Jun 19 2021

Preventing security issues from destroying the promise of IoT

Category: IoT Security | DISC @ 12:50 pm

Tags: IoT Hacking, IoT security


Jun 19 2021

Can *YOU* blow a PC speaker using only a Linux kernel driver?

Category: Linux Security | DISC @ 12:42 pm

We don’t often put out programming appeals on Naked Security, especially when the code that we’re looking for is dangerous and destructive.

But this time we’re prepared to make an exception, given that it’s a rainy Friday afternoon where we are, and that this issue is now in its fifteenth consecutive year.

Our attention was drawn to the problem by a tweet from well-known Google cybersecurity researcher Tavis Ormandy, who tweeted today to say:

https://twitter.com/taviso/status/1405673910012579844

Can *YOU* blow a PC speaker using only a Linux kernel driver?

Tags: Linux kernel driver


Jun 18 2021

Cruise operator Carnival discloses a security breach

Category: Data Breach, Security Breach | DISC @ 11:00 am

Carnival Corp. this week confirmed that the data breach that took place in March might have exposed personal information about customers and employees of Carnival Cruise Line, Holland America Line, and Princess Cruises.

Carnival Corporation & plc is a British-American cruise operator, currently the world’s largest travel leisure company, with a combined fleet of over 100 vessels across 10 cruise line brands. A dual-listed company, Carnival Corporation has over 150,000 employees and 13 million guests annually. The cruise line operates under the brands Carnival Cruise Line, Costa, P&O Australia, P&O Cruises, Princess Cruises, Holland America Line, AIDA, Cunard, and their ultra-luxury cruise line Seabourn.

The company sent a data breach notification letter to its customers to inform them that unauthorized parties might have gained access to their data, including Social Security numbers, passport numbers, dates of birth, addresses and health information.

At the time of this writing, the number of impacted individuals has not been revealed; it is also unclear whether the company paid a ransom.

In 2020, the company was the victim of two distinct ransomware attacks that took place in August and December. In October, Carnival Corporation disclosed a data breach as a result of the ransomware attack that took place in August. Ransomware operators stole the personal information of customers, employees, and ship crews during the attack.

The recent security breach was spotted on March 19. In response to the incident, the IT staff shut down access and launched an investigation with the help of a cybersecurity firm.

The company announced that it has implemented additional security measures to protect its infrastructure.

The cruise operator set up a call center to provide support to its customers.

The good news is that the company is not aware of any abuse of personal information stolen during the intrusions.

Tags: Cruise operator Carnival


Jun 17 2021

Calculating Your Company’s Total Cybersecurity Risk Exposure

Category: Risk Assessment, Security Risk Assessment | DISC @ 12:20 pm

In the first part of my blog post I focused on calculating the impact of a cybersecurity breach in relation to a company’s size and industry. In part two, I present an approach to better understand how often a company will experience security breaches.

The probability is usually the big unknown. Not particularly helpful is that our abilities to estimate a probability are inferior to our abilities to estimate damage. In addition, we must consider a range of limitations to our abilities to estimate. We don’t estimate well in magnitudes very small or large. Once in 1,000 years and once in 10,000 years is harder to differentiate than once per year and once in 10 years. Also, we tend to overestimate the probability of recently occurred incidents.

The great uncertainty drives risk practitioners to reduce their risk assessments to pure impact assessments (“Estimations of probability can only be wrong!”). However, we can use the data that is out there and make comparisons.

Source: Calculating Your Company’s Total Cybersecurity Risk Exposure

Tags: FAIR


Jun 17 2021

Identity Theft: Learn How to Stay Safe and Not Become a Victim

Category: Identity Theft | DISC @ 10:48 am

Did you know the odds of being struck by lightning in a given year are only around 1 in 100,000,000? That’s not a scary thought, mainly since 9 out of 10 people survive.

But when it comes to identity theft, the odds are 1 in 15. Worldwide, there’s a new victim every 2 seconds. Now, that is spine-chilling!

Identity theft is the most common consequence of a data breach. Defrauding and stealing someone’s identity is easier today than it has ever been in history.

Let’s go behind the scenes of an identity theft maneuver and learn how you can protect yourself from it.

What is identity theft

Identity theft occurs when someone uses your personal identifying information (like your name, social security number, or credit card number) without your knowledge or permission. The purpose of identity theft is to commit fraud or other crimes.

Identity thieves gain financial advantages or other benefits, while victims suffer financial loss and possibly other severe consequences, including being accused of a crime they didn’t commit.

Source: How identity thieves grab your information

https://twitter.com/CityPoliceIFED/status/1375456871440605185

Tags: identity fraud, Identity Theft, Identity Theft Countermeasures


Jun 17 2021

VPNs and Trust

Category: VPN | DISC @ 10:13 am

Most interesting to me is the home countries of these companies. Express VPN is incorporated in the British Virgin Islands. NordVPN is incorporated in Panama. There are VPNs from the Seychelles, Malaysia, and Bulgaria. There are VPNs from more Western and democratic countries like the US, Switzerland, Canada, and Sweden. Presumably all of those companies follow the laws of their home country.

And it matters. I’ve been thinking about this since Trojan Shield was made public. This is the joint US/Australia-run encrypted messaging service that lured criminals to use it, and then spied on everything they did. Or, at least, Australian law enforcement spied on everyone. The FBI wasn’t able to because the US has better privacy laws.

We don’t talk about it a lot, but VPNs are entirely based on trust. As a consumer, you have no idea which company will best protect your privacy. You don’t know the data protection laws of the Seychelles or Panama. You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction. You don’t know who actually owns and runs the VPNs. You don’t even know which foreign companies the NSA has targeted for mass surveillance. All you can do is make your best guess, and hope you guessed well.

Teleworking: VPN and other recommendations | INCIBE-CERT

The same should be pertinent for any technology, or any piece of software or hardware, produced in other countries where privacy and copyright laws are lax, and for anything that supports such technology.

Tags: VPNs and Trust


Jun 16 2021

A flaw in Peloton Bike+ could allow hackers to control it

Category: Hacking | DISC @ 10:21 am

A flaw in the Peloton Bike+ could be exploited by an attacker with initial physical access to gain root entry to the interactive tablet, taking complete control of the system.

A vulnerability in the popular Peloton Bike+ could have allowed an attacker to gain complete control over the device, including the camera and microphone to spy on the gym users.

The flaw was discovered by researchers from McAfee’s Advanced Threat Research (ATR) team. It could be exploited by attackers to gain remote root access to the Peloton’s “tablet.” The touch screen tablet allows users to access interactive and streaming content.

Experts pointed out that the attackers need physical access to the bike or access during any point in the supply chain (from construction to delivery).

Experts noticed that the tablet is a standard Android device; once it is compromised, the attacker could install malware, eavesdrop on traffic, and take full control of the Bike+.

“A hacker enters a gym or fitness center with a Peloton Bike+. They insert a tiny USB key with a boot image file containing malicious code that grants them remote root access. Since the attacker doesn’t need to factory unlock the bike to load the modified image, there is no sign that it was tampered with,” reads the analysis published by the experts. “With their newfound access, the hacker interferes with the Peloton’s operating system and now has the ability to install and run any programs, modify files, or set up remote backdoor access over the internet.”

The attackers could add malicious apps disguised as popular applications, such as Netflix or Spotify, that could allow them to steal the login credentials of the gym users. An attacker could also gather info regarding users’ workouts or spy on them via the bike’s camera and microphone.

Attackers could decrypt the encrypted communications from the bike to various cloud services and databases it accesses, potentially accessing sensitive information. 

The researchers discovered that the Bike’s system did not verify that the device’s bootloader was unlocked before attempting to boot a custom image, allowing the experts to load a file that wasn’t meant for the Peloton hardware.

Tags: flaw in Peloton Bike


Jun 15 2021

TikTok Can Now Collect Biometric Data

Category: Biometric Data | DISC @ 12:46 pm

Defense Management: DOD Can Establish More Guidance for Biometrics Collection and Explore Broader Data Sharing by [U.S Government Accountability Office]

Tags: Biometric Data


Jun 15 2021

VPN attacks up nearly 2000% as companies embrace a hybrid workplace

Category: VPN | DISC @ 12:33 pm

“As companies return to a hybrid workplace, it’s crucial that they are aware of the evolving threat landscape,” said Craig Robinson, Program Director, Security Services at IDC. “The data highlighted in this threat report by Nuspire and Recorded Future shows that security leaders need to stay vigilant as threat actors see opportunity in the continued era of remote access.”

Increase in VPN attacks

In Q1 2021, there was a 1,916% increase in attacks against Fortinet’s SSL-VPN and a 1,527% increase in Pulse Connect Secure VPN. These vulnerabilities allow a threat actor to gain access to a network. Once they are in, they can exfiltrate information and deploy ransomware.

“2020 was the era of remote work and as the workforce adjusted, information technology professionals scrambled to support this level of remote activity by enabling a wide variety of remote connectivity methods,” said J.R. Cunningham, CSO at Nuspire. “This added multiple new attack vectors that enabled threat actors to prey on organizations, which is what we started to see in Q1 and are continuing to see today.”

Because of the significant increase in VPN and RDP vulnerabilities, the report finds that malware, botnet and exploitation activity are down compared to Q4, but threat actors are still on the prowl.

Additional findings

Network Security, Firewalls, and VPNs with Cloud Labs

Tags: VPN attacks


Jun 15 2021

RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries

Category: Access Control, Password Security | DISC @ 9:34 am

What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches. 

According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower – at 8,459,060,239 unique entries:

[Image: rockyou2021.txt]

The compilation itself has been dubbed ‘RockYou2021’ by the forum user, presumably in reference to the infamous RockYou data breach that occurred in 2009, when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text. The file containing all the passwords is named rockyou2021.txt.

With a collection that exceeds its 12-year-old namesake by more than 262 times, this leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever. Its 3.2 billion leaked passwords, along with passwords from multiple other leaked databases, are included in the RockYou2021 compilation that has been amassed by the person behind this collection over several years.

Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak. 

How to check if your password was leaked?

Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker or our leaked password checker.

Note: We take our readers’ privacy extremely seriously. To protect your privacy and security, the data that you enter in the search field is hashed, and we use only this hash to perform a search in our database. We do not collect entered emails or passwords, and nothing is logged when you perform a leak check.

Source: RockYou2021

Tags: Password breach, Rockyou2021


Jun 14 2021

SEO poisoning campaign aims at delivering RAT, Microsoft warns

Category: Trojan | DISC @ 1:04 pm

Microsoft spotted a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) used by threat actors to steal sensitive data.

Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access trojan (RAT) to steal sensitive data from the infected systems.

The IT giant revealed that the SEO poisoning technique is effective; its Microsoft Defender Antivirus has thousands of PDF documents delivered as part of the ongoing campaign.

Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of their desired info. Once they click the links, users are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. The sites appear as clones of Google Drive web pages and are used to serve the SolarMarker malware.

Microsoft experts noticed that the PDF files are primarily hosted on Amazon Web Services and Strikingly.

RATS! How Hackers Take Over Your Computer: An Introduction to Remote Access Trojans by [James Wilson]

Tags: remote access trojan (RAT)


Jun 13 2021

FBI/AFP-Run Encrypted Phone

Category: Backdoor, Crypto, Cryptography | DISC @ 9:33 am

If there is any moral to this, it’s one that all of my blog readers should already know: trust is essential to security. And the number of people you need to trust is larger than you might originally think. For an app to be secure, you need to trust the hardware, the operating system, the software, the update mechanism, the login mechanism, and on and on and on. If one of those is untrustworthy, the whole system is insecure.

It’s the same reason blockchain-based currencies are so insecure, even if the cryptography is sound.

Tags: Australia, backdoors, cryptocurrency, encryption, FBI, law enforcement, trust


Jun 12 2021

Certified Information Systems Security Professional (CISSP) training course

Category: CISO, CISSP, Information Security, vCISO | DISC @ 6:22 pm

If you’re building a career in information security, the Certified Information Systems Security Professional (CISSP) is the must-have qualification to help you progress. It is a globally recognized standard that demonstrates your competence as an IT professional.

This course will prepare you with the knowledge and skills to complete the CISSP exam, which will get you Certified Information Systems Security Professional status. Covering topics including cloud computing, mobile security, application development security, and risk management, you will gain the knowledge to best manage information security issues back in your organization.

Duration: 5 days

“I would highly recommend the course to a friend, and in fact I already have! I’d also recommend it to a security team within an organization, even if they’re not specifically targeting a CISSP certification as it teaches a broad range of best practices and will help instill a culture of security and best practice in any organization.”

Who should attend?

This training course is intended for professionals who have at least 5 years of recent full-time professional work experience in 2 or more of the 8 domains of the CISSP common body of knowledge (CBK), such as:

  • Security consultants
  • Security managers
  • IT directors/managers
  • Security auditors
  • Security architects
  • Security analysts
  • Security systems engineers
  • Chief information security officers
  • Security directors
  • Network architects

Please note: A one year experience waiver is available with a 4-year college degree, or regional equivalent, or additional credentials from the (ISC)² approved list, thus requiring four years of direct full-time professional security work experience in 2 or more of the 8 domains of the CISSP CBK.

Don’t have 5 years of experience? – Become an Associate of (ISC)²

Official (ISC)²® Guides

7 tips for CISSP Success

Risk Management Training

ISO 27001:2013 Lead Auditor

Tags: CISSP book, CISSP book recommendation


Jun 11 2021

Access Target’s Webcam, Microphone, Device location, and more

Category: Hacking | DISC @ 10:18 am

Cybercriminals and black hat hackers exploit system vulnerabilities and human weaknesses as well. This hacking tutorial discusses how a malicious actor can access any mobile or computer camera, microphone, physical location, and device information by just sending a URL along with some basic social engineering techniques.

Throughout this tutorial, we will glance at how hackers access a target’s webcam remotely and see what is happening on the other end. To break into the victim’s webcam, we will utilize the tool Storm-Breaker and Kali Linux.

Recently, in March 2021, a group of hackers breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons, and schools.

Storm-Breaker is going to assist us with a hack. With Storm-Breaker, you have:

  • Get Device Information Without Any Permissions
  • Access Location [SMARTPHONES]
  • OS Password Grabber [WIN-10]
  • Access Webcam
  • Access Microphone

Let us get rolling!

Install Storm-Breaker in Kali Linux

Tags: Microphone, Webcam


Jun 11 2021

The 6 steps to implementing zero trust

Category: Zero trust | DISC @ 10:03 am

In their minds, this security approach can only be applied to fresh, or “greenfield,” environments – and even there organizations are hesitant as they may believe security will hinder business agility.

The true reason businesses are hesitant when it comes to zero trust is a lack of understanding of the process and the unfortunate influence of the myths stated above. Forrester’s zero trust framework gives a clear overview of the seven pillars that provide a comprehensive zero trust strategy: data, people, workloads, devices, networks, automation and orchestration, and visibility and analytics. Even after seeing the different elements set out, businesses may feel overwhelmed by the number of areas that can be linked with zero trust – it’s the classic “boiling the ocean” problem.

But what if companies instead took a more incremental and agile approach where benefits are realized at each stage along the way? This approach not only results in a regular and measurable improvement in security posture, but it also facilitates the integration of further capabilities throughout the process.

Implementing zero trust

Here is a simple, six-step, repeatable process that can help organizations adopt a zero trust security model.

Tags: Zero Trust Security


Jun 10 2021

Detecting Deepfake Picture Editing

Category: Deepfakes | DISC @ 8:54 pm

In a world of deepfakes, it will soon be impossible to tell what is real and what isn’t. As advances in artificial intelligence, video creation, and online trolling continue, deepfakes pose not only a real threat to democracy — they threaten to take voter manipulation to unprecedented new heights. This crisis of misinformation which we now face has since been dubbed the “Infocalypse.”

In DEEPFAKES, investigative journalist Nina Schick uses her expertise from working in the field to reveal shocking examples of deepfakery and explain the dangerous political consequences of the Infocalypse, both in terms of national security and what it means for public trust in politics. This all-too-timely book also unveils what this all means for us as individuals, how deepfakes will be used to intimidate and to silence, for revenge and fraud, and just how truly unprepared governments and tech companies are for what’s coming.

Tags: Deepfake, Deepfake Picture Editing


Jun 10 2021

Global Scamdemic: Scams Become Number One Online Crime

Category: Cybercrime | DISC @ 8:25 pm

Threat hunting and adversarial cyber intelligence company Group-IB published a comprehensive analysis of fraud cases on a global scale.

Group-IB, a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale.

Overall, fraud accounts for 73% of all online attacks: 56% are scams (fraud that results in the victim voluntarily disclosing sensitive data) and 17% are phishing attacks (theft of bank card details). Using patented Digital Risk Protection (DRP) technologies, the experts at Group-IB discovered over 70 groups of fraudsters involved in just one of the fraudulent schemes, Classiscam, of which 36 are aimed at Europe. Classiscam threat actors alone were found to have defrauded users of $7.75 million in one year.

On June 10th, during the Digital Risk Summit 2021 online conference (Amsterdam), Group-IB presented its research on various fraudulent schemes, obtained thanks to neural networks and ML-based scoring in the Group-IB Digital Risk Protection System. Group-IB also unveiled Scam Intelligence, a fraud-tracking technology that paved the way for DRP, the company’s proprietary solution. In one year, the system has helped save €363 million for companies in Asia Pacific, Europe and the Middle East by preventing potential damage.

The number of scam and phishing violations detected by Group-IB in Europe in 2020 increased by 39% compared to the previous year. DRP’s research into threat actors’ fraud activity around the world helped categorize fraud schemes, uncovering over 100 basic schemes and their modifications. For example, a scheme of fake branded social media accounts (typical of the financial sector) involved over 500 fake accounts per bank on average in 2020. Insurance companies around the world are now suffering from phishing. Over the past year, an average of over 100 phishing websites were created per insurer.

In 2020, a multi-stage scam called Rabbit Hole targeted companies’ brands, primarily retail and online services. Users received a link from friends, via social media or in messengers, with a request to take part in a competition, a promotional offer or a survey. On average, users visited 40,000 fraudulent websites every day. Rabbit Hole has attacked the customers of at least 100 brands worldwide. The threat actors aim to steal personal and bank card details.

Classiscam has been the most widespread fraud in the world during the pandemic. The scheme is aimed at people using marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail stores, ridesharing and deliveries. The scheme aims to extort money as payment for non-existent goods. At least 44 countries, including Austria, France, Italy, the Netherlands and Great Britain, are affected by Classiscam. According to Group-IB, a total of 93 brands were misused as part of Classiscam. As of early 2021, more than 12,500 threat actors were making money with fake delivery services. The total number of websites involved in the scheme reached 10,000. A Classiscam threat group makes up to 97,000 euros per month.

“Last year the world was hit by the scamdemic, which represents the influx of online scams on an unprecedented scale: if your business is successful and well-known, it’s only a matter of time before scammers keep an eye out,” explains Dmitry Tiunkin, Group-IB DRP Head, Europe. “Digital risks to brands such as online fraud, the illegal sale of products and services, and intellectual property infringement are the most widespread crimes on the Internet. Group-IB’s DRP system gives analysts a tool to uncover the entire infrastructure of fraudsters and learn about different categories of fraud attempts that could target their organizations. Group-IB DRP helps our clients identify the person behind the wrongdoing, gather as much information about them as possible, and bring them to justice.”

Tags: Global Scamdemic, Scam Me If You Can


Jun 08 2021

The Benefits of Automated Penetration Testing

Category: Pen Test | DISC @ 8:56 am

Penetration testing has been one of the industries that are relatively slow adopters of automation. As security firms started automating many parts of the cybersecurity process including scanning and threat intelligence updates, security testing for some time was still mostly about traditional methods.

“In the past few years, the use of automation in many spheres of cybersecurity has increased dramatically, but penetration testing has remained stubbornly immune to it,” as noted CISO Alex Haynes explains in an article exploring the potential of AI replacing humans in this field.

This is perfectly understandable, considering that penetration testing needs to be thorough and supervised by experts. Many of its parts are repetitive, but they require the scrutiny of human cybersecurity professionals to be carried out effectively. AI and machine learning technology has yet to reach a level advanced enough to competently handle the complexities of security testing.

However, the past years have produced excellent examples of solutions that take advantage of automation. These pen-testing platforms employ automation in specific areas that make excellent sense. These existing solutions provide convincing evidence of the benefits of automation in this field of cybersecurity.

Tags: Automated Penetration Testing


Jun 08 2021

Reformulating the cyber skills gap

Category: cyber security, InfoSec jobs | DISC @ 8:45 am

Many thought leaders have approached the skills shortage from a cumulative perspective. They ask “How on Earth can companies afford to keep re-training their teams for the latest cyber-threats?” The challenge, to them, emanates from the impracticalities of entry level training becoming obsolete as new challenges emerge.

Of course, the question of ongoing training is very important, but I believe it has misled us in our evaluation of the growing disparity between the supply and demand of cyber-professionals. What we should be asking is “How can we create a generation of cyber-professionals with improved digital skills and resilience to tackle an enemy that continually mutates?”

Defining the relationship between people and tech is of the utmost importance here. Cybersecurity is not merely a technical problem, it’s a human problem. This is a critical intersection. People are not the weakest link in an effective cybersecurity defense strategy, but the most crucial. However, technology is the apparatus that can properly arm us with the skills to defend against attacks.

The silver bullet

The only thing we can be certain of is that cyberattacks are taking place right now and will continue to take place for the foreseeable future. As a result, cybersecurity will remain one of the most critical elements for maintaining operations in any organization.

There is a growing appetite for reform in cybersecurity training, particularly among higher education institutions (e.g., the UK’s top universities now offer National Cyber Security Centre (NCSC) certified Bachelor’s and Master’s programs). It is in the interest of the British government that this appetite continues to grow, as the Department for Culture, Media & Sport reported there were nearly 400,000 cybersecurity-related job postings from 2017-2020.

In addition, COVID-19 has been a significant catalyst in increasing uptake and emphasis on cyber skills since the steep rise in the use of digital platforms in both our work and personal lives has expanded the surface area for attacks and created more vulnerability.

Overall, though, young people remain our best hope for tackling the global cyber skills gap, and only by presenting cybersecurity to them as a viable career option can we start to address it. This is the critical starting point. Once we do this, the next important step is to give universities and schools the facilities to offer sophisticated cyber training.

The Cyber Skill Gap: How To Become A Highly Paid And Sought After Information Security Specialist! by [Vagner Nunes]

Tags: cyber skills gap


Jun 07 2021

In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat service AN0M for 3+ years to intercept messages between criminals globally

Category: Cybercrime | DISC @ 10:52 pm

The FBI and Australian Federal Police ran an encrypted chat platform and intercepted secret messages between criminal gang members from all over the world for more than three years.

Named Operation Ironside, on Monday, law enforcement agencies from Australia, Europe, and the US conducted house searches and arrested hundreds of suspects across a wide spectrum of criminal groups, from biker gangs in Australia to drug cartels across Asia and South America, and weapons and human traffickers in Europe.

In a press conference today, Australian police said the sting operation got underway in 2018 after the FBI successfully seized encrypted chat platform Phantom Secure.

Knowing that the criminal underworld would move to a new platform, US and Australian officials decided to create their own service, which they called Anøm (also stylized as AN0M).

Just like Phantom Secure, the new service consisted of secure smartphones that were configured to run only the An0m app and nothing else.

The app, advertised through word of mouth and via the anom.io website, allowed phone owners to send encrypted text and voice messages between devices and prevented them from installing any other apps.

No phone number was required to use the app, which relayed all its messages via An0m’s central platform.

But according to investigators, this app design allowed officials to intercept the messages and decrypt texts sent by gang members to each other, many of which included details of drug movements or murder plots.

According to Australian police officials, the FBI ran the platform while the AFP technical staff built a system to decrypt messages that passed through the platform in real-time.

Officials initially relied on undercover agents to promote the An0m devices, but as law enforcement agencies shut down competing platforms, such as EncroChat and Sky ECC, other gangs found refuge on the network, which eventually amassed more than 11,000 users.

Investigators described Operation Ironside as one of the largest sting operations in law enforcement history.

Investigators appear to have decided to shut down the sting operation after criminal groups started catching on that the An0m app was leaking their conversations.

Source: In a huge sting operation, FBI and Australian Federal Police ran an encrypted chat

Listening In: Cybersecurity in an Insecure Age

The Wires of War

Tags: AN0M, encrypted chat

