with a buggy installer. It starts automatically when you plug in one of Razerâs devices.
The installer runs as SYSTEM. And it lets you start a shellâwhich also runs as SYSTEM. A classic elevation-of-privilege bug. And one thatâs incredibly simple to exploit.
It took us about two minutesâ Razer is a very popular computer peripherals manufacturer known for its gaming mouses and keyboards. When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software. ⊠A zero-day vulnerability in the plug-and-play Razer Synapse installationââŠâallows users to gain SYSTEM privilegesâ[which is]âthe highest user rights available in Windows. ⊠It took us about two minutes to gain SYSTEM privileges in Windows 10 after plugging in our mouse. ⊠Razer has contacted the security researcher to let them know that they will be issuing a fix. ⊠Razer also told the researcher that he would be receiving a bug bounty reward.
Google disclosed the details of a Windows ââAppContainer vulnerability because Microsoft initially had no plans to fix it.
Google Project Zero experts disclosed the details of a Windows ââAppContainer flaw after Microsoft announced it had no plans to fix it.
The team focused its analysis on Windows Firewall and AppContainer that were designed by Microsoft to limit the attack surface of applications. Bypass network restrictions in AppContainer sandboxes could allow an attacker to access services on localhost, as well as granting access to intranet resources in an enterprise organization.
Google Project Zero researcher James Forshaw discovered an issue in the configuration of Windows Firewall that could allow attackers to bypass restrictions and allowed an AppContainer process to access the network.
âRecently Iâve been delving into the inner workings of the Windows Firewall. This is interesting to me as itâs used to enforce various restrictions such as whether AppContainer sandboxed applications can access the network. Being able to bypass network restrictions in AppContainer sandboxes is interesting as it expands the attack surface available to the application, such as being able to access services on localhost, as well as granting access to intranet resources in an Enterprise.â wrote Forshaw.
âI recently discovered a configuration issue with the Windows Firewall which allowed the restrictions to be bypassed and allowed an AppContainer process to access the network. Unfortunately Microsoft decided it didnât meet the bar for a security bulletin so itâs marked as WontFix.â
According to Google, Microsoft decided to label the issue as WontFix.
âThe default rules for the WFP connect layers permit certain executables to connect TCP sockets in AppContainers without capabilities leading to elevation of privilege.â reads the security advisory published by Microsoft. âConnecting to an external network resource from an AppContainer is enforced through default rules in the WFP. For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer. This layer can contain rules such as âInternetClient Default Ruleâ which will match if the caller is in an AC and has the Internet Capability. If a match is made then the connection is allowed. Eventually an AC process will match the âBlock Outbound Default Ruleâ rule if nothing else has which will block any connection attempt.â
In this post, Iâll collect links on Appleâs iPhone backdoor for scanning CSAM images. Previous links are here and here.
Apple says that hash collisions in its CSAM detection system were expected, and not a concern. Iâm not convinced that this secondary system was originally part of the design, since it wasnât discussed in the original specification.
Good op-ed from a group of Princeton researchers who developed a similar system:
Our system could be easily repurposed for surveillance and censorship. The design wasnât restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.
Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices
The consequences of such an action could prove dire for your business, though, so before you let another day of stress go by, read on to learn some warning signs and tips on how to deal with burnout. The goal is to get your team working at maximum capacity without overworking them.
Signs of burnout
Burnout is the word used to describe acute exhaustion when your work becomes overwhelming and too stressful. It can lead to poor performance, absenteeism, or resignations. It is a real problem in many industries, but itâs hugely prevalent in information security because of the long hours and high pressure.
Fortunately, burnout comes with early warning signs that you can spot and address. These include:
Anger at colleagues
A constant feeling of exhaustion that could manifest in team members getting lost in daydreams or even nodding off at their desk
Expressions of hopelessness or being overwhelmed by their responsibilities or current task
The team member isolating themselves from others, i.e., avoiding time out with colleagues or social events
Unhappiness in the role
An inability to stop and take breaks
An increase in working hours (coming in early, staying late, skipping lunch, or frequently emailing during out-of-office hours)
If any of your staff shows some of these symptoms, itâs time to act!
Researchers have disclosed a nasty new way for bad people to mess up the internet for the rest of us. Theyâve found a fantastically powerful reflective-amplification attack technique that could easily be used for distributed denial of service (DDoS).
Youâll be pleased to know the researchers havenât wasted their time dreaming up a fancy name or a logo. On the other hand, theyâre far from hopeful that the problems can be fixed.
Nation-states would have to fix their firewalls, which ainât gonna happen. In todayâs SB Blogwatch, this is why we canât have nice things.
Weaponizing this attack is relatively simpleâ Academics said they discovered a way to abuse the TCP protocol, firewalls, and other network middleboxes to launch giant distributed denial of service (DDoS) attacks. ⊠The research is the first of its kind to describe a method to carry out DDoS reflective amplification attacks via the TCP protocol, previously thought to be unusable for such operations. ⊠Reflective amplificationââŠâhappens when an attacker sends network packets to a third-party server on the internet, the server processes and creates a much larger response packet, which it then sends to a victim instead of the attacker. ⊠The amplification factor for these TCP-based attacks is also far larger than UDP protocols, making TCP protocol abuse one of the most dangerous forms ofââŠâDDoS. ⊠The flaw they found was in the design of middleboxes, which are equipment installed inside large organizations that inspect network traffic. ⊠If the attacker tried to access a forbidden website, then the middlebox would respond with a âblock page,â which would typically be much larger than the initial packetâhence an amplification effect. ⊠Weaponizing this attack is relatively simple.
Distributed Denial of Service (DDoS) Attacks: Classification, Attacks, Challenges and Countermeasures
![CYBER SECURITY FOR TOP EXECUTIVES: Everything you need to know about Cybersecurity by [Alejandra Garcia]](https://m.media-amazon.com/images/I/51UZgLnDdYS.jpg)
