We all should be concerned about the privacy settings in Windows 10. And we should be glad that the EU has the regulatory authority to do something about it.
from EU Still Concerned about Windows 10 Privacy Settings
Image Source: https://www.howtogeek.com/232791/pups-explained-what-is-a-potentially-unwanted-program/ Computer security courses cover malicious software (malware), but the material rarely addresses Potentially Unwanted Programs (PUPs). What is a PUP? First, PUPs go by many names, including bundleware, junkware, adware and, on mobile devices, Potentially Unwanted Applications (PUAs). I would actually characterize PUPs as two distinct categories: nuisance programs and security threats. […]
The post How to Identify and Prevent PUPS and Portable Apps appeared first on Phoenix TS.
Key Takeaways from Cisco Live Berlin 2017 Digital Transformation is the Core of Every Business 2016-2017 introduced the era of Digital Transformation. Digital transformation is the change associated with the application of digital technology in all aspects of human society. Digital transformation inherently enables new types of innovation and creativity to increase business competency rather […]
Are you pluggin’ along looking for vulnerabilities? The heart of Tenable vulnerability detection comes from the individual tests called plugins – simple programs that check for specific flaws. Each plugin contains a vulnerability description, fix recommendations, and algorithms for detection. Tenable products receive new plugins nightly, which keep the tests current and relevant.
SecurityCenter® has at least four places to research plugins:
1. Click on your userid (top right) to find the Plugins. This is the quickest source while working on SecurityCenter. You can also use a URL such as: https://<SecurityCenterhostname>/#plugins
2. On the analysis screens and plugin screens, click the i icon next to the Plugin ID. This is the most informative source.
3. Click on Analysis / Vulnerabilities and choose the Vulnerability Detail List (VDL) tool to find many explanations related to individual plugins.
4. Log in as administrator. The initial Overview dashboard (bottom right) lists the plugins currently loaded in SecurityCenter.
You can also find plugins in other Tenable products.
Nessus® takes a few clicks to drill down to plugins. Go to Policies / New Policy / Advanced Scan /Plugins. Then select a family on the left and a plugin on the right:
You can also see Nessus plugin information in scan results and by drilling down on individual plugin results. This provides similar information as VDL in SecurityCenter.
Tenable.io™ provides very similar information to Nessus, both in content and location (see Tenable.io Vulnerability Management for information about this new application).
You can use three places on the Internet to research plugins:
Each plugin source has its advantages and peculiarities. They vary in the information provided. Here are the nine sources, comparing their advantages and unique details.
This source provides many fields to search on. I use Plugin Name or Plugin ID most often.
This view has several unique characteristics. First, it shows the plugins currently in SecurityCenter:
Second, this source enables you to search against the audit files that have been activated in your SecurityCenter installation. For example, you can see the compliance password tests:
Clicking the small i icon results in voluminous information. If you carefully search through the Details tab’s Solution section, you can find the plugin’s source filename:
A second Source tab (top right) displays the plugin’s actual script in Tenable’s proprietary Nessus Attack Scripting Language (NASL):
Not all plugins are provided in NASL source form. Other plugins are compiled to protect confidential detection techniques.
You can find a gold mine of information in the VDL analysis tool. This is usually the best resource for researching plugin results.
After logging in as admin, I like to sort by modified date to see when plugins arrived. The newest plugin download should be less than 24 hours old (except on an offline SecurityCenter, which only updates when you load a plugin package manually). I also like to see what issues the recent plugins address.
Finding plugin information takes several steps. Nessus also provides many fields about a plugin.
To identify risk severity, Nessus shows both CVSSv2 and CVSSv3 scores in the detailed view.
Similar to Nessus.
This has been my favorite interface to work with for quick lookups. It also lists plugins by families. The Plugins portal includes several pages:
Example: A customer asked if Tenable had any tests for nginx. I typed in nginx, searched with Plugin Name, and was surprised by how many plugins were listed.
TIP: Though the page suggests using double quotes for an exact search, I have not had success with that search technique.
Be aware that this page is showing Nessus plugins only. To see the PVS™ plugins, go to bottom left of the page, click Product Resources, and then click PVS Plugins.
This portal provides technical discussions between customers and Tenable support staff. I often search it to see how others use a particular plugin.
This site is especially helpful for late-breaking vulnerabilities. Here is an example with the recent GRIZZLY STEPPE report:
Even if you forget the first eight sources, you will probably remember to use Google (or another search tool). It often points to information from sources 7 and 8.
Tip #1: What is the best plugin?
I nominate Nessus Scan Information, #19506. I chose this plugin even though it does not do any vulnerability testing. It gathers scan forensics such as how long the scan took, whether the credentials worked, which scanner was used, and more.
This plugin is often used as part of a daily discovery scan to identify new hosts on the network. See my blog about Favorite SecurityCenter Asset Lists for details.
What is your favorite plugin? Let us know at the Tenable Community. Also feel free to request plugins you would find helpful that we currently do not provide.
Tip #2: Can customers code plugins?
Yes. Some sage advice comes from Ron Gula, Tenable co-founder, in a Tenable Community posting:
Tenable does not officially support custom NASLs as part of our support program, but if you look in the API section you will see plenty of responses from Tenable staff answering questions about NASLs in general.
Most of the time, what people need to do with a NASL is actually already covered by another NASL or covered more easily by writing an .audit policy.
You can easily add tests to an audit file with PowerShell commands for Windows targets, or with a Linux command or script.
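As an added illustration (not from the original post or from Tenable’s own audit files), here is what two such custom checks look like in the .audit format, using the CMD_EXEC (Unix) and AUDIT_POWERSHELL (Windows) custom item types. The commands, descriptions and expected values are placeholders chosen for this example; each check belongs in an audit file for its own platform, since an audit file carries a single check_type.

```text
# Added example, not Tenable's code. Two custom_item checks an administrator
# could append to existing audit files; commands and expected values are
# illustrative placeholders.

# --- unix.audit: run a command on the target and match its output ---
<check_type:"Unix">

<custom_item>
 type        : CMD_EXEC
 description : "SSH: root login over SSH is disabled"
 cmd         : "/bin/grep -i '^PermitRootLogin' /etc/ssh/sshd_config"
 expect      : "PermitRootLogin[\\s]+no"
</custom_item>

</check_type>

# --- windows.audit: run a PowerShell expression and compare its output ---
<check_type:"Windows" version:"2">
<group_policy:"Custom PowerShell checks">

<custom_item>
 type            : AUDIT_POWERSHELL
 description     : "SMBv1 server protocol is disabled"
 value_type      : POLICY_TEXT
 value_data      : "False"
 powershell_args : "(Get-SmbServerConfiguration).EnableSMB1Protocol"
 ps_encoded_args : NO
</custom_item>

</group_policy>
</check_type>
```

Attach the audit file under the Compliance section of a credentialed scan policy. The Unix check passes when the command output matches the expect regular expression; the Windows check passes when the PowerShell output equals value_data, so a host with SMBv1 enabled (output True) is reported as a failure.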
Tip #3: How do I set up a plugin-specific scan?
Identify the plugin IDs, and the families they belong to, that you want to use in the policy. Note the caveat: a policy that enables individual plugins rather than whole families keeps exactly those plugins, so new plugins delivered by the nightly update are not added to it. If you want new checks picked up automatically, enable the family instead.
The Nessus User’s Guide provides excellent directions on setting up the scan.
SecurityCenter provides a helpful search filter for locating the individual plugins to build a new scan policy:
Tip #4: What dates can I find on plugins?
Plugins have four different dates: vulnerability release, patch release, initial plugin release, and the latest plugin modification date. You can find two additional dates in the plugin results: when the vulnerability was first discovered on a particular system and when it was last observed. The granularity of those last two dates depends on how often you scan.
Tip #5: Which plugins do not count against the IP license?
The answer is in the SecurityCenter User’s Guide, but know that this list does change:
Plugins are invaluable tests that Tenable provides for tracking down vulnerabilities. You can find detailed plugin information within the products or on the internet. While Tenable provides lots of good information, sharing tips with other users is often quite helpful. Please share your plugin tips or questions in the Tenable Community!
Trusted Computing Group has recently lost one of its great long-time champions. Frank Molsberry, who capably represented Dell for a number of years on the TCG Board of Directors, passed away on Feb. 16, 2017. Frank was known among TCG members for his sense of humor and quick wit, pragmatism and problem solving, and sense … Continue reading "Remembering Frank Molsberry"
One of the realities of today’s cybersecurity threatscape is not if you will be breached, but when, and how often. As good as cybersecurity is becoming (prevention solutions are claimed to reach detection rates of 99.9 percent or higher for common malware), effective cybersecurity depends upon three pillars: prevention, detection and resolution, with the latter two required to address those situations where prevention isn’t enough.
A compilation of notable security news and blog posts from the 20th of February to the 27th of February. This week, we look back at tech support scams, tax tips, updating your social media privacy settings, and more.
At a talk last week, the head of US Cyber Command and the NSA Mike Rogers talked about the US buying cyberweapons from arms manufacturers.
"In the application of kinetic functionality -- weapons -- we go to the private sector and say, 'Build this thing we call a [joint directed-attack munition], a [Tomahawk land-attack munition].' Fill in the blank," he said.
"On the offensive side, to date, we have done almost all of our weapons development internally. And part of me goes -- five to ten years from now is that a long-term sustainable model? Does that enable you to access fully the capabilities resident in the private sector? I'm still trying to work my way through that, intellectually."
Businesses already flog exploits, security vulnerability details, spyware, and similar stuff to US intelligence agencies, and Rogers is clearly considering stepping that trade up a notch.
Already, Third World countries are buying from cyberweapons arms manufacturers. My guess is that he's right and the US will be doing that in the future, too.
Out of all the cybercrimes from malware to social engineering, the creepiest has to be a stranger watching your child through a webcam or baby monitor in their room. As this year’s Mobile World Congress starts in Barcelona, Avast researchers reveal that half a million smart devices in the city, including webcams and baby monitors, are currently vulnerable to cyber attack.
In recent news, Italian siblings Giulio Occhionero, 45, and his sister Francesca Maria Occhionero, 47, were arrested for installing malware on the systems of a major bank president, two former prime ministers, a sitting mayor, a former deputy governor of the Bank of Italy and thousands more. While many of the details are still being questioned, […]
The post I Spy With My Little EyePyramid: Siblings Phish Italy appeared first on Security Through Education.
On February 17, 2017 a Google researcher stumbled onto a situation that some are calling Cloudbleed, where services running on Cloudflare servers were inadvertently causing chunks of uninitialized memory to be mixed with valid data. The Google researcher posted this description of the discovery. The uninitialized memory can contain encryption keys, passwords and other sensitive data. This data leakage is very critical due to the amount of caching found on the internet today: leaked pages were stored by search engines and other caches, so the extent of the leakage may be very hard to determine. Cloudflare reports that the bug has been patched and resolved; you can read more about this bug on the Cloudflare blog.
As this breach is passive in nature, the cached data has not yet been reported to be exploited. With the risk of passwords, encryption keys and other Personally Identifiable Information (PII) as part of the possible data leak, your company must be able to determine if data has been compromised or not. There are several lists of domain names published on github.com. However, for customers using SecurityCenter Continuous View® (SecurityCenter CV™) with Passive Vulnerability Scanner® (PVS™) and Log Correlation Engine® (LCE®), you can easily track and identify which internal systems are using services running on Cloudflare systems. After identifying the hosts and services used, the security analysts can begin to understand the risk to your organization.
When using PVS and LCE, the best practice is to have the PVS real-time logs sent to LCE for further analysis. As part of the configuration of PVS, there is a section called Realtime Events. In the Realtime Events, there are two settings to enable Log Realtime Events To Realtime Log File and Enable Realtime Event Analysis. These settings enable PVS to log session level events similar to NetFlow. Next, you must set up the syslog settings to send the data to LCE. Once real-time event data is sent to LCE, you will be able to see who is communicating with services using Cloudflare. Additionally, you can install the LCE client on DNS servers, which enables LCE to track DNS queries.
SecurityCenter CV has several types of asset lists that you can use to identify traffic patterns or groups of hosts with similar vulnerabilities or risks. The asset list best suited for detecting Cloudflare traffic is a Watchlist asset. A Watchlist asset is a group of IP addresses that are of interest and need to be monitored, but which may not be local to your environment; for example, Cloudflare IPs. We looked up Cloudflare IP address blocks using the American Registry for Internet Numbers (ARIN). To create the asset, go to Assets and click Add. Next, set the Type to Watchlist, name the asset Cloudflare, and add the following subnets to the newly created asset:
Now click on Submit to save the asset. After creating the asset, and before proceeding to Analysis, allow the asset to update.
To locate the events that are evidence of hosts using services running Cloudflare, you must first go to Analysis > Events. According to the Cloudflare blog post, the dates of the greatest risk are February 13, 2017 to February 18, 2017. By expanding the filters, you can add in the explicit dates and the Cloudflare Asset. When adding the first date, be sure to set the time to 00:00; this will ensure that the filter starts at the beginning of February 13. Next, for the second date, set the time to 23:59, to ensure that the full day is captured.
The next step is to add the asset as part of the filter; this is a two-step process. First, click on Select Filters, and then add the Asset filter. The Asset filter is now available on the left hand side of the screen, and you can click All in the Asset field and enter the name of the Cloudflare asset:
Next click on Apply All to see the events related to Cloudflare. The first view you will see is the List of Event Types; these are the high level summary categories of events. For example, here are several event types that can help determine the risk your network is exposed to:
The web-access event type shows PVS tracking the kinds of HTTP calls made, such as web content, JPG files, PDF files, HTTP requests, and several others. Click on web-access, then select Jump to Raw Syslog Events in the upper right hand corner of the screen. Click on the plus sign + next to each log, and you can review the URL-related HTTP request parameters. You can then review the details such as the source of the HTTP request and the URL visited. At this point, you must create a list of URLs that are related to your business risk (logins, APIs, customer portals, anything that carried credentials or session tokens during the window) and begin to investigate whether your organization is at further risk.
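The filter built in the steps above (a date window plus a Watchlist of Cloudflare ranges, applied to web-access events, then reduced to a URL list for triage) can be expressed in a few lines of code. The following is an added example written for this page, not Tenable’s code or output: the pipe-delimited record layout, the two CIDR ranges and the sample events are all constructed for illustration, and you would substitute the blocks you looked up in ARIN and your own exported events.

```python
# Added example, not part of the original post or Tenable's products: a small
# re-implementation of the SecurityCenter CV event filter described above,
# run over constructed PVS-style web-access records. The record layout
# ("timestamp|src|dst|event_type|url") and the CIDR list are assumptions.
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Illustrative Cloudflare-style ranges only; replace with the blocks you
# looked up in ARIN when building the Watchlist asset.
WATCHLIST = [ipaddress.ip_network(c) for c in ("104.16.0.0/12", "173.245.48.0/20")]

# Window of greatest exposure per Cloudflare's post: Feb 13 00:00 to Feb 18 23:59 UTC.
WINDOW_START = datetime(2017, 2, 13, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 2, 18, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample events (not real PVS output).
SAMPLE_LOG = """\
2017-02-12T22:10:03Z|10.0.1.15|104.16.54.3|web-access|https://cdn.example.com/login
2017-02-14T09:31:44Z|10.0.1.15|104.16.54.3|web-access|https://cdn.example.com/login
2017-02-15T11:02:09Z|10.0.2.40|173.245.49.9|web-access|https://shop.example.net/cart
2017-02-16T13:45:51Z|10.0.2.40|198.51.100.7|web-access|https://www.example.org/
2017-02-17T08:00:00Z|10.0.5.2|104.20.3.9|dns-query|cdn.example.com
2017-02-19T00:00:01Z|10.0.3.7|104.16.54.3|web-access|https://cdn.example.com/api
"""


def in_watchlist(ip, watchlist=WATCHLIST):
    """True if ip falls in any Watchlist network (the Asset filter)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in watchlist)


def parse_event(line):
    """Split one pipe-delimited record into a dict with a UTC datetime."""
    ts, src, dst, event_type, detail = line.split("|", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "src": src, "dst": dst, "type": event_type, "detail": detail}


def find_cloudflare_sessions(log_text, start=WINDOW_START, end=WINDOW_END,
                             watchlist=WATCHLIST, event_type="web-access"):
    """Return (src, detail) pairs for events of the given type whose destination
    is in the Watchlist and whose timestamp lies inside [start, end] inclusive."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["type"] != event_type:
            continue
        if not start <= ev["when"] <= end:
            continue
        if in_watchlist(ev["dst"], watchlist):
            hits.append((ev["src"], ev["detail"]))
    return hits


def urls_by_source(hits):
    """Group hits into {url: sorted internal hosts}: the list an analyst then
    triages against business risk (logins, APIs, customer portals)."""
    grouped = defaultdict(set)
    for src, url in hits:
        grouped[url].add(src)
    return {url: sorted(srcs) for url, srcs in grouped.items()}


if __name__ == "__main__":
    for url, hosts in urls_by_source(find_cloudflare_sessions(SAMPLE_LOG)).items():
        print(f"{url}: {', '.join(hosts)}")
```

On the constructed sample, the Feb 12 and Feb 19 events fall outside the window, the www.example.org request goes to an address outside the Watchlist, and the dns-query event is dropped because only web-access is requested; the two remaining sessions are the ones an analyst would review. Passing event_type="dns-query" instead reproduces the DNS view you get when the LCE client is installed on your DNS servers.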
Another great feature of tracking PVS event data with LCE is the ability to track vulnerabilities historically. In the following sample, you can see my lab has a Mac OS X system running a vulnerable browser. In this case, the vulnerability might not increase exposure to the Cloudflare leak, but a good historic view of the vulnerabilities PVS detected is a great feature of combining PVS and LCE.
SecurityCenter CV is a powerful tool when fully implemented, and can aid your investigations when there are large data breaches such as Cloudbleed. By using LCE to track real-time events in PVS, you have a good historic view of vulnerability data and protocol level events. Combining PVS and LCE enables your organization to see the traffic and understand the content of the session. As the context of the Cloudflare traffic is revealed, you can better understand and assess the risk to your organization. Tenable provides our customers with a full-featured threat and vulnerability analysis that far exceeds those of our competition.
This is an excellent survey article on modern propaganda techniques, how they work, and how we might defend ourselves against them.
Cory Doctorow summarizes the techniques on BoingBoing:
...in Russia, it's about flooding the channel with a mix of lies and truth, crowding out other stories; in China, it's about suffocating arguments with happy-talk distractions, and for trolls like Milo Yiannopoulos, it's weaponizing hate, outraging people so they spread your message to the small, diffused minority of broken people who welcome your message and would otherwise be uneconomical to reach.
As to defense: "Debunking doesn't work: provide an alternative narrative."
The annual RSA Conference is a lot of things to a lot of people (43,000 this year!). For me, it’s become an annual opportunity to step out of the stream and to look back at what has happened in the last year and peer forward at what’s to come. This year, I think we have […]
The New York State Department of Financial Services has proposed a cyber security regulation that is unique in its breadth. The original proposed regulation underwent a 45-day review period, after which it was changed. It is currently under another 45-day review period pending further changes and should be published in the next few weeks. The […]
The post The New York State Department of Financial Services: The Evolution of a Regulation – Part 1 appeared first on The State of Security.
Attackers have lots of ways of gaining access to a target’s information. One of their preferred attack vectors is exploiting careless end user behavior. This is especially true when it comes to users who don’t adequately protect their web accounts. For instance, bad actors targeted users of TeamViewer, software which allows IT professionals to gain […]
The post TeamSpy Data-Stealing Malware at It Again with New Spam Campaign appeared first on The State of Security.