
Alaskan health department still struggling to recover after ‘nation-state sponsored’ cyberattack
Sep 21 2021

Nick Kael, CTO at Ericom, discusses how phishing is gaining sophistication and what it means for businesses.
Hackers are upping their game, using an approach I call "Deep Sea Phishing," which combines the techniques described below to become more aggressive. To keep pace, cybersecurity innovators have been working diligently to develop tools, techniques and resources to improve defenses. But how can organizations fight against evolving threats that have yet to be launched, or even conceived of?
For example, in February, 10,000 Microsoft users were targeted in a phishing campaign which sent emails purporting to be from FedEx, DHL Express and other couriers. The emails contained links to phishing pages hosted on legitimate domains, with the goal of obtaining recipients' work email credentials. Use of legitimate domains allowed the emails to evade security filters, and people's pandemic-related reliance on delivery services and habituation to similar messages boosted success rates.
And in May, attackers launched a massive, sophisticated payment-themed phishing campaign. The phishing emails urged users to open an attached "payment advice", which was, in fact, not an attachment at all but rather an image containing a link to a malicious domain. When opened, the Java-based STRRAT malware was downloaded onto the endpoint and, via a command-and-control (C2) server connection, ran backdoor functions such as collecting passwords from browsers, running remote commands and PowerShell, logging keystrokes and other criminal activity.
Phishing is no longer the basement-brewed, small-scale nuisance of cyber lore, either. Today, nearly 70 percent of cyberattacks, like those cited above, are orchestrated by organized crime or nation-state affiliated actors. With many recovery tabs running into the millions, organizations need a solution that can safeguard them from attacks that have not yet been engineered, i.e., zero-day attacks, which can cause the most damage.
But before we tackle the issue of defense, let's first take a look at just what we're defending against. The types of phishing tactics noted below are listed in ascending order of sophistication.

Sep 20 2021
Hiring and retaining the best talent has quickly become a top priority for most organizations today. In the cybersecurity industry, which faces an immense skills shortage, this is especially true. In fact, according to CompTIA and Cyber Seek, a job-tracking database from the U.S. Commerce Department, there are nearly 500,000 open positions in cybersecurity nationwide as of Q2 2021, which makes hiring the right candidate for a technical role in IT security like finding a needle in a haystack. As a result, it's never been more important to attract and develop employees in cybersecurity, and here are a few best practices for doing so.
Every employee and organization is different. Even in an industry with a talent deficit, the employee/employer culture needs to be symbiotic. What an employee and an employer are looking for must be aligned, and when it is, the opportunities are endless.

Cybersecurity Career Master Plan

Sep 20 2021
These scams can take many different forms, including:


Sep 19 2021
But creating an identity layer wasn't imperative for the creators of the internet, as they didn't predict the emergence of online platforms that facilitate people-to-people interaction.
The digital presences most of us have are based on browsing or consumer habits and are siloed within various accounts and social networks. Indeed, they don't present an accurate picture of our unique identifiers and who we are.
Establishing a verified digital identity is a complex process. Authenticating that a person performing an action online is who they say they are, and then validating that they exist, is tedious for two major reasons.
Self-Sovereign Identity

Sep 18 2021
Using OMI on Microsoft Azure? Drop everything and patch this critical vulnerability, snappily named OMIGOD. But wait! You probably don't know whether you're using OMI or not.
Y'see, Open Management Infrastructure (OMI) is often silently installed on Azure as a prerequisite. And, to make matters worse, Microsoft hasn't rolled out the patch for you, despite publishing the code a month ago. So much for the promise of "The Cloud."
What a mess. In today's SB Blogwatch, we put the "mess" into message.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Difficult Hollywood.
What's the craic? Simon Sharwood says, "Microsoft makes fixing deadly OMIGOD flaws on Azure your job":
Your next step…
Microsoft Azure users running Linux VMs in the … Azure cloud need to take action to protect themselves against the four "OMIGOD" bugs in the … OMI framework, because Microsoft hasn't. … The worst is rated critical at 9.8/10 … on the Common Vulnerability Scoring System.
…
Complicating matters is that running OMI is not something Azure users actively choose. … Understandably, Microsoft's actions, or lack thereof, have not gone down well. [And it] has kept deploying known bad versions of OMI. … The Windows giant publicly fixed the holes in its OMI source in mid-August … and only now is advising customers.
…
Your next step is therefore obvious: patch ASAP.
"OMIGOD" Azure Critical Bugfix? Do It Yourself, Because Microsoft Won't

Sep 17 2021

Download Modern Pentesting for security and development teams
Find out how Cobalt's service protects your apps: Cobalt's Pentest as a Service (PtaaS) platform, coupled with an exclusive community of testers, delivers the real-time insights you need to remediate risk quickly and innovate securely.
Please email Info@deurainfosec.com with the subject "Beginner's Guide to Compliance-Driven Pentesting" if you are interested in reading this guide.
Sep 17 2021
IBM Security Services today published a report detailing a raft of issues pertaining to cloud security, including the fact that there are nearly 30,000 cloud accounts potentially for sale on dark web marketplaces.
The report is based on dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research.
The report found advertisements for tens of thousands of cloud accounts and resources for sale. Prices generally range from a few dollars to over $15,000 per account for access credentials depending on the amount of cloud resources that might be made accessible. On average, the price tag for cloud access rose an extra $1 for every $15 to $30 in credit the account held. Therefore, an account with $5,000 in available credit would be worth about $250, the report surmised.
In 71% of cases, threat actors offered access to cloud resources via the remote desktop protocol (RDP). X-Force Red found that 100% of their penetration tests into cloud environments in 2021 uncovered issues with either passwords or policy violations. Two-thirds of cloud breaches would likely have been prevented by more robust hardening of systems, such as properly implementing security policies and patching systems, the report noted.
More troubling still, IBM research indicates that vulnerabilities in cloud applications are growing, totaling more than 2,500 vulnerabilities for a 150% increase in the last five years. Almost half of the more than 2,500 disclosed vulnerabilities in cloud-deployed applications recorded to date were disclosed in the last 18 months.
The report also notes two-thirds of the incidents analyzed involved improperly configured application programming interfaces (APIs), mainly involving misconfigured API keys that allowed improper access. API credential exposure through public code repositories frequently resulted in access into cloud environments as well, the report noted.
API Security in Action

Sep 16 2021
Microsoft has been warning of a “widespread” phishing campaign in which fraudsters use open redirect links to lure users to malicious websites to harvest Office 365 and other credentials.
The ITG Phishing Staff Awareness Training Program educates your staff on how to respond to these types of phishing attacks 📧

Sep 16 2021
This, paired with the "anything you can do, I can do better" mantra adopted by today's nation-state threat actors, has left mission-critical information vulnerable to attack as it undergoes the great cloud migration.
These agile threat actors, without any red tape to stand in their way, have already adopted a cloud-centric mindset, oftentimes at the expense of our national security. Meanwhile, emerging technologies like artificial intelligence and machine learning that lend themselves to assisting defensive efforts are rendered useless unless the defense community focuses more time, energy and resources on becoming cloud-centric.
Ultimately, the issue of national security hangs in the balance, and the best way to ensure we stay ahead of the curve is by using the cloud to "digitally overmatch" our opponents and unlock the full potential of digital transformation.
Originally coined by the Army, the concept of "digital overmatch" stems from the idea that the respective branches of the military can easily overwhelm their opponents on the ground due to their superior resources. Now, in the era of cyber-enabled conflict, this concept can also be applied to the non-Defense space. Given that data is such a strategic asset, defenders must ensure they can outpace and outmaneuver adversaries by using data-driven technologies such as the cloud, and deliver on-demand resources across all domains whenever and wherever they're needed.
Without commercial and government innovation in cloud-native technology, federal agencies and the military are unable to maximize the full potential of their modernization strategy.
Cloud Computing Security: Foundations and Challenges

Sep 15 2021
Articles in our Serious Security series are often fairly technical, although we nevertheless aim to keep them free from jargon.
In the past, we've dug into topics that include: website hacking (and how to avoid it), numeric computation (and how to get it right), and post-quantum cryptography (and why we're getting it).
This time, however, the Serious Security aspect of the article isn't really technical at all.
Instead, this article is a reminder of how you can make it easy for people to help you with cybersecurity, and why you want to help them to do just that.

Sep 14 2021
Forbidden Stories, a Paris-based non-profit organisation that seeks to ensure the freedom of speech of journalists, recently announced that the Pegasus Project surveillance solution by the Israeli NSO Group selected 50,000 phone numbers for surveillance by its customers following a data leak.
The NSO Group has always maintained that the purpose of the Pegasus Project was for governments to monitor terrorist activity. However, this recent story, if true, could suggest that the solution has been abused for a long period of time and used for other nefarious purposes.
As reported by Forbidden Stories, the leaked data suggests the wide misuse of Pegasus Project and a range of surveillance targets that include human rights defenders, academics, businesspeople, lawyers, doctors, union leaders, diplomats, politicians and several heads of states. The NSO Group continues to contend these assertions are based on wrong assumptions and uncorroborated theories. Whether these statements are true or false, they raise interesting considerations for enterprises and government organisations that have a requirement to protect the smartphones of employees who have access to sensitive information.
Pegasus Project is reported to provide NSO Group customers full control of target devices, which makes it a threat of interest. However, it is not the first mobile threat that organisations should be concerned about. In another contested case, Snyk suggested that the Sour Mint threat, a Software Development Kit (SDK) developed by the Chinese mobile ad platform provider Mintegral and used by more than 1,200 apps in the Apple App Store, was responsible for spying on users by logging URL-based requests made through the app. It was reported that user activity is logged to a third-party server and could potentially include personally identifiable information (PII).
Where things get interesting with Sour Mint is its ability to evade defences by slipping through the Quality Assurance (QA) process of the Apple App Store, which goes to show that even the thoroughness of Apple's processes was not sufficient to detect malicious code in the case of this threat.
So, with the rise of mobile threats such as Pegasus Project and Sour Mint, how should organisations defend against such threats?

Mobile security solution review in light of the WhatsApp Pegasus hack

Sep 14 2021
You know what we're going to say, so we'll say it right away.
Patch early, patch often.
Canadian privacy and cybersecurity activist group The Citizen Lab just announced a zero-day security hole in Apple's iPhone, iPad and Macintosh operating systems.
They've given the attack the nickname FORCEDENTRY, for rather obvious reasons, though its official designation is CVE-2021-30860.
Citizen Lab has attributed the vulnerability, and the code that exploits it, to controversial device surveillance company NSO Group, already well-known for its so-called Pegasus line of spyware-like products.
According to Citizen Lab, this exploit relies on booby-trapped PDF files, and was spotted in the wild when a Saudi Arabian activist handed over their phone for analysis after suspecting that spyware had somehow been implanted on the device.
The Citizen Lab report coincides with Apple's own security bulletin HT21807, which credits Citizen Lab for reporting the hole, and says simply:
Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. […] An integer overflow was addressed with improved input validation.
The Art of Mac Malware: The Guide to Analyzing Malicious Software

Sep 13 2021
A user's personal data can be anything from their user name and email address to their telephone number and physical address. Less obvious forms of sensitive data include IP addresses, log data and any information gathered through cookies, as well as users' biometric data.
Any business whose mobile app collects personal information from users is required to have a Privacy Policy. Regardless of app geography or business domain, there are mandatory regulations such as the GDPR, the CCPA and the PDPA, as well as Apple, Google and Android guidelines, that ensure accountability and user data privacy. Some apps do not directly collect personal data but instead use a third-party tool like Google Analytics; they, too, need a Privacy Policy.
Sep 10 2021
Maryland recently joined seven other U.S. states to permit users to carry "digital driver's licenses." Under the program, which initially will work with Apple devices like iPhones, users can download a digital credential, a digital driver's license, to their phones. The digital ID would be carried in the Apple digital wallet in much the same way as a regular ID is carried in a regular wallet. The digital driver's license is based on the International Standards Organization (ISO) standard which is described more fully here.
Obviously, there are issues here related to the security of the credential, the degree of authentication necessary to obtain the credential, whether the credential can be simultaneously loaded into multiple devices and whether I can "loan" my driver's license to my identical twin brother (yes, I have an identical twin brother). Moreover, for the credential to be meaningful, it must permit both local and connected validation; that is, a police officer needs to be able to check to see if you have an apparently valid ID at the scene of a violation or accident without access to online verification, and they must also be able to validate the ID against some online database. In addition, we need to decide who has access to the digital validation protocols: police and other traffic enforcement officials? TSA or transportation security officials? The dude at the front desk of the office building? The bouncer at the bar? The server serving alcohol? The resident associate (RA) checking people in at the college dorm? Are there any controls on who can access these credential validation services and for what purpose? A digital credential is much easier to spoof (simply do a screenshot) if there is no ability to validate online. Moreover, the validation must be robust enough to work reasonably well offline: things like a photo ID, a watermark, etc. You know, all the stuff we put on the "real ID" driver's license.

Digital Driver's Licenses: Unintended Consequences
Sep 10 2021
Technical certifications are increasingly in demand with 87% of IT employees possessing at least one and 40% pursuing their next, according to Questionmark. Despite cybersecurity pros being more likely to have earned vendor-specific credentials, they think job pursuers should focus more on getting vendor-neutral ones.
In this interview with Help Net Security, May (Maytal) Brooks-Kempler, CEO at Helena, talks about her CISSP journey. Seven years ago she passed the CISSP exam, and today she teaches a CISSP course based on materials she co-authored.
If you're building a career in information security, the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.
This course will prepare you with the knowledge and skills to complete the CISSP exam, which will earn you Certified Information Systems Security Professional status. Covering topics including cloud computing, mobile security, application development security and risk management, you will gain the knowledge to best manage information security issues back in your organization.
Certified Information Systems Security Professional (CISSP) training course
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle 3rd Edition

Sep 09 2021

50 Key Stats About Freedom of the Internet Around the World
Almost every part of our everyday lives is closely connected to the internet: we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we've compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
Sep 08 2021
Details are scarce so far, but Microsoft is warning Office users about a bug that's dubbed
The bug doesn't have a patch yet, so it's what's known as a zero-day, shorthand for "the Good Guys were zero days ahead of the Bad Guys with a patch for this vulnerability."
In other words: the crooks got there first.
As far as we can tell, the treachery works like this:
MSHTML isn't a full-on browser, like Internet Explorer or Edge, but is a part of the operating system that can be used to create browsers or browser-like applications that need or want to display HTML files.
Even though HTML is most closely associated with web browsing, many apps other than browsers find it useful to be able to render and display web content, for example as a convenient and good-looking way to present documentation and help files, or to let users fill in and submit support tickets.
This "stripped-down minibrowser" concept can be found not only on Windows but also on Google's Android and Apple's iOS, where the components Blink and WebKit respectively provide the same sort of functionality as MSHTML on Microsoft platforms. Mozilla products such as Firefox and Thunderbird are based on a similar idea, known as Gecko. On iOS, interestingly, Apple not only uses WebKit as the core of its own browser, Safari, but also mandates the use of WebKit in browsers or browser-like apps from all other vendors. That's why Firefox on iOS is the only version of that product that doesn't include Gecko: it has no choice but to use WebKit instead.