Tuesday, January 31, 2017

Information Security Events For February

Here are information security events in North America this month:

  • BSides Huntsville 2017: February 4 in Huntsville, AL, USA
  • BSides Seattle 2017: February 4 in Redmond, WA, USA
  • BSides Tampa Bay 2017: February 10 in Tampa, FL, USA
  • BSides San Francisco 2017: February 12 […]

The post Information Security Events For February appeared first on Infosec Events.



from Information Security Events For February

33c3, Vasilios Mavroudis’ and Federico Maggi’s ‘Talking Behind Your Back’


from 33c3, Vasilios Mavroudis’ and Federico Maggi’s ‘Talking Behind Your Back’

Security sites to bookmark: fireeye, darkmatters.norsecorp and blueliv

New trends in security intelligence services A traditional marketing element already present in most security providers' Internet presence is a blog on current topics of interest: A smart way to attract readers while announcing their added value as a s...

from Security sites to bookmark: fireeye, darkmatters.norsecorp and blueliv

Webcast: How to Use the Trusted Platform Module (TPM) for Trust and Security

The rush to connect ever more devices with sensitive data and often insecure connections has created an exponential increase in associated security issues. Every day brings new reports of attacks, hacks, malware and data breaches. Fortunately, the TPM, or Trusted Platform Module, includes several widely vetted ways that help prevent many of these incidents and … Continue reading "Webcast: How to Use the Trusted Platform Module (TPM) for Trust and Security"

The post Webcast: How to Use the Trusted Platform Module (TPM) for Trust and Security appeared first on Trusted Computing Group.



from Webcast: How to Use the Trusted Platform Module (TPM) for Trust and Security

Shopping for W2s, Tax Data on the Dark Web

The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can't be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

from Shopping for W2s, Tax Data on the Dark Web

3 Steps to a Secure ICS Network

Industrial Control Systems (ICS) attacks have a direct impact on people’s lives. The consequences of these attacks can be unpredictable, which is why ICS protection is a hot topic in security right now. Defining the right protection layer and best approach to secure communications in this environment is crucial. Historically, ICS departments operated independently from…

The post 3 Steps to a Secure ICS Network appeared first on Speaking of Security - The RSA Blog.



from 3 Steps to a Secure ICS Network

Three Upcoming Open Source Conferences

Attending open source conferences like the three coming up this spring can be an effective way to both expand your skills and make contacts with people from outside your organization. read more

from Three Upcoming Open Source Conferences

Cyber Security Roundup for January 2017

Lloyds Banking Services were hit by a massive 3-day long DDoS attack in mid-January, impacting millions of Lloyds, Halifax and Bank of Scotland customers' ability to conduct online and mobile banking. Lloyds wasn't the only UK business hit with a major DDoS attack in January: web hosting firm 123-Reg was taken down by another large DDoS attack. It seems major DDoS attacks are set to continue in 2017, their scale and capability fuelled by the rise of insecure IoT devices popping up online. I think large-scale DDoS attacks will be a major menace to UK national and financial infrastructure for years to come.

For the first time, 'Cyber Crime' statistics were included in the England and Wales crime survey, with over 3.6 million fraud cases and over 2 million computer misuse offences recorded in 2016, which is more than the typical 'physical world' recorded crime. It is worth considering that not all cybercrime is reported in England and Wales; in my view the majority of UK cybercrime isn't reported.

The latest Beazley Breach Insights Report predicts the number of ransomware attacks will double again in 2017, and UK schools are the latest sector to become victims of ransomware. With the growing ransomware threat in mind, the Malware Hunters Team produced an interesting breakdown of a new ransomware strain called FireCrypt this month, well worth a look if you are interested in how the bad guys create, evolve and use ransomware tools.

There are lessons for the UK call centre industry to learn from a US telemarketing firm, which reportedly had a database of 400,000 call recordings breached. These voice recordings were said to hold personal information and, more concerningly, debit/credit card information. This breach is a reminder of the importance of adequately securing call recording data in call centres, and of Payment Card Industry Data Security Standard (PCI DSS) requirement 3.2, which states that the debit/credit card “3 or 4 digit security codes”, known in the industry as Sensitive Authentication Data, are never permitted to be recorded or stored beyond the authorisation of the card payment transaction. This is a PCI DSS requirement that far too many UK call centre businesses turn a blind eye to. The strict requirement is there for a reason: if fraudsters get hold of credit/debit card data together with the 3/4 digit security code, they can instantly commit fraud without possessing the customer's payment card.

News
Awareness, Education and Threat Intelligence

Reports


from Cyber Security Roundup for January 2017

Password-stealing security hole discovered in many Netgear routers


A security researcher has described how he uncovered a severe security hole in dozens of different Netgear routers, meaning that “hundreds of thousands, if not over a million” devices could be at risk of having their admin passwords stolen by hackers.

Read more in my article on the We Live Security blog.



from Password-stealing security hole discovered in many Netgear routers

Cisco Coverage for Shamoon 2

Shamoon is a type of destructive malware that has been previously associated with attacks against the Saudi Arabian energy sector we've been tracking since 2012. We've observed that a variant of Shamoon, identified as Shamoon 2, has recently been used ...

from Cisco Coverage for Shamoon 2

IoT Ransomware against Austrian Hotel

Attackers held an Austrian hotel network for ransom, demanding $1,800 in bitcoin to unlock the network. Among other things, the locked network wouldn't allow any of the guests to open their hotel room doors.

I expect IoT ransomware to become a major area of crime in the next few years. How long before we see this tactic used against cars? Against home thermostats? Within the year is my guess. And as long as the ransom price isn't too onerous, people will pay.

EDITED TO ADD: There seems to be a lot of confusion about exactly what the ransomware did. Early reports said that hotel guests were locked inside their rooms, which is of course ridiculous. Now some reports are saying that no one was locked out of their rooms.



from IoT Ransomware against Austrian Hotel

Privacy and Cybersecurity in Education: A Constant Battle

Millions of institutions across all industries have embraced cloud computing, seeing improvements in productivity, customer service, and cost savings. Yet cloud is impacting one industry at a larger scale than others: Education. Cloud is opening a new world of possibilities to students from across the globe, granting them access to a rich array of training resources, eliminating expensive and outdated textbooks, hardware and software; allowing them to collaborate efficiently. Despite significant security and privacy concerns, it is estimated that the global cloud computing in education market…

from Privacy and Cybersecurity in Education: A Constant Battle

Q/A with itacs GmbH’s Kai Wilke – DevCentral’s Featured Member for February

Kai Wilke is a Principal Consultant for IT Security at itacs GmbH – a German consulting company located in Berlin City specializing in Microsoft security solutions, SharePoint deployments, and customizations as well as classical IT Consulting. He is also a 2017 DevCentral MVP and DevCentral’s Featured Member for February! For almost 20 years in IT, […]

from Q/A with itacs GmbH’s Kai Wilke – DevCentral’s Featured Member for February

Insider trading takes the Dark Web by storm

New research highlights how inside traders are making thousands on the side by sharing their company access.

from Insider trading takes the Dark Web by storm

IBM calls healthcare industry a ‘leaky vessel in a stormy sea’

New research suggests that not enough is being done to protect medical systems and patient data.

from IBM calls healthcare industry a ‘leaky vessel in a stormy sea’

Locky Bart ransomware and backend server analysis

The developers of Locky Bart already had very successful ransomware campaigns running called “Locky” and “Locky v2”. After some users reported being infected with Locky Bart, we investigated it to find the differences as to gain greater knowledge and understanding of this new version.




from Locky Bart ransomware and backend server analysis


If There Was a Flu Inoculation for Malware, Would You Get It?

It’s inevitable that we’ll have to fight off some sort of strain of flu during the winter season. Without adequate protection, the same goes for malware. Flu inoculations are unreliable due to the virus’ unpredictable polymorphic nature. If there was a reliable vaccine, you’d get it, right? Bromium’s micro-virtualization technology does offer reliable protection against […]

from If There Was a Flu Inoculation for Malware, Would You Get It?

Internet Censorship / Open Internet

Earlier this month my colleague Carl Herberger wrote a blog post regarding how the internet was rolling back our freedoms. I would agree with him. As time moves forward, we are seeing more situations where no one can hide from their government as the internet closes around them. An open internet as we know it […]

The post Internet Censorship / Open Internet appeared first on Radware Blog.



from Internet Censorship / Open Internet

ESET: Key Insights & Key Card Ransomware

ESET’s WeLiveSecurity blog put together an article combining commentary from Stephen Cobb, Lysa Myers and myself: Ransomware: Key insights from infosec experts. Yesterday, the site also commented on a story – Austrian hotel experiences ‘ransomware of things attack’ – that I also touched upon for ITSecurity UK: Key Card Ransomware: News versus FUD. David Harley

from ESET: Key Insights & Key Card Ransomware

Telemarketing firm leaks 17,000 recorded calls, many containing credit card details

Audio recordings of telemarketing calls include customers' names, physical addresses, phone number, credit card number, CV numbers, and more. David Bisson reports.

from Telemarketing firm leaks 17,000 recorded calls, many containing credit card details

Inception and the Road from Security Serendipity

You spin the top and wait to see if it continues in kinetic motion or if it falls to the pull of gravitational force. You trust that the road chosen to walk the path of serendipity toward an anticipated culmination of the correct state of scientific innovation – which, in this case, has been forged to […]… Read More

The post Inception and the Road from Security Serendipity appeared first on The State of Security.



from Inception and the Road from Security Serendipity

Regulatory Compliance in the Cloud

Choosing to upload your data to the cloud is, for the most part, a moot point; the advantages of mobility, scalability and convenience have proven that cloud platforms are a necessary and vital tool for the advancement of modern-day industry. However, some issues are still a challenge for the online world, including that of regulatory […]… Read More

The post Regulatory Compliance in the Cloud appeared first on The State of Security.



from Regulatory Compliance in the Cloud

Saudi Organizations Targeted by Resurfaced Shamoon Disk-Wiping Malware

FortiGuard is currently investigating a new wave of attacks targeting kingdom of Saudi Arabia organizations that use an updated version of the Shamoon malware (also known as DistTrack.) We described this malware in detail a few months ago in a previous...

from Saudi Organizations Targeted by Resurfaced Shamoon Disk-Wiping Malware

33c3, Jos Wetzels’ and Ali Abbasi’s ‘Wheel of Fortune’


from 33c3, Jos Wetzels’ and Ali Abbasi’s ‘Wheel of Fortune’

How do I get my employees to stop clicking on everything?

If you’ve been given responsibility for network security in a non-technical area of the business, there’s one eternal question that has been bedeviling you: how do you get your employees to stop clicking on everything?




from How do I get my employees to stop clicking on everything?

Dynamic Security Assessment: In Action

In the first two posts of the Dynamic Security Assessment series, we delved into the limitations of security testing and then presented the process and key functions you need to implement the concepts.

To illuminate the concepts and make things a bit more tangible, let’s look at a plausible scenario involving a large enterprise in financial services with hundreds of locations. The organization has a global headquarters on the West Coast of the US and 4 regional HQ locations across the globe. Each region has a data center and IT operational folks to run things. The security team is centralized under a global CISO, but each region has a team that works specifically with the business leaders to ensure proper protection and jurisdiction. The organization’s business plan includes rapid expansion of its retail footprint and additional regional acquisitions, so the network and systems will continue to become more distributed and more complicated.

From a technology standpoint, new initiatives are being built in the public cloud. This was controversial at first, but there isn’t much resistance anymore. Migration of existing systems remains a challenge, but due to cost and efficiency needs the strategic direction is to consolidate the regional data centers into a single location to support legacy applications within 5 years. This centralization is made possible by moving a number of back-office systems to SaaS: their back-office software provider just launched a new service, and using the SaaS offering makes deploying in new locations and integrating acquired organizations much easier. They are heavy users of cloud storage, as initial fears were allayed by the economic leverage of not having to keep investing in their complex and expensive storage architecture.

Clearly security is both an area of focus and a big concern, given the amount and sensitivity of financial data the organization manages. They are constantly phished and spoofed, and their applications are under attack daily. There are incidents, though nothing rising to the level of requiring disclosure to customers, but the fear is always there of adversary activity that they miss.

From a security operations standpoint, they currently scan their devices and have a reasonably effective patching/hygiene process, but it still takes on average 30 days to roll out updates across the enterprise. They also undertake an annual pen test, and to keep their key security analysts engaged, they allow them to spend a few hours a week hunting for active adversaries and other malicious activity.

CISO Concerns

The CISO has a number of concerns regarding the organization’s security posture. Compliance mandates require vulnerability scans, which find what is theoretically vulnerable. But working through the list and making the changes takes a month. They always get great information from the annual pen test, but it only happens once a year and they can’t invest enough to find all of the issues.

And that’s just the existing systems spread across the existing data centers. The move to the cloud is significant and accelerating. As a result, sensitive (and protected) data is all over the place and they need to understand which ingress and egress points present risk of both penetration and exfiltration.

Compounding the issue is the direction to continue opening new branches and acquiring regional organizations. Doing the initial diligence on the newly acquired environment takes time that the team doesn’t have, and they usually have to make compromises on security to hit the aggressive timelines to integrate new organizations and drive cost economies.

To try to get ahead of attackers, they do undertake some hunting activity. But it’s a part time endeavor for their staff and they tend to find the easy stuff since that’s what their tools identify first.

The bottom line is that the window of exposure is open for at least a month, and that’s if everything works well. They know it’s too long and need to understand what they should focus on knowing they can’t get everything done and how they should most effectively deploy their staff.

Using Dynamic Security Assessment

The CISO understands the importance of assessment (given they already scan/patch and undertake an annual pen test), and is definitely interested in evolving towards a more dynamic assessment methodology. DSA would look like this in their environment:

  • Baseline Environment: The first step is to gather network topology and device configuration information and build a map of the current network. With this data, a baseline can be built of how traffic flows through the environment and what attack paths could be exploited to access sensitive data.
  • Simulation/Analytics: The financial institution cannot afford downtime, as their business is 24/7. So a non-disruptive, non-damaging means of testing the infrastructure is critical. Add to that the ability to assess the impact of adding new locations and (more importantly) acquired companies/networks, which helps understand what needs to be addressed before going live with an integrated network. Finally, being able to have a presence in cloud networks provides another means of understanding the security posture of the organization, since an increasing amount of sensitive data is being moved to the cloud.
  • Threat Intel: The good news is that our model company is big, but not a Fortune 10 bank. That means it’ll be targeted, but not at the front end of any large scale attack using very sophisticated malware. This provides a window to learn from other financials, seeing how they are targeted, the malware used, the bot networks they connect to, and other TTPs. This provides the means to both put workarounds in place preemptively and understand the impact of the workarounds/fixes before actually committing time and resources to making the actual changes. In a resource constrained environment, this is absolutely critical.

So bringing to bear the new capabilities associated with Dynamic Security Assessment can provide a clear advantage over traditional scanning and pen testing approaches. Again, the idea isn’t to supplant the existing method, but supplement in a way that provides a more reliable means of prioritizing effort and detecting attacks.

Bringing It All Together

So in our sample company, the initial step is to deploy sensors across the environment, in each location and within all of the cloud networks. This provides the initial data to model the environment and build a map of the networks. Once you have the environment modeled, then you can start analyzing the risk for sensitive data stores. Identifying a handful of “missions” that the adversaries would likely undertake helps to focus efforts on clear and present danger, as opposed to every potential hole in the environment.

This initial assessment and resulting triage helps the organization focus their efforts on the attacks that can really cause a bunch of damage. The CISO understands there is a 30 day window before everything can be addressed (optimistically), but can ensure the team is focused on eliminating the issues with those high profile networks and devices that put sensitive data at risk.

Once the initial triage is done, the team can undertake a more detailed analysis of the environment turning the map into a baseline, understanding the typical traffic flows and activities within all of the organization’s systems and networks. This allows both the simulation activities and ongoing assessment activities to be able to identify anomalous activity, which warrants further investigation and/or immediate action.

Leveraging threat intelligence data also plays into the ongoing assessment enabled by DSA. Instead of just patching everything, the CISO can marshal resources to address new attacks that are seen in the wild and would be successful in their environment, based on the ongoing simulation. This again helps the CISO focus resources on the issues that could cause the most significant damage.

DSA also helps with change control. As new changes are requested, driven by business needs and application upgrades, the impact of those changes can be modeled and the risks understood. So when an application is deployed into the cloud, the network map can be updated quickly to factor in these new potential exposure points. Similarly, diligence on opening new offices and integrating acquired companies is accelerated since the new locations can be easily modeled and the risks evaluated. What used to be an ad hoc, unscientific process can be quick and fact-based. Thus the CISO can present concerns not based on a gut feel, but with hard data about potential risks.

Finally, the DSA capability ensures that changes are made completely and accurately, as the ongoing assessment will identify whether issues found previously have been remediated and if not, what else needs to be done. The CISO is able to address the biggest concerns, which are to ensure they focus on the biggest risks and they get a full view of their entire infrastructure, including the resources that now run in the cloud.
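To make the modeling steps above concrete (map the network, enumerate the paths from ingress points to sensitive data stores, prioritize what to fix first within the 30-day window, model a proposed change before approving it, and confirm that a remediation actually closed the paths it was meant to), here is an added example that is not part of the Securosis post and not any DSA product's code. The segments, the permitted flows between them and the "weak control" flags are all constructed sample data standing in for what the post says sensors and device configurations would yield.

```python
from collections import defaultdict, Counter

# Constructed sample network map (not from the post): named segments, which of
# them are ingress points, and which hold sensitive data.
SEGMENTS = {
    "internet":      {"ingress": True},
    "partner-vpn":   {"ingress": True},
    "dmz-web":       {},
    "corp-lan":      {},
    "region-dc":     {},
    "cloud-vpc":     {},
    "cardholder-db": {"sensitive": True},
    "hr-pii-store":  {"sensitive": True},
}

# Constructed permitted flows: (source, destination, weak_control).
# weak_control=True marks a hop that currently relies on an unpatched finding
# or has no control beyond the firewall permit itself.
FLOWS = [
    ("internet",    "dmz-web",       True),
    ("partner-vpn", "corp-lan",      False),
    ("dmz-web",     "corp-lan",      True),
    ("dmz-web",     "cloud-vpc",     False),
    ("corp-lan",    "region-dc",     False),
    ("corp-lan",    "hr-pii-store",  True),
    ("region-dc",   "cardholder-db", False),
    ("cloud-vpc",   "cardholder-db", True),
]


def build_graph(flows):
    """Adjacency list of permitted flows: segment -> reachable segments."""
    graph = defaultdict(list)
    for src, dst, _weak in flows:
        graph[src].append(dst)
    return graph


def attack_paths(segments, flows, max_hops=6):
    """Enumerate simple paths from every ingress segment to every sensitive
    store.  This is the 'baseline': which routes to protected data exist at all."""
    graph = build_graph(flows)
    sensitive = {n for n, attrs in segments.items() if attrs.get("sensitive")}
    paths = []

    def walk(node, path):
        if node in sensitive:
            paths.append(path)
            return
        if len(path) > max_hops:
            return
        for nxt in graph[node]:
            if nxt not in path:            # simple paths only, no cycles
                walk(nxt, path + [nxt])

    for start, attrs in segments.items():
        if attrs.get("ingress"):
            walk(start, [start])
    return paths


def hop_priority(paths, flows):
    """Rank weak-control hops by how many ingress->sensitive paths cross them.
    Fixing the top hop removes the most paths per unit of the team's time."""
    weak = {(s, d) for s, d, w in flows if w}
    counter = Counter()
    for path in paths:
        for hop in zip(path, path[1:]):
            if hop in weak:
                counter[hop] += 1
    return counter.most_common()


def change_impact(segments, flows, new_flows):
    """Model a requested change (e.g. a new cloud-hosted application) before it
    is approved: return only the paths that the change would newly open."""
    before = {tuple(p) for p in attack_paths(segments, flows)}
    after = {tuple(p) for p in attack_paths(segments, flows + new_flows)}
    return sorted(after - before)


def without_hop(flows, hop):
    """Apply a remediation that removes a permitted flow (re-segmentation);
    re-running attack_paths on the result verifies the fix actually closed paths."""
    return [f for f in flows if (f[0], f[1]) != hop]


if __name__ == "__main__":
    baseline = attack_paths(SEGMENTS, FLOWS)
    print(f"{len(baseline)} ingress->sensitive paths in the baseline")
    print("fix first:", hop_priority(baseline, FLOWS)[:2])
    # Proposed change: expose an app in the cloud VPC directly to the internet.
    print("new paths opened by change:",
          change_impact(SEGMENTS, FLOWS, [("internet", "cloud-vpc", True)]))
    # Remediation: close the DMZ -> corporate LAN permit, then re-assess.
    print(f"{len(attack_paths(SEGMENTS, without_hop(FLOWS, ('dmz-web', 'corp-lan'))))} paths remain after remediation")
```

Running the script on the constructed map finds five baseline paths, ranks the internet-to-DMZ hop as the first thing to fix because three of them cross it, shows that the proposed cloud exposure would open one new route to the cardholder database, and confirms that closing the DMZ-to-LAN permit leaves three paths, which is the re-assessment the post describes under change control and remediation tracking. Real deployments would feed the map from sensor and configuration data rather than a literal, but the analysis loop is the same.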

So with that, we wrap up the Dynamic Security Assessment series. We’ll be assembling the paper over the next couple of weeks, so we’re always happy to get feedback on any of the posts to help us improve our research.

- Mike Rothman

from Dynamic Security Assessment: In Action

3 Reminders for HIPAA compliance in 2017


Even if notable punishments and fines for HIPAA non-compliance have only been doled out over the last 6 years, data privacy regulations have been around for 14. And with each passing year, these rules evolve in ways that make it near impossible to keep up without an expert on hand.

The post 3 Reminders for HIPAA compliance in 2017 appeared first on Health Security Solutions.



from 3 Reminders for HIPAA compliance in 2017

Evil Ops, MethBot

The story of the malvertising delivered MethBot - (PDF), and, at $3,000,000.00 per day (est.) it's truly maki...

from Evil Ops, MethBot

Monday, January 30, 2017


New Innovations for the New Year, Part Two: The Long Term

As I discussed in my previous post, the security industry often feels dangerously reactive to innovation. Instead of looking forward to the future, we are constantly playing catch up and filling in gaps as they emerge. Short term resolutions will always tend to be more reactive as a whole, but we can use the tools we develop today to prognosticate the future of our industry. Ultimately, our sector needs to find a proper balance between anticipation and reaction. Today, most […]

The post New Innovations for the New Year, Part Two: The Long Term appeared first on Data Security Blog | Vormetric.



from New Innovations for the New Year, Part Two: The Long Term

EyePyramid: An Archaeological Journey

This post was authored by Mariano Graziano and Paul Rascagneres. Summary: Over the last few days a malware sample named EyePyramid has received considerable attention, especially in Italy. The Italian police have arrested two suspects and also published a prelimi...

from EyePyramid: An Archaeological Journey

News in brief: DC cameras hacked; Trump ‘unprepared’ for Russian cyberattacks; fake news probed

Your daily round-up of some of the other stories in the news

from News in brief: DC cameras hacked; Trump ‘unprepared’ for Russian cyberattacks; fake news probed

Ransomware attack impacted 70% of Washington DC police surveillance cameras

Officials found 123 of 187 network video recorders capturing CCTV footage had fallen victim to two strains of ransomware. David Bisson reports.

from Ransomware attack impacted 70% of Washington DC police surveillance cameras

GDPR is just over a year away – and many firms are nowhere near ready

We've got some suggestions to help you prepare for the biggest shake-up to data security for decades

from GDPR is just over a year away – and many firms are nowhere near ready

Sex club for women exposes members’ private photographs

Poorly configured website left photos available online - we offer tips on how to protect your privacy when you sign up to sensitive sites

from Sex club for women exposes members’ private photographs

Over four billion data records were stolen in 2016

Three companies alone accounted for half of the total number of stolen records.

from Over four billion data records were stolen in 2016


“Thank you” is not enough

A few weeks ago I made a very personal, and very public announcement- that I had lost my wife to cancer a few days before Christmas. I debated how to share the news, especially since we had largely kept it quiet- she was as private a person as I am public. I decided to share the news on Twitter and Facebook, and the response was overwhelming. Literally overwhelming. The outpouring of love and support I received was humbling and deeply moving. It made me want to be a better person (although a dear friend cautioned me against making any rash decisions).
The words “thank you” are not enough, especially tossed out here on my neglected blog, but it is a start. Thank you- to friends old and new, acquaintances, and complete strangers. I am truly humbled by your support.
For those who had not heard the news or our story, my wife and I met when she was 14 and I was 15, we started dating a few months later and never stopped. Below is a photo of us from 1976 (and yes, it is one of the last known photos of me without a beard).
[Photo: FallFormal1976-1]

2016 was a rough year for many of us and 2017 is presenting us with new challenges, but (forgive my optimism) together we can make things suck less, personally and professionally.
For me 2017 is about friends old, new, and as yet unmet. I still love technology, I love abusing technology and solving problems with technology, but this year is about people. I’ll be at most of the usual events, and a lot of smaller ones, all around the world. If our paths cross please find me, say hello, maybe share coffee or a cocktail and conversation.
I was recently at Shmoocon, it is an event I have always enjoyed and this year it was especially good to reconnect with the Shmoocon crowd as I started my return to being active and engaged on the road. I’ll be at BSides San Francisco and RSA in a couple of weeks, after that I’m regrouping before hitting the road again, but more on that later.
Thank you
Jack


from “Thank you” is not enough

New Rules on Data Privacy for Non-US Citizens

Last week, President Trump signed an executive order affecting the privacy rights of non-US citizens with respect to data residing in the US.

Here's the relevant text:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

At issue is the EU-US Privacy Shield, which is the voluntary agreement among the US government, US companies, and the EU that makes it possible for US companies to store Europeans' data without having to follow all EU privacy requirements.

Interpretations of what this means are all over the place: from extremely bad, to more measured, to don't worry and we still have PPD-28.

This is clearly still in flux. And, like pretty much everything so far in the Trump administration, we have no idea where this is headed.



from New Rules on Data Privacy for Non-US Citizens

SSD Advisory – NCurses 5.9 Local Privilege Escalation

Vulnerability Summary: The following advisory describes a Local Privilege Escalation vulnerability in NCurses, version 5.9. Credit: An independent security researcher, Dawid Golunski (https://legalhackers.com/), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. Vendor Responses: NCurses has released a patch to address the vulnerability. Thomas Dickey has also added the following statement: “I don’t … Continue reading SSD Advisory – NCurses 5.9 Local Privilege Escalation

from SSD Advisory – NCurses 5.9 Local Privilege Escalation

SSD Advisory – IBM WebSphere Portal Cross-Site Scripting (XSS)

Vulnerabilities Summary: The following advisory describes a Cross-Site Scripting (XSS) vulnerability found in WebSphere Portal version 8.0.0.1. IBM WebSphere Portal products provide enterprise web portals that help companies deliver a highly personalized, social experience for their customers. WebSphere Portal products give users a single point of access to the applications, services, information and social connections they … Continue reading SSD Advisory – IBM WebSphere Portal Cross-Site Scripting (XSS)

from SSD Advisory – IBM WebSphere Portal Cross-Site Scripting (XSS)

PSD2: Is this the End of SMS-based Authentication?

SMS Authentication

Banks and payment service providers sometimes rely on SMS to verify the identity of a person who wishes to make a wire transfer or confirm a payment. They send an SMS message with a one-time password (OTP) to the person’s mobile phone, and the user has to enter this OTP into the application of the bank or payment service provider. In this blog post I discuss whether SMS-based authentication will... Read more

The post PSD2: Is this the End of SMS-based Authentication? appeared first on VASCO Data Security - Blog.



from PSD2: Is this the End of SMS-based Authentication?

Uber was right to disable surge pricing at JFK

Yesterday, the NYC taxi union had a one-hour strike protesting Trump's "Muslim Ban", refusing to pick up passengers at the JFK airport. Uber responded by disabling surge pricing at the airport. This has widely been interpreted as a bad thing, so the hashtag "#DeleteUber" has been trending, encouraging people to delete their Uber accounts/app.

These people are wrong, obviously so.

Surge Pricing

Uber's "Surge Pricing" isn't price gouging, as many assume. Instead, the additional money goes directly to the drivers, to encourage them to come to the surging area and pick up riders. Uber isn't a taxi company. It can't direct drivers to go anywhere. All it can do is provide incentives. "Surge Pricing" for customers means "Surge Income" for the drivers, giving them an incentive. Drivers have a map showing which areas of the city are surging, so they can drive there.

Another way of thinking about it is "Demand Pricing". It's simply the economic Law of Supply and Demand. If demand increases, then prices increase, and then supply increases chasing the higher profits. It's why, famously, you can't get a taxi cab on New Year's Eve, but you can get an Uber driver. Taxi drivers can't charge more when demand is surging, so there are no more taxis available on that date than on any other. But Uber drivers can and do charge more, so there are more Uber drivers.

Supply and Demand is every bit as much a law as Gravity. If the supply of taxi drivers is less than the demand, then not everyone is going to get a ride. That's basic math. If there are only 20 drivers right now, and 100 people wanting a ride, then 80 riders are going to be disappointed. The only solution is more drivers. Paying drivers more money gets more drivers. The part-time drivers, the drivers planning on partying instead of working, will decide to work New Year's chasing the surge wages.

Uber's announcement

Uber made the following announcement:
Surge pricing has been turned off at #JFK Airport. This may result in longer wait times. Please be patient.
— Uber NYC (@Uber_NYC) January 29, 2017
Without turning off Surge Pricing, Uber's computers would notice the spike in demand, as would-be taxi customers switch to Uber. The computers would then institute surge pricing around JFK automatically. This would notify the drivers in the area, who would then flock to JFK, chasing the higher income. This would be bad for the strike.

By turning off surge pricing, there would be no increase in supply. It would mean the only drivers going to JFK are those dropping off passengers. It would mean that Uber wouldn't be servicing any more riders than on a normal day, making no difference to the taxi strike, one way or the other.

Why wouldn't Uber stop pickups at JFK altogether, joining the strike? Because it'd be a tough decision for them. They have a different relationship with their drivers. Both taxis and Uber are required to take passengers to the airport if asked, but taxis are much better at weaseling out of it [*]. That means screwing drivers, forcing them to go way out to JFK with no return fare. In contrast, taxis were warned enough ahead of time to avoid the trip.

The timing

The above section assumes a carefully considered Uber policy. In reality, they didn't have the time.

The taxi union didn't announce their decision until 5pm, with the strike set for only one hour, between 6pm and 7pm.
BREAKING: NYTWA drivers call for one hour work stoppage @ JFK airport today 6 PM to 7 PM to protest #muslimban! #nobannowall
— NY Taxi Workers (@NYTWA) January 28, 2017
Uber's announcement was at 7:30pm, half an hour after the strike was over. They may not have been aware of the strike until after it started, when somebody noticed an enormous surge starting at 6pm. I can imagine them running around in a panic at 6:05pm, trying to figure out how to respond.

Disabling surge pricing is probably their default action. They've been down this route before. Every time there is a terrorist attack or natural disaster, and computers turn on Surge Pricing, somebody has to rush to go turn it off again, offer customer rebates, and so on for PR purposes.

Why doesn't the press report this?

Everyone knows Surge Pricing is evil. After all, that's what you always read in the press. But that's because the press knows as little about basic economics as their readers.

A good example is this CNN story on the incident [*].

CNN describes this as "effectively lowering the cost of a ride". They ignore the reality, that this was "effectively lowering the supply of rides". Reading this, readers will naturally assume there's an unlimited supply ready to service the lower priced rides. What CNN fails to tell readers is that there is no increase in supply, that there can't be more rides than normal. They ignore the bit in the tweet that warns against longer wait times due to lack of supply.

Conclusion

The timing alone makes the #DeleteUber claims nonsense, as the strike was already over for 36 minutes when Uber tweeted. But in any case, Uber's decision not to do surge pricing did not "entice" customers with lower prices -- they would still have long waits (as the tweet says), causing a strong dis-enticement. No rational person could interpret this as Uber trying to profit from this event.

On the other hand, before this event, Uber announced its opposition to Trump's action, and promised to help any of its drivers adversely affected.



from Uber was right to disable surge pricing at JFK

WordPress patches dangerous XSS, SQL injection bugs

The security release fixes three flaws in the content management system.

from WordPress patches dangerous XSS, SQL injection bugs

Authoritative Asset Repository: What’s That?!

A Configuration Management Database (CMDB) is a repository that is an authoritative source of information of what assets are on the corporate network. At least, that’s what it’s supposed to be. However, in many of my recent discussions, the more common definition given for CMDB is “a struggle”. Does that sound familiar? If so, […]

The post Authoritative Asset Repository: What’s That?! appeared first on The State of Security.



from Authoritative Asset Repository: What’s That?!

Dozens of Android VPN Apps Fail to Protect Users’ Privacy, Study Reveals

One of the best friends a user can have in today’s digital age is a virtual private network (VPN). This tool masks a user’s IP address and tunnels their data through a network of servers. In so doing, a VPN helps a user anonymously and more securely browse the web. Unfortunately, not all VPNs fulfill […]

The post Dozens of Android VPN Apps Fail to Protect Users’ Privacy, Study Reveals appeared first on The State of Security.



from Dozens of Android VPN Apps Fail to Protect Users’ Privacy, Study Reveals

Hotel guests locked in their rooms by ransomware? It doesn’t make sense

It's a great story, but it's almost certainly not true.

from Hotel guests locked in their rooms by ransomware? It doesn’t make sense

Sunday, January 29, 2017

Former NSA lawyers blast US border plans to collect contacts lists, web histories

One former intelligence lawyer said the move would be 'tremendously intrusive' and could have a 'real cost' to effective intelligence gathering.

from Former NSA lawyers blast US border plans to collect contacts lists, web histories

Former NSA lawyer blasts US border plans to collect contacts lists, web histories

One former intelligence lawyer said the move would be 'tremendously intrusive' and could have a 'real cost' to effective intelligence gathering.

from Former NSA lawyer blasts US border plans to collect contacts lists, web histories

33c3, Mathy Vanhoef’s ‘Predicting and Abusing WPA2/802.11 Group Keys’

Permalink

from 33c3, Mathy Vanhoef’s ‘Predicting and Abusing WPA2/802.11 Group Keys’

Planning for RSA Conference? How to optimize your experience

Attending the RSA Conference (RSAC) for the first time can be a somewhat daunting experience. As anyone who has attended a past event will confirm, there is a veritable wealth of opportunity packed into a few days in the heart of one of the world’s most exciting cities! So how do you optimize your time to maximize your benefit? First, RSAC is designed to cover the interests of many different IT Security specialties. Peruse the track descriptions and you will find sessions for cryptography, application security, hackers & threats, law, policy and government, privacy, sponsor special topics, …

from Planning for RSA Conference? How to optimize your experience

Does an Azure co-administrator have rights over Azure AD

Understand how co-administrator rights of a subscription impact rights on Azure AD instances.

from Does an Azure co-administrator have rights over Azure AD

Can you mix Storage Spaces Direct and shared storage in a cluster?

Learn about what storage can be mixed in a 2016 cluster.

from Can you mix Storage Spaces Direct and shared storage in a cluster?

Check for a switch with PowerShell script

Use switches with your PowerShell scripts.

from Check for a switch with PowerShell script

33c3, Will Scott’s and Philipp Winter’s ‘State of Internet Censorship 2016’

Permalink

from 33c3, Will Scott’s and Philipp Winter’s ‘State of Internet Censorship 2016’

Cybersecurity in 2017: Interview with OWASP Author Jim Manico

As the software world still reels from the major hacks and breaches that occurred, and surfaced, in 2016, it’s critical […]

The post Cybersecurity in 2017: Interview with OWASP Author Jim Manico appeared first on Checkmarx.



from Cybersecurity in 2017: Interview with OWASP Author Jim Manico

A Shakeup in Russia’s Top Cybercrime Unit

A chief criticism I heard from readers of my book, Spam Nation: The Inside Story of Organized Cybercrime, was that it dealt primarily with petty crooks involved in petty crimes, while ignoring more substantive security issues like government surveillance and cyber war. But now it appears that the chief antagonist of Spam Nation is at the dead center of an international scandal involving the hacking of U.S. state electoral boards in Arizona and Illinois, the sacking of Russia's top cybercrime investigators, and the slow but steady leak of unflattering data on some of Russia's most powerful politicians.

from A Shakeup in Russia’s Top Cybercrime Unit

Saturday, January 28, 2017

33c3, Jased’s ‘Untrusting the CPU’

Permalink

from 33c3, Jased’s ‘Untrusting the CPU’

Change Azure resource tag values

Easily check tag values of Azure resources using PowerShell.

from Change Azure resource tag values

Requirements for Azure AD Connect Health usage

Understand what you need to use Azure AD Connect.

from Requirements for Azure AD Connect Health usage

State Chief Security Officers Share Current Plans



from State Chief Security Officers Share Current Plans

33c3, Kai Kunze’s ‘Beyond Virtual and Augmented Reality’

Permalink

from 33c3, Kai Kunze’s ‘Beyond Virtual and Augmented Reality’

33c3, Filippo Valsorda’s and Nick Sullivan’s ‘Deploying TLS 1.3: The Great, The Good and The Bad

Permalink

from 33c3, Filippo Valsorda’s and Nick Sullivan’s ‘Deploying TLS 1.3: The Great, The Good and The Bad

ATM ‘Shimmers’ Target Chip-Based Cards

Several readers have called attention to warnings coming out of Canada about a supposed new form of ATM skimming called "shimming." Shimming attacks are not new (KrebsOnSecurity first wrote about them in August 2015), but they are likely to become more common as a greater number of banks in the United States shift to issuing chip-based cards. Here's a brief primer on shimming attacks, and why they succeed.

from ATM ‘Shimmers’ Target Chip-Based Cards

Browsers leak sensitive info to hackers

The Autofill feature fills a void in the web browsing habits of many. It eliminates the need to enter all your details when logging on your social media accounts or when checking out your basket after e-shopping. On Chrome and Safari browsers, however, danger lurks when you rely too much on autofill.

The post Browsers leak sensitive info to hackers appeared first on Health Security Solutions.



from Browsers leak sensitive info to hackers

CISO Customer Panel – Accelerate 2017

I recently wrote about the general sessions held on the first day of Fortinet's Accelerate 2017. There was so much great information presented that I couldn’t do justice to it in the general overview I posted of the morning’s events. So I wanted to take a few minutes and provide some deeper information around one of the best sessions of the day – the customer panel.

from CISO Customer Panel – Accelerate 2017

Friday Squid Blogging: Squid Fossils from the Early Jurassic

New fossil bed discovered in Alberta: The finds at the site include 16 vampyropods, a relative of the vampire squid with its ink sac and fine details of its muscles still preserved in exquisite detail. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

from Friday Squid Blogging: Squid Fossils from the Early Jurassic

Matryoshka Doll Reconnaissance Framework

This post authored by David Maynor & Paul Rascagneres with the contribution of Alex McDonnell and Matthew Molyett


Overview


Talos has identified a malicious Microsoft Word document with several unusual features and an advanced workflow. It performs reconnaissance on the targeted system to avoid sandbox detection and virtual analysis, and delivers exploitation from a non-embedded Flash payload. This document targeted NATO members in a campaign during the Christmas and New Year holiday. Due to the file name, Talos researchers assume that the document targeted NATO member governments. This attack is also notable because the payload was later swapped out for a large amount of junk data, designed to create resource issues for some simplistic security devices.


The Nested Document


The analysed document is an RTF document with a succession of embedded objects. The first embedded object is an OLE object:

OLE object contained in the Office document

This OLE object contains an Adobe Flash object. The purpose of this Adobe Flash object is to extract a binary blob embedded in itself via ActionScript execution. This blob is a second, encoded and compressed, Adobe Flash object. The encoding algorithm is based on XOR and zlib compression. This second Adobe Flash object is the final payload located within the document.

Analysis of the payload


The relevant part of the payload is located in the ActionScript. First, a global constant is set which contains the URL of the Command & Control:
C&C configuration


First Step:

The first action of the ActionScript is to perform a HTTP request to the C&C:
HTTP request to the C&C
The URI is /nato and perfectly matches the filename pattern.

The Cisco Umbrella cloud security solution helps users to identify the DNS traffic associated with this specific C&C. The screenshot below illustrates the targeted nature of the campaign from the 29th of December 2016 through the 12th of January 2017. The huge quantity of requests starting the 16th of January were performed by the security research community:
The DNS requests on the CC view on Cisco Umbrella
The request contains information about the target obtained through the flash.system.Capabilities.serverString API. Based on the Adobe documentation, the API allows the developer to obtain the capabilities of the installed Adobe Flash version. Here is an example from the documentation:

A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t&DD=f&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f

This query allows the attacker to gain information on the victim machine, including the version of the operating system and the Adobe Flash version. The attacker can use this information as a decision point regarding their interest in the victim. If the infected system looks like a sandbox or a virtual machine, the operator can simply ignore the request, and the ActionScript finishes.
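For a defender reviewing proxy logs, the interesting question is what the first C&C request actually discloses. The following is an added example (not Talos code and not taken from the malicious document) that decodes a serverString value of the documented format quoted above. The sample string is the one from the Adobe documentation; the mapping of short keys such as V, OS and R to readable names follows my reading of the flash.system.Capabilities documentation and is an assumption, not something the post states.

```python
"""Decode a flash.system.Capabilities.serverString value.

Added example for this write-up. The serverString format is a URL-encoded
key=value list; the "t"/"f" values are booleans. The key names below are
my interpretation of the Capabilities class documentation (an assumption).
"""
from urllib.parse import parse_qsl

# Constructed input: the documented sample string quoted in the post.
SAMPLE_SERVER_STRING = (
    "A=t&SA=t&SV=t&EV=t&MP3=t&AE=t&VE=t&ACC=f&PR=t&SP=t&SB=f&DEB=t"
    "&V=WIN%209%2C0%2C0%2C0&M=Adobe%20Windows&R=1600x1200&DP=72&COL=color"
    "&AR=1.0&OS=Windows%20XP&L=en&PT=ActiveX&AVD=f&LFD=f&WD=f&IME=t"
    "&DD=f&DDP=f&DTS=f&DTE=f&DTH=f&DTM=f"
)

# Keys that describe the host environment rather than media capabilities.
# Mapping is an assumption based on the Capabilities property names.
HOST_FIELDS = {
    "V": "flash_version",        # Capabilities.version, e.g. "WIN 9,0,0,0"
    "M": "manufacturer",         # Capabilities.manufacturer
    "OS": "os",                  # Capabilities.os
    "R": "screen_resolution",    # Capabilities.screenResolutionX x Y
    "DP": "screen_dpi",          # Capabilities.screenDPI
    "L": "language",             # Capabilities.language
    "PT": "player_type",         # Capabilities.playerType (ActiveX, PlugIn, ...)
    "DEB": "is_debugger",        # Capabilities.isDebugger
}


def parse_server_string(server_string):
    """Return a dict of every field, percent-decoded, with t/f turned into bools."""
    parsed = {}
    for key, value in parse_qsl(server_string, keep_blank_values=True):
        if value == "t":
            parsed[key] = True
        elif value == "f":
            parsed[key] = False
        else:
            parsed[key] = value
    return parsed


def host_fingerprint(server_string):
    """Extract only the fields that identify the victim environment.

    This is what an operator gets to see before deciding whether to serve
    the second-stage payload, and what an analyst can recover from a
    captured request to the C&C.
    """
    raw = parse_server_string(server_string)
    return {name: raw[key] for key, name in HOST_FIELDS.items() if key in raw}


def summarize(server_string):
    """One-line summary suitable for a SOC ticket or an IR timeline entry."""
    fp = host_fingerprint(server_string)
    return (
        f"{fp.get('os', '?')} / Flash {fp.get('flash_version', '?')} / "
        f"{fp.get('player_type', '?')} / {fp.get('screen_resolution', '?')} / "
        f"lang={fp.get('language', '?')} / debugger={fp.get('is_debugger', '?')}"
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_SERVER_STRING))
```

The useful takeaway is that a single query string leaks operating system, Flash build, player host and display geometry, which is enough for an operator to decide by hand whether a request looks like a real workstation. Feeding captured query strings through `host_fingerprint` during an investigation makes it easy to see exactly what was disclosed for each affected host.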

Second step:


The ActionScript stores the response of the first query in a variable called vars. Then, it performs a second HTTP request on a second URI:
Second HTTP request
The URI contains the value of “k1” obtained with the first request. If this request succeeds, the function expLoaded() (for Exploit Loaded) is executed.

Third step:



The result of the previous request is stored in the swf variable. The data stored in this variable is an encrypted Adobe Flash object (swf). The ActionScript uses the unpack() function with a key (“k3”) obtained during the first request:
decryption of the download SWF file
On this step, the ActionScript performs a third HTTP query:
third HTTP request
If the request succeeds, the function payLoaded (for Payload Loaded) is called.

Fourth step:



The result of the previous request contains an encoded payload. The ActionScript uses the same unpack() with a different key (“k4”) that was obtained with the initial request.
Finally, the downloaded malicious Adobe Flash file is executed via the flash.display.Loader() API with the payload in the argument. The argument variable is called “sh” for shellcode:
execution of the SWF exploit with the payload in argument

A Trap!



The malicious payload has recently been replaced to return a substantial amount of junk data to inhibit investigation. This is designed to create resource utilization issues for devices like simplistic sandbox based security systems. As indicated in the Investigate data above it appears that many members of the security community are looking into these domains. This is very likely a direct response to hinder investigations.


Conclusion



The analysis of the Microsoft Office document shows an advanced infection workflow. The purpose of the document is first to perform reconnaissance of the victims in order to avoid communicating with sandbox systems or analyst virtual machines. Second, the Adobe Flash object requests a payload and an Adobe Flash exploit, which is loaded and executed on the fly. This approach is extremely clever: from the attacker's point of view, the exploit is not embedded in the document, making it more difficult for some security devices to detect than a standard Word trojan. It’s important to note that the actor realized security researchers were poking around their infrastructure and then rigged the infrastructure to create resource issues for some security devices. These are the characteristics of reasonably advanced attackers who have designed an efficient, minimalist framework that was able to adapt its purpose on the fly.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella prevents DNS resolution of the domains associated with malicious activity.



from Matryoshka Doll Reconnaissance Framework

Friday, January 27, 2017

Building Powerful Security Awareness Training for the Healthcare Industry

Over the past couple of weeks, we’ve written a lot about the current state of security in the healthcare industry, and why things need to change.

We’ve also covered the main causes of healthcare data breaches, and noted that powerful security awareness training is the most natural starting point for security conscious healthcare organization.

But so far, we haven’t really covered what should be included in a healthcare specific security awareness training program. After all, while some aspects of security are relevant to every industry, healthcare organizations are faced with a few highly specific problems that need to be addressed.

Before we consider what should be included, though, it’s worth looking at things from another perspective.



from Building Powerful Security Awareness Training for the Healthcare Industry

LeakedSource data breach website goes offline following alleged police raid

The data breach aggregator and lookup service LeakedSource has gone offline following what appears to have been a police raid. David Bisson reports.

from LeakedSource data breach website goes offline following alleged police raid

Spotlight: Website Security Response for Photographers

It takes a lot of bravery to create a small business. Putting yourself out there and taking risks is not for the faint of heart. Having a website is just one aspect of your business, but it’s an important one. A website helps you develop a brand identity, communicate the value of your offerings, and attract new customers.

These days, more business owners are leveraging open-source content management systems to create and maintain their website.

Continue reading Spotlight: Website Security Response for Photographers at Sucuri Blog.



from Spotlight: Website Security Response for Photographers

Developer claims anti-virus does not improve security

Anti-virus is bad, dead (again) and worse, its corpse is poisoning the ecosystem of good software. There is, according to former Mozilla developer Robert O'Callahan, negligible evidence that anti-malware software produced by third-parties provides a...

from Developer claims anti-virus does not improve security

Cyber News Rundown: Edition 1/27/17

Major Dark Web Marketplace Hacked: Recently, a hacker using the alias cypher0007 reached out to AtlasBay, a large dark web market, with information on two significant vulnerabilities that allowed him to access over...

The post Cyber News Rundown: Edition 1/27/17 appeared first on Webroot Threat Blog.



from Cyber News Rundown: Edition 1/27/17

News in brief: Fancy Bear ‘attacked TV network’; Lavabit comes back to life; museum does geek history

Your daily round-up of some of the other stories in the news

from News in brief: Fancy Bear ‘attacked TV network’; Lavabit comes back to life; museum does geek history

BSidesSD 2017 Recap

BSidesSD 2017 San Diego has finally joined the Security BSides (@SecurityBSides) circuit. This year, the first annual BSidesSD took place Jan 13th-14th held at National University on the northern side of San Diego. This author was one of twenty speakers accepted to talk at the inaugural event. My talk was once again centered around our […]

The post BSidesSD 2017 Recap appeared first on OpenDNS Umbrella Blog.



from BSidesSD 2017 Recap

Raise your glasses! Wine is 2.0!

That's the windows compatibility layer, obviously

from Raise your glasses! Wine is 2.0!

Facebook Introduces USB Security Key for Stronger Account Protection

Facebook has added a new feature to further strengthen the protection of users’ accounts. The social media giant announced on Thursday that users could now register a physical security key with their accounts to verify their identity. “Most people get their security code for login approval from a text message (SMS) or by using the Facebook […]

The post Facebook Introduces USB Security Key for Stronger Account Protection appeared first on The State of Security.



from Facebook Introduces USB Security Key for Stronger Account Protection

Semafone Kicks off 2017 with a PCI Award for Excellence

Semafone’s patented payment method has been recognised as an industry-leading solution at the inaugural PCI Awards for Excellence, run by AKJ Associates. The award was given to Semafone for its “outstanding PCI DSS projects” delivered to insurance giant AXA and global telecommunications company Sky. Working with AXA, Semafone’s solution was rolled out across 11 of […]

The post Semafone Kicks off 2017 with a PCI Award for Excellence appeared first on Semafone.



from Semafone Kicks off 2017 with a PCI Award for Excellence

Research into Twitter Bots

There are a lot of them.

In a world where the number of fans, friends, followers, and likers are social currency -- and where the number of reposts is a measure of popularity -- this kind of gaming the system is inevitable.



from Research into Twitter Bots

Today is the day you rethink your data security strategy

Today is Data Protection Day – a day established to remind us about the importance of improving our understanding of cyber threats and all things data security. This day was established 11 years ago and its purpose is more important than ever. Every organisation is, of course, well aware of the cyber security risks they currently face. The various high-profile hacks that occurred since Data Protection Day last year tell a cautionary tale – from Yahoo, in which one billion […]

The post Today is the day you rethink your data security strategy appeared first on Data Security Blog | Vormetric.



from Today is the day you rethink your data security strategy

Is ‘aqenbpuu’ a bad password?

Press secretary Sean Spicer has twice tweeted a random string, leading people to suspect he's accidentally tweeted his Twitter password. One of these was 'aqenbpuu', which some have described as a "shitty password". Is it actually bad? No. It's adequate...

from Is ‘aqenbpuu’ a bad password?

Moving to a Virtualized Environment? The Key Things You Need to Know about Your Security

Since cloud technology first appeared on the scene, companies have been battling with the concept of cloud security. The reality is that the cloud presents you with three unique challenges from a security perspective. 1. You need to think differently. It may sound obvious, but the cloud is different from a physical data centre. When […]

The post Moving to a Virtualized Environment? The Key Things You Need to Know about Your Security appeared first on The State of Security.



from Moving to a Virtualized Environment? The Key Things You Need to Know about Your Security

The security of President Trump’s Android smartphone

The New York Times reports that US President Donald Trump is still using an old, poorly-secured Android smartphone.

from The security of President Trump’s Android smartphone

CSSP Domains Overview

Cloud computing has proved itself as a powerful means for organizations to grow their business in terms of cost and time efficiency, profitability and overall business growth. However, with the...

from CSSP Domains Overview

RSA Conference 2017 – Data is the New Commodity

February is almost here, and while this means we are one month closer to spring, it also means it is time for the RSA Conference. The RSA Conference is an exciting time as thousands of people descend on Moscone Center in San Francisco to attend the world’s largest information security conference.  This year the conference […]

The post RSA Conference 2017 – Data is the New Commodity appeared first on HPE Security - Data Security.



from RSA Conference 2017 – Data is the New Commodity

Thursday, January 26, 2017

Duress Codes for Fingerprint Access Control

Mike Specter has an interesting idea on how to make biometric access-control systems more secure: add a duress code. For example, you might configure your iPhone so that either thumb or forefinger unlocks the device, but your left middle finger disables the fingerprint mechanism (useful in the US where being compelled to divulge your password is a 5th Amendment violation but being forced to place your finger on the fingerprint reader is not) and the right middle finger permanently wipes the phone (useful in other countries where coercion techniques are much more severe).



from Duress Codes for Fingerprint Access Control

33c3, Wolfie Christl’s ‘Corporate Surveillance, Digital Tracking, Big Data & Privacy’

Permalink

from 33c3, Wolfie Christl’s ‘Corporate Surveillance, Digital Tracking, Big Data & Privacy’

NCS Blog: DevOps and Separation of Duties

From my NCS blog post: Despite the rapid growth of DevOps practices throughout various industries, there still seems to be a fair amount of trepidation, particularly among security practitioners and auditors. One of the first concerns that pops up is...

from NCS Blog: DevOps and Separation of Duties

U.S. Top-Ranked Globally in 2016 Data Breaches, Finds Report

The United States takes the number one spot worldwide in data breaches disclosed last year, revealed a new report analyzing breach activity in 2016. Risk Based Security’s annual report released on Wednesday found that the U.S. accounted for nearly half – 47.5 percent – of all incidents, and a whopping 68.2 percent of all exposed […]

The post U.S. Top-Ranked Globally in 2016 Data Breaches, Finds Report appeared first on The State of Security.



from U.S. Top-Ranked Globally in 2016 Data Breaches, Finds Report

Anon, Maiden Fair…

via the American Association for the Advancement of Science (AAAS), comes this important privacy-and-web-brow...

from Anon, Maiden Fair…

Semafone Unveils Predictions for Call Centers in 2017

 Data security and compliance will become call centers’ top priority Guildford, U.K. – Jan. 26, 2017 – Semafone, which provides secure payment software for contact centers, shares its top predictions for call centers in 2017. In the year ahead, the company expects data security to be a top priority, as call centers take a more […]

The post Semafone Unveils Predictions for Call Centers in 2017 appeared first on Semafone.



from Semafone Unveils Predictions for Call Centers in 2017

Zbot with legitimate applications on board

Recently, among the payloads delivered by exploit kits, we often find Terdot.A/Zloader - a downloader installing on the victim machine a ZeuS-based malware.




from Zbot with legitimate applications on board

Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java

By Kai Lu. In part I of this blog, we finished the analysis of the native layer and obtained the decrypted secondary dex file. Next, we continue to analyze it. For the sake of continuity, we keep the section numbers and figure numbers continuous with part I of the blog. The secondary dex file: The following is the decrypted file, which is a jar-format file. It is loaded...

from Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java

Akamai’s Global Content Distribution Network: Replacing Recovery with Resilience

Many customers ask Akamai about Disaster Recovery testing and Business Continuity planning as a part of their due diligence or risk management process. Customers expect to see a governance document maintained by a central authority, a list of systems with...

from Akamai’s Global Content Distribution Network: Replacing Recovery with Resilience

Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part I: Debugging in The Scope of Native Layer

Recently, we found a new Android rootnik malware which uses open-sourced Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on an Android device. The malware disguises itself as a file helper app and then us...

from Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part I: Debugging in The Scope of Native Layer

Security Risks of the President's Android Phone

Reports are that President Trump is still using his old Android phone. There are security risks here, but they are not the obvious ones.

I'm not concerned about the data. Anything he reads on that screen is coming from the insecure network that we all use, and any e-mails, texts, Tweets, and whatever are going out to that same network. But this is a consumer device, and it's going to have security vulnerabilities. He's at risk from everybody, ranging from lone hackers to the better-funded intelligence agencies of the world. And while the risk of a forged e-mail is real -- it could easily move the stock market -- the bigger risk is eavesdropping. That Android has a microphone, which means that it can be turned into a room bug without anyone's knowledge. That's my real fear.

I commented in this story.

from Security Risks of the President's Android Phone

Differences Between Azure’s Web and Worker Roles

Here's an article I wrote in response to a question regarding the differences between Azure's web and worker roles. Hopefully, it clears up a few things. http://searchcloudsecurity.techtarget.com/answer/What-is-the-difference-between-web-role-and-worker...

from Differences Between Azure’s Web and Worker Roles

TrojanDownloader.Wask Analysis

The file is not packed. It has been written in MSVC (possibly 2010). Following are the headers present in the PE structure. Below is the PEDUMP of the Trojan PE signature found: File Type: EXECUTABLE...

from TrojanDownloader.Wask Analysis

Process: Gaining and Elevating Access

Gaining and Elevating Access and its relation to Penetration Testing. Background: Penetration Testing is a process that typically consists of the following phases: Information Gathering, Scanning and...

from Process: Gaining and Elevating Access

In a bad mood? You might not be allowed to log on

'Brainwave biometrics' could one day be used to gauge our fitness to access certain resources

from In a bad mood? You might not be allowed to log on

Smashing Security #005: ‘Upskirt insecurity’

Join me and fellow computer security industry veterans Vanja Svajcer and Carole Theriault as we have another casual chat about whatever is on our minds. This week: An alleged hacker finds the downside to car rental, a New York Times Twitter account ann...

from Smashing Security #005: ‘Upskirt insecurity’

The IoT gateway next door

Internet of things products are small, networked and, unfortunately, almost always have little or no security. Sometimes this is down to a lack of willingness by the manufacturer, but it is also partly due to the nature of the product – small and light also means that these devices have few resources for complex security features such as encryption and packet inspection. This leads to vulnerabilities, numerous attack vectors and ultimately to a bot device which can be abused by almost anyone. Following the latest large-scale attacks that primarily use IoT devices as a digital army, there is a loud demand from those who want more legislation and governments to get involved. In a hearing before the Committee on Energy and Commerce of the US House of Representatives, the security guru Bruce Schneier stated that "catastrophic risks" would arise through the proliferation of insecure technology on the Internet.

from The IoT gateway next door