Charges Against Chinese Hackers Are Now Common. Why Don't They Deter Cyberattacks?
https://www.npr.org/2019/02/05/691403968/charges-against-chinese-hackers-are-now-common-why-dont-they-deter-cyberattacks
==================================================================
The important tweet below could help shape a new direction for the article above. The synopsis below hopefully makes known/unknown devices easier to understand, if they are not already understood.
If the Chinese hackers had to log on to computers/devices that were unknown with stolen credentials (passwords), the network wouldn't recognize them, and they wouldn't be allowed on. If the computer had an activated Trusted Platform Module (TPM) that was recognized by the network (known device) and the user put in the proper PIN, they would get onto the (possibly sensitive) network via a product like Wave VSC 2.0. Basically, this keeps attackers who are in possession of stolen credentials (passwords) from being able to get onto a sensitive network using their own computer/device, since their device is unknown.
Why not use Steven Sprague's recent tweet while also including other critical industries? Unfortunately, he probably suggested this many years ago, and the Chinese are still beating out the United States' cybersecurity, and the arrests seem not to faze them.
The tweet was:
More on the news Power and Gas infrastructure at risk. @RivetzCorp Time to upgrade Cyber policy "Only Known devices connected to sensitive networks and data." #trustedcomputing #securitybuiltin
— steven sprague (@skswave) January 31, 2019
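The "only known devices" policy in the tweet and the synopsis above is, mechanically, a second check at login: the user credential has to be valid AND the request has to carry a fresh proof from a key that was enrolled on the device beforehand. The following is an added illustration written for this post, not code from Wave, Rivetz or any product named here. It models the TPM-resident key as an HMAC secret shared with the server purely to keep the example self-contained; a real deployment would use an asymmetric TPM key (a signature over the server's challenge) plus attestation, and the PIN step would be the TPM unlocking that key on the device. Users, device names and keys are constructed.

```python
import hashlib
import hmac
import os
import secrets


class KnownDeviceGate:
    """Access policy "only known devices": a login succeeds only when the
    user credential is valid AND the request carries a single-use proof
    computed with a device key that was enrolled in advance.

    Constructed example. The device key stands in for a TPM-resident key
    that never leaves the chip; a real deployment would use an asymmetric
    TPM key and attestation, not an HMAC secret shared with the server.
    """

    ITERATIONS = 200_000

    def __init__(self):
        self.users = {}        # username -> (salt, PBKDF2 digest)
        self.devices = {}      # device_id -> enrolled device key
        self.pending = set()   # challenges issued but not yet consumed

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def enroll_device(self, device_id, device_key):
        # Enrollment is done once by IT; it is the only path to "known".
        self.devices[device_id] = device_key

    def challenge(self):
        nonce = secrets.token_bytes(32)
        self.pending.add(nonce)
        return nonce

    @staticmethod
    def device_proof(device_key, nonce, username):
        # Computed on the device after the user unlocks the key (the TPM
        # PIN step); binds the challenge to the user attempting login.
        return hmac.new(device_key, nonce + username.encode(), hashlib.sha256).digest()

    def login(self, username, password, device_id, nonce, proof):
        # A challenge is single-use, so a captured proof cannot be replayed.
        if nonce not in self.pending:
            return "denied: stale challenge"
        self.pending.discard(nonce)

        record = self.users.get(username)
        if record is None:
            return "denied: unknown user"
        salt, digest = record
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return "denied: bad password"

        # Stolen credentials stop here: the attacker's own box is not enrolled.
        key = self.devices.get(device_id)
        if key is None:
            return "denied: unknown device"
        if not hmac.compare_digest(self.device_proof(key, nonce, username), proof):
            return "denied: device proof invalid"
        return "allowed"

    @classmethod
    def _hash(cls, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)


def demo():
    """Runs the four cases a policy review would want to see (constructed data)."""
    gate = KnownDeviceGate()
    gate.add_user("alice", "correct horse battery staple")
    laptop_key = secrets.token_bytes(32)      # provisioned into alice's TPM
    gate.enroll_device("laptop-0042", laptop_key)
    attacker_key = secrets.token_bytes(32)    # attacker's own key, never enrolled

    results = {}
    n = gate.challenge()
    results["known device, right password"] = gate.login(
        "alice", "correct horse battery staple", "laptop-0042", n,
        KnownDeviceGate.device_proof(laptop_key, n, "alice"))
    n = gate.challenge()
    results["unknown device, stolen password"] = gate.login(
        "alice", "correct horse battery staple", "attacker-box", n,
        KnownDeviceGate.device_proof(attacker_key, n, "alice"))
    n = gate.challenge()
    results["known device, wrong password"] = gate.login(
        "alice", "hunter2", "laptop-0042", n,
        KnownDeviceGate.device_proof(laptop_key, n, "alice"))
    # Same nonce again: it was consumed by the previous attempt.
    results["replayed challenge"] = gate.login(
        "alice", "correct horse battery staple", "laptop-0042", n,
        KnownDeviceGate.device_proof(laptop_key, n, "alice"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:35} -> {outcome}")
```

The second case is the one the synopsis is about: the password is correct, but the request comes from a device the server has never enrolled, so it is refused before any device proof is even examined.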
This password-stealing phishing attack comes disguised as a fake meeting request from the boss
https://www.zdnet.com/article/this-password-stealing-phishing-attack-comes-disguised-as-a-fake-meeting-request-from-the-boss/
Called to a meeting with the CEO? Don't be so sure.
A widespread phishing campaign is targeting executives across a number of industries with messages asking to reschedule a board meeting in an effort to steal logins and passwords.
Spotted by researchers at security firm GreatHorn, the phishing messages spoof the name and email address of the CEO of the company being targeted and use a subject line including the company name and a note about the meeting to gain the attention of potential victims. Users are more likely to fall for attacks they believe to come from their boss.
The contents of the phishing email are simple: it says a board meeting has been rescheduled and asks users to take part in a poll to choose a new date.
If users click the link, they're taken to a webpage which appears to be a login page for Microsoft Outlook and Office 365, but this is in fact a phishing site — any information entered into it will go directly into the hands of the attackers.
The attack is slightly different if the email is viewed on a mobile device — the display name is changed to 'Note to Self' but the contents of the message stays the same.
With the phishing email targeting high-level executives like CFOs, CTOs and SVPs, a successful attack could provide attackers with access to highly sensitive data across the corporate network — and the compromised accounts could also be used to help conduct further malicious campaigns.
The fake meeting phishing attack appears to be prolific — researchers at GreatHorn say it was found targeting one in seven of the firm's customers. In each case, the attackers were eliminated before damage could be done.
It's believed that the campaign is still active and that the phishing URL, which claims to be Windows-related, is still up.
Users are therefore warned to be aware of the campaign and to be suspicious of any emails containing a subject line following a pattern of: New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)
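The three things the article gives a defender to key on are concrete enough to turn into a mail-filter rule: an executive's display name on a From address outside the company domain, the subject template quoted above, and a link that imitates an Office 365 or Outlook sign-in page on a host that is neither the company's nor Microsoft's. Below is an added detection example written for this post; it is not GreatHorn's or ZDNet's code. The two messages are constructed, the company domain, executive list and the allow-list of Microsoft sign-in hosts are assumptions, and the token list used to spot a lookalike host is a heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject template quoted in the ZDNet piece:
#   New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)
LURE_SUBJECT = re.compile(
    r"^New message: (?P<company>.+?) February in-person Board Mtg scheduling "
    r"\(\d{1,2}/\d{1,2}/\d{2} update\)$"
)
URL = re.compile(r"https?://[^\s\"'<>]+")
# Assumed allow-list of hosts that legitimately serve Microsoft sign-in pages.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com",
                  "outlook.office.com", "outlook.office365.com"}
# Heuristic: words a lookalike sign-in host tends to carry.
IMPERSONATION_TOKENS = ("office", "outlook", "microsoft", "login", "windows")


def analyze(raw_message, company_domain, executives):
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    company_domain = company_domain.lower()

    # 1. Display-name spoof: an executive's name on a From address that is
    #    not in the company's own domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if display.strip().lower() in {e.lower() for e in executives} and sender_domain != company_domain:
        findings.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # 2. Subject line following the campaign's template.
    if LURE_SUBJECT.match(msg.get("Subject", "").strip()):
        findings.append("subject matches board-meeting lure template")

    # 3. A link whose host is neither the company's nor a Microsoft sign-in
    #    host, yet dresses itself up as one.
    if msg.is_multipart():
        body = "".join(p.get_payload(decode=True).decode(errors="replace")
                       for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    for link in URL.findall(body):
        host = (urlparse(link).hostname or "").lower()
        in_company = host == company_domain or host.endswith("." + company_domain)
        if not in_company and host not in MS_LOGIN_HOSTS and any(t in host for t in IMPERSONATION_TOKENS):
            findings.append(f"credential-harvesting link host '{host}'")

    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real captures).
PHISH = """From: Jane Doe <jane.doe@mtg-scheduler.example.net>
To: cfo@example.com
Subject: New message: Example Corp February in-person Board Mtg scheduling (2/24/19 update)

The board meeting has been rescheduled. Please pick a new date in the poll:
https://office365-secure-login.example.net/poll/board
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board meeting moved to Thursday

Calendar invite is on the intranet: https://intranet.example.com/calendar
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw, "example.com", ["Jane Doe"]))
```

Requiring two independent indicators before flagging keeps a genuine executive who sends from a personal address, or a genuine rescheduling note, from being quarantined on one signal alone; the subject template by itself is the weakest of the three, since the attackers can change it at will.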
=================================================================
The article presents a great reason to put into action Steven Sprague's known-devices tweet on Twitter: 'Time to upgrade Cyber policy "Only known devices connected to sensitive networks and data"'.
More on the news Power and Gas infrastructure at risk. @RivetzCorp Time to upgrade Cyber policy "Only Known devices connected to sensitive networks and data." #trustedcomputing #securitybuiltin
— steven sprague (@skswave) January 31, 2019
Microsoft hopes crowdsourced A.I. algorithms will help avoid the next global cyberattack
https://www.cyberscoop.com/microsoft-cybersecurity-challenge-artificial-intelligence-georgia-tech-northeastern-university/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=84141644&utm_medium=social&utm_source=twitter&hss_channel=tw-720664083767435264
If you’ve developed an artificial intelligence tool capable of predicting the next ransomware outbreak, Microsoft wants to hear about it. And they’re willing to pay.
More than 300 data scientists, security practitioners and academics are involved in an initiative to help Microsoft determine which Windows machines are the most vulnerable to malicious software. The competition challenges participants to assess the probability a device will be hit with malware based on different factors about the machine, ranging from the firewall configuration to the antivirus software and CPU.
Microsoft announced the competition on Dec. 13, giving participants three months to develop an algorithm that can predict whether a Windows 10 or Windows XP computer, for example, is likely to be infected with the next major virus, organizers said. The competition offers a glimpse at how cybersecurity will blend with artificial intelligence and machine learning, as major companies invest in experiments that could help them avoid another cyberattack on the scale of WannaCry or NotPetya.
“We’re looking at artifacts from the computers that have been infected in the past and predicting ahead of time which computers are likely to fall victim to the same kinds of campaigns,” said Brendan Saltaformaggio, an assistant professor of electrical and computer engineering at the Georgia Institute of Technology, which is helping organize the competition along with Northeastern University and Microsoft’s Windows Defender research team.
“Cybersecurity has largely been a reactive field where there’s an attack and we try to figure out how it happened,” he said. “Bringing in A.I. will give us the ability to inoculate against these attacks before they occur.”
Researchers will be provided with 9.4 GB of anonymized data culled from Windows Defender, Microsoft’s antivirus tool. Data includes browser information, the operating system in use and a machine’s geolocation, among other details. Teams that predict attacks with the highest accuracy will be awarded a combined total of $25,000 in prizes.
Participants making random guesses might be able to predict attacks with a 50 percent accuracy rate, according to Mansour Ahmadi, a post-doctoral research associate at Northeastern University. The highest scorers in this competition had nearly achieved 70 percent within five days, he said.
Such figures provide hope that researchers will hit at least an 80 percent success rate within three months, Ahmadi said.
It looks like a safe investment, too. A U.S. government assessment determined the 2017 NotPetya virus cost global businesses some $10 billion in what was perhaps the most expensive cyberattack ever, according to Wired magazine. The WannaCry ransomware outbreak, which spread via a vulnerability in Windows operating systems, is estimated to have cost between $4 billion and $8 billion.
“With things like ransomware remediation, it’s very expensive, so if we can prevent that we can save a lot of money,” said Ahmadi. “If we can detect early symptoms, we can avoid more expensive procedures.”
=================================================================
If firewalls and antivirus don't work effectively against the latest ransomware, then SEDs that are remotely initialized by Wave's SED management solution could be a formidable final layer against ransomware. How accurate will these future algorithms be if they can't capture the effectiveness of firewalls and antivirus?
==================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
eCommerce credit card fraud is nearly an inevitability
https://www.helpnetsecurity.com/2019/01/31/ecommerce-credit-card-fraud/?_lrsc=69800179-36ab-405a-933c-9b65c8df6afe&cm_mmc=OSocial_Twitter-_-Security_Security+Brand+and+Outcomes-_-WW_WW-_-Elevate&cm_mmca1=000034XK&cm_mmca2=10010257
Riskified surveyed 5,000 US-based consumers aged 18 and older about their online shopping behaviors, experience with and prevalence of credit card fraud, repeat shopping likelihood and customer satisfaction to develop a full picture of how consumers react to a number of common shopping experiences.
The results are worrisome for both consumers and merchants, as roughly half of respondents reported experience with credit card fraud and 30% had their purchase wrongly declined, with a corresponding negative impact on their satisfaction and return shopping.
For US consumers, eCommerce credit card fraud is nearly an inevitability. Overall, 49% of consumers surveyed reported having been a victim of credit card fraud, where their card information was illegally used by someone else. But that percentage grew with age, suggesting that becoming a victim is only a matter of time. Among all respondent groups aged 31 or older, a majority of consumers were the victims of credit card fraud.
Unfortunately for merchants, the obvious costs of fraud aren’t the only costs. 49% of customers reported that they do not return to an online retailer after a fraud incident has taken place, meaning that the merchant will pay the cost of the fraud and lose future customers.
But that’s only part of the cost of fraud. Merchants often decline orders out of caution, and previous research conducted by Riskified found that fear of fraud costs even more than the fraud itself, as merchants unnecessarily reject good customers. This survey bears that out, as 30% of respondents reported having an order declined, and 57% of those declines happen to returning customers, squandering the good will merchants had built. The survey further found that roughly 42% of shoppers who experienced a decline moved on, either abandoning the purchase completely (28%) or shopping with a competitor instead (14%).
Even shoppers who aren’t declined may move away from a purchase. 84% of respondents reported abandoning an order before completing the purchase, with many of these shoppers blaming the checkout process. 37.3% abandoned a purchase because of a complicated checkout, while 34.9% blamed a bad mobile experience.
“It’s really difficult for any single retailer to effectively manage their fraud, and this survey shows just how damaging it is when they fail to do so,” said Eyal Raab, vice president of business development. “Merchants need to be able to meet their customers where and how they want to shop, but offering options like omnichannel fulfillment or digital gift cards opens them up to threats. Making accurate decisions and approving good orders not only increases revenue now, it also makes happier, more loyal customers in the future.”
Impact of household income on fraud and reimbursement:
•48% of households with an annual income of $1M or more have reported legitimate purchases as fraudulent. This was by far the highest level of false claims of fraud, with no other income bracket even reaching 40%.
•Meanwhile, lower income households were least likely to be reimbursed for charges fraudulently made with their cards. Only 35% of lower income households were refunded the full amount of the fraudulent activity.
Customers blame merchants for fraud:
•Among victims of credit card fraud, more than 1 in 4 (29%) blamed the merchant that approved the fraudulent purchase.
Friction leads to cart abandonment:
•Cart abandonment continues to be a big problem for merchants, and 84% of survey respondents reported abandoning a purchase in progress.
•While some of that is unavoidable for merchants – unexpected shipping costs and a change of heart led to significant cart abandonment – a difficult checkout process is often the culprit. More than 71% of cart abandoners blamed the checkout process – for being overly complicated, not mobile optimized or seeming untrustworthy – as the reason they abandoned their purchase.
Shoppers watch their wallets:
•38% of respondents admitted they have or may have created multiple email addresses to gain additional online shopping discounts. While not illegal, this type of discount abuse can seriously impact merchants’ bottom lines.
=================================================================
The article below is a great solution to big problems revealed in the article above! The current solutions are not taking care of the problems, as evidenced by this article. The market should be ready for a solution like Wave's and Bell ID's (Bell ID was bought out, I believe, but the new company could still be part of a great solution with Wave)!
=================================================================
Wave and Bell ID Partner to Combat Online Payment Fraud
https://www.wavesys.com/buzz/pr/wave-and-bell-id-partner-combat-online-payment-fraud
Card-present transactions enabled for e-commerce by integrating TPM technology.
Lee, MA -
July 31, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) announced it is partnering with chip lifecycle management solutions company, Bell ID, to offer a joint solution aimed at reducing online payment fraud. The solution will be marketed primarily to card issuing banks, as well as online merchants, governments, and enterprises worldwide.
Using Bell ID’s Trusted Service Manager and Secure Element in The Cloud (SEiTC) server, alongside Wave’s ERAS for TPM management and Wave’s endpoint identity and monitoring expertise, the combined offering provides robust protection for transactions and stored payments. The companies have executed a letter of intent and anticipate the signing of a definitive agreement in August.
The incident rate of card-not-present (CNP) fraud has been growing steadily over the past several years. According to a recent FICO Banking Analytics Blog, CNP fraud now accounts for close to half of all credit card fraud. Countries that have already adopted the EMV® card specification have seen CNP fraud rates increase. In the United States, CNP fraud is expected to rise significantly over the next eighteen months, as the EMV standard is put into effect. The EMV directive, which implements a global standard for a secure chip-based payment application, will make merchants liable for any fraud resulting from transactions on systems that are not EMV-capable.
“Wave’s robust product portfolio is very complementary to Bell ID’s strongly positioned solution set in the financial services market,” said Bill Solms, CEO, Wave Systems. “We see the EMV transition creating high demand for more secure transaction capabilities, and are confident that together we can provide financial institutions with a comprehensive solution for payment authorization and storage.”
“Bell ID has been a pioneer in developing and delivering cloud-based payment platforms,” adds Pat Curran, Executive Chairman at Bell ID. “We also have extensive experience in delivering EMV solutions globally and have witnessed fraud transition online as point-of-sale terminals in face-to-face transactions become more secure. We are therefore delighted to extend our offering with Wave to provide a secure online transaction and storage payment solution, which will mitigate against an expected rise in online fraud and provide a trusted link between device identity and internet services.”
Pay the ransom? Corporate lawyers say meeting some hackers' demands may be worth it
https://www.cyberscoop.com/ransomware-pay-hackers-worth-risk-lawyers/
Conventional wisdom says ransomware victims shouldn’t pay their attackers, but a panel of legal experts suggested Thursday that standing firm might not always be the smartest play in the real world.
FBI officials, corporate bigwigs and public sector security bosses in recent years all have advised their colleagues to keep their wallets closed when ransomware hits. There’s no honor among thieves, the logic goes, and even if you pay hackers to buzz off, who’s to say they will follow through on promises to unlock encrypted data? But there are scenarios in which small and medium-sized businesses should carefully consider their decision, Mark Knepshield and Matthew Todd said during a panel discussion at the Legalweek conference in New York.
“I would say, if it’s a small amount, pay it,” said Knepshield, a senior vice president at insurer McGriff, Seibels and Williams. “It’s likely just the easiest way out of your situation.”
In a poll surveying Legalweek attendees, 86 percent said they would not pay a ransom if attackers threatened to publish stolen material online within 24 hours. That follows the traditional legal advice, with the FBI encouraging hacked businesses not to pay, in part because meeting extortionists’ demands could help thieves expand their operations.
“Law enforcement has to have a policy, and that has to be their policy,” said Todd, a principal consultant at Full Scope Consulting and a former chief security officer in the financial sector.
However the evolution of ransomware attacks over the past year has forced firms to reconsider, Todd said. Well-resourced criminal organizations have replaced comparatively low-level “spray-and-pay” operations. Those groups leave behind a trail of evidence insurers, attorneys and corporate security teams can quickly research to understand their chances of recovering stolen information.
“Like with the city of Atlanta, with the source code that was coming in, even if they had paid the ransom, I don’t think the individuals who launched the attack would have had the sophistication to be able to un-do the [encryption] keys,” Todd said. “You need to ponder it carefully.”
Paying small ransoms may also help frustrated security bosses avoid a browbeating from higher-ups who are more concerned with resuming business than examining the forensic evidence in the midst of an attack. Forfeiting $500 to hackers could hasten that process, and give the chief information security officer an out with his or her boss.
“Being cyber resilient just means being able to explain yourself to shareholders when something goes wrong,” said Roberta Sutton, who founded RAS Enterprise Risk Management services after working with insurers. “We got breached all the time [in the past] but we never reported them because [hackers] never walked out with any of the data, at least that we could tell.”
=================================================================
As a preventative measure, the SED management solution from Wave together with SEDs would typically be much more effective than waiting for a possible ransomware attack. And as indicated in the previous post, future ransomware attacks could be very much underestimated by the market. The cost of SED management and SEDs is reasonable, and the benefits of SED management with SEDs stopping ransomware are very high. The Wave SED management solution has many other benefits as well (see below). Wave has the added advantage of being able to manage SEDs/TPMs from many different manufacturers. I believe that having that capability under Wave is unique and very beneficial to a prospective client.
==================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
Easy proof of compliance
Your encryption is only as good as you can prove it to be. To comply with most data protection regulations, your organization has to prove encryption was in place at the time of a potential breach. Wave provides secure audit logs to help you demonstrate compliance.
If you lose a device with a Wave-managed SED, there’s no wondering or guessing. You know encryption was on by default, and you can prove it.
No vendor lock-in
SED technology was created and standardized by a consortium of the best in the infosec industry, a standards body called the Trusted Computing Group (TCG). This means you can buy your drives wherever you want, from whatever vendor you want—any SED built to the TCG’s Opal specification can be managed by Wave.
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
Pick your platform
Wave SED management is available via the cloud or on-premise servers. Ask us for more details about which platform is right for your deployment.
Key Features:
Easy security compliance
• Active monitoring, logging and reporting of all user and device events
Data protection
• Local changes are prohibited
• Drive locking is supported in sleep or standby (S3) modes
• Manage clients inside or outside the firewall and on non-domain machines
Simplicity
• Everything is automatically encrypted—users don’t have to identify which data is sensitive
• Windows password synchronization and single sign-on
• Add or remove users remotely
• MMC snap-in is familiar and easy—less administrator training
• Role management allows delegation of tasks with customized or predefined roles.
No compromises
• Encryption is completely transparent to your users—they won’t even notice it's there
• Customizable pre-boot message at authentication screen
Global cyber attack could cost up to $193bn, study shows
https://www.computerweekly.com/news/252456612/Global-cyber-attack-could-cost-up-to-193bn-study-shows
A coordinated global cyber attack could have an economic impact of up to $193bn, an insurance industry-backed report claims
Cyber defence tools alongside appropriate insurance are essential in the light of an insurance industry report on the potential cost of a global cyber attack, say security industry representatives.
A coordinated global cyber attack spread by email could have an economic impact of between $85bn and $193bn, according to a report by the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative that assesses cyber risks.
CyRiM’s objectives include research into the definition of cyber risk, the creation of a set of cyber event scenarios for impact quantification, the creation of benchmark cyber loss models, and the development of a non-intrusive cyber security exposure assessments capability.
According to CyRiM, the “lack of sound data, the rapidly changing cyber threat environment, developing regulation and policy landscape, and the global nature of cyber risk with potential for high accumulation risk, constrains the development of the current cyber risk insurance market”.
The report, co-produced by Lloyd’s of London, Aon and other CyRiM partners, explores a hypothetical scenario in which companies’ devices are infected with malware that threatens to destroy or block access to files unless a ransom is paid.
The attack is launched through an infected email, which, once opened, is forwarded to all contacts and, within 24 hours, encrypts all data on nearly 30 million devices worldwide. Companies of all sizes and in all sectors would be forced to pay a ransom to decrypt their data or to replace their infected devices.
The report estimates that a cyber attack on this scale could affect more than 600,000 businesses worldwide.
In the least severe scenario, retail suffers the highest total economic loss globally ($15bn), followed by healthcare ($10bn) and manufacturing ($9bn). In the most severe scenario, retail and healthcare would be the most affected ($25bn each), followed by manufacturing ($24bn).
According to the research, the economic impact would be the greatest in the US ($46bn-$89bn) driven mainly by the infection of “premier-sized” companies, followed by Europe, where $30bn-$76bn is at stake, with retail, business and professional services, and manufacturing likely to be the hardest-hit sectors.
Despite the high costs to business, the report shows that the global economy is under-prepared for such an attack, with 86% of the total economic losses uninsured, leaving an insurance gap of $166bn.
Ed Macnair, CEO of cloud security company CensorNet, said there is no doubt that the potential economic impact of cyber attacks is increasing.
“Should an event like this occur, it would be devastating, but this seems like the very worst-case scenario,” he said, pointing out that the research is based on a phishing attack.
“The kind of spread they are talking about would be prevented if just a couple of companies had email security in place. The chances are that many more than that do. Of course, phishing attacks are getting smarter and can catch out even the savviest, but modern security tools can also prevent such a rapid propagation of infection,” said Macnair.
“Security tools have got much smarter over the last few years with more and more integration, and could, in theory, be picked up by an email security tool and blocked from being sent on. Then email security speaks to a web security tool, and malicious links are blocked from opening in web clients.”
Cyber insurance is a good idea to have, said Macnair, but without preventative tools in place, it is the same as insuring household contents and leaving the door unlocked, he said. “It’s there as a back-up and, if you do everything right, insurance shouldn’t be needed.”
The report estimates that the total claims paid by the insurance industry in this scenario would be between $10bn and $27bn.
“Comparing the insurance loss estimates to the economic losses shows insurance industry losses are between 9% and 14% of the total economic loss, which shows there are high levels of underinsurance for this type of cyber attack,” the report said.
With the estimated 2019 “cyber affirmative insurance premium” globally at $6.4bn, the research shows the insurance industry is “significantly exposed” to a contagious malware event.
According to the report, the scenario shows that the reliance of the global economy on connectivity significantly increases the scope of the damage caused by malware and, for the first time, quantifies the impacts of a global, systemic, ransomware attack.
“The scenario challenges assumptions of global preparedness for a cyber attack of this nature and sends a clear message to organisations, individual entities, industry associations, markets and policymakers that they must improve their awareness, and assessment of this threat,” the report said.
The report concluded that the expansion of the cyber insurance market is “both necessary and inevitable” and that scenarios such as those used in the research will help insurers expand their view of cyber risks and help them create “new products and services that make businesses and communities more resilient”.
=================================================================
Drive Trust Alliance Announces Free Fix for Lurking Ransomware Threats
https://www.prnewswire.com/news-releases/drive-trust-alliance-announces-free-fix-for-lurking-ransomware-threats-300569969.html
PITTSBURGH, Dec. 12, 2017 /PRNewswire/ -- There are many millions of computer hard drives, from every hard drive maker, that are especially open to devastating ransomware attacks. These drives are known as TCG Self-Encrypting Drives (SEDs). If they are not properly initialized, there can be trouble with ransomware attacks. If they are properly initialized, there is little or no danger of these ransomware attacks.
Most Solid State Drives or SSDs and many hard disk drives in laptops, desktops, and servers worldwide fall into this uninitialized category. People worldwide use these SEDs today for boot drives, USB attached storage, and server storage. Very few even know the danger.
And ransomware is not a thing of the past. It continues. An unsuspecting victim clicks on an email attachment, or something on the web, and his data is encrypted by the attacker. The attacker then demands a ransom payment to unlock his data. Nobody is safe from a successful ransomware attack. As one government official has remarked, it is not a question of "if" it is a question of "when."
For over a decade these SED drives have been in distribution. All too often, software does not properly initialize the drives to prevent ransomware attacks. The hacker can then instantly employ the strong hardware drive encryption to encrypt the data on it. As Dr. Robert Thibadeau of DTA remarks, "Notably, even Microsoft Bitlocker often does not detect the Self-Encrypting Drive, and will use Software Bitlocker. Bitlocker then leaves the drive open to a ransomware attack that the guy didn't expect. The same is true for virus checkers and other security software."
The Drive Trust Alliance (DTA) has introduced a small Windows program, for free, SEDProtect.exe. This software will detect any vulnerable TCG Opal Self-Encrypting Drive connected to a computer. SEDProtect is based on DTA Open Source which can also be downloaded for inspection. See www.drivetrust.com/protect . The protection is simple and easy as typing an owner password for the drive. This need be done only once for the life of the drive.
To put these SEDs to safe use in USB Attached storage, DTA has introduced full featured software in DTA's Personality Series of USB SEDs. The USB Personality Series includes personal, small IT shop, family, archival, and forensic drives at the same low price. They are available on Amazon under "DTA hardware encrypting." Like SEDProtect, Personality Series USB software can also detect any other vulnerable USB drive that happens to be a TCG Opal SED, and will permit the owner to secure and manage that drive as well.
DTA urges everyone to check and protect their machines for TCG Opal SEDs. DTA (www.DriveTrust.com) has an educational and technical mission to improve the adoption of hardware-encrypting storage. Protected, the real owner of the drive can benefit from the self-encrypting drive's amazingly strong privacy and security assurances. Unprotected, ransomware wins.
==================================================================
Wave has an excellent SED management system for these SEDs in the marketplace! Because SEDs have been standardized on all SSDs and on business HDDs, there are many millions of SEDs in the market that could be managed by Wave to help prevent ransomware on computers. And according to this article, ransomware could one day cause many billions in overall damage if computers aren't properly protected.
=================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Excerpt:
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
DOJ discloses government hack to expose reach of North Korean cyberattack
https://www.cnn.com/2019/01/30/politics/doj-north-korea-hack-operation/index.html
Washington (CNN) — FBI and Air Force investigators modified computer servers to collect information about a network of devices infected with a malware spread by North Korean hackers, the Justice Department announced Wednesday.
The operation, backed up by court orders and search warrants that enable the so-called government hacking, allowed law enforcement to map out the breadth of the network of infected devices, known as the Joanap botnet, and to notify victims in the US of the alleged North Korean cyberattack.
"This operation is another example of the Justice Department's efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution," said John Demers, the assistant attorney general in charge of the Justice Department's National Security Division, in a statement. "Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data."
Prosecutors have said that the North Korean hackers that propagated the malware were also behind the 2014 hack of Sony Pictures Entertainment.
Investigators first obtained search warrants and orders from a federal judge in June that allowed them to use FBI computers in California to mimic a server infected with the malware and communicate with real infected devices, known as peers.
"Computers within the network of computers infected by this North Korean malware ... will be prompted to communicate with FBI IPs, disclose their own lists of other known Peers, and pass addresses of the FBI IPs to other Peers in the network. This will allow the FBI to learn the Internet Protocol ('IP') addresses of the other Peers in the botnet, thus generating a map of the botnet," prosecutors explained in an application for a court order last year.
An amendment to the federal rule outlining the use of warrants passed in 2016 allows law enforcement to access information like this from remote servers that are associated with malicious conduct and whose locations are hidden.
Andrew Crocker, a senior staff attorney at the digital privacy advocacy group Electronic Frontier Foundation, said the Justice Department has used the new warrant rule to take down a botnet in the past, but said the techniques described in the warrant application appeared to be unique and "fairly sophisticated."
"The operation appears fairly sophisticated, describing the technical steps the government will take to ensure the computers it's accessing are actually infected, and trying to limit the type of data it collects in order to shut down the botnet and ultimately notify US users who are affected," Crocker said.
"With that said, these techniques are inherently invasive, both because of the possibility of unintended consequences and because the government is executing searches on many computers whose owners are not accused of any wrongdoing, but which have become infected," he said.
==================================================================
Botnets can be used to perform DDOS attacks, steal data, send spam and allow the attacker to access the device and its connection. If the organization's/government's network were using Wave ERAS, where the devices that are part of the network are known (with a TPM), DDOS attacks wouldn't work on the network since the botnet's devices are unknown. Rogue attacks from the botnet wouldn't work either. Then all the trouble the FBI and Air Force are going through to resolve the issue would be unnecessary. The bad guys or DDOS wouldn't have been able to enter the network. Wave's solutions (ERAS in this case) sure seem to make so much more sense than a need to collect information and perform invasive searches about a botnet after the damage has been done. Wave should have a lot more business with the government given its outstanding solutions!
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
US-CERT Highlights Exchange Server Flaw Enabling Escalation-of-Privilege Attacks
https://redmondmag.com/articles/2019/01/30/exchange-server-escalation-of-privilege.aspx
The U.S. Computer Emergency Readiness Team this week noted that Exchange Server versions from Exchange Server 2013 on up have a vulnerability that could permit the impersonation of any user, leading to "control of an affected system."
This Exchange Server flaw was actually noted by Microsoft back in November in an advisory. It was assigned the common vulnerabilities and exposures number of CVE-2018-8581.
The CERT Coordination Center described it as a "NTLM relay attack" vulnerability, which affects Exchange Server 2013 and newer Exchange Server versions, in a vulnerability note. The vulnerability is present because Exchange Server fails to set "signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange Server."
An attack can occur if the attacker has "credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller," US-CERT noted. It can also happen without the attacker having an Exchange user's password, according to researchers. US-CERT recommended disabling Exchange Web Services push/pull subscriptions and removing Exchange privileges on the domain object, but noted that those measures aren't supported by Microsoft.
Microsoft had described the vulnerability as an elevation-of-privilege issue for Exchange Server, and suggested that a so-called "man-in-the-middle" type of approach would be needed to exploit it. Microsoft's advisory gave it an Exploitability Assessment ranking of "2," for "less likely" to be exploited, as well as an "Important" severity ranking. Right now, there's no software patch for the vulnerability, nor is there a workaround. Instead, Microsoft's advisory suggested altering the Registry to delete a DisableLoopbackCheck value as a stop-gap approach.
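The CERT note above hinges on whether NTLM signing and sealing are negotiated on the authentication traffic. As an added example (not code from US-CERT, Microsoft or any of the researchers quoted here), the Python below parses the NegotiateFlags field out of NTLM Type 1 (NEGOTIATE) and Type 3 (AUTHENTICATE) messages as they appear in an `Authorization: NTLM <base64>` header in a proxy or IIS log, and reports sessions where neither NTLMSSP_NEGOTIATE_SIGN nor NTLMSSP_NEGOTIATE_SEAL was set, which is the condition under which a relayed authentication carries no integrity protection. Flag values and field offsets follow the MS-NLMP specification; the sample headers and the flag values in them are constructed for this example.

```python
import base64
import struct

# NTLMSSP framing and the NegotiateFlags bits relevant to message integrity (MS-NLMP).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_SIGN = 0x00000010         # real message signing (integrity)
NTLMSSP_NEGOTIATE_SEAL = 0x00000020         # message encryption (confidentiality)
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000  # dummy signature header only, no integrity
NEGOTIATE_MESSAGE = 1
AUTHENTICATE_MESSAGE = 3
# Byte offset of the 32-bit little-endian NegotiateFlags field, per message type
FLAGS_OFFSET = {NEGOTIATE_MESSAGE: 12, AUTHENTICATE_MESSAGE: 60}


def parse_flags(blob: bytes) -> int:
    """Return NegotiateFlags from a Type 1 or Type 3 NTLMSSP message."""
    if blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type not in FLAGS_OFFSET:
        raise ValueError(f"message type {msg_type} does not carry NegotiateFlags")
    return struct.unpack_from("<I", blob, FLAGS_OFFSET[msg_type])[0]


def integrity_negotiated(flags: int) -> bool:
    """True only if SIGN or SEAL is set; ALWAYS_SIGN alone protects nothing."""
    return bool(flags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL))


def audit_authorization_header(header_value: str) -> dict:
    """Audit one 'NTLM <base64>' Authorization header value from a proxy or IIS log."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError(f"unexpected auth scheme {scheme!r}")
    blob = base64.b64decode(token)
    flags = parse_flags(blob)
    return {
        "message_type": struct.unpack_from("<I", blob, 8)[0],
        "flags": f"0x{flags:08X}",
        "sign": bool(flags & NTLMSSP_NEGOTIATE_SIGN),
        "seal": bool(flags & NTLMSSP_NEGOTIATE_SEAL),
        "always_sign_only": bool(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
        and not integrity_negotiated(flags),
        "relay_exposed": not integrity_negotiated(flags),
    }


def build_negotiate(flags: int) -> bytes:
    """Constructed minimal Type 1 message: empty domain and workstation fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", NEGOTIATE_MESSAGE, flags) + b"\x00" * 16


def build_authenticate(flags: int) -> bytes:
    """Constructed minimal Type 3 message: six empty field descriptors, then flags."""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + b"\x00" * 48 + struct.pack("<I", flags))


# Constructed sample headers: one client that negotiated only ALWAYS_SIGN (the usual
# case for NTLM over HTTP) and one that negotiated SIGN and SEAL.
SAMPLE_HEADERS = {
    "http-client-unsigned": "NTLM " + base64.b64encode(build_negotiate(0xE2088207)).decode(),
    "client-signed-sealed": "NTLM " + base64.b64encode(build_authenticate(0xE2088237)).decode(),
}


def audit_all(headers: dict) -> dict:
    """Audit every header value and key the results by the caller's label."""
    return {name: audit_authorization_header(value) for name, value in headers.items()}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_HEADERS).items():
        print(name, result)
```

Seeing `relay_exposed` on an authentication that a server later accepts is the observation the advisory's mitigations (LDAP signing enforcement, removing the loopback exemption) are meant to eliminate; the audit reads only the flags and does not touch the session.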
However, a Jan. 29 post by the SANS Institute's Internet Storm Center suggested that Microsoft's recommendation won't address the vulnerability:
Note that the deletion of the registry key as specified in Microsoft's advisory for CVE-2018-8581 does not fix this vulnerability! It prevents a malicious user from impersonating another user on the Exchange server, but not on a Domain Controller, through LDAP. Additionally, I have installed patches on an Exchange 2016 server, and the registry key was not removed (even though Microsoft's advisory says that they will remove it).
The SANS Institute post indicated that "Exchange 2013, 2019 and 2019 have been confirmed as vulnerable." The vulnerability isn't present on Exchange Server 2010 because it has a signing capability that's lacking in the later products. The vulnerability status of Exchange Server 2007 is "unknown at this time."
Trend Micro's Zero Day Initiative team apparently first described how the Exchange Server vulnerability works back in December. The vulnerability allows anyone to impersonate anyone else on an Exchange Server-based network. It could be used in spear-phishing campaigns.
"While this bug certainly could be used for some interoffice hijinks, it's much more likely that this vulnerability would be used in a spear phishing campaign, data exfiltration, or other malware operation," the ZDI team wrote.
Security researcher Dirk-jan Mollema provided his description of the vulnerability in this blog post. He suggested that Exchange Servers have privileges within an organization's Active Directory that are too high. The vulnerability could be used to escalate privileges to the "Domain Admin" level via "golden tickets," based on the ZDI team's analysis. It's especially possible to carry out the exploit when the attacker uses "NTLM over HTTP," he added.
"This [vulnerability] can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I've seen that use Exchange," Mollema wrote.
Mollema also suggested that compromised credentials aren't needed to perform the attack: "If an attacker is only in a position to perform a network attack, but doesn't have any credentials, it is still possible to trigger Exchange to authenticate."
Mollema offered a bulleted list of suggestions on how to address the Exchange Server vulnerability. It includes removing the "unnecessary high privileges that Exchange has on the Domain object" and enabling LDAP signing. Organizations can also "block Exchange servers from making connections to workstations on arbitrary ports," among other tips. He also recommended carrying out Microsoft's recommendation.
The Center for Internet Security also weighed in on the Exchange Server vulnerability in a Jan. 29 advisory. The nonprofit group assigned it a risk of "High" for large entities and "Medium" for small ones, in contrast to Microsoft's weightings.
Microsoft's advisory does suggest that it will deliver a future cumulative update to Exchange Server that will delete a problematic registry value with regard to NTLM, although the timing wasn't mentioned.
"To address this vulnerability, a registry value which enables NTLM authentication on the network loopback adapter needs to be removed," the advisory stated. "Future cumulative updates will ensure that this registry setting is configured correctly during installation of the cumulative update."
=================================================================
Spear-phishing and malware (see underlines in article) are two items that Wave can combat against very effectively for organizations by using the Wave VSC 2.0 and Wave Endpoint Monitor solutions. Having both of those solutions under one company should make Wave a formidable player in cybersecurity and even stronger with its other solutions.
=================================================================
Microsoft Exchange Vuln Enables Attackers to Gain Domain Admin Privileges
https://www.darkreading.com/microsoft-exchange-vuln-enables-attackers-to-gain-domain-admin-privileges/d/d-id/1333758?_mc=KJH-Twitter-2019-01
Excerpts:
The attack is possible because of the extensive privileges available by default in Exchange and therefore cannot be patched against, security researcher Dirk-jan Mollema of Netherlands-based Fox-IT wrote in a blog post describing the new exploit. Mollema also released a proof-of-concept tool dubbed "PrivExchange" demonstrating how the attack works.
An attacker with a foothold on a Windows network can use the publicly available exploit to gain domain administration rights, he warns. "The domain controller is the key to the whole kingdom," Dormann says. "Somebody that gains access to the domain controller owns the entire network."
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
Low TCO
• Reduce operating expenses by eliminating password reset and shortening deployment times
• Minimize capital expenses by using hardware you already have
• Integrate with Microsoft Active Directory for IT familiarity
Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
Flexibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• Create custom management policies to suit your organization’s needs
• User and device authentication from a common console
Seamless Device Authentication
• Access control over wireless (i.e. 802.1x)
• Single sign-on
• VPN authentication (i.e. Microsoft DirectAccess)
Microsoft, Windows, and BitLocker are either registered trademarks or trademarks of the Microsoft group of companies.
https://www.wavesys.com/products/wave-virtual-smart-card
The VSC 2.0 also protects against stolen credentials!
https://www.wavesys.com/
FireEye: New APT goes after individual targets by hitting telecom, travel companies
https://www.cyberscoop.com/apt39-fireeye-telecom-travel-comapnies-middle-east/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=83835372&utm_medium=social&utm_source=twitter&hss_channel=tw-720664083767435264
A newly identified threat group linked to Iran is surveilling specific individuals of interest by stealing data primarily from companies in the telecommunications and travel industries, according to a report from FireEye published Tuesday.
FireEye is adding the group to its list of advanced persistent threats as APT39. While not outright saying the group is state-sponsored, researchers said that APT39 appears to be acting in support of Iranian state interests. That assessment is based on the group’s toolset overlap with other Iran-linked groups like APT33, APT34, Newscaster and Chafer.
Still, FireEye says APT39’s apparent objective and its choices of malware variants warrant classifying it as a new group.
“APT39’s focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals that serve strategic requirements related to Iran’s strategic national priorities,” Cristiana Kittner, FireEye principal analyst of cyber-espionage analysis, told CyberScoop by email.
It’s not clear who those individuals are, but FireEye says at least some targets are tied to other governments, which “suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making,” the report says.
APT39’s activities have a global reach, but the group is more focused on the Middle East, FireEye says. The report says the group has been observed targeting entities in Saudi Arabia, Iraq, Egypt, Turkey, the United Arab Emirates, Qatar, Norway, South Korea, the United States and Australia — and is suspected to have targets in Kuwait and Israel.
FireEye suggests that by targeting travel and telecommunications companies, APT39 can look for data pertaining to customers that are persons of interest to Iran.
“Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms,” Kittner said. “APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale.”
FireEye says APT39 uses a combination of custom-made and publicly available hacking tools to compromise its targets. It typically starts with a spearphishing campaign, the report says, using malicious files and links to “domains that masquerade as legitimate web services and organizations that are relevant to the intended target.” Successful phishing results in a backdoor infection, after which the group uses common and custom tools to escalate privileges on the compromised computer and conduct reconnaissance.
Kittner said the group has been active as recently as the past six months, although there’s been a “regular pace of activity from APT39 since 2014.”
“APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals,” the report says.
=================================================================
The market could benefit substantially by using the Wave Endpoint Monitor and Wave VSC 2.0 solutions: WEM for spotting Advanced Persistent Threats (APTs), and Wave VSC 2.0 for making the phishing of login credentials not worthwhile to the hacker due to VSC 2.0's second factor (TPM). Where antivirus software is inadequate, Wave Endpoint Monitor shines! The previous post highlights some of the important parts of WEM and malware protection, and there is some great reading on APTs. Under Key Features below, APTs are covered, which is applicable to the article above.
==================================================================
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
Key Features:
Easy security compliance
• Comports with NIST guidelines for BIOS integrity
Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 Malware protection now—WEM covers previous versions of Windows
Simplicity
• Uses standards-based security that’s in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring
No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead
Windows 8 Tablet Compatibility
• Get the same device integrity assurance on Windows 8 Pro & Enterprise tablets that you want for your enterprise PCs - with Wave Mobility Pro - Tablet Edition
Fileless Infection Steals Creds with Bank Trojan
https://www.infosecurity-magazine.com/news/fileless-infection-steals-creds?utm_source=twitterfeed&utm_medium=twitter
A new variant of the password-stealing Ursnif bank Trojan has been found in the wild delivering fileless infections while remaining undetected, according to Cisco Talos Intelligence.
In a blog post, researchers wrote that the banking Trojan employs "fileless persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop.”
Researchers received an alert containing a malicious VBA macro coming from a Microsoft Word document that asked users to enable macros. Once enabled, PowerShell is executed and then another PowerShell command downloads the Ursnif malware.
Registry data is then created for the next stage of execution in which the command executes PowerShell using Windows Management Instrumentation Command-line (WMIC). Among the APIs imported from kernel32 were GetCurrentProcess, VirtualAllocEx, GetCurrentThreadID, QueueUserAPC, OpenThread and SleepEx, according to the blog.
Though researchers identified a list of files dropped, they also noted, “Filenames are hardcoded in the first PowerShell command executed, and vary by sample. This means that these indicators aren't necessarily malicious on their own as filenames might collide with benign ones. If found with other indicators, it's likely an Ursnif infection.”
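The execution chain described above (macro-enabled Word document, PowerShell, a second PowerShell launched through WMIC, dropped files whose names collide with benign ones) is the kind of behaviour a process-creation telemetry rule can catch even when no file on disk carries a known signature. As an added example, not code from Cisco Talos or from the article, the Python below runs a few such rules over constructed Sysmon-style process-creation and file-creation events, and follows the report's caveat by treating a filename match alone as weak evidence that needs corroboration. Host names, paths, the base64 command argument and the indicator filenames are all constructed for the example, not indicators from the report.

```python
import re
from collections import defaultdict

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_FLAG = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I)
# Constructed filename indicators standing in for the sample-specific names in the report.
FILENAME_IOCS = {"stage1_constructed.tmp", "stage2_constructed.cab"}

# Constructed events in a Sysmon Event ID 1 / 11 shape. ws01 shows the full chain,
# ws02 is benign activity, ws03 has only a filename collision.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "pid": 4100,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\invoice.docm"'},
    {"type": "process_create", "host": "ws01", "pid": 4188,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc QwBvAG4AcwB0AHIAdQBjAHQAZQBkAA=="},
    {"type": "process_create", "host": "ws01", "pid": 4210,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "powershell -nop -w hidden -c <constructed>"'},
    {"type": "process_create", "host": "ws01", "pid": 4230,
     "parent_image": r"C:\Windows\System32\wbem\WMIC.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c <constructed>"},
    {"type": "process_create", "host": "ws02", "pid": 900,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "file_create", "host": "ws03", "pid": 5120,
     "path": r"C:\Users\jdoe\AppData\Local\Temp\stage1_constructed.tmp"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(ev: dict) -> list:
    """Return (rule_name, weight) hits for one event; weights express confidence."""
    hits = []
    if ev["type"] == "process_create":
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", 3))
        if parent == "wmic.exe" and child == "powershell.exe":
            hits.append(("wmic_spawns_powershell", 3))
        if (child == "powershell.exe" and ENCODED_FLAG.search(ev["cmdline"])
                and HIDDEN_FLAG.search(ev["cmdline"])):
            hits.append(("hidden_encoded_powershell", 2))
    elif ev["type"] == "file_create":
        if basename(ev["path"]) in FILENAME_IOCS:
            hits.append(("filename_ioc", 1))  # weak: names collide with benign files
    return hits


def assess_hosts(events: list) -> dict:
    """Aggregate rule hits per host and grade them; hosts with no hits are omitted."""
    per_host = defaultdict(list)
    for ev in events:
        for rule, weight in evaluate_event(ev):
            per_host[ev["host"]].append((rule, weight))
    verdicts = {}
    for host, hits in per_host.items():
        rules = {rule for rule, _ in hits}
        behavioral = rules - {"filename_ioc"}
        if len(behavioral) >= 2:
            verdict = "high: fileless macro-to-PowerShell chain"
        elif behavioral:
            verdict = "medium: suspicious execution, review"
        else:
            verdict = "low: filename match only, needs corroboration"
        verdicts[host] = {"score": sum(w for _, w in hits),
                          "rules": sorted(rules), "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for host, verdict in assess_hosts(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The grading deliberately requires two independent behavioural rules before calling the chain with high confidence, so that a single noisy match (an administrator's encoded PowerShell, or a filename collision) does not page anyone on its own.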
An extensive list of malicious documents and C2 server domains were also listed among the indicators of compromise.
"This is just the latest example of how antivirus and signature-based security tools are easily bypassed by creative hackers. There are hundreds of sophisticated hacker tools readily available that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized,” said Ray DeMeo, co-founder and COO, Virsec.
“We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure."
==================================================================
This article just illustrates some of what Wave has been saying about malware (see underline/bold below), and a great solution to combat the problem is Wave Endpoint Monitor!
==================================================================
https://www.wavesys.com/malware-protection
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
The extent of APTs seems wider each week. News stories about targeted attacks on organizations appear weekly. Even more stories do not appear, as some malware is not detected for very long periods of time. Some malware described as "cutting edge" has code components that have been available for 3 and 4 years, thus dating their undetected time of life in the wild. With online tools, even a non-technical person can create one easily. And there are more ways than ever for malware to spread: the Internet, personal computing devices, downloads, email, social media sites. Government agencies recognize it as a growing threat. Early detection is the highest priority in this Cyberwar. In 2011 NIST published guidelines for establishing a chain of trust for the basic input/output system (BIOS), which initializes a computer when it boots up. This critical system is one of malware’s more consequential targets and an area specifically protected by Wave Systems in its products and in its thinking.
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
Which other attack vector should you watch? One common vector that is used to attack even the most secure networks is physical devices – connected to USB, FireWire or SD. Our Data Protection Suite AV scanner allows you to block any unscreened device from connecting to any machine in the organization, until it has been scanned for known malware.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
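The mechanism described in the two Wave excerpts above (“start with the device” and the boot-time comparison against previous boot values) is TPM platform attestation: each boot component is hashed and extended into a Platform Configuration Register, and a later boot is judged by comparing the resulting PCR values with a recorded baseline. As an added example, not Wave's code or data, the Python below replays constructed boot logs through the PCR extend operation and reports which registers deviate, showing why a swapped bootloader, an added option ROM, or even the same components in a different order all surface as a change. The component labels, PCR assignments and scenarios are constructed for the example; a production verifier would also check the TPM's signature over the quote and the freshness nonce, which this comparison omits.

```python
import copy
import hashlib

PCR_RESET = b"\x00" * 32  # a SHA-256 PCR bank starts at all zeros

# Constructed boot-measurement log: PCR index -> ordered component labels whose
# SHA-256 digests are extended into that PCR during boot. Real firmware measures
# the component binaries; labelled strings stand in for them here.
BASELINE_BOOT = {
    0: ["firmware-core-v1.2", "firmware-dxe-v1.2"],
    2: ["option-rom-nic", "option-rom-gpu"],
    4: ["bootmgr-efi", "winload-efi"],
    7: ["secureboot-policy", "db-certificate"],
}


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest). Order-dependent and one-way."""
    return hashlib.sha256(pcr_value + digest).digest()


def compute_pcrs(boot_log: dict) -> dict:
    """Replay a boot log into final PCR values, as the TPM holds them after boot."""
    pcrs = {}
    for index, components in boot_log.items():
        value = PCR_RESET
        for component in components:
            value = extend(value, hashlib.sha256(component.encode()).digest())
        pcrs[index] = value
    return pcrs


def compare_to_baseline(baseline: dict, quoted: dict) -> dict:
    """Return {pcr_index: reason} for every deviation; an empty dict is a clean boot."""
    findings = {}
    for index in sorted(set(baseline) | set(quoted)):
        if index not in quoted:
            findings[index] = "missing from quote"
        elif index not in baseline:
            findings[index] = "unexpected PCR reported"
        elif baseline[index] != quoted[index]:
            findings[index] = "value changed since baseline"
    return findings


def run_scenarios() -> dict:
    """Compare the constructed baseline against several constructed later boots."""
    baseline = compute_pcrs(BASELINE_BOOT)
    scenarios = {"clean": copy.deepcopy(BASELINE_BOOT)}

    tampered = copy.deepcopy(BASELINE_BOOT)
    tampered[4][1] = "winload-efi-modified"  # OS loader replaced below the OS
    scenarios["tampered_bootloader"] = tampered

    extra = copy.deepcopy(BASELINE_BOOT)
    extra[2].append("option-rom-unknown")  # an expansion ROM that was not there before
    scenarios["extra_option_rom"] = extra

    reordered = copy.deepcopy(BASELINE_BOOT)
    reordered[0].reverse()  # same firmware components, different execution order
    scenarios["reordered_firmware"] = reordered

    # quote omits the Secure Boot policy PCR entirely
    scenarios["pcr_not_reported"] = {k: v for k, v in BASELINE_BOOT.items() if k != 7}

    return {name: compare_to_baseline(baseline, compute_pcrs(log))
            for name, log in scenarios.items()}


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name}: {findings or 'no deviation'}")
```

Because extend is one-way, the comparison tells the verifier which register moved but not what changed inside it; the measured boot event log is what an analyst then reads to identify the specific component.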
An open standard means Wave works with everything
Wave Endpoint Monitor works on your existing hardware, across platforms. That’s because our solutions are based on an open standard that’s already been implemented on many laptops and is now working its way onto mobile devices. We’re talking about those TPMs. We just don’t think that expensive new equipment and vendor lock-in are great selling points.
Be proactive on compliance
No new regulations here—yet. But government agencies recognize malware as a growing threat. In 2011, NIST published guidelines for basic input/output system (BIOS) integrity measurement, the BIOS being what initializes a computer when it boots up. When this critical system is malware’s target, the consequences are big. The guidelines describe what’s needed to establish a chain of trust for the BIOS: Has it been tampered with? NIST actually looked to Wave for feedback on this document (see the acknowledgments). We know what’s needed, because Wave Endpoint Monitor is already doing it.
Key Features:
Easy security compliance
• Comports with NIST guidelines for BIOS integrity
Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 Malware protection now—WEM covers previous versions of Windows
Simplicity
• Uses standards-based security that’s in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring
No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead
Windows 8 Tablet Compatibility
• Get the same device integrity assurance on Windows 8 Pro & Enterprise tablets that you want for your enterprise PCs - with Wave Mobility Pro - Tablet Edition
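The check the Wave Endpoint Monitor copy above describes (measure each boot stage into the TPM, compare the resulting values against the baseline from an earlier boot, alert on deviation) as an added example; this is not Wave's code and not taken from the page. It uses a simulated PCR bank (stdlib only) with the PC Client convention of PCR0 for firmware and PCR4 for the boot record and boot loader; the stage names, image contents and golden baseline are constructed, and the quote's TPM signature is omitted. The point it shows beyond the paragraph: because the event log is reported by software while the PCR values come from the chip, the checker first replays the log against the quote, which is what catches a boot record that "lies" about its own hash.

```python
"""Boot-measurement comparison against a simulated TPM (constructed example)."""
import hashlib
from typing import Dict, List, Tuple

PCR_LEN = 32  # one SHA-256 PCR bank
# Which PCR each boot stage is measured into. Indices follow the PC Client
# convention (PCR0: firmware, PCR4: boot record / boot loader); the stage
# names and image contents below are constructed for this example.
BOOT_STAGES = [(0, "bios"), (0, "bios-config"), (4, "boot-record"), (4, "boot-loader")]
QUOTED_PCRS = (0, 4)
Event = Tuple[int, str, bytes]  # (pcr index, stage name, digest of the image)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedTpm:
    """Stand-in for a TPM's PCR bank: a register can be extended, never set."""

    def __init__(self, n_pcrs: int = 8) -> None:
        self.pcrs: List[bytes] = [b"\x00" * PCR_LEN for _ in range(n_pcrs)]

    def extend(self, index: int, digest: bytes) -> None:
        # PCR_new = H(PCR_old || digest): order-dependent and not reversible,
        # so later software cannot erase what earlier stages recorded.
        self.pcrs[index] = sha256(self.pcrs[index] + digest)

    def quote(self) -> Dict[int, bytes]:
        # A real TPM signs the quote with an attestation key; signature omitted.
        return {i: self.pcrs[i] for i in QUOTED_PCRS}


def simulate_boot(images: Dict[str, bytes]) -> Tuple[Dict[int, bytes], List[Event]]:
    """Measure each stage into the TPM before 'running' it; return (quote, log)."""
    tpm, log = SimulatedTpm(), []
    for pcr, name in BOOT_STAGES:
        digest = sha256(images[name])
        tpm.extend(pcr, digest)
        log.append((pcr, name, digest))
    return tpm.quote(), log


def replay_log(log: List[Event]) -> Dict[int, bytes]:
    """Recompute the PCRs from the event log alone."""
    pcrs = {i: b"\x00" * PCR_LEN for i in QUOTED_PCRS}
    for pcr, _name, digest in log:
        pcrs[pcr] = sha256(pcrs[pcr] + digest)
    return pcrs


def check_boot(baseline_log: List[Event], quote: Dict[int, bytes],
               log: List[Event]) -> List[str]:
    """Return findings; an empty list means the boot matched the baseline."""
    # 1. The log is software-reported and can lie; the quote comes from the TPM.
    #    If replaying the log does not reproduce the quote, distrust the log.
    if replay_log(log) != quote:
        return ["event log does not reproduce the quoted PCRs (log tampered)"]
    # 2. The log is consistent with the TPM, so name exactly what changed.
    if [(p, n) for p, n, _ in log] != [(p, n) for p, n, _ in baseline_log]:
        return ["boot sequence differs from baseline"]
    baseline = {name: digest for _p, name, digest in baseline_log}
    return [f"PCR{p}: {n} measurement changed" for p, n, d in log if baseline[n] != d]


# Constructed "golden" images recorded on the first, trusted boot.
GOLDEN = {"bios": b"BIOS 1.02", "bios-config": b"secure-boot=on",
          "boot-record": b"MBR: stock", "boot-loader": b"bootmgr 10.0"}


def demo() -> Dict[str, List[str]]:
    _, baseline_log = simulate_boot(GOLDEN)
    results = {}
    quote, log = simulate_boot(GOLDEN)                      # ordinary reboot
    results["clean"] = check_boot(baseline_log, quote, log)
    infected = dict(GOLDEN, **{"boot-record": b"MBR: bootkit"})
    quote, log = simulate_boot(infected)                    # bootkit in the boot record
    results["bootkit"] = check_boot(baseline_log, quote, log)
    forged = [(p, n, sha256(GOLDEN[n])) for p, n, _ in log]  # bootkit also rewrites the log
    results["forged-log"] = check_boot(baseline_log, quote, forged)
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

Run it directly to see the three cases: the clean reboot produces no findings, the bootkit is named by stage (PCR4, boot-record), and the bootkit that also patches the event log to show the old digest is caught at the replay step, because it cannot rewind what the chip already extended. In a real deployment the quote is signed by the TPM's attestation key and verified server-side before any of this comparison is trusted.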
Most IT Pros Share and Reuse Passwords: Report
https://www.infosecurity-magazine.com/news/most-it-pros-share-and-reuse/
Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according to a new study published on the EU’s Data Protection Day.
Also known as Data Privacy Day in North America, the awareness-raising event was originally slated for January 28, 13 years ago, as this was the date that the Council of Europe’s data protection convention (Convention 108) was opened to signature.
However, while most of the respondents to Yubico’s study — who were IT and information security pros in the US, UK, Germany and France — said they were increasingly concerned about privacy, bad habits persist.
Some 69% admitted they had shared passwords with colleagues, and over half (51%) reuse an average of five passwords across business and personal accounts. Over half (55%) don’t use two-factor authentication at work and 67% do not use it for personal accounts.
These findings are especially concerning given that IT professionals should theoretically be leading by example in organizations and society at large by following best practices in security and privacy. They also hold the keys to privileged corporate accounts and so represent a major target for hackers.
Even more concerning is the fact that 51% of those polled said they’d suffered a phishing attack at home and 44% at work, but over half (57%) of these claimed it didn’t affect their password behavior.
Thanks to the GDPR, consumers and organizations around the world are becoming more privacy-aware. Google was recently fined €50m in France in the first major investigation by regulators, with experts predicting many more will follow for both privacy and security infractions.
Aside from the 'stick' of regulatory fines, the likes of the ICO are hoping that the 'carrot' of improved transparency, operational efficiency, competitive differentiation and security, will encourage organizations to get compliant.
A Cisco study of over 3000 global security and privacy professionals released last week claimed that only 37% of GDPR-ready companies experienced a data breach costing more than $500,000, versus 64% of the least GDPR-ready firms.
In addition, those investing in GDPR compliance experienced shorter delays due to privacy concerns in selling to existing customers: 3.4 weeks as opposed to 5.4 weeks for the least GDPR-ready organizations.
UK firms were among the leaders globally, with 69% claiming to be GDPR-ready, compared to just 42% in China and 45% in Japan.
=================================================================
Yubico offers keys for 2FA that can be lost or too often fumbled. With Wave VSC 2.0, the second factor (TPM) is already built into the computer, and there is no need to wait for a key (that is lost, or for a new employee) to be sent. With the help of employees marketing through partner distribution channels, Wave VSC 2.0 and Wave's other solutions could bring about strong growth for Wave!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
White Paper is at the end of the initial summary at the link above and should be required reading for anyone interested in Wave VSC 2.0!
Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement
https://www.nytimes.com/2019/01/23/business/dealbook/yahoo-cyber-security-settlement.html
Shareholders haven’t been successful in holding companies accountable for data breaches.
That changed in the first month of 2019.
The former officers and directors of Yahoo agreed to pay $29 million to settle charges that they breached their fiduciary duties in their handling of customer data during a series of cyberattacks from 2013 until 2016. Three billion Yahoo user accounts were compromised in the attacks. The settlement ended three so-called derivative lawsuits filed in Delaware and California against the company’s former leadership team and board, including Marissa Mayer, Yahoo’s former chief executive. Insurance coverage will pick up the tab.
The settlement, approved this month by a Superior Court judge in Santa Clara, Calif., marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach. There have been very few breach-related derivative lawsuits, and all had been dismissed by the courts or settled without a payment to the shareholders.
A derivative lawsuit is a legal mechanism that gives the owners of a company — the shareholders — a way to hold corporate directors and management accountable for their actions. Shareholders file a claim on the company’s behalf, with any money recovered going to the corporation, not the individual shareholders, because the violation harmed only the organization.
Under the Yahoo settlement, the lawyers walk away with about $11 million in fees and expenses, with the remaining $18 million paid to Yahoo, now called Altaba after Verizon acquired Yahoo’s internet business in 2017.
A $29 million settlement might seem trivial for a company that has a market capitalization of $38 billion. But it signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory. That is especially so in cases like Yahoo’s, in which shareholders allege egregious misconduct at the highest levels of an organization.
Those allegations might explain why the Yahoo case was settled.
Insurers don’t typically cough up tens of millions of dollars to settle derivative cases, which can be tough for shareholders to win. They must show that board members breached their fiduciary responsibilities by consciously disregarding their duties. The chief justice of the Delaware Supreme Court has called these claims “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”
The parties jointly told the court that the settlement was fair, in the best interest of all parties, and that a series of data security improvements have been worked out to minimize the chances that this will happen again. But the facts of the case most likely led the insurers to conclude that their exposure could be greater than the settlement.
The reason is that the actions alleged in the lawsuit are outrageous. The nearly 120-page complaint — which is heavily redacted — reads at points more like a criminal indictment than a lawsuit. It accuses Yahoo’s former leaders of engaging in an elaborate, yearslong plot to cover up hacks going back to 2013 and conducting a “sham” investigation to “conceal the largest hacking incident in U.S. history.”
Yahoo was a pioneer of the internet era, and the core of its business was providing ways for users to communicate with one another confidentially. Yet Yahoo failed miserably at this fundamental mission, according to the shareholders’ complaint. The expectations for consumer privacy and data security are far different for an internet company than a corner hardware store. The insurance carriers clearly understood this fact.
The company’s settlement with the Securities and Exchange Commission in April provided further fodder to justify a settlement. The S.E.C. tagged Altaba with a $35 million penalty for failing to make a timely disclosure of the data breach, the commission’s first action for a cybersecurity disclosure violation.
But it’s the details of the S.E.C. settlement that most likely proved the most troubling for the insurers. According to the S.E.C., “In late 2014, Yahoo had learned of a massive breach of its user database that resulted in the theft, unauthorized access or acquisition of hundreds of millions of its user’s personal data.” The agency further alleged that “Yahoo senior management and relevant legal staff did not properly assess the scope, business impact or legal implications of the breach” and “did not share information regarding the breach with Yahoo’s auditors or outside counsel.”
Yahoo didn’t disclose the breach until September 2016, when it was negotiating the sale of its internet business to Verizon. Although the transaction was completed, the acquisition price was lowered by $350 million to $4.48 billion. That made for bad optics, a fact that the insurers probably recognized.
Any company that figured it had little to fear from shareholders after a breach should now think twice. And in the meantime, this is definitely not the time to cut back insurance for officers and directors.
=================================================================
I recall SKS years ago urging Yahoo to join the Trusted Computing Group. If they had, they may have been introduced to Wave VSC 2.0 before the Yahoo incident had escalated and kept the destruction to a minimum. Given the consequences outlined in this article, organizations, board members, CEOs, and officers should seriously consider the tremendous benefits they would be getting in having better security at less than half the cost (Wave VSC 2.0).
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/wave-alternative
==================================================================
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Cyber-threats are everywhere, but with Wave Virtual Smart Card 2.0 (Wave VSC 2.0) enterprises have a hardware-based, tokenless, two-factor authentication security solution with the security of a hardware token solution and the convenience and cost savings of a software token solution.
Wave VSC 2.0 delivers strong two-factor authentication using the Trusted Platform Module (TPM), the embedded security chip built into enterprise PCs. Wave empowers IT with management of the TPM and VSC 2.0. Companies successfully use Wave VSC 2.0 to secure VPN access, web applications and other certificate-based applications, like Wi-Fi with 802.1x, remote desktop, or Windows-user login. Use the security that’s already been deployed and save money with Wave VSC 2.0.
Every month we see headlines highlighting mammoth breaches (e.g. eBay, JP Morgan Chase, Sony, Target, etc…). In each case, millions of records were stolen, corporate images were tarnished, and enormous costs were incurred as a result. And equally disturbing, more often than not the attacks go undetected and as a result important information is stolen.
continued at the link above.
A safe for sensitive data in the car: Volkswagen relies on TPM from Infineon
https://www.automotiveworld.com/news-releases/a-safe-for-sensitive-data-in-the-car-volkswagen-relies-on-tpm-from-infineon/
Volkswagen is one of the first car makers to deploy the OPTIGA™ Trusted Platform Module (TPM) 2.0 from Infineon Technologies AG as a security solution for the connected car
Volkswagen is one of the first car makers to deploy the OPTIGA™ Trusted Platform Module (TPM) 2.0 from Infineon Technologies AG (FSE: IFX / OTCQX: IFNNY) as a security solution for the connected car. The chip is designed to protect the vehicle’s communication with the outside world. For example, when car-sharing users or third-party services such as parcel delivery into a car’s trunk require access. Furthermore, the TPM is suited to secure software updates over the air by the car manufacturer.
TPMs have proven themselves in the computer industry for many years and are now increasingly being used in connected devices in the Internet of Things. Infineon is the first semiconductor manufacturer to offer an automotive-qualified TPM for the connected car. The chip meets international security standards and is certified by independent authorities.
Like a doorkeeper, the TPM particularly protects the vehicle’s external interfaces, for example in the infotainment system or the telematics unit. It checks the identities of senders and recipients of digital data, such as the manufacturer’s backend server. It encrypts and decrypts the data and helps make sure that only data the driver or manufacturer actually wants makes its way into the car.
The cryptographic keys needed for these security functions are stored within the TPM as in a safe. Infineon imports the initial keys in a specially certified security environment. Since all other keys can be generated, used and stored within the TPM itself, they never have to leave it and are protected against being spied on via the network. The TPM is also hardened against physical attacks. Even if someone removes the chip from the vehicle, the keys are well protected from being read.
The OPTIGA TPM 2.0 is also designed to accommodate the long product life cycles of cars. Its firmware, including cryptographic mechanisms (“crypto-agility”), can be updated remotely making sure that its security technology is always state-of-the-art.
Infineon has decades of experience in automotive electronics and hardware-based security. With the new OPTIGA TPM 2.0 and its AURIX™ family of microcontrollers, Infineon provides a comprehensive portfolio of application-specific security solutions that address key challenges in the automotive industry.
==================================================================
Look how far the TPM has come! If Volkswagen is using the TPM, it makes sense that many other companies should be activating (Wave ERAS) and using (Wave product links below) their TPMs. Wave is a gateway to the use of that TPM security in corporate computer/tablet fleets. This news should allow for a massive expansion of that with the help of Wave employees.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/wave-self-encrypting-drive-management
These products are basically summed up in the Wave Alternative (this should be required reading for anyone interested in Wave):
https://www.wavesys.com/wave-alternative
================================================================
The previous posts can help show why these Wave products are highly beneficial to the market with articles as examples. Wave has great cybersecurity. The market just needs to be shown.
To Sell Europe on Cyber Security, IBM Turns to Big Rig Operations Center
https://www.bloomberg.com/news/articles/2019-01-22/to-sell-europe-on-cyber-security-ibm-turns-to-big-rig-operations-center
Custom truck allows Big Blue to conduct onsite training, event security
Caleb Barlow, vice president of International Business Machines Corp.’s X-force threat intelligence cybersecurity team, wants to know.
I’ve just fielded a call from a woman claiming to be a reporter about to publish a story that 75 million customer records have been stolen from my company and posted on the internet. I have no idea what the answer is to Barlow’s question.
As a journalist, I’ve covered cyberattacks and data breaches before, but it’s my first time being on the other end of that phone call. And as I forgot to take the name of the reporter, I just failed my first test in responding to a cyber attack on Bane & Ox, a Fortune 100 financial firm.
Luckily for me, neither Bane & Ox nor the cyberattack are real. They’re part of a simulation IBM is hosting to showcase the capabilities of the latest addition to its cybersecurity arsenal: a custom-built 18-wheel truck trailer containing a mobile security operations center.
IBM is using the Big Rig – painted black and emblazoned with IBM’s logo and “X-Force Command” in giant white lettering on its side – to train corporate teams in how to respond to cybersecurity incidents.
A year-and-a-half in development, IBM unveiled the mobile cybersecurity unit in October. After a brief tour of the U.S., it shipped the truck in December to the U.K., where on Monday it was parked in a small lot behind the National Theatre on the bank of the River Thames in London. IBM plans to take it on a mini-Grand Tour, stopping off in Dublin, Amsterdam and Madrid. When not roving, the truck will be based at IBM’s research lab in Hursley, near Winchester, England.
As it wends its way through Europe, IBM is bringing in corporate teams for cybersecurity exercises, Barlow said.
The first four-hour training session is free. If teams want to conduct additional training beyond that, then IBM charges, he said.
The exercises IBM conducts in the mobile unit are designed to be as realistic as possible. In the scenario I participated in, the pressure ramps up quickly: after the initial phone call from a reporter alerting Bane & Ox to the data breach, there’s a ransomware attack, employees trapped in an elevator that may have been hacked, customers calling to ask if their money is safe, rumors flying on social media, and a group of reporters that shows up at headquarters demanding answers.
Barlow said the idea was to get executives to understand what it would be like to have to operate in the adrenaline-charged atmosphere and to try to build the mental “muscle memory” they would need to respond to a real incident.
The custom Big Rig is also a marketing billboard for Big Blue. It’ll be used to interest university students and school children in cybersecurity careers as well as to provide a command post for IBM’s own cybersecurity experts at major events like sporting championships and political conventions, Erno Doorenspleet, IBM’s global executive security adviser, said.
Inside, the 23-ton trailer with expandable side panels – made for IBM by Iowa-based Featherlite Trailers and hauled by a Mercedes-Benz Actros heavy-duty tractor unit – is a fully-equipped 20-seat operations center, with banks of chairs, flat screen monitors and phones, all facing a massive high-definition video wall. It also has onboard a 100-terabyte VMware data center – involving all solid state memory to avoid the need for any spinning parts that might be damaged by the truck’s movement while underway. The whole system can be powered by a 47-kilowatt generator, with enough fuel onboard to run for two days.
Although the company declined to say how much it had spent on the mobile operations center, Barlow said it was part of a 155-million-pound ($200 million) investment IBM has made in cyber incident response since 2016.
That was the year IBM began conducting cyberincident response simulations for corporate customers at a facility in Cambridge, Massachusetts. Barlow said 2,500 IBM clients had been through this training. But, Barlow said, his team realized that more than a quarter of the companies attending the Cambridge “Cyber Range” were European and that IBM needed to find a way to make it easier for continental companies to access this training without having to fly to the U.S.
Nick Coleman, a former U.K. government security official who’s now IBM’s Cybersecurity Global Leader, said that the demand for cybersecurity incident response training was particularly acute in Europe, citing figures from a 2018 U.K. government report that while 40 percent of U.K. companies reported having experienced a data breach and 74 percent said such breaches were a “high priority,” only 13 percent said they had an incident response process in place.
==================================================================
Current cybersecurity and its frailties keep the FireEyes and IBMs flourishing. Why not invest in prevention or cyber defense (Wave Alternative and Wave Products) and save your organization from having to try to reinvigorate your business after a breach or cyberattack?! Investing in better prevention or cyber defense (Wave Alternative and Wave Products) seems so much wiser than the current cybersecurity methods which can lead to FireEye and IBM.
=================================================================
Wave Product links below:
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-endpoint-monitor
==================================================================
Recommended read: Wave Alternative:
https://www.wavesys.com/wave-alternative
En garde! 'Cyber-war has begun' – and France will hack first, its defence sec declares
https://www.theregister.co.uk/2019/01/22/france_cyber_war/?es_p=8424077
Parly-vous cyber-security? No plan to surrender, military bug bounty coming
FIC2019 France’s defence secretary Florence Parly today declared “Cyber war has begun.”
And she said the Euro nation's military will use its “cyber arms as all other traditional weapons… to respond and attack,” as well as setting up a military bug bounty program.
Parly made her pledges during a speech to the Forum International de Cybersecurite (FIC) in the northern French town of Lille. Her speech was on a topic that most Western countries shy away from addressing directly in public.
“The cyber weapon is not only for our enemies,” said France’s defence secretary this afternoon, speaking through a translator. “No. It’s also, in France, a tool to defend ourselves. To respond and attack.”
Her remarks will be seen as moving the debate about offensive cyber capabilities – not just so-called “active defence” but using infosec techniques as another weapon in the arsenal of state-on-state warfare – to a new level. Coming from a prominent NATO member and EU country, it could set the tone for future discussion of nation states' offensive cyber doctrines.
As well as having “published the main lines of that [offensive] doctrine” of the use of cyber weapons last week, Parly called for “more co-operation and partnerships and convergence with our European allies because if a threat is over the heads of all of us, that’s the cyber threat and it has no border.”
"Today I would like to make a proposition to our defence industrialists," she continued. "Let’s unite our strengths to protect, from the cyber threat, our supply chain."
Parly also revealed that France’s Ministry of Defence (MoD) has established no less than a military bug bounty program, saying: “When I talk about trust it goes very far. A partnership has been done between [France’s military] cyber command and the startups. That is called Yes We Hack. I announce it.
"At the end of February we are going to announce the first bug bounty of the MoD. Ethical hackers were recruited in the cyber operational research [department] and they’re going to track down the faults of our systems. If they find some they will be rewarded for it.”
Britain, which prides itself on its defensive hacking capabilities, as well as taking a much more muted line about its offensive cyber capabilities, tends to shy away from talking about its own hacking plans openly. That said, the UK's abilities in the area have been quietly acknowledged by officials.
France’s new approach to its industrial supply chain will raise some eyebrows on the far side of the English Channel as well. Parly said she “intends to engage” with SMEs to further develop France’s cyber defences, adding: “we need to create links between the MoD and our defence industrialists, between ministry and SMEs, and we need to work for a [EU] of cyber defence.”
In contrast, Britain’s Ministry of Defence spends a relatively small £80m a year on funding good ideas from SMEs, with the vague hope that the better ones will be adopted by the ministry for frontline use. While cyber forms a part of the Defence Innovation Initiative, France appears to have gone all in with a dedicated push to develop offensive cyber capabilities in full partnership with its private sector.
This is a sharp contrast to the UK, where large defence contractors (“primes” in the lingo) are the ones snapping up contracts for major military cyber work. Whether, in the post-Brexit world, the UK will change tack and adopt elements of the French approach remains to be seen. ®
=================================================================
France and so many organizations across the globe seem to continue to have pockets of ineffectiveness in their cyber defenses. Accounting for known devices (one with a TPM in an organization's network) and being able to kick unknown devices or the bad guys (one without a TPM and not part of the network) off an organization's network could save France and other countries from ever having to question pulling the trigger on an offensive attack.
If Ingram Micro or a like distributor that has sold Wave products enlightened France and other countries not in the Wave know about Wave and The Wave Alternative and expressed the capabilities that Wave can do on defense, Wave could do a turnaround.
==================================================================
Two links with examples and a summary of what known devices can do for organizations!
https://www.wavesys.com/wave-alternative
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
==================================================================
More links to excellent defensive Wave products below:
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
Cybercrime could cost companies trillions over the next five years
https://www.helpnetsecurity.com/2019/01/21/cybercrime-could-cost-companies-trillions/
Companies globally could incur $5.2 trillion in additional costs and lost revenue over the next five years due to cyberattacks, as dependency on complex internet-enabled business models outpaces the ability to introduce adequate safeguards that protect critical assets, according to Accenture.
Based on a survey of more than 1,700 CEOs and other C-suite executives around the globe, the report — Securing the Digital Economy: Reinventing the Internet for Trust — explores the complexities of the internet-related challenges facing business and outlines imperatives for the CEO’s evolving role in technology, business architecture and governance.
The report notes that cybercrime from a wide range of malicious activities poses significant challenges that can threaten business operations, innovation and growth, and the expansion into new products and services, ultimately costing companies trillions of dollars.
The high-tech industry faces the highest risk, with more than $753 billion hanging in the balance, followed by the life sciences and automotive industries, with $642 billion and $505 billion at risk, respectively.
“Internet security is lagging behind the sophistication of cybercriminals and is leading to an erosion of trust in the digital economy,” said Omar Abbosh, who leads Accenture’s Communications, Media & Technology operating group globally. “Strengthening internet security requires decisive — and, at times, unconventional — leadership by CEOs, not just CISOs. To become a cyber-resilient enterprise, companies need to start by bringing CISOs’ expertise to the board, ensuring security is built-in from the initial design stage and that all business managers are held responsible for security and data privacy.”
Among the key findings: Four in five respondents (79 percent) believe that the advancement of the digital economy will be severely hindered unless there is dramatic improvement to internet security, and more than half (59 percent) of respondents said the internet is getting increasingly unstable from a cybersecurity standpoint and they are unsure how to react.
At the same time, three-quarters (75 percent) of respondents believe that addressing cybersecurity challenges will require an organized group effort, as no single organization can solve the challenge on its own. With heightened concerns about internet security, more than half (56 percent) of executives would also welcome stricter business regulations imposed by a central organization or governing body.
“The internet wasn’t built with today’s level of complexity and connectivity in mind, which is why it takes just one click — whether inside or outside the company walls — to fall prey to a devastating cyberattack,” said Kelly Bissell, senior managing director of Accenture Security. “No organization can tackle the challenges posed by cyber threats on its own; it’s a global challenge that needs a global response, and collaboration is key. To shape a future that thrives on a strong and trustworthy digital economy, senior executives need to look beyond the bounds of their organization, team with an ecosystem of partners, and secure their entire value chains — across every partner, supplier and customer.”
The rapid emergence of new technologies is creating additional challenges, as four in five respondents (79 percent) admit that their organization is adopting new and emerging technologies faster than they can address related cybersecurity issues, with three-quarters (76 percent) noting that cybersecurity issues have escaped their control due to new technologies such as the internet of things (IoT) and the industrial internet of things (IIoT). A majority (80 percent) also said protecting their companies from weaknesses in third parties is increasingly difficult, which isn’t surprising given the complexity of today’s sprawling internet ecosystems.
Also, on the minds of many senior executives: consumer data protection. Fueled by security concerns, 76 percent of respondents believe that consumers can’t trust the safety of their online identities when too much of their personal data is already available without restrictions.
==================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-virtual-smart-card
Collection #1 Data Dump the “Tip of the Iceberg”
https://www.infosecurity-magazine.com/news/collection-1-data-dump-the-tip-of/?utm_source=dlvr.it&utm_medium=twitter
A recently discovered trove of breached data is just a small part of a major 871GB haul up for sale on the dark web which could contain billions of records, according to experts.
The 87GB Collection #1 dump was first publicized late last week when noted researcher Troy Hunt was alerted to the files hosted on a popular cloud site. After cleaning up the data he found it contained nearly 773 million unique email addresses and over 21 million “dehashed” passwords.
It has since emerged that this data is two to three years old, gathered from multiple sources, and that the same seller, dubbed ‘Sanixer’ on Telegram, has much more recently obtained data to sell.
Authentication security vendor, Authlogics, claims to have the data from Collection #2, 3, 4, and 5 in its possession and is loading it into its breached password database.
It estimates the new trove of data comes to roughly 784GB, nine times the size of Collection #1, and could contain over seven billion records in its raw state.
In fact, Sanixer may have even more breached and leaked data to sell: the cyber-criminal told researcher Brian Krebs that taken together, all the other packages they have up for sale are less than a year old and total over 4TB in size.
These include one dubbed “ANTIPUBLIC #1” and another titled “AP MYR&ZABUGOR #2.”
The bottom line is that users need to invest in password managers to store and support long-and-strong unique credentials for all the main sites/accounts they have online, and to opt for multi-factor authentication where it’s available.
One security vendor warned in its 2019 predictions report at the end of last year that credential stuffing tools would become increasingly popular among the black hat community as they look to monetize troves of breached data.
“Because of the volume of data breaches in the past years and the likelihood that cyber-criminals will find a lot of users recycling passwords across several websites, we believe that we will see a surge in fraudulent transactions using credentials obtained by cyber-criminals from data breaches,” Trend Micro claimed.
“Cyber-criminals will use breached credentials to acquire real-world advantages such as registering in mileage and rewards programs to steal the benefits. They will also use these accounts to register trolls on social media for cyber-propaganda, manipulate consumer portals by posting fake reviews, or add fake votes to community-based polls — the applications are endless.”
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
*Actual number may vary. Contact us today to receive more details and a free quote.
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
Cumbria health trust hit by 147 cyber attacks in five years
https://www.bbc.com/news/uk-england-cumbria-46931509
The NHS in Cumbria has been hit by more than 150 cyber attacks in five years, the BBC can reveal.
Of these, 147 were directed at University Hospitals of Morecambe Bay NHS Trust (UHMBT), which runs hospitals in Barrow, Kendal, Morecambe and Lancaster.
The trust said it had spent £29,600 in 2017 dealing with the effects of cyber attacks.
The "vast majority" were "untargeted and unsuccessful", it said.
Lee Coward, the trust's head of information technology, said its "very rigorous reporting" process meant it was possible it had reported "higher volumes of identified cyber 'attacks' than other organisations".
"We spend a lot of time and resources on ensuring our IT systems are safe," he continued.
University of Cumbria senior lecturer in policing and criminology Iain Stainton said the number of attacks on UHMBT was "extraordinary".
The National Cyber Security Centre average was 10 per week across the UK, he said.
'Extraordinary' attacks
A Freedom of Information (FOI) request by BBC News found the rest of the county's councils and NHS trusts were, by comparison, targeted 14 times in total between 2014 and 2018.
Emergency patients had to be transferred from Whitehaven to Carlisle in 2017 because hackers demanding ransom money had locked NHS staff out of computer systems.
Copeland Borough Council spent £2m recovering from an attack later the same year, it said.
Independent elected mayor Mike Starkie said the effect on the council had been "devastating".
"And it wasn't recognised either," he said.
"We had 60 anti-virus systems running and only three of those actually detected that there was anything in the system.
"None of them picked up actually what it was."
=================================================================
https://www.wavesys.com/malware-protection
Excerpt:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient 0 who discovers he is infected for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpt:
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
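An added illustration of the mechanism this excerpt relies on (example code, not Wave's and not taken from the Endpoint Monitor product page): a TPM measured boot hashes each boot component and extends it into a Platform Configuration Register, which can only be extended, never written, so a swapped boot record changes the recorded value even when OS-level antivirus is being fed clean answers. The monitor's part is then a diff of the current boot's PCR values against the baseline enrolled on a known-good boot. The component names, PCR assignments and the firmware-update scenario are constructed; checking the TPM's signature and nonce on a real quote is not modelled.

```python
"""Added example, not Wave's code: how TPM measured boot lets a monitor
detect a changed boot record. Each boot component is hashed and extended into
a Platform Configuration Register as PCR = SHA256(PCR || measurement); PCRs
can only be extended, never written, so code later in the boot cannot make
the chip report values it would prefer. Component names and PCR assignments
below are constructed sample data. Signature and nonce checking of a real
TPM quote is not modelled here."""
import hashlib
from typing import Dict, List, Tuple

PCR_INIT = bytes(32)  # SHA-256 PCR bank: all zeros at power-on


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = SHA256(old || measurement). Order-sensitive."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """Hash one boot component (firmware image, boot record, loader ...)."""
    return hashlib.sha256(component).digest()


def measured_boot(components: Dict[int, List[bytes]]) -> Dict[int, str]:
    """Replay a boot: every component assigned to a PCR is measured and
    extended into it in boot order. Returns hex PCR values, the shape of
    what a TPM quote reports."""
    pcrs: Dict[int, str] = {}
    for idx, items in components.items():
        value = PCR_INIT
        for item in items:
            value = extend(value, measure(item))
        pcrs[idx] = value.hex()
    return pcrs


def compare_to_baseline(baseline: Dict[int, str],
                        current: Dict[int, str]) -> List[Tuple[int, str]]:
    """The monitor's job: diff this boot against the enrolled baseline and
    return one (pcr, reason) per deviation. Empty list = same code booted."""
    findings: List[Tuple[int, str]] = []
    for idx in sorted(set(baseline) | set(current)):
        if idx not in current:
            findings.append((idx, "PCR absent from current quote"))
        elif idx not in baseline:
            findings.append((idx, "PCR not covered by baseline"))
        elif baseline[idx] != current[idx]:
            findings.append((idx, "value differs from enrolled boot"))
    return findings


def check_device(baseline: Dict[int, str], current: Dict[int, str]) -> dict:
    findings = compare_to_baseline(baseline, current)
    return {"status": "ok" if not findings else "alert", "findings": findings}


# Constructed boot chains. PCR usage follows the usual PC Client convention:
# 0 = firmware, 4 = boot record and loader, 7 = secure boot state.
GOOD_BOOT = {
    0: [b"firmware image v1.2 (constructed)"],
    4: [b"master boot record (constructed)", b"bootloader 2.0 (constructed)"],
    7: [b"secure boot policy: enforcing (constructed)"],
}
# Same firmware and loader, but the boot record was swapped for a bootkit.
# OS-level antivirus may be fed clean results; PCR 4 still changes.
TAMPERED_BOOT = {**GOOD_BOOT,
                 4: [b"master boot record (constructed, bootkit)",
                     b"bootloader 2.0 (constructed)"]}
# A legitimate firmware update also moves PCR 0: the operator resolves that
# alert by re-enrolling a new baseline, not by ignoring it.
UPDATED_FIRMWARE_BOOT = {**GOOD_BOOT, 0: [b"firmware image v1.3 (constructed)"]}

if __name__ == "__main__":
    baseline = measured_boot(GOOD_BOOT)  # captured once, on a known-good boot
    for name, boot in (("good", GOOD_BOOT), ("tampered", TAMPERED_BOOT),
                       ("firmware-update", UPDATED_FIRMWARE_BOOT)):
        print(name, check_device(baseline, measured_boot(boot)))
```

The firmware-update case is the operational wrinkle: a monitor of this kind alerts on any change, good or bad, so a change-control step that re-enrolls the baseline after planned updates is what keeps the alerts meaningful.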
South Korea reckons mystery hackers cracked open advanced weapons servers
https://www.theregister.co.uk/2019/01/17/south_korea_defense_ministryt_hacked/
No idea who could have been behind this one...
The South Korea Ministry of National Defense says 10 of its internal PCs have been compromised by unknown hackers.
Korea's Dong-A Ilbo reports that the targeted machines belonged to the ministry's Defense Acquisition Program Administration, the office in charge of military procurement.
The report notes that the breached machines would have held information on purchases for things such as "next-generation fighter jets," though the Administration noted that no confidential information was accessed by the yet-to-be identified infiltrators.
The mystery hackers got into the machines on October 4 of last year. Initially trying to break into 30 machines, the intruders only managed to compromise 10 of their targets.
After traversing the networks for more than three weeks the intrusion was spotted on October 26 by the National Intelligence Service, who noticed unusual activity on the procurement agency's intellectual property servers.
An investigation eventually unearthed the breach, and concluded that the mystery hackers did get into a number of machines but didn't steal anything that would be of use to a hostile government.
The incident was disclosed earlier this week in a report from a South Korean politician.
"It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration," Dong-A Ilbo quotes the politico as saying.
"Further investigation to find out if the source of attacks is North Korea or any other party."
The report notes that the attack on the Defense Acquisition Program Administration appears to be part of a larger effort by an unknown group to infiltrate networks throughout the South Korean government in order to steal data.
The government says it is working on "extra countermeasures" to prevent future attacks by mystery foreign groups. ®
================================================================
In this situation Self Encrypting Drives (managed by Wave) and Wave ERAS could have prevented a potential disaster. Is letting unknown devices (bad guys) roam the network for more than three weeks, or at all, a good idea? Wave has a better plan, which is illustrated in the highlighted summary below. Frustrated hackers will move on to easier targets. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Decrease expenses with virtual smart cards
You know what else happens when you take passwords out of the equation? A lot fewer calls to IT. Imagine if you took password resets out of the picture – that frees up a chunk of IT time, lowering your operating expenses significantly.
If your organization currently uses traditional tokens or smart cards, switching to virtual smart cards takes an even bigger burden off of IT – we use the hardware-protected credentials in the TPM to create a virtual smart card, which performs the same functionality as traditional smart cards. That means no need to purchase, deploy, replace or maintain external tokens, smart cards or smart card readers. Because virtual smart cards are already on your machines and can’t be forgotten, lost or stolen, you have lower capital expenses and lower operating expenses.
Wave's is the only management solution to support virtual smart cards on Windows 7, as well as Windows 8 and 8.1.
Key Features are at the link-
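The virtual smart card page above describes the two factors (PIN as "something you know", TPM as "something you have") and the ERAS page says IT can ensure only known and approved devices reach the network. As an added illustration of both (example code, not Wave's and not the product's protocol), the Python below models the exchange: the server enrolls a device's TPM-bound key, issues a fresh challenge, and grants access only when the password is right, the device is enrolled, and the device's PIN-gated response matches. A real TPM signs the challenge with a non-exportable asymmetric key; the standard library has no asymmetric signing, so the stand-in chip uses an HMAC key, and the user, PINs, device ids and lockout threshold are constructed.

```python
"""Added example, not Wave's code: PIN + TPM-bound key as two factors, and
why a stolen password alone gets an unknown device nowhere. A real TPM signs
a server challenge with a non-exportable asymmetric key once the PIN
authorizes its use; the standard library has no asymmetric signing, so the
device key here is an HMAC key kept inside a Tpm stand-in class. Users, PINs,
device ids and the lockout threshold are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

MAX_PIN_FAILURES = 5  # real TPMs enforce a dictionary-attack lockout; threshold constructed


class Tpm:
    def __init__(self, pin: str) -> None:
        self._key = secrets.token_bytes(32)  # made inside the chip, never exported
        self._pin = pin
        self.failures = 0
        self.locked = False

    def enrollment_material(self) -> bytes:
        return self._key  # HMAC stand-in; a real TPM would hand over only a public key

    def respond(self, pin: str, challenge: bytes) -> bytes:
        """Answer the challenge only if the PIN is right and the chip is not locked."""
        if self.locked:
            raise PermissionError("TPM in dictionary-attack lockout")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failures += 1
            self.locked = self.failures >= MAX_PIN_FAILURES
            raise PermissionError("wrong PIN")
        self.failures = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, pbkdf2 hash)
        self.devices: Dict[str, bytes] = {}  # enrolled ('known') devices
        self.pending: Dict[str, bytes] = {}  # one outstanding challenge per device

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))

    def enroll_device(self, device_id: str, material: bytes) -> None:
        self.devices[device_id] = material

    def challenge(self, device_id: str) -> bytes:
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def verify(self, user: str, password: str, device_id: str, response: bytes) -> str:
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(self._hash(password, record[0]), record[1]):
            return "denied: bad password"
        material = self.devices.get(device_id)
        if material is None:
            return "denied: unknown device"  # the post's case: stolen password, unenrolled machine
        nonce = self.pending.pop(device_id, None)  # single use, so a captured answer cannot be replayed
        if nonce is None:
            return "denied: no outstanding challenge"
        if not hmac.compare_digest(hmac.new(material, nonce, hashlib.sha256).digest(), response):
            return "denied: device response invalid"
        return "granted"


def run_scenarios() -> Dict[str, object]:
    """Run the cases the posts describe and return each outcome."""
    server = AuthServer()
    server.add_user("alice", "correct horse battery")  # constructed credentials
    laptop = Tpm(pin="2468")
    server.enroll_device("laptop-01", laptop.enrollment_material())
    out: Dict[str, object] = {}
    # 1. Known device, right PIN, right password.
    good = laptop.respond("2468", server.challenge("laptop-01"))
    out["known_device"] = server.verify("alice", "correct horse battery", "laptop-01", good)
    # 2. Attacker holds alice's password but connects from a never-enrolled machine.
    rogue = Tpm(pin="0000")
    out["stolen_password_unknown_device"] = server.verify(
        "alice", "correct horse battery", "rogue-box", rogue.respond("0000", server.challenge("rogue-box")))
    # 3. The answer captured in step 1 is replayed against a fresh challenge.
    server.challenge("laptop-01")
    out["replayed_response"] = server.verify("alice", "correct horse battery", "laptop-01", good)
    # 4. PIN guessing on the known device trips the chip's lockout.
    nonce = server.challenge("laptop-01")
    failures = 0
    for _ in range(MAX_PIN_FAILURES):
        try:
            laptop.respond("1111", nonce)
        except PermissionError:
            failures += 1
    out["pin_failures"], out["tpm_locked"] = failures, laptop.locked
    return out
```

Scenario 2 is the head of the thread in code: the password check passes, and the request still fails because the machine presenting it was never enrolled. Scenario 4 is why a four-digit PIN is acceptable as the knowledge factor: the chip, not the server, counts the failures and locks itself.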
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Hackers Use PayPal to Phish with Ransomware
https://www.infosecurity-magazine.com/news/hackers-use-paypal-to-phish-with/?utm_source=dlvr.it&utm_medium=twitter
A new strain of yet another ransomware campaign has been discovered in which the malicious actors have expanded payment options beyond Bitcoin; they are instead offering alternatives (such as PayPal) that include a phishing link, according to MalwareHunterTeam.
Attackers are stealing a page from Daedalus and are killing two birds with one stone by including a link to make a payment. To obtain the decryption key, victims can follow the link to the PayPal phishing page, where their login credentials are stolen. The combination of two threat vectors makes this attack particularly dangerous for unsuspecting victims.
The new attack method combines “a ransom note that direct victims to a PayPal phishing page...Clicking on the Buy Now button, it directs to the credit card part of the phish already (so the login part is skipped). After filling & clicking Agree comes the personal info part & then finished,” the team tweeted. Once that payment is processed, the victim receives a confirmation.
For victims who pay with Bitcoin, the threat actors also requested that victims send an email with a reference number, which is provided in the ransom.
“Malicious actors are continually becoming more sophisticated. With this particular campaign involving phishing as an immediate follow-up threat vector to the ransomware, this attack has the potential to cause significant harm,” said DomainTools’ senior security adviser, Corin Imai.
“Not only will victims be dealing with the impact of ransomware, but many will also be directed to a carefully crafted phishing site that will attempt to steal their credentials. As seen in past attacks, ransomware campaigns have targeted individuals with the threat of releasing compromising content or rendering their computers useless, leaving victims feeling that they have no choice but to pay up. The best advice in this scenario is to be hyper-vigilant, double-check URLs, and when in doubt, don’t click.”
more at link above-
==================================================================
Nearly all SSDs (Solid State Drives) come as SEDs (Self Encrypting Drives). If these are initialized properly the DTA (Drive Trust Alliance) claims that ransomware shouldn't be a problem. Having an SED increases the Trust Score from Wave Knowd, and having a TPM increases the score as well and would prevent the user from having a user ID and password phished as in the article above. These two security enhancers falling under the Wave Knowd (currently in retirement) endpoint identity service could have substantial benefits to PayPal and its customers. Wave has more experience in managing the TPM and SED than most security companies, and those protections could fall under premier security from Wave. The TPM is becoming ubiquitous and the SED is on its way. It's the kind of security that one should expect from a company like PayPal and its stature. imo. PayPal is referenced since it was in testing with Wave Knowd under NSTIC and this article came up. This great technology shouldn't be in retirement imo. and could work with many other companies! PayPal's 2FA doesn't cover what Knowd does with the added security it has available for users for higher Trust Scores.
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Lee, MA - May 9, 2013 -
Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.
“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”
To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.
“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”
Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.
“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”
ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.
Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?
Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual user’s unique device identity with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.
Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.
Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience.
Oklahoma gov data leak exposes FBI investigation records, millions of department files
https://www.zdnet.com/article/oklahoma-gov-data-leak-exposes-millions-of-department-files-fbi-investigations/
Updated: An Oklahoma Department of Securities server allowed anyone to download government files.
Researchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations.
According to UpGuard cybersecurity researchers Greg Pollock and Chris Vickery, the open storage server belonged to the Oklahoma Department of Securities (ODS), a US government department which deals with securities cases and complaints.
The database was found through the Shodan search engine, which registered the system as publicly accessible on 30 November 2018. The UpGuard team stumbled across the database on 7 December and notified the department a day later after verifying what they were working with.
To ODS' credit, the department removed public access to the server on the same day.
"The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services (OMES), allowing any user from any IP address to download all the files stored on the server," the researchers say.
Update 18.47 GMT: An Office of Management and Enterprise Services spokesperson told ZDNet:
"All state IP addresses, and many city and county addresses, are registered to OMES, but the agency has no visibility into the computer systems at the Oklahoma Department of Securities. For the past eight years the state has been working to consolidate all IT infrastructure under OMES and ODS had the option to consolidate its systems voluntarily and they did not."
In order to examine the security breach, the team was able to download the server's contents. The oldest records dated back to 1986 and the most recent was timestamped in 2016. In total, the server held three terabytes of data, representing millions of files. Contents ranged from personal data to system credentials and internal communication records.
"The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities' network integrity," the researchers say.
The data was stored in various formats. Email inbox storage backups represented a significant proportion of the leaked data, as well as virtual machine backups of ODS machines.
The stored information also included spreadsheets of IT credentials for accounts with Thawte, Symantec Protection Suite, Tivoli, and others; a BlueExpress database of account details for third parties submitting security filings; credentials required for remote access to ODS workstations; training documents; email histories, and files relating to ODS investigations.
Speaking to Forbes, Vickery added that there was a treasure trove of data relating to FBI cases. These files contained archives of enforcement actions dating back seven years including bank transaction histories, emails back-and-forth between those involved in cases, and copies of letters from subjects involved in investigations conducted by the FBI.
In a statement, the ODS confirmed there had been an "inadvertent exposure of information during installation of a firewall," and after the exposure was discovered it was "immediately secured."
"A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them," the department added. "The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed."
This incident might encourage ODS to take cybersecurity more seriously in the future. According to UpGuard metrics, the organization's web domain has the worst risk of breach score of all websites on the ok.gov domain.
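The exposure above came down to an rsync daemon module with no client authentication and no host restriction, reachable from anywhere. As an added example (not code from UpGuard, ZDNet or ODS), the script below parses an rsyncd.conf and flags any module that anyone on the network can pull in full, next to the same module locked down with `auth users`, a `secrets file` and `hosts allow`. The configuration is constructed for illustration: the module names, paths and the 10.20.0.0/16 range are invented.

```python
"""Audit an rsyncd.conf for modules that are reachable without credentials.

Added example for this page, not code from UpGuard, ZDNet or ODS. The
configuration below is constructed for illustration: the module names,
paths and the 10.20.0.0/16 range are invented.
"""
import configparser
import io

# Constructed rsyncd.conf. [backups] is the pattern behind the ODS exposure:
# no 'auth users', no 'hosts allow', so "any user from any IP address" can
# pull every file. [filings] shows the same kind of module locked down.
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes

[backups]
path = /srv/backups
comment = nightly backups

[filings]
path = /srv/filings
auth users = filings_ro
secrets file = /etc/rsyncd.secrets
hosts allow = 10.20.0.0/16
read only = yes
"""

FALSE_VALUES = {"no", "false", "0"}


def parse_rsyncd_conf(text):
    """Return {module: {parameter: value}} with global parameters inherited.

    rsyncd.conf is INI-like: parameters before the first [module] header
    are global defaults, and every module inherits them.
    """
    cp = configparser.ConfigParser(interpolation=None,
                                   default_section="__global__")
    # Put the leading global parameters under an explicit header so the
    # parser treats them as the defaults section.
    cp.read_file(io.StringIO("[__global__]\n" + text))
    return {name: {key.lower(): value.strip() for key, value in cp.items(name)}
            for name in cp.sections()}


def audit(modules):
    """Return {module: [finding, ...]}; a module with no entry is clean.

    Defaults mirror rsyncd's own: 'read only' is yes unless the module
    says otherwise.
    """
    findings = {}
    for name, params in modules.items():
        issues = []
        anonymous = not params.get("auth users")
        unrestricted = not params.get("hosts allow")
        if anonymous:
            issues.append("no 'auth users': clients need no credentials")
        if unrestricted:
            issues.append("no 'hosts allow': any source IP may connect")
        if params.get("read only", "yes").lower() in FALSE_VALUES:
            issues.append("'read only = no': clients can upload, not only download")
        if anonymous and unrestricted:
            # This is the ODS condition: listing and downloading the whole
            # module works for anyone who can reach TCP/873.
            issues.insert(0, "OPEN: the whole module is downloadable by anyone")
        if issues:
            findings[name] = issues
    return findings


def exposed_modules(text):
    """Names of modules that anyone who can reach the daemon can read."""
    return sorted(name for name, issues in audit(parse_rsyncd_conf(text)).items()
                  if issues[0].startswith("OPEN"))


if __name__ == "__main__":
    for module, issues in audit(parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)).items():
        print(f"[{module}]")
        for issue in issues:
            print("  -", issue)
```

The same condition can be confirmed from outside with nothing more than the rsync client: `rsync rsync://HOST/` lists the modules a daemon offers, and `rsync --list-only rsync://HOST/MODULE/` succeeding without a prompt is exactly what UpGuard found. A firewall rule is the wrong layer to rely on for this, as the ODS statement about the "installation of a firewall" shows; the module itself should require credentials.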
=================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Cyber-Jackpot: 773M Credentials Dumped on the Dark Web
https://threatpost.com/773m-credentials-dark-web/140972/
Thousands of individual breaches make up the database, one of the largest troves of stolen credentials ever seen.
A database of breached emails totaling 773 million unique addresses has turned up on a popular underground hacking forum, giving cybercriminals one of the largest jackpots ever seen when it comes to account-compromise efforts.
Troy Hunt was first alerted to the cache, which totals 87GB of data, after it was seen being hosted on the MEGA cloud service (it has since been removed). The data was organized into 12,000 separate files under a root folder called “Collection #1,” which gives the trove its name. Soon after that, the whole shebang turned up on the cyber-underground.
In examining the data, Hunt found that there are 1.16 billion unique combinations of email addresses and passwords listed. And after deduping and cleaning up the database, Hunt was left with about 773 million unique email addresses – the single largest collection of breached emails ever to be loaded into his compromised-credentials look-up service, Have I Been Pwned (HIBP).
There are also 21 million unique passwords in the database: “As with the email addresses, this was after implementing a bunch of rules to do as much clean-up as I could including stripping out passwords that were still in hashed form, ignoring strings that contained control characters and those that were obviously fragments of SQL statements,” Hunt said in a posting on Thursday.
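The way a site checks its users' passwords against a corpus like this without ever sending the password anywhere is the k-anonymity range lookup HIBP's Pwned Passwords service uses. As an added example (not HIBP's or Troy Hunt's code), the block below implements the client side: only the first five hex characters of the password's SHA-1 leave the machine, the service answers with every hash suffix that shares that prefix plus a breach count, and the match finishes locally. The range responses are constructed for the example: the suffix for `password` is its real SHA-1 suffix, while the other suffixes and all counts are invented.

```python
"""Check a candidate password against a Pwned Passwords style range using k-anonymity.

Added example for this page; it is not HIBP's code or Troy Hunt's. Only the
first 5 hex characters of the SHA-1 hash leave the client; the service
returns every suffix sharing that prefix with a breach count, and the match
is completed locally. The range responses below are constructed: the suffix
for 'password' is its real SHA-1 suffix, the other suffixes and all counts
are invented.
"""
from __future__ import annotations

import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed offline stand-in for the API: {prefix: response body}. A real
# response for a prefix has several hundred lines; three are enough here.
_PW_PREFIX, _PW_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGES = {
    _PW_PREFIX: "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",   # invented suffix and count
        f"{_PW_SUFFIX}:3730471",                     # 'password' (count invented)
        "1E2BAA26050B6D4A1C5B8AD8BB9AD7D2C1E:17",  # invented suffix and count
    ]),
}


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a 5-char prefix. Not used by the offline checks below."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, ranges: dict[str, str] | None = None) -> int:
    """How many times the password appeared in the breach corpus (0 if never).

    `ranges` is an offline prefix->body map; when it is None the real API is queried.
    The full hash is never sent: only the prefix goes out, the suffix is matched here.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix) if ranges is None else ranges.get(prefix, "")
    return parse_range_response(body).get(suffix, 0)


def acceptable(password: str, ranges: dict[str, str] | None = None) -> bool:
    """Policy hook for signup or password change: refuse anything seen in a breach."""
    return pwned_count(password, ranges) == 0
```

Run against the real service, `pwned_count("password")` with no `ranges` argument does the same lookup over HTTPS; the point of the prefix split is that the service learns only that the client's password is one of the several hundred hashes in that bucket.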
Thousands of Breaches
As for the sources of the data, there are literally thousands of compromises at the root of the database.
“The post on the forum referenced ‘a collection of 2000+ dehashed databases and combos stored by topic’ and provided a directory listing of 2,890 of the files,” Hunt said.
This list includes a few previous breaches that Hunt recognized, but also others that are new. In all, out of about 2.2 million people that use HIBP’s notification service, 768,000 of them are implicated in this data dump. And there are also around 140 million email addresses that HIBP has never seen before.
“This gives you a sense of the origins of the data but again, I need to stress ‘allegedly,'” Hunt said. “I’ve written before about what’s involved in verifying data breaches and it’s often a non-trivial exercise…it’s entirely possible that some of them refer to services that haven’t actually been involved in a data breach at all.”
With so many different sources feeding into it, Collection #1 did not just appear fully formed one day.
“This massive collection of data harvested through data breaches has been built up over a long period of time, so some of the account details are likely to be outdated now,” Sergey Lozhkin, security expert at Kaspersky Lab, told Threatpost. “However, it is no secret that despite growing awareness of the danger, people stick to the same passwords and even re-use them on multiple websites.”
Data-Spill Timeline
What’s clear is that the data was in broad circulation for some time before Hunt was aware of it, based on the number of people that contacted him privately and the fact that it was published to a well-known public forum.
“In terms of the risk this presents, more people with the data obviously increases the likelihood that it’ll be used for malicious purposes,” he said. After all, the longer criminals are able to use the data without consumers knowing about it, the more likely they are to succeed.
Those malicious purposes are likely to consist of credential-stuffing, which is a technique used by hackers to gain fraudulent access to an account. It uses automated scripts to try multiple username/password combos against a targeted website. Successful account compromises from credential-stuffing are typically tied to the fact many users reuse the same credentials on multiple accounts.
“This collection can be easily be turned into a single list of emails and passwords: and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working,” said Lozhkin.
From there, attackers can wreak all kind of havoc. “The consequences of account access can range from very productive phishing, as criminals can automatically send malicious e-mails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money or to compromise their social media network data,” said Lozhkin.
It’s not unusual for these kinds of data dumps to go unnoticed for a length of time; overall, it takes an average of 15 months for a credential breach to be reported, according to Shape Security.
“Half of all credential spills were discovered and reported within the first four months of the compromise. However, because some spills take years to discover, it took an average of 15 months between the day that an attacker accessed the credentials and the day the spill was reported in 2017,” according to a report from Shape Security on credential breaches.
The Threat to Businesses
Credential-stuffing attacks are often aimed at one service or company, as was the case with Dunkin Donuts back in November.
“Massive data breaches like Collection #1 create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords,” said Distil co-founder Rami Essaid, via email. “While this is often framed as a problem for the individuals who own the passwords, any online business that has a user login web page is at risk of becoming the next breach headline.”
Aside from the consumer impact, these kinds of attacks also affect businesses, he added. In May 2018, the Distil Research Lab conducted a study of 600 website domains that include login pages, which found that after the credentials from a data breach have been made publicly available, websites experience a 300 percent increase in volumetric attacks. In the days following a public breach, websites experience three times more credential stuffing attacks than the average of two to three attacks per month.
“Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” Essaid explained. “The massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. All because a username and password was stolen from a different website.”
The potential losses tied to credential spills are $50 million a day globally, Shape Security said.
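The "massive spike in failed logins" Essaid describes has a signature that separates it from an ordinary forgotten password: one source cycling through many different accounts in a short window, with the occasional success that marks a takeover. As an added example (not from Shape Security, Distil or Threatpost), the detector below runs that logic over a constructed login log. The addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges and the usernames are invented.

```python
"""Flag credential stuffing in a login log: many failures across many distinct
accounts from one source in a short window, as opposed to one account being
guessed repeatedly.

Added example for this page, not from Shape Security, Distil or Threatpost.
The log lines, usernames and addresses (203.0.113.0/24 and 198.51.100.0/24
are documentation ranges) are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed log: bob mistypes his own password (no alert), alice logs in
# normally, and 203.0.113.5 runs a stolen list across seven accounts and
# gets into frank's.
SAMPLE_LOG = """\
2019-01-17T09:00:01Z ip=198.51.100.7 user=bob result=FAIL
2019-01-17T09:00:05Z ip=198.51.100.7 user=bob result=FAIL
2019-01-17T09:00:09Z ip=198.51.100.7 user=bob result=FAIL
2019-01-17T09:00:14Z ip=198.51.100.7 user=bob result=FAIL
2019-01-17T09:00:20Z ip=198.51.100.7 user=bob result=FAIL
2019-01-17T09:00:31Z ip=198.51.100.7 user=bob result=OK
2019-01-17T09:01:00Z ip=198.51.100.23 user=alice result=OK
2019-01-17T09:02:00Z ip=203.0.113.5 user=alice result=FAIL
2019-01-17T09:02:01Z ip=203.0.113.5 user=carol result=FAIL
2019-01-17T09:02:02Z ip=203.0.113.5 user=dave result=FAIL
2019-01-17T09:02:03Z ip=203.0.113.5 user=erin result=FAIL
2019-01-17T09:02:04Z ip=203.0.113.5 user=frank result=OK
2019-01-17T09:02:05Z ip=203.0.113.5 user=grace result=FAIL
2019-01-17T09:02:06Z ip=203.0.113.5 user=heidi result=FAIL
2019-01-17T09:45:00Z ip=203.0.113.5 user=ivan result=FAIL
"""


def parse_log(text):
    """Return [(timestamp, ip, user, result)] sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def detect_stuffing(events, window_seconds=60, min_failures=5, min_distinct_users=4):
    """Return {ip: alert} for sources that fail >= min_failures times across
    >= min_distinct_users accounts inside a sliding window.

    The distinct-user condition is what distinguishes stuffing (one password
    list, many accounts) from password guessing against a single account.
    """
    windows = defaultdict(deque)  # ip -> failures (ts, user) inside the window
    alerts = {}
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        dq = windows[ip]
        dq.append((ts, user))
        while (ts - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()
        users = {u for _, u in dq}
        if len(dq) >= min_failures and len(users) >= min_distinct_users:
            alert = alerts.setdefault(ip, {"first": dq[0][0], "last": ts,
                                           "failures": 0, "distinct_users": set()})
            alert["last"] = ts
            alert["failures"] = max(alert["failures"], len(dq))
            alert["distinct_users"].update(users)
    # A success from a flagged source in or around its burst is the takeover
    # Essaid describes: the attacker is in before the real user notices.
    for ts, ip, user, result in events:
        if result == "OK" and ip in alerts:
            alert = alerts[ip]
            if ((alert["first"] - ts).total_seconds() <= window_seconds
                    and (ts - alert["last"]).total_seconds() <= window_seconds):
                alert.setdefault("takeovers", []).append(user)
    for alert in alerts.values():
        alert["distinct_users"] = len(alert["distinct_users"])
        alert.setdefault("takeovers", [])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

Thresholds are deliberately parameters: a site with a few failed logins a month can alert at five, while a large consumer service would tune the window and counts against its own baseline and add the per-IP rate limiting and bot-management controls the article's sources sell.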
=================================================================
Given the size of this credential dump, the potential for future breaches for organizations without a product like Wave VSC 2.0 is enormous! It would be cool if Wave VSC 2.0 at 'less than half the cost' could benefit many organizations/users that so badly need 'better security.'
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Cyber-threats are everywhere, but with Wave Virtual Smart Card 2.0 (Wave VSC 2.0) enterprises have a hardware-based, tokenless, two-factor authentication security solution with the security of a hardware token solution and the convenience and cost savings of a software token solution.
Wave VSC 2.0 delivers strong two-factor authentication using the Trusted Platform Module (TPM), the embedded security chip built into enterprise PCs. Wave empowers IT with management of the TPM and VSC 2.0. Companies successfully use Wave VSC 2.0 to secure VPN access, web applications and other certificate-based applications, like Wi-Fi with 802.1x, remote desktop, or Windows-user login. Use the security that’s already been deployed and save money with Wave VSC 2.0.
Every month we see headlines highlighting mammoth breaches (e.g., eBay, JPMorgan Chase, Sony, Target). In each case, millions of records were stolen, corporate images were tarnished, and enormous costs were incurred as a result. And equally disturbing, more often than not the attacks go undetected and as a result important information is stolen.
See above link for the Wave VSC White Paper.
The American Military Sucks at Cybersecurity
https://motherboard.vice.com/en_us/article/7xy5ky/the-american-military-sucks-at-cybersecurity
A new report from US military watchdogs outlines hundreds of cybersecurity vulnerabilities.
The Department of Defense is terrible at cybersecurity. That’s the assessment of the Pentagon's Inspector General (IG), who did a deep dive into the American military’s ability to keep its cyber shit on lockdown. The results aren’t great. “As of September 30, 2018, there were 266 open cybersecurity-related recommendations, dating as far back as 2008,” the Inspector General said in a new report.
The new report is a summary of the IG’s investigations into Pentagon cybersecurity over the previous year. It looked at 20 unclassified and four classified reports that detailed problems with cybersecurity and followed up to see if they’d been addressed. Previously, the IG had recommended the Pentagon take 159 different steps to improve security. It only took 19 of them.
Cybersecurity issues affected all branches of the military and ranged from the serious to the mundane. At a server site connected to America’s ballistic missile defense systems, inspectors “found an unlocked server rack despite a posted sign on the rack stating that the server door must remain locked at all times.”
According to the IT security officer on staff at the time, “network operations staff were troubleshooting issues with the server in the rack we found unlocked and failed to notify the [redacted] assistant security manager once they completed maintenance on the server so he could lock it.”
At the same site, officials also weren’t encrypting data transferred from computers via USB sticks and removable hard drives. “According to the security manager…[redacted] encrypted less than one percent of Controlled Unclassified Information stored on removable media.”
These bad security practices are taking place at the buildings running America’s missile defense systems. These are the people watching the skies and responsible for protecting US cities in the event of a nuclear attack from a foreign country, and they can’t be bothered to encrypt data or lock up their server racks.
If the military personnel are bad, then contractors are worse. Investigators dug into the cybersecurity practices of seven contractors working for the US Missile Defense Agency and found multiple vulnerabilities. “Of the seven contractors we analyzed, we found that [five] did not always or consistently use multifactor authentication to access unclassified networks that contained [ballistic missile defense systems] technical information,” the inspectors wrote.
The contractors also failed to run their own risk assessments, encrypt USB drives and hard drives, and use strong passwords. “System administrators for [five contractors] did not configure networks and systems containing [ballistic missile defense systems] technical information to lock user sessions after 15 minutes of inactivity,” investigators found. Meaning anyone logging into a computer full of classified missile defense data could leave it unattended for anyone else to access. The computer would never log itself out.
Bad passwords
America’s weapons systems also remain easy to hack with basic tools. An October report from the Government Accountability Office pointed out flaws in the Pentagon’s weapons systems that made them particularly vulnerable to cyberattacks. An IG follow-up found that Air Force officials in particular still don’t “ensure that cybersecurity was integrated into weapon systems during design. Instead, weapon systems’ cybersecurity was addressed through a set of activities and products that were not fully integrated, creating overlaps and gaps in the program cybersecurity.” The Air Force still hasn’t bothered to change the default passwords on multiple weapon systems built from store-bought technology, and the Air Force isn’t following its own cybersecurity protocols when designing and launching new weapons systems.
The Pentagon’s cybersecurity problems are bad enough to affect missile defense and fancy new weapons, but they’re also hurting regular soldiers. The IG pointed out that Army medical treatment facilities are cybersecurity nightmares where lax security procedures make patient medical records easily accessible.
According to Army regulations, passwords must be 15 characters long, contain an upper and lowercase letter, a number, and a symbol. At multiple medical facilities, investigators found that administrators bent the rules to allow for simpler passwords. “In each instance, the system administrators state that they did not properly configure passwords because they considered existing network authentication controls sufficient to control access to individual systems,” inspectors said.
Like the weapon systems and ballistic missile defense contractors, Army health records were very easy to hack, poorly password protected, and computer terminals weren’t programmed to auto logout users.
The problems between the various branches are remarkably similar, something that investigators noted in the new report. According to the Pentagon’s watchdog, cybersecurity failures are a leadership problem. No one at the top is holding everyone else accountable.
“The largest number of weaknesses identified in this year’s summary were related to governance,” the investigators explained. “Without proper governance, the [Pentagon] cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems.”
=================================================================
If only the PR below got more attention. Even though it has been a few years, Wave VSC 2.0 could put the military, contractors and the government on a better security path. imo.
==================================================================
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
Lee, MA -
October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
For more information about Wave Virtual Smart Card 2.0, visit: https://www.wave.com/products/wave-virtual-smart-card
==================================================================
https://www.wavesys.com/
Massachusetts Amends Law Protecting Consumers From Security Breaches
https://www.bleepingcomputer.com/news/security/massachusetts-amends-law-protecting-consumers-from-security-breaches/
=================================================================
Other states could follow Massachusetts lead and this could incentivize companies to be buyers of Wave VSC 2.0!
Wave VSC 2.0 in this area seems like it could have robust sales with other areas to follow.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
more is at the link - White Paper
TA505 Crime Gang Debuts Brand-New ServHelper Backdoor
https://threatpost.com/ta505-servhelper-malware/140792/
The latest malware from TA505 has been seen targeting banks, retailers and restaurants with two different versions.
A new backdoor named ServHelper has been spotted in the wild, acting as both a remote desktop agent as well as a downloader for a RAT called FlawedGrace.
According to Proofpoint, the prolific cybercriminal gang known as TA505 developed ServHelper, which has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. It’s named after the file names that are associated with the infection; and, a sample from one campaign used command and control (C2) URIs containing “/rest/serv.php.”
The primary motive is, as usual, financial: “TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families,” said Proofpoint researchers, in a posting this week.
Researchers said that the remote desktop version, a.k.a. the “tunnel” variant, was seen in November spreading via a few thousand spam messages that contained Microsoft Word or Publisher attachments with macros that, when enabled, download and execute the malware. This version focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP).
“Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to hijack legitimate user accounts or their web browser profiles and use them as they see fit,” according to Proofpoint.
A similar campaign consisting of tens of thousands of email messages surfaced later in November, according to Proofpoint. In addition to financial institutions, this campaign also targeted the retail industry. The messages also contained Microsoft Word or Publisher attachments with macros, along with Microsoft Wizard attachments. This campaign used the downloader variant of ServHelper, the researchers said. The version is stripped of the tunneling and hijacking functionality and is used as a basic downloader.
In December, TA505 mixed it up with another downloader-variant campaign. It targeted retail and financial services customers again, but this time used a mixture of Microsoft Word attachments with embedded malicious macros; PDF attachments with URLs linking to a fake “Adobe PDF Plugin” webpage (which linked to the malware); and direct URLs in the email body linking to a ServHelper executable. It also added a new malware payload.
“In this campaign, we observed ServHelper download and execute an additional malware that we call FlawedGrace,” according to Proofpoint. “FlawedGrace is a robust remote access trojan (RAT) that we initially encountered in November 2017, but have rarely observed since.”
Per the malware’s debug strings, the last significant development of FlawedGrace took place at the end of 2017. The ServHelper campaigns were distributing version 2.0.10 of the malware, which is related to the more widely known FlawedAmmyy RAT.
In general, it appears that TA505 is enjoying its new toy: ServHelper is being actively developed.
“New commands and functionality are being added to the malware in almost every new campaign,” Proofpoint researchers noted.
TA505, a well-resourced organized cybercrime ring, is known for ongoing malware authoring and development, with everything from fully-fledged backdoors to what seems like beta-stage code making appearances in its campaigns. In this case, ServHelper is unlikely to be a flash in the pan.
“Threat actor TA505 is both consistent and prolific,” Proofpoint researchers said. “When the group distributes new malware, it may be a blip (like Bart ransomware, which was only distributed for one day in 2016) or like Locky ransomware it may become the dominant strain of malware in the wild. We will continue to observe the distribution of these three malware variants but, at this time, they do not appear to be one-offs, but rather long-term investments by TA505.”
They added that this also extends the trend that emerged in 2018, in which threat actors increasingly focused on distribution of downloaders, information stealers, RATs and “other malware that can remain resident on victim devices for far longer than destructive, smash-and-grab malware like ransomware.”
To the latter point, it’s worth noting that TA505 was responsible for hundreds of Dridex campaigns beginning in 2014, in addition to the massive Locky campaigns that came later. In all cases, hundreds of millions of malicious messages were distributed worldwide.
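Two of the behaviours Proofpoint describes are cheap to hunt for in endpoint and proxy telemetry: an Office application spawning a shell after a macro runs, and an SSH client started with a remote forward (`-R`) that hands the host's RDP port to an outside server. As an added example (not Proofpoint's code and not ServHelper's), the block below runs those checks over constructed Sysmon-style process events and proxy lines. Hosts, users, file names and the 203.0.113.0/24 addresses are invented; the only indicator taken from the article is the `/rest/serv.php` C2 path.

```python
"""Hunt for the two behaviours Proofpoint describes for ServHelper's 'tunnel'
variant: an Office document spawning a shell, and a reverse SSH tunnel
that exposes the host's RDP port to the operator's server.

Added example for this page, not Proofpoint's code and not ServHelper's.
The process and proxy events are constructed; hosts, users, file names and
the 203.0.113.0/24 addresses are invented. Only the '/rest/serv.php' C2
path comes from the article.
"""
import re

OFFICE_PARENTS = {"winword.exe", "mspub.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
SSH_CLIENTS = {"ssh.exe", "plink.exe", "ssh"}
# '-R [bind:]port:host:hostport' (OpenSSH and plink share this syntax)
REMOTE_FORWARD_RE = re.compile(r"(?:^|\s)-R\s*(?P<spec>[^\s]+)")
C2_URI_RE = re.compile(r"/rest/serv\.php(?:\?|$)")

# Constructed process-creation events (Sysmon event 1 style fields).
PROCESS_EVENTS = [
    {"id": 1, "parent": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c start /min C:\\Users\\Public\\update.exe"},
    {"id": 2, "parent": "C:\\Users\\Public\\update.exe",
     "image": "C:\\Users\\Public\\ssh.exe",
     "cmdline": "ssh.exe -N -R 5900:127.0.0.1:3389 -p 443 tunnel@203.0.113.20"},
    {"id": 3, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\PuTTY\\plink.exe",
     "cmdline": "plink.exe -ssh -L 8080:intranet:80 dev@10.10.10.5"},
    {"id": 4, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -R 2222:localhost:22 admin@203.0.113.30"},
]

# Constructed web-proxy lines: "client method url status".
PROXY_LOG = """\
10.10.10.5 GET http://203.0.113.20/rest/serv.php?a=1 200
10.10.10.5 GET https://www.example.com/rest/service 200
10.10.10.9 POST http://203.0.113.20/rest/serv.php 200
"""


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def remote_forward_target(cmdline):
    """Return the hostport of a -R forward, or None when the command has none."""
    m = REMOTE_FORWARD_RE.search(cmdline)
    if not m:
        return None
    fields = m["spec"].split(":")
    return fields[-1] if len(fields) >= 3 else None


def check_process(ev):
    """Return [(severity, reason)] findings for one process-creation event."""
    findings = []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    if parent in OFFICE_PARENTS and image in SHELLS:
        findings.append(("medium", f"{parent} spawned {image}: macro-style dropper behaviour"))
    if image in SSH_CLIENTS:
        target = remote_forward_target(ev["cmdline"])
        if target == "3389":
            findings.append(("high", "reverse SSH tunnel exposing RDP (3389) to a remote host"))
        elif target is not None:
            findings.append(("medium", f"reverse SSH tunnel exposing local port {target}"))
    return findings


def check_proxy(log):
    """Return (client, url) pairs whose URI matches the ServHelper C2 path."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and C2_URI_RE.search(parts[2]):
            hits.append((parts[0], parts[2]))
    return hits


def hunt(events=PROCESS_EVENTS, proxy_log=PROXY_LOG):
    """Map event id -> findings for flagged processes, plus proxy C2 hits under 'proxy'."""
    report = {ev["id"]: check_process(ev) for ev in events}
    report = {eid: found for eid, found in report.items() if found}
    report["proxy"] = check_proxy(proxy_log)
    return report


if __name__ == "__main__":
    for key, value in hunt().items():
        print(key, value)
```

The `-L` local forward in event 3 is left alone on purpose: developers use it daily, and it is the `-R` direction, which opens a listener on the attacker's server that lands on the victim's 3389, that matches the RDP access Proofpoint describes. Outbound SSH on port 443 from a user workstation, as in event 2, is worth a finding of its own in most environments.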
=================================================================
See the links below for background on a great way to combat this Remote Access Trojan (RAT) and other malware. imo.
https://www.wavesys.com/malware-protection
https://www.wavesys.com/products/wave-endpoint-monitor
New tool automates phishing attacks that bypass 2FA
https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
Trust in two-factor authentication has slowly eroded in the last month after the release of an Amnesty International report and the Modlishka tool.
A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA).
Named Modlishka --the English pronunciation of the Polish word for mantis-- this new tool was created by Polish researcher Piotr Duszynski.
Modlishka is what IT professionals call a reverse proxy, but modified for handling traffic meant for login pages and phishing operations.
It sits between a user and a target website --like Gmail, Yahoo, or ProtonMail. Phishing victims connect to the Modlishka server (hosting a phishing domain), and the reverse proxy component behind it makes requests to the site it wants to impersonate.
The victim receives authentic content from the legitimate site --let's say for example Google-- but all traffic and all the victim's interactions with the legitimate site passes through and is recorded on the Modlishka server.
Any passwords a user may enter, are automatically logged in the Modlishka backend panel, while the reverse proxy also prompts users for 2FA tokens when users have configured their accounts to request one.
If attackers are on hand to collect these 2FA tokens in real-time, they can use them to log into victims' accounts and establish new and legitimate sessions.
The video below shows a Modlishka-powered phishing site that seamlessly loads content from the real Google login interface without using templates, and logs credentials and any 2FA code that a user might be seeing.
-see link for video.
Because of this simple design, Modlishka doesn't use any "templates," a term used by phishers to describe clones of legitimate sites. Since all the content is retrieved from the legitimate site in real time, attackers don't need to spend much time updating and fine-tuning templates.
Instead, all attackers need is a phishing domain name (to host on the Modlishka server) and a valid TLS certificate to avoid alerting users of the lack of an HTTPS connection.
The final step would be to configure a simple config file that unloads victims onto the real legitimate sites at the end of the phishing operation before they spot the sketchy-looking phishing domain.
In an email to ZDNet, Duszynski described Modlishka as a point-and-click and easy-to-automate system that requires minimal maintenance, unlike previous phishing toolkits used by other penetration testers.
"At the time when I started this project (which was in early 2018), my main goal was to write an easy to use tool, that would eliminate the need of preparing static webpage templates for every phishing campaign that I was carrying out," the researcher told us.
"The approach of creating a universal and easy to automate reverse proxy, as a MITM actor, appeared to be the most natural direction. Despite some technical challenges, that emerged on this path, the overall result appeared to be really rewarding," he added.
"The tool that I wrote is sort of a game changer, since it can be used as a 'point and click' proxy, that allows easy phishing campaign automation with full support of the 2FA (an exception to this is U2F protocol based tokens - which is currently the only resilient second factor).
"There are some cases that require manual tuning (due to obfuscated JavaScript code or, for example, HTML tag security attributes like 'integrity'), but these are fully supported by the tool and will also be improved in the future releases," Duszynski told ZDNet.
An Amnesty International report released in December showed that advanced state-sponsored actors have already started using phishing systems that can bypass 2FA.
Now, many fear that Modlishka would reduce the entry barrier to allow so-called "script kiddies" to set up phishing sites within minutes, even with far fewer technical skills required. Furthermore, this tool would allow cyber-crime groups to easily automate the creation of phishing pages that are easier to maintain and harder to detect by victims.
When we asked why he released such a dangerous tool on GitHub, Duszynski had a pretty intriguing answer.
"We have to face the fact that without a working proof of concept, that really proves the point, the risk is treated as theoretical, and no real measures are taken to address it properly," he said.
"This status quo, and lack of awareness about the risk, is a perfect situation for malicious actors that will happily exploit it."
Duszynski said that while his tool can automate the process of a phishing site passing through 2FA checks based on SMS and one-time codes, Modlishka is ineffective against U2F-based schemes that rely on hardware security keys.
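Why a U2F-style hardware key survives a reverse proxy while SMS or one-time codes do not, as an added Python simulation (not Modlishka's code or the researcher's): the key signs the origin the browser is actually on, so the relying party rejects an assertion produced on a look-alike domain even though the proxy relayed the challenge unchanged. The origins and user are constructed, and HMAC-SHA256 stands in for the key's ECDSA signature.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed origins for the simulation; not from the original article.
LEGIT_ORIGIN = "https://accounts.example-mail.test"
PROXY_ORIGIN = "https://accounts.examp1e-mail.test"  # look-alike domain fronting a reverse proxy


class HardwareKey:
    """Stand-in for a U2F/FIDO authenticator. A per-site secret never leaves the
    device; HMAC-SHA256 replaces the real ECDSA signature in this simulation."""

    def __init__(self):
        self._secrets = {}

    def register(self):
        """Return (key handle, verification key). In real U2F the relying party
        receives a public key; here it gets a copy of the symmetric secret."""
        handle = secrets.token_hex(8)
        self._secrets[handle] = secrets.token_bytes(32)
        return handle, self._secrets[handle]

    def sign(self, handle, challenge, browser_origin):
        # The origin the browser is really on is bound into the signed data,
        # which is what lets the server notice a login relayed through a proxy.
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        digest = hashlib.sha256(client_data.encode()).digest()
        signature = hmac.new(self._secrets[handle], digest, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": signature}


def totp(secret, counter):
    """RFC 6238-style six-digit code for one 30-second time step."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class RelyingParty:
    """The legitimate site. It only ever knows its own origin."""

    def __init__(self, origin):
        self.origin = origin
        self.users = {}

    def enroll(self, user, u2f_handle, u2f_vkey, totp_secret):
        self.users[user] = {"u2f": (u2f_handle, u2f_vkey), "totp": totp_secret}

    def begin_login(self):
        return secrets.token_urlsafe(32)

    def verify_u2f(self, user, challenge, response):
        handle, vkey = self.users[user]["u2f"]
        data = json.loads(response["client_data"])
        if data["challenge"] != challenge:
            return False
        if data["origin"] != self.origin:
            return False  # signed on some other domain: relayed through a proxy
        digest = hashlib.sha256(response["client_data"].encode()).digest()
        expected = hmac.new(vkey, digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response["signature"])

    def verify_totp(self, user, code, counter):
        # Nothing in a six-digit code says where it was typed.
        return hmac.compare_digest(totp(self.users[user]["totp"], counter), code)


def simulate(second_factor, via_proxy):
    """Run one login with the given second factor; return whether it is accepted."""
    rp = RelyingParty(LEGIT_ORIGIN)
    key = HardwareKey()
    handle, vkey = key.register()
    totp_secret = secrets.token_bytes(20)
    rp.enroll("alice", handle, vkey, totp_secret)

    challenge = rp.begin_login()
    # A reverse proxy relays the challenge unchanged; the only difference on the
    # victim's side is the origin the browser believes it is talking to.
    browser_origin = PROXY_ORIGIN if via_proxy else LEGIT_ORIGIN
    if second_factor == "u2f":
        response = key.sign(handle, challenge, browser_origin)
        return rp.verify_u2f("alice", challenge, response)
    counter = int(time.time()) // 30
    code = totp(totp_secret, counter)  # the victim types it; a proxy just forwards the string
    return rp.verify_totp("alice", code, counter)


if __name__ == "__main__":
    for factor in ("totp", "u2f"):
        for proxied in (False, True):
            print(f"{factor:4} via_proxy={proxied!s:5} accepted={simulate(factor, proxied)}")
```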
Modlishka is currently available on GitHub under an open source license. Additional information is also available on Duszynski's blog.
=================================================================
Wave VSC 2.0- Better security at less than half the cost!
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-virtual-smart-card
Iranian hackers suspected in worldwide DNS hijacking campaign
https://www.zdnet.com/article/iranian-hackers-suspected-in-worldwide-dns-hijacking-campaign/
Mysterious group hijacks DNS records to reshape and hijack a company's internal traffic to steal login credentials.
US cybersecurity firm FireEye has uncovered an extremely sophisticated hacking campaign during which a suspected Iranian group redirected traffic from companies all over the globe through their own malicious servers, recording company credentials for future attacks.
Affected organizations include telecoms, ISPs, internet infrastructure providers, government, and sensitive commercial entities across the Middle East, North Africa, Europe, and North America.
FireEye analysts believe an Iran-based group is behind the attacks, although there is no definitive proof for exact attribution just yet.
Researchers said the entities targeted by the group have no financial value, but they would be of interest to the Iranian government.
Analysts also said they found that some of the victims' infrastructure was accessed during these attacks from Iranian IP addresses that had been previously observed while FireEye responded to other attacks, which were attributed to an Iranian cyber-espionage actor in the past.
In a technical report released today, FireEye provides an insight into these attacks, which have been happening since at least January 2017.
The FireEye analysts behind this report described the scope and impact of this campaign on Twitter as "huge."
Attackers didn't just spear-phish victims to collect email credentials, like most cyber-espionage groups tend to do, but instead modified DNS records for company IT resources to reshape internet traffic inside organizations and hijack the parts they wanted.
FireEye says it identified three different techniques used for these attacks, each just as complex as the next:
Technique 1: Attackers change DNS records for victim's mail server to redirect it to their own email server. Attackers also use Let's Encrypt certificates to support HTTPS traffic, and a load balancer to redirect victims back to the real email server after they've collected login credentials from victims on their shadow server.
Technique 2: Same as the first, but the difference is where the company's legitimate DNS records are being modified. In the first technique, attackers changed DNS A records via an account at a managed DNS provider, while in this technique attackers changed DNS NS records via a TLD (domain name) provider account.
Technique 3: Sometimes also deployed as part of the first two techniques. This relies on deploying an "attacker operations box" that responds to DNS requests for the hijacked DNS record. If the DNS request (for a company's mail server) comes from inside the company, the user is redirected to the malicious server operated by attackers, but if the request comes from outside the company, the request is directed to the real email server.
All these attacks rely on the attackers' ability to change a company's DNS records, which very few people inside a company can do.
This often requires access to accounts at domain registrars, at companies that provide managed DNS services, or on internal DNS servers a company might be running.
"While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim's domain registrar account," FireEye said, clarifying that its investigation into this global hacking campaign is still very much ongoing.
The US cyber-security firm also pointed out that this type of attack is very hard to defend against because attackers are not accessing a company's internal network in most cases, and aren't likely to trigger alarms with local security software.
The first steps to fight against these attacks, as FireEye recommends, are to enable two-factor authentication for DNS and TLD management accounts, and then to set up alerts for any changes to DNS A or NS records.
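The alerting half of that recommendation, as an added Python example (not FireEye's tooling): it diffs a baseline of a zone's records against a fresh snapshot and ranks changes the way the three techniques above suggest (an NS change moves the whole delegation, an A or MX change on a mail host enables the credential capture), and a second check flags hosts that answer differently inside and outside the network, which is the split-horizon behaviour of technique 3. The zone, hostnames and addresses are constructed; fetching the live records is left to whatever resolver the practitioner already uses.

```python
from typing import Dict, List, Tuple

# A snapshot maps (name, record type) to a tuple of answers.
Snapshot = Dict[Tuple[str, str], Tuple[str, ...]]

# Constructed baseline for a hypothetical company; not data from the FireEye report.
BASELINE: Snapshot = {
    ("example-corp.test", "NS"): ("ns1.managed-dns.test", "ns2.managed-dns.test"),
    ("example-corp.test", "MX"): ("10 mail.example-corp.test",),
    ("mail.example-corp.test", "A"): ("203.0.113.25",),
    ("www.example-corp.test", "A"): ("203.0.113.80",),
}

# Technique 1 as a monitor would see it: the mail host's A record now points elsewhere.
OBSERVED_A_HIJACK: Snapshot = dict(BASELINE)
OBSERVED_A_HIJACK[("mail.example-corp.test", "A")] = ("198.51.100.7",)

# Technique 2: the delegation itself was moved to other name servers.
OBSERVED_NS_HIJACK: Snapshot = dict(BASELINE)
OBSERVED_NS_HIJACK[("example-corp.test", "NS")] = ("ns1.other-dns.test", "ns2.other-dns.test")

# Technique 3: the same name resolved from inside and from outside the company.
INSIDE_VIEW: Snapshot = {
    ("mail.example-corp.test", "A"): ("198.51.100.7",),
    ("www.example-corp.test", "A"): ("203.0.113.80",),
}
OUTSIDE_VIEW: Snapshot = {
    ("mail.example-corp.test", "A"): ("203.0.113.25",),
    ("www.example-corp.test", "A"): ("203.0.113.80",),
}


def mail_hosts(snapshot: Snapshot) -> set:
    """Hostnames named as MX targets anywhere in the snapshot."""
    return {value.split()[-1].rstrip(".")
            for (_, rtype), values in snapshot.items() if rtype == "MX"
            for value in values}


def diff_records(baseline: Snapshot, observed: Snapshot) -> List[tuple]:
    """Return (severity, name, rtype, before, after) for every record that changed."""
    alerts = []
    mx_targets = mail_hosts(baseline)
    for key in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(key, ()), observed.get(key, ())
        if sorted(before) == sorted(after):
            continue
        name, rtype = key
        if rtype == "NS":
            sev = "critical"        # whole zone now served by someone else
        elif rtype == "MX" or name in mx_targets:
            sev = "high"            # mail flow, and with it logins, can be redirected
        else:
            sev = "medium"
        alerts.append((sev, name, rtype, before, after))
    return alerts


def split_horizon_suspects(inside: Snapshot, outside: Snapshot) -> List[str]:
    """Names whose A answer depends on where the query came from."""
    return sorted(name for (name, rtype) in set(inside) | set(outside)
                  if rtype == "A" and inside.get((name, rtype)) != outside.get((name, rtype)))


if __name__ == "__main__":
    for label, observed in (("A hijack", OBSERVED_A_HIJACK), ("NS hijack", OBSERVED_NS_HIJACK)):
        for sev, name, rtype, before, after in diff_records(BASELINE, observed):
            print(f"[{sev}] {label}: {name} {rtype} {before} -> {after}")
    print("split-horizon suspects:", split_horizon_suspects(INSIDE_VIEW, OUTSIDE_VIEW))
```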
=================================================================
The two product links below from Wave could be very helpful in protecting the range of companies/organizations mentioned in this article.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Government Shutdown Brings Certificate Lapse Woes
https://www.darkreading.com/vulnerabilities-and-threats/government-shutdown-brings-certificate-lapse-woes/d/d-id/1333641
Among the problems: TLS certificates are expiring and websites are becoming inaccessible.
The partial shutdown of the federal government is having an impact in ways both anticipated and not. One that probably falls under the latter is expiring TLS certificates that leave some .gov websites marked as "unsafe" or completely inaccessible from most browsers.
Websites from NASA, the Department of Justice, and the Court of Appeals are among those using one of the 80 certificates that have not been renewed since the beginning of the shutdown.
"The government shutdown has left a mark on the digital world. Several government websites now greet users with a 'CERT_DATE_INVALID' warning in place of the website itself. At best, this isn't a good look for the departments concerned. At worst, the thousands of Americans who rely on these websites are left cut off from the services they need," says Martin Thorpe, enterprise architect for Venafi.
Some experts say the issue goes beyond mere Web page inaccessibility. "I think the biggest risk is far beyond expired SSL certificates. How many critical governmental systems are currently unmaintained, outdated, and thus vulnerable?" asks High-Tech Bridge CEO Ilia Kolochenko. "It seems to be a great opportunity for nation-state hacking groups to exploit US momentary weakness to steal or alter extremely sensitive information."
Franklyn Jones, CMO at Cequence Security, agrees with Kolochenko and points to specific risks in the moment. "It creates a great opportunity for bad actors to launch automated bot attacks, testing previously stolen credentials to gain access to private accounts on government sites," he explains.
=================================================================
Using Wave VSC 2.0 and Wave Knowd (for consumers who don't have access to Wave VSC 2.0 and currently in retirement) could take care of the 'testing previously stolen credentials to gain access' problem in the article. These products would work effectively during times of shutdown and protect the users of these government sites. imo. Wave could sell Embassy Security Center (ESC) or ETS to manage users' TPMs for Wave Knowd (SaaS). Or it could be bundled in with Wave Knowd software (if it already was?). imo
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
Lee, MA - May 9, 2013 -
Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.
“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”
To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.
“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”
Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.
“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”
ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.
Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?
Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual users’ unique device identity, with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.
Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.
Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience.
Why Fixing The Internet Isn’t That Hard
https://www.informationsecuritybuzz.com/articles/why-fixing-the-internet-isnt-that-hard/
The Internet is a scary place right now, similar to the old American Wild, Wild West, where well-armed gangs of bad guys faced off with common town folk, taking and destroying anything they wanted with near impunity. Hackers routinely steal so many data records each year that a new 100M record data breach barely makes the news. More email is malicious than legitimate. Thousands of fake web sites get created and deleted in a single day. Ransomware takes down hospitals, police departments, and entire cities. There are over a hundred million new, unique malware programs created each year. And defenders have to be worried about every human adversary that wants to take advantage of their organisation’s data and resources, from advanced nation-state attackers to wily teenage script kiddies. Planes are hacked, power grids attacked, and nuclear centrifuges are spun out of control. You’re afraid to have an Internet-connected web-cam in your house. Each year it only seems to get worse.
But it doesn’t have to be this way. There are ways to make the Internet significantly more secure. Perhaps not completely crime-free, but at least functioning like today’s modern real world where crime is held to an acceptable level of minimum activity. It can be done.
Fixing the Internet
The Internet was not created with computer security in mind. It was created as an experiment to see if a huge national inter-network could be created to connect multiple stand-alone computers. The challenge was to reliably connect as many computers as was possible. Most of the critical underlying original protocols and technologies (like TCP/IP, HTTPS, and DNS) were created in the 1970’s and 1980’s and didn’t have huge security considerations. When the Internet blew up in the late 1980’s, the insecure protocols were brought along. Security was bolted-on and improved as needed. As anyone considering security will tell you, bolting it on after the product is delivered is no way to effectively secure the product.
So, what will it take to significantly reduce cybercrime on the Internet?
There are many ways to do this, but most of the thoughtful plans that have been discussed include the following common design features:
•Default, pervasive authentication of devices, users, and applications
•Default encryption and integrity
•Centralised, but distributed security services, functioning much like DNS does today
I’ll discuss each more below, but the idea is that there are so many cybercriminals on the Internet because they almost never get caught. In the US in the 1920’s and 1930’s this used to be true for bank robbers, when it was easy for a gun-toting robber to pull up to a bank and head out minutes later with boatloads of cash. The fact that they almost never got caught led to more bank robbers and bank robberies until society finally decided to fight back. Then banks started locking safes, putting cashiers behind bullet proof glass, carrying less cash and so on. Police got better at stopping and capturing bank robbers, and pretty soon robbing a bank became a risky occupation. The days of Bonnie & Clyde were over. The same thing has to happen to the Internet.
Default Real Authentication
It starts by having default, pervasive “real” identification of every connected device, user, and application. Most cybercriminals can’t be caught because we can’t identify them. This stops when we start requiring everyone on the Internet to authenticate with their real, verified identity. This is already starting to happen on major social media web sites, where real people are indicated as the real person they claim to be with a green checkmark or similar. Same thing here, except that the authentication will be accomplished and verified any time the person wants to get on the Internet, no matter which web site they go to, and no matter how they have connected.
Sure, you’re going to have people and legitimate scenarios where anonymity is desired or needed, and for those cases you’ve got two options. One, they can log on using pseudo-anonymity, where an identity service confirms their real identity but allows them to use a known fake identity. But if law enforcement needs to find out who is behind the fake identity, the identity service will tell them.
For those people and instances that demand complete anonymity, well, there will always be a part of the Internet that will allow it. It’s just that the majority of the Internet that doesn’t want to interact with unknown individuals (who are more likely to include hackers and malware writers) won’t have to. Unlike today, my email server won’t automatically accept any email sent its way. If it’s from an unverified identity, I may choose to discard that email, or maybe it undergoes heavier inspection before it gets to my inbox. Same thing with a bank or stock trading web site. They will probably require that people are who they say they are before doing business.
The idea is that right now the Internet is mostly pervasive anonymity. Anyone can claim to be anyone across almost every web site and service. I can claim to be Bill Gates on any web site he hasn’t already registered on. A far more secure Internet requires the opposite. It requires that most people (and devices and applications) be effectively identified, so that the person I’m doing business or communicating with is who they say they are and not some rogue actor. And when I download an application, it is from who it says it’s from and hasn’t been modified since it was published. The same thing applies to my device. Already you’re starting to see sites that notice when you sign on with a new device (or even a new software configuration, such as a different browser) and ask you to do additional authentication. We are on our way to this new Internet world.
Default Encryption and Integrity
Here’s the toughest one to get done. By default, every bit of data and communications is encrypted and checked for integrity. Technologically, it’s not hard to pull off. Many of the world’s web sites and organisations are already using HTTPS, which means encryption. But like the same dilemma we face with today’s Internet authentication, we need encryption and integrity to be built-in defaults for all traffic and data.
The hard part is getting the world’s governments to agree to allow it to happen. Many of the world’s governments (like China) are absolutely against their citizens using any form of encryption (or any form that the government cannot bypass). Most other governments, including the US and the UK, and every law enforcement agency don’t want more encryption. They want less. Encryption makes their jobs harder. Default encryption would make their jobs exponentially harder, if not impossible. Most of the world’s governments would fight, fight, fight the idea that everyone on the Internet was encrypted by default.
The reason you need default encryption and integrity is to ensure that what is sent on behalf of someone’s real, verified identity is what they sent. Without default encryption and integrity (of communications, identity, and data), you couldn’t as easily tie what a person sent or did back to the verified identity. Without encryption and integrity, a malicious interloper could modify the message or communications stream without the sender and receiver knowing it. With default encryption and integrity, the hacker and eavesdropper’s task becomes significantly harder.
Centralised Security Services Like DNS
Lastly, we need one or more centralised security services, which function much like DNS. Many of the organisations in this world know where the daily badness is coming from. They watch and keep track of all the bad actors and have a pretty good idea of what locations and IP addresses they are using, often up to the second. We need to take that sort of information and make it free, widespread, and easy to share (like DNS).
The idea is that when badness is identified (such as a spammer sending out millions of phishing emails), that the origination of that badness is shared with every device (e.g. routers, firewalls, etc.) and software (e.g. email, browsers, etc.) that cares to know. Then if your device or software received a connection from a known bad location, it could drop or handle it accordingly.
Here’s another example. Suppose you’re a good person without a history of sending malware, but somehow your computer gets infected by a phish-sending spambot. In this new Internet, the person or device that infected you would be easier to find, stop, and prosecute. And while your computer was spewing phishes, the world could be proactively alerted that your node was sending badness and at the moment was untrustworthy. You wouldn’t have to notify anyone. And after you got your computer cleaned up, the Internet security service could mark your device as a trustworthy device again, and people could be free to accept your communications normally again. And if you got infected again and again, maybe the service would start to mark you as questionable, at least until you proved to it that you had taken the appropriate steps to keep badness off your device.
No Need to Invent New Technologies
The best part of this is that we already have all the technologies and protocols we need. No one has to invent anything new. All that has to happen is for the people that manage and control the Internet to come together and decide what is required, and then implement it. The current Internet could even be left running and anyone objecting to the new system could be left on the old version. But the new version would be safer and faster. Imagine how much faster the Internet would be if most email was legitimate and if quadrillions of denial of service packets were not there. You can stay on the old version, but the vast majority of Internet users would gladly give up their default anonymity to compute on a version that gave them far more default security.
What Will It Take to Make It Happen?
After over 30 years of fighting Internet crime, I’ve come to the conclusion that we will never move to make the Internet a far safer place to compute until some big, cataclysmic, 9/11-like digital equivalent event happens. Something like the Internet going down for a few days, or the stock market or banking system going down for a day, would probably do it.
Why do I think it will take a huge event to make it happen?
Well, for one, I’ve been waiting for Internet security to get better for 30 years and it hasn’t happened naturally. In fact, it seems to get worse each year. To make a far more secure Internet, it’s going to take a global set of leaders (and their governments) to agree on common goals. And you can’t get the people around your dinner table, much less around the world, to agree on what needs to be done to make the Internet far safer…at least until some bigger motivator causes it to happen.
Think about all the things we do to travel by commercial plane today. We have to verify our identity. We can’t just hand someone our ticket (yes, you used to be able to give your ticket to anyone and they could fly using it). We have to show our verified IDs to at least two different sets of guards. We can only have certain things on our person or our luggage. We have to take off our shoes and throw away any water bottles, and so on. The pilot’s cabin is now secured by metal doors and many flights contain anonymous, armed agents.
All of those required safety features came about just after 9/11. Can you imagine how travellers would have reacted to the airlines before 9/11 if they had been told they would have to take off their belts, remove their shoes, and throw away any carried-on liquid or gel bigger than a small toothpaste container? There would have been a riot of complaints and a drop in air travel. Instead, after 9/11, travellers willingly do whatever it takes to get past the airline enforcement guards. They may groan and not be happy, but they are willing to do it, and we are safer.
A Safe Internet Will Come
This isn’t new. This is what happens to every infrastructure and civilisation. All societies naturally move from wild, more chaotic cultures to safe, more stable societies. Most of the involved citizens willingly give up some of their anonymity and past freedoms in exchange for more safety. A century ago, anyone who wanted to drive a car could. Children routinely drove heavy equipment and cars. Now, a legal driver must meet a base set of requirements (including age and good eyesight), verify their identity, take a written and physical driving test, and get re-certified every few years. If you can’t do that, you’re not legal to drive in any civilised society on Earth.
You used to be able to get water from your well. Now you have to prove your identity to your water company and you get relatively cheap and safe drinking water at a price and in an amount that much of the uncivilised world can’t even imagine. The same thing is happening with the Internet. It’s going to move from the Wild, Wild West to a safe, more civilised society. Gun slingers can’t legally destroy a town anymore. Bank robbers usually get caught. The only question is how long it will take and what it will take to make a far safer Internet a reality.
=================================================================
The author was once employed by Microsoft according to my recollection and makes some interesting points. Wave could help in a big way to the title and some of the contents of this article. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/wave-alternative
The shutdown's cybersecurity costs
https://www.axios.com/government-shutdown-cybersecurity-essential-workers-029b10b1-06a0-4c7f-afcb-803347ff24a2.html
The government is on hiatus. Enemies of the U.S. are not.
Why it matters: During the government shutdown, essential personnel are exempt from the furlough — so in theory, anyone preventing cybersecurity calamities is still showing up for work. But experts believe the loss of support staff makes the cybersecurity effects of a shutdown bad in the short term and worse in the long term.
The fallout: Consider the difficulty of maintaining security in government networks before a government shutdown. Now try doing that with fewer people.
•"Defending federal networks is already an act of triage, due to personnel shortages, legacy IT overhang, uneven risk management practices and a hostile threat environment. Furloughs make a hard job even harder," said Andrew Grotto, a former White House cybersecurity adviser for Presidents Obama and Trump and a current employee of Stanford's Hoover Institution.
•While critical personnel are still on duty during a shutdown, he added, "What that means as a practical matter is that these people have to do even more than usual."
Those problems will stick around after the shutdown. It's likely, say multiple former federal employees Codebook spoke to, that federal networks will fall behind on basic hygiene tasks.
•"Government shutdowns tend to affect support activities disproportionately, such as hiring or vetting contracts. Thus, over time, personnel slots will go unfilled and contracts will expire, making it difficult to sustain the workforce or upgrade equipment," noted Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the industry group Cyber Threat Alliance.
In the long term, this could do irreparable damage to the federal government's ability to hire cybersecurity talent.
•The unemployment rate for trained cybersecurity personnel is famously at 0%, the private sector pays better and the only advantage the government has in hiring is the importance of the work and the gratitude of a nation.
•Willingness to shutter the government doesn't speak too highly to the perceived value of the job or its employees.
•"Government people go to work because of the mission, and we’re kicking them in the teeth," said Phil Reitinger, president and CEO of the Global Cybersecurity Alliance.
Departments devoted to cybersecurity policies will grind to a halt.
•The National Institute of Standards and Technology, which is developing a widely awaited privacy framework, is seeing its staff reduced to 49 out of its normal cohort of roughly 3,000 employees.
•The Department of Homeland Security's newly christened Cybersecurity and Infrastructure Security Agency will be without a substantial amount of support staff. By DHS' tally, 43% of the workforce — over 1,500 employees — are furloughed.
Security-related investigations and prosecutions at the FBI and Department of Justice will continue with all employees carried over.
The bottom line: Furloughing cybersecurity staff creates both short-term and long-term vulnerabilities.
•"Cyber threats don’t operate on Washington’s political timetable, and they don’t stop because of a shutdown," said Lisa Monaco, former assistant to the president for homeland security and counterterrorism.
Go deeper: The fear of a painful shutdown is kicking in
=================================================================
Wave's products are ones that require less labor especially when concerned with limiting unknown devices from getting on the network. While this strategy/product (Wave ERAS) keeps the bad guys from entering the network, the more labor intensive strategy (governments'/companies') allows the bad guys on the network to be tracked and possibly subdued or not. imo. Better security at less than half the cost could be a good backup plan for shutdowns like this (much less critical labor needed) or probably a better plan than the existing one.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Is Privileged Access Management still a pain?
https://www.helpnetsecurity.com/2019/01/08/privileged-access-management/
Every week seems to bring the story of a new customer data breach, but regardless of the individual details, the majority of incidents have one trait in common. The chances are high that the breach was made possible through the compromise of privileged accounts and passwords, usually acquired through social engineering via phishing emails.
Once credentials have been stolen, unauthorised access can often go undetected for weeks or even months at a time, enabling the intruder to undertake a huge level of data exfiltration or lay the foundations for an even greater attack. One of the most dangerous outcomes is for the attacker to escalate their activities and gain access to a privileged account.
What makes a privileged account so important?
Commonly also called superusers, privileged accounts are one of the fundamental building blocks of the IT environment, used by humans, applications and services to run tasks requiring elevated permissions. Accordingly, privileged accounts have many advanced powers and permissions, including creating and modifying other user accounts, unrestricted remote access to all machines on the network, and retrieving sensitive data. They can even make significant changes to the network infrastructure itself.
Gaining control of a privileged account is a huge coup for a cybercriminal as these powers can be used to facilitate many different malicious actions. Armed with superuser credentials, attackers can bypass normal security controls to access sensitive data and install malware anywhere on the network with impunity. They can also disguise their activity by erasing audit trails and destroying evidence, greatly increasing their potential dwell time and confounding investigations by the security team.
The ability to protect superuser accounts from being compromised can make the difference between a minor network intrusion and a breach that devastates the organisation. However, despite their importance and the threat they pose in the wrong hands, many IT users are careless with privileged accounts. Even users who have access to these accounts as part of their role may not fully appreciate their power and how dangerous their misuse can be.
Being equipped with a Privileged Access Management (PAM) solution is one of the best ways to keep privileged accounts under control and well-protected. These tools make it much easier to govern access to privileged accounts and can be used to monitor and limit active sessions to prevent misuse. However, some IT teams have come to fear PAM tools, considering them expensive, resource heavy, and overly complicated.
Lingering disrepute
Much of the maligned reputation around PAM stems from experiences with legacy software. In many cases, previous generations of PAM solutions were overly complex and difficult to implement. The installation process could require the use of specialised professionals and could sometimes take several months or even years to fully complete – or perhaps remain unfinished indefinitely. The combination of specialists and lengthy implementation times meant that many IT teams decided the cost of PAM simply wasn’t worth it.
It should be noted that these experiences often come from a very different time in cyber security. For many years, the best way to protect sensitive information and assets was to build a fence around them. With all data flowing in and out through a single access point, the traditional perimeter could keep out the majority of threats. Under this set up, IT teams could more readily assume that their networks would be protected without the use of PAM.
Today however, the perimeter approach is no longer effective and is easily circumvented if attackers can gain access to login credentials. Remote working practices have also greatly increased the surface area for attack and made it even easier to slip through the perimeter. Likewise, traditional security tools don’t flag when someone is using legitimate resources for inappropriate activities, making them ill-suited for this new model.
Starting a fresh PAM journey
Employing PAM capabilities is essential for an organisation to protect its privileged accounts from falling into the wrong hands, so any IT teams still put off by past lessons can now have a positive PAM experience: it is no longer costly or complex, and it no longer requires specialised skills.
PAM is an important priority for all organisations and any previous challenges can be overcome by beginning with thorough planning and assessment. The main priority is to identify all accounts with elevated powers and ensure there are clear policies about proper usage and responsibilities. The account audit required to get started with PAM can help demonstrate compliance with the GDPR, PCI, ISO and other regulations and can also directly help to turn up evidence of unusual behaviour that indicates a breach or credential misuse.
Establishing a solid foundation will make the process of managing and securing privileged accounts much more scalable and flexible, helping organisations avoid the lengthy and expensive implementation processes of old. The rapidly expanding market now includes many different options for PAM solutions that can be easily installed out-of-the-box without the need for specialised skills and expertise. For example, PAM-as-a-Service can now easily be consumed from the cloud – securing privileged access to critical assets without the need for implementation.
The right PAM solution will leave organisations in a much stronger position to protect their privileged accounts from cyber criminals who have adopted credential theft and escalation as their main modus operandi. With proper planning and a flexible and scalable approach, companies can reap the benefits without the implementation headaches of legacy solutions.
=================================================================
If an IT administrator is going to protect privileged access why not protect all access? How would the Privileged Access Management (PAM) protect accounts that are nefariously upgraded to privileged access? See link below for such an incident. Wave VSC 2.0 - Better security at less than half the cost!
=================================================================
Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months
https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/
"RID Hijacking" technique lets hackers assign admin rights to guest and other low-level accounts
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=144344217
===============================================================
Wave VSC 2.0 would protect privileged and low-level accounts and prevent the low-level accounts from nefariously being upgraded to privileged. imo. See above ihub link for more information.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Boards need to be active partners in cyber defence
https://www.computerweekly.com/news/252455381/Boards-need-to-be-active-partners-in-cyber-defence
Board members must be active governance partners in collaborative cyber defence, says US regional information sharing and analysis organization
Defending against cyber attackers requires collaboration across organisational functions and between organisations, according to a report by the Advanced Cyber Security Center (ACSC).
The report urged boards to adopt a comprehensive and dynamic understanding of their organisations’ cyber security responsibilities and to maintain regular direct access to CISOs and risk officers in conjunction with CIOs and other executives.
The report, based on a survey of 20 ACSC member CISOs and CIOs from diverse organisations and interviews with external experts, was intended to provide a perspective on the current state of board engagement in cyber security.
It also described the benefits and challenges of maturing board engagement and included recommendations for model board engagement.
The New England-based ACSC is a federally registered regional information sharing and analysis organisation (ISAO) aimed at encouraging cross-sector collaboration and promoting effective practices to help organisations strengthen their cyber defences.
According to the report, in most cases the board partnership with management is still “at an early stage” or in a “maturing phase” in its ability to provide strategic guidance and help guide management’s strategic risk judgements.
Because most boards do not yet have sufficient expertise in technology or cyber security to serve as strategic thought partners on cyber risk, the report recommended that they should recruit board members with broad digital or technology expertise, develop an annual curriculum of cyber briefings, provide ongoing training and use third-party assessments.
A key finding of the survey was that placing cyber security in an organisational silo at the operational or board level makes it difficult to develop a comprehensive and nuanced understanding of cyber security’s impact on business risk.
Boards generally spend one meeting a year on cyber security, delegating responsibility to the risk or audit committee, leaving the full board with little time to develop expertise on the cyber risks, the survey showed.
The report recommended that CISOs and CIOs should present jointly at board meetings to provide a comprehensive view of digital strategies and security.
“Boards as a whole should review cyber security more consistently as a business risk and the risk or audit committee should be used for more frequent (at least quarterly) cyber reviews,” the report said.
The survey showed that as cyber security budgets continue to grow, two issues have arisen. The first is “budget fatigue” and the second is that cyber security investments are seen as “separate” from IT investments and so do not represent a complete picture of security spend.
In terms of overseeing cyber security and digital transformation budgets, the report recommended that boards should present digital transformation budgets as a whole, with cyber security investments as an element of overall IT-related decisions about where to invest in growth and security.
Boards and management require cyber risk frameworks that provide a means to make informed risk judgements, the report said, noting that cyber security has not yet developed the standard risk frameworks that financial and audit risk functions have.
In the light of this fact, the report recommended that boards should prioritise and support senior management’s development of a new generation of outcome-based cyber risk management frameworks. “In the meantime, executives should use only a few operational metrics with boards,” it said.
Michael Figueroa, executive director of the ACSC, said the report examines the reality that, for the most part, boards are not in a position to provide strategic guidance on cyber risk.
“In particular, the report has identified a need for a risk standard, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision-making and operations as they relate to cyber risk management,” he said.
=================================================================
If board members and CISOs were asked to read the Wave Alternative and if the CISOs could be asked to compare their cyberdefenses with Wave VSC 2.0, Wave ERAS, Wave SED management and Wave Endpoint Monitor, they could very well see the light to a better cyber future!! imo.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
'You can't relax': Here's why 2-factor authentication may be hackable
https://www.cnbc.com/2019/01/04/how-secure-is-your-account-two-factor-authentication-may-be-hackable.html
•Cybercriminals can now use a type of phishing to get around two-factor authentication, typically a code sent to your cellphone that is needed to log in, according to cybersecurity firm KnowBe4.
•KnowBe4 used LinkedIn for its demo, but said many other websites are also vulnerable.
•The code for the attack is now public, according to KnowBe4.
In a quest to make online accounts safer, many services now offer two-factor authentication. The system typically sends a code to a user's mobile phone that they need to log in, along with a username and password.
Cybersecurity professionals have advised enabling two-factor to add an extra layer of security — but according to at least one expert, this may not be a silver bullet. Kevin Mitnick, who was once the FBI's most wanted hacker and now helps companies defend themselves, found that two-factor authentication can be vulnerable.
"Just by enabling two-factor authentication, you can't relax…a smart attacker could get access to your account," Mitnick said in an interview with CNBC. He is the chief hacking officer at KnowBe4, a cybersecurity company that trains people to spot phishing, or spoofed emails.
Mitnick told CNBC he found out about the vulnerability when it was posted online for anyone to find.
"The tool to actually pull these attacks off has been made public. So any 13-year-old could download the tool and actually carry out these attacks," he said.
According to Mitnick, the attack begins when a cybercriminal sends an email that looks real, and asks the receiver to click on a link.
Once the user clicks on the link, they are directed to log into the real website, including entering the code sent to their cellphone. Secretly, however, the login went through the hacker's server and they were able to get the session cookie, the expert explained.
"If we can steal the user session cookie, we could become them, and we don't need their username, their password, or their two-factor," Mitnick said.
Mitnick showed CNBC that he was able to enter that code into his browser. "When I hit refresh I'm going to be magically logged into the victim's account," he said.
Mitnick used LinkedIn to demo the attack for CNBC, but said many other websites are also vulnerable. The email he clicked on looked like a real LinkedIn connection request — but actually came from a fake domain, lnked.com. He said most people may not realize the difference.
"It's not LinkedIn that's vulnerable. It's the actual user… It's a security flaw with the human," Mitnick said.
In a statement, Mary-Katharine Juric, a LinkedIn spokesperson, told CNBC that the professional network took Mitnick's demonstration "very seriously," and that LinkedIn has "a number of technical measures in place to protect our members from fraudulent activity including phishing scams."
She added: "When we detect this type of activity, we work to quickly remove it and prevent future re-occurrences. We strongly encourage members to report any messages or postings they believe are scams, and utilize our member help center as a resource to educate and protect themselves from frauds online."
This attack is part of what is known as social engineering, when hackers take advantage of human behavior to get you to do something, like click on a link. Another way to protect yourself is to pay close attention to email you get, even if you use two-factor authentication.
"Social engineering if you do it right can be used to get into almost anything," said Stu Sjouwerman, KnowBe4's CEO.
To protect from attacks like this one, some companies are making tools called security keys.
Instead of sending a code to your cell phone, security keys — which look like a keychain — contain a hardware chip, and use Bluetooth or USB to be the additional factor needed to log into your account. Recently, Google released its own version of the device, which it calls the Titan Security Key.
"The security key stores its own password and requires the site to prove it's legit before releasing the password and getting you signed in," said Mark Risher, Google's director of product management for security and privacy.
"It's not ubiquitous by a long shot but we are encouraged to see more and more sites and apps," he added.
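The contrast the article draws between a texted code and a security key comes down to one property: a code typed into a look-alike page is just as valid as one typed into the real page, whereas a security key signs over the origin the browser is actually connected to, so the real site can reject an assertion produced on lnked.com. The following is an added example, not code from CNBC, KnowBe4 or Google; it models a WebAuthn/FIDO-style relying-party check with the standard library only. The names RP_ID, RP_ORIGIN, SecurityKey, browser_client_data, verify_assertion and login_via are this example's own, and an HMAC with a per-site secret stands in for the real public-key signature (a real key never shares its private key with the site).

```python
"""Origin-bound sign-in check: why a cookie-relaying phish fails against a security key.

Added example (not from the article or the vendors it names). HMAC is a
stand-in for the asymmetric signature a real FIDO key produces.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "www.linkedin.com"            # relying party named in the article
RP_ORIGIN = "https://www.linkedin.com"
PHISH_ORIGIN = "https://lnked.com"    # look-alike domain named in the article


class SecurityKey:
    """Toy authenticator holding one credential per relying party."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        # Stand-in: a real key would hand the site a *public* key only.
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]

    def sign(self, rp_id, client_data):
        # Real keys sign SHA-256(client_data) with the credential's private key.
        key = self._creds[rp_id]
        return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def browser_client_data(challenge, origin):
    """What the browser feeds the key: the challenge AND the origin it is really on.
    The attacker's page cannot change this; the browser fills it in."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()


def verify_assertion(rp_cred, expected_challenge, client_data, signature):
    """Relying-party checks: right ceremony, fresh challenge, OUR origin, valid signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch or replay"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin {data.get('origin')!r} is not {RP_ORIGIN!r}"
    expected = hmac.new(rp_cred, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def login_via(origin_seen_by_browser):
    """Run one sign-in ceremony; the only variable is the origin the browser is on.
    (Real browsers additionally refuse to use a credential whose RP ID does not
    match the page's domain, so the phish would fail even earlier.)"""
    key = SecurityKey()
    rp_cred = key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)          # issued by the real site
    client_data = browser_client_data(challenge, origin_seen_by_browser)
    sig = key.sign(RP_ID, client_data)
    return verify_assertion(rp_cred, challenge, client_data, sig)


if __name__ == "__main__":
    print("legitimate origin:", login_via(RP_ORIGIN))
    print("phishing origin:  ", login_via(PHISH_ORIGIN))
```

A texted code has no equivalent of the origin field, which is why the relay in the article works: the real site receives a correct password and a correct code and has no way to know they were typed into a different page. Binding the assertion to the origin (and to a challenge the site issued) is what moves the decision from the user's eyes to the verifier.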
=================================================================
See link below for information on tokens and why the laptop with a TPM (and Wave VSC 2.0) could be better than a security key.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
*Actual number may vary. Contact us today to receive more details and a free quote.
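The two factors the page describes (a key that lives in the device's TPM, released only after the user's PIN) give a network something a password alone cannot: a device identity it can enroll in advance and check on every login. The following is an added example, not Wave's code; it models that idea with an in-memory stand-in for a TPM and a gateway that keeps a list of known devices. ToyTpm, NetworkGate, attempt and the sample user "bob" are this example's own inventions, and an HMAC key shared with the gateway stands in for the asymmetric key pair a real TPM would hold (a real TPM never exports its private key; the verifier would hold only the public half).

```python
"""Known-device gate: device-bound key (something you have) + PIN (something you know).

Added example, not vendor code. ToyTpm stands in for a TPM; the gateway holds
a copy of the key here only because HMAC replaces the real public-key signature.
"""
import hashlib
import hmac
import secrets


class ToyTpm:
    """Holds a non-exportable key, signs only after PIN authorisation, and locks
    out after repeated bad PINs (real TPMs have dictionary-attack protection)."""
    MAX_ATTEMPTS = 5

    def __init__(self, pin):
        self._key = secrets.token_bytes(32)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.failed = 0

    def device_id(self):
        # Public identifier the network enrolls; derived from the key for this toy.
        return hashlib.sha256(b"device-id|" + self._key).hexdigest()

    def enroll(self):
        return self.device_id(), self._key      # real TPM: public key only

    def sign(self, pin, challenge):
        if self.failed >= self.MAX_ATTEMPTS:
            raise PermissionError("TPM locked out")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.failed += 1
            raise PermissionError("bad PIN")
        self.failed = 0
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class NetworkGate:
    """Admits a user only if the password is right AND an enrolled device signed our challenge."""

    def __init__(self):
        self.passwords = {"bob": "hunter2"}     # constructed sample; hash these in real systems
        self.known_devices = {}                 # device_id -> verification key
        self.log = []                           # the "detailed activity logs" the page mentions

    def register_device(self, device_id, vkey):
        self.known_devices[device_id] = vkey

    def new_challenge(self):
        return secrets.token_bytes(32)

    def admit(self, user, password, device_id, challenge, signature):
        if self.passwords.get(user) != password:
            return self._deny(user, device_id, "bad password")
        vkey = self.known_devices.get(device_id)
        if vkey is None:                        # stolen password on a stranger's laptop ends here
            return self._deny(user, device_id, "unknown device")
        expected = hmac.new(vkey, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return self._deny(user, device_id, "bad device signature")
        self.log.append(("ALLOW", user, device_id, "ok"))
        return True, "ok"

    def _deny(self, user, device_id, reason):
        self.log.append(("DENY", user, device_id, reason))
        return False, reason


def attempt(gate, user, password, tpm, pin):
    """One login from a laptop whose TPM is `tpm`; returns (allowed, reason)."""
    challenge = gate.new_challenge()
    try:
        sig = tpm.sign(pin, challenge)
    except PermissionError as exc:              # wrong PIN or locked TPM: nothing leaves the device
        gate.log.append(("DENY", user, tpm.device_id(), str(exc)))
        return False, str(exc)
    return gate.admit(user, password, tpm.device_id(), challenge, sig)


if __name__ == "__main__":
    gate, laptop = NetworkGate(), ToyTpm("1234")
    gate.register_device(*laptop.enroll())
    print("known laptop, right PIN:", attempt(gate, "bob", "hunter2", laptop, "1234"))
    print("stolen password, unenrolled laptop:", attempt(gate, "bob", "hunter2", ToyTpm("0000"), "0000"))
    print("stolen laptop, wrong PIN:", attempt(gate, "bob", "hunter2", laptop, "9999"))
```

The order of checks matters for what the log tells a defender: a correct password arriving from an unenrolled device is exactly the "stolen credentials, unknown device" case the thread is about, and it shows up as a DENY with that reason rather than as a successful login to be hunted later.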
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  • Virtual Private Network (VPN)
  • Local logon
  • Remote logon
  • Remote desktop access
  • Intranet/Extranet
  • Cloud applications
Hacker leaks data on Angela Merkel and hundreds of German lawmakers
https://techcrunch.com/2019/01/04/germany-data-breach-lawmakers-leak/?sr_share=twitter&utm_source=tctwreshare
A hacker has targeted and released private data on German chancellor Angela Merkel and other senior German lawmakers and officials.
The data was leaked from a Twitter account, since suspended, and included email addresses, phone numbers, photo IDs and other personal data on hundreds of senior political figures.
According to a government spokesperson, there was no “sensitive” data from the chancellor’s office, but other lawmakers had more personal data stolen. Other portions of the leaked data included Facebook and Twitter passwords. Some had their credit card information stolen, and chat logs and private letters published in the breach.
Germany’s Federal Office for Information Security said in a statement that it was “extensively investigating” the breach, but does not believe there was an attack on the government’s networks.
It’s been reported that the hacker may have obtained passwords to access social media accounts. Often, hackers do this by tricking a phone company into “porting out” a person’s phone number to another SIM card, allowing them to password reset accounts or obtain two-factor codes.
The hacker leaked data on senior lawmakers across the political spectrum, but noticeably absent were accounts for the country’s far-right Alternative for Germany party.
The hack is reminiscent of a data breach involving the Democratic National Committee in 2016, which targeted the Democrats in the U.S. in the months running up to the U.S. presidential election. The U.S. government later attributed the hack to Russia, which prosecutors say tried to influence the election to elect Donald Trump to the White House. The Justice Department brought charges against seven suspects earlier this year for being part of the so-called “Fancy Bear” group of hackers, working on behalf of the Russian government.
Little is known about who is behind the leak of German lawmakers’ data. The German government has not speculated about who — or if a nation state — may have been behind the attack. But the alleged hacker said in a statement linked from their Twitter account that they “operated alone and does not belong to any organization or similar on Twitter.”
According to security experts who’ve seen portions of the data, the hacker spread the stolen information across several sites and mirrors, making it “really hard to take down.”
Germany’s minister for justice Katarina Barley called the breach a “serious attack,” one that aimed to “damage confidence in our democracy and institutions,” according to the BBC.
It’s not the first time that the German parliament has faced security issues. In 2015, attackers stole gigabytes of data on lawmakers, a breach that Germany’s domestic spy agency later attributed to Russia.
Russia has repeatedly denied launching cyberattacks.
=================================================================
If Germany and other countries had been using Wave products, events like these wouldn't have happened. imo. Better security at less than half the cost!!
==================================================================
https://www.wavesys.com/wave-alternative
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Phishing Tactic Hides Tracks with Custom Fonts
https://threatpost.com/phishing-custom-fonts/140563/
The phishing campaign is using a new technique to hide the source code of its landing page – and stealing credentials from customers of a major U.S.-based bank.
An insidious phishing method evades detection using a never-before-seen technique that leverages custom fonts to cover its tracks.
Researchers at Proofpoint recently discovered an active credential harvesting phishing scheme. Once a victim has clicked on the initial phishing email, the resulting landing page looks like a login page for a major U.S. bank – but in reality the page is bent on stealing banking customers’ credentials, Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. The phishing kit uses custom web fonts to obfuscate the source code for the landing page – making it seem harmless.
“While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding,” researchers at Proofpoint said in a Thursday analysis of the technique.
Upon further analyzing the landing page, researchers were surprised to find that the source code of the page includes unexpectedly encoded display text – even when it has been copied and pasted into a text file.
Behind this trick are Web Open Font Format (WOFF) files, which are web font files created in an open format that delivers webpage fonts. The base64-encoded woff and woff2 files install a substitution cipher.
Essentially the substitution ciphers replace the expected alphabetical letters shown to the victim on the page (“abcdefghi…”) with other letters in the source code.
For potential victims looking at the page, the trick means their browser renders the ciphered text as plaintext – essentially making the true purpose of the landing page harder to detect.
These substitution functions are also identified in the CSS code for the landing page, differing from those used in other phishing kits, which are frequently implemented in JavaScript.
The phishing technique has one other trick up its sleeve: Using the images of the bank’s branding in scalable vector graphics format, so that the logo and its source do not appear in the source code. That sidesteps the process of linking to actual logos and other visual resources, which could potentially be detected by the impersonated brand.
Dawson said that the phishing kit was first observed being used in May 2018 – but it is possible that the kit appeared in the wild earlier. And, it’s still being used, with a number of active domains hosting the kit.
Potential victims as always should be extremely careful about clicking URLs and going directly to bank websites instead of following links.
“This is really just one more way in which threat actors are looking to hide their tracks,” Dawson told us. “Whether that is through a variety of code mechanisms or new novel ways of getting around detection, it’s all just a matter of being more effective.”
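As an added example (not code from Proofpoint, Threatpost or any phishing kit), a small Python detector for the trick described above: it flags a page that ships a base64 WOFF/WOFF2 @font-face, applies that family to the page text, and whose source text scores as gibberish against a wordlist, and it shows how the text reads once the font's letter map is known. The sample page, the stub font blob and the substitution map (a 13-place shift) are constructed for the example; a real kit's map would have to be read from the font's glyph table.

```python
import base64
import re
from html.parser import HTMLParser

# WOFF 1.0 and WOFF 2.0 files begin with these four-byte signatures.
WOFF_MAGIC = (b"wOFF", b"wOF2")

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*([^;}]+)", re.I)
DATA_URI_RE = re.compile(r"data:[^;,]*;base64,([A-Za-z0-9+/=]+)", re.I)

# Tiny stand-in for a real dictionary (constructed for this example).
COMMON_WORDS = {
    "sign", "in", "to", "your", "online", "banking", "account", "user", "id",
    "password", "enter", "the", "and", "continue", "forgot", "log", "secure",
}


class _PageText(HTMLParser):
    """Collects <style> contents separately from the text a victim would see."""

    def __init__(self):
        super().__init__()
        self.css, self.visible, self._in = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._in = tag
        # Placeholders and button labels are rendered through the page font too.
        for name, value in attrs:
            if name in ("value", "placeholder") and value:
                self.visible.append(value)

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "style":
            self.css.append(data)
        elif self._in is None:
            self.visible.append(data)


def inline_font_families(css):
    """Names of @font-face families whose src is an inline base64 WOFF blob."""
    found = []
    for block in FONT_FACE_RE.findall(css):
        fam, blob = FAMILY_RE.search(block), DATA_URI_RE.search(block)
        if not fam or not blob:
            continue
        try:  # the first 8 base64 characters decode to the first 6 bytes
            head = base64.b64decode(blob.group(1)[:8])
        except ValueError:
            continue
        if head[:4] in WOFF_MAGIC:
            found.append(fam.group(1).strip().strip("'\""))
    return found


def families_applied_to_text(css, families):
    """Subset of `families` that an ordinary (non-@font-face) rule actually uses."""
    ordinary = FONT_FACE_RE.sub("", css)
    return [f for f in families if f in ordinary]


def dictionary_score(text):
    """Fraction of alphabetic words found in COMMON_WORDS; ciphered text scores ~0."""
    words = re.findall(r"[A-Za-z]+", text.lower())
    if not words:
        return 1.0
    return sum(w in COMMON_WORDS for w in words) / len(words)


def analyse_page(html, score_threshold=0.3):
    """Flag a page whose text is drawn with an inline WOFF and reads as gibberish."""
    page = _PageText()
    page.feed(html)
    css, text = "\n".join(page.css), " ".join(page.visible)
    inline = inline_font_families(css)
    applied = families_applied_to_text(css, inline)
    score = dictionary_score(text)
    return {
        "inline_woff_families": inline,
        "applied_families": applied,
        "dictionary_score": round(score, 2),
        "suspicious": bool(applied) and score < score_threshold,
        "source_text": " ".join(text.split()),
    }


def decode_with_map(text, mapping):
    """Undo the per-letter substitution once the font's glyph mapping is known."""
    return "".join(mapping.get(c, c) for c in text)


# Constructed glyph map standing in for a real kit's font table: here the glyph
# stored as 'f' draws the letter 's', i.e. a 13-place shift of the alphabet.
CIPHER_MAP = {chr(b + i): chr(b + (i + 13) % 26) for b in (65, 97) for i in range(26)}

# Constructed landing page: the source holds ciphered strings, and the inline
# "font" (a stub blob carrying a real WOFF signature) would render them readable.
FAKE_WOFF = base64.b64encode(b"wOFF" + b"\x00" * 40).decode()
SAMPLE_PAGE = f"""<html><head><style>
@font-face {{ font-family: 'kitfont'; src: url(data:font/woff;base64,{FAKE_WOFF}); }}
body, input {{ font-family: 'kitfont'; }}
</style></head><body>
<h1>Fvta va gb lbhe bayvar onaxvat nppbhag</h1>
<form><input name="user" placeholder="Hfre VQ"><input name="pass" type="password">
<input type="submit" value="Pbagvahr"></form></body></html>"""

if __name__ == "__main__":
    report = analyse_page(SAMPLE_PAGE)
    print(report)
    print("decoded:", decode_with_map(report["source_text"], CIPHER_MAP))
```

The dictionary check is only a heuristic: a page in a language outside the wordlist also scores low, so the inline-font finding is what should drive the alert and the score only ranks it.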
=================================================================
Wave VSC 2.0 helps protect against a clever phishing trick like the one in this article even if the phishing landing page is not detected. This is a strong advantage over products that try to detect the phishing. imo.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Key Feature:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Strong Security
Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Toxic Data: How 'Deepfakes' Threaten Cybersecurity
https://www.darkreading.com/application-security/toxic-data-how-deepfakes-threaten-cybersecurity-/a/d-id/1333538?_mc=KJH-Twitter-2018-12
The joining of 'deep learning' and 'fake news' makes it possible to create audio and video of real people saying words they never spoke or things they never did.
"Fake news" is one of the most widely used phrases of our times. Never has there been such focus on the importance of being able to trust and validate the authenticity of shared information. But its lesser-understood counterpart, "deepfake," poses a much more insidious threat to the cybersecurity landscape — far more dangerous than a simple hack or data breach.
Deepfake activity was mostly limited to the artificial intelligence (AI) research community until late 2017, when a Reddit user who went by "Deepfakes" — a portmanteau of "deep learning" and "fake" — started posting digitally altered pornographic videos. This machine learning technique makes it possible to create audio and video of real people saying and doing things they never said or did. But Buzzfeed brought more visibility to Deepfakes and the ability to digitally manipulate content when it created a video that supposedly showed President Barack Obama mocking Donald Trump. In reality, deepfake technology had been used to superimpose President Obama's face onto footage of Jordan Peele, the Hollywood filmmaker.
This is just one example of a new wave of attacks that are growing quickly. They have the potential to cause significant harm to society overall and to organizations within the private and public sectors because they are hard to detect and equally hard to disprove.
The ability to manipulate content in such unprecedented ways generates a fundamental trust problem for consumers and brands, for decision makers and politicians, and for all media as information providers. The emerging era of AI and deep learning technologies will make the creation of deepfakes easier and more "realistic," to an extent where a new perceived reality is created. As a result, the potential to undermine trust and spread misinformation increases like never before.
To date, the industry has been focused on the unauthorized access of data. But the motivation behind and the anatomy of an attack has changed. Instead of stealing information or holding it ransom, a new breed of hackers now attempts to modify data while leaving it in place.
One study from Sonatype, a provider of DevOps-native tools, predicts that, by 2020, 50% of organizations will have suffered damage caused by fraudulent data and software. Companies today must safeguard the chain of custody for every digital asset in order to detect and deter data tampering.
The True Cost of Data Manipulation
There are many scenarios in which altered data can serve cybercriminals better than stolen information. One is financial gain: A competitor could tamper with financial account databases using a simple attack to multiply all the company's account receivables by a small random number. While a seemingly small variability in the data could go unnoticed by a casual observer, it could completely sabotage earnings reporting, which would ruin the company's relationship with its customers, partners, and investors.
Another motivation is changing perception. Nation-states could intercept news reports that are coming from an event and change those reports before they reach their destination. Intrusions that undercut data integrity have the potential to be a powerful arm of propaganda and misinformation by foreign governments.
Data tampering can also have a very real effect on the lives of individuals, especially within the healthcare and pharmaceutical industries. Attackers could alter information about the medications that patients are prescribed, instructions on how and when to take them, or records detailing allergies.
What do organizations need to consider to ensure that their digital assets remain safe from tampering? First, software developers must focus on building trust into every product, process, and transaction by looking more deeply into the enterprise systems and processes that store and exchange data. In the same way that data is backed up, mirrored, or encrypted, it continually needs to be validated to ensure its authenticity. This is especially critical if that data is being used by AI or machine learning applications to run simulations, to interact with consumers or partners, or for mission-critical decision-making and business operations.
The consequences of deepfake attacks are too large to ignore. It's no longer enough to install and maintain security systems in order to know that digital assets have been hacked and potentially stolen. The recent hacks on Marriott and Quora are the latest on the growing list of companies that have had their consumer data exposed. Now, companies also need to be able to validate the authenticity of their data, processes, and transactions.
If they can't, it's toxic.
=================================================================
Some more reasons to have organizations' sensitive information protected by Wave VSC 2.0 and Wave SED Management. Using the Wave Alternative could save organizations a lot of money and headaches.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
==================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
Happy New Year! See post
The Best Data Breach Tactics to Deploy Now
https://www.infosecurity-magazine.com/opinions/data-breach-tactics-deploy/?utm_source=dlvr.it&utm_medium=twitter
A top-of-mind question for business leaders across all industries is how to eliminate the risk of a data breach. In addition to removing sensitive data from your business process, there are two other tactics you should deploy: application-level encryption and strong authentication.
Though it is generally accepted that encrypting sensitive data will protect your organization, most people in the security business don’t realize that not all encryption is equal. Even when using NIST-approved algorithms with the largest key sizes available, data is still at risk.
How is that possible? Well, all other things being equal in the cryptographic sense, two design decisions matter when encrypting data: 1) Where the data is being cryptographically processed and 2) How are cryptographic keys being managed?
First, let’s address processing. If data is encrypted and decrypted in any part of the system (e.g., the hard disk drive, operating system, database) other than the business application using that data, significant residual risks remain despite the encryption.
An attacker needs only to compromise a software layer above the encrypting layer to see unencrypted (plaintext) data, because the decrypting layer below will already have decrypted the sensitive data before sending it to the layer above in the stack.
Since the application layer is the highest layer in the technology stack, this makes it the most logical place to protect sensitive data, as it affords the attacker the smallest target (in order to compromise sensitive data within the application layer, the attacker will have had to find a vulnerability within the application – or the administrator's credential - and access regions of memory accessible only to the application or the administrator).
This also ensures that, once data leaves the application layer, it is protected no matter where it goes (and conversely, must come back to the application layer to be decrypted).
In terms of how cryptographic keys are managed and protected, if you use a general-purpose file, keystore, database or device to store your keys, this would be the equivalent of leaving company cash in a general-purpose desk or drawer. In the same way that you need a safe to store cash in a company, you need a purpose-built key management solution designed with hardened security requirements to protect cryptographic keys.
These solutions have controls to ensure that, even if someone gains physical access to the device, gaining access to the keys will range from very hard to nearly impossible. If the key management system cannot present sufficiently high barriers, even billion-dollar companies will fail to protect sensitive data – as many recently have and continue to do.
Though the details and complexity of cryptography can seem taxing, it is important to recognize that an encryption solution provides the last bastion of defense against determined attackers. It is well worth a company’s time to give both application-level encryption and key management the proper attention.
While encryption is a best practice, so is strong authentication. In fact, it should be the first line of defense. Strong authentication is the ability to use different cryptographic keys combined with secure hardware (in the possession of the user) to confirm that the user is who they claim to be.
While digital certificates on smartcards provided such capability for over two decades, they are expensive and difficult to use and support, even in highly technical environments. The FIDO Alliance is attempting to simplify this problem by eliminating passwords entirely; some early solutions have already made it to market this year, with successful deployments under way.
With strong authentication as the first line of defense and application-level encryption backing it up, even if an attacker managed to slip past network defenses – as they always seem to do – there will be little opportunity to compromise sensitive data.
While no security technology is absolutely fool-proof, when implemented correctly, these two security technologies raise the bar sufficiently high to “encourage” the vast majority of attackers to move onto easier targets.
=================================================================
It's interesting that two of Wave's products, Wave VSC 2.0 (2FA) and Wave SED management (encryption), provide premier protection that could be used to thwart attackers. This article basically discusses the same strategy (2FA and encryption) that Wave had long ago for protecting sensitive information. Better security at less than half the cost. Wave has better backing in ESW Capital than a company like StrongKey (company of writer). imo. To see Wave's two flagship products essentially confirmed in an article like this for protecting sensitive information is great.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Smart home charging networks vulnerable to cyber attacks
https://www.electrive.com/2018/12/16/smart-home-charging-networks-vulnerable-to-cyber-attacks/
Kaspersky Lab, an IT specialist firm from Russia, warns that electric vehicle chargers supplied by a “major vendor” are vulnerable to cyber attacks that could damage the home grid. Experts from Fraunhofer SIT have looked into the issue as well and developed a solution scenario.
While the Fraunhofer experts have been modelling said cyber attacks on charging stations, the engineers from Kaspersky Lab practically managed to break into home charging systems currently on the market.
One provider in particular exhibited problems, the experts say, but these have since all been solved. While the press release does not state the name of the supplier, a paper detailing the analysis has ChargePoint’s Home charging station at the centre.
However, Kaspersky Lab warns in general that, while electric cars are regularly firewalled, so to speak, charging stations, particularly those enabling remote operation, are vulnerable to attacks.
For example, the researchers found a way to initiate commands on the charger and to either stop the charging process or set it to the maximum current possible. While the first option would only prevent a person from using the electric car, the second one could potentially cause the wires to overheat on a device that is not protected by a trip fuse.
All an attacker needs to do to change the amount of electricity being transmitted is obtain Wi-Fi access to the network the charger is connected to. Since the devices are made for home use, security for the wireless network is likely to be limited. This means that attackers could gain access easily, for example by brute-forcing all possible password options, which is quite common: according to Kaspersky Lab statistics, 94% of attacks on IoT in 2018 used this method. Once inside the home network, the intruders can easily find the charger’s IP address and then exploit any vulnerabilities.
For home users, Kaspersky Lab recommends regularly updating all smart devices to the latest software versions. Moreover, using strong passwords, and also isolating the smart home network from the network used by personal devices for basic Internet browsing, is advisable.
Meanwhile, experts at Fraunhofer SIT have been looking into similar issues, though concentrating on public devices. Like Kaspersky, Fraunhofer SIT also assumes that charging stations are an easy target for IT-based attacks. Yet in this case hackers could manipulate the charging stations to charge for free indefinitely or to capture personal data, for example.
To prevent such attacks, they modelled a solution that was recently presented at a conference in Berlin and is called the Trusted Platform Module. The hardware connects to the charging station permanently and makes it possible to check remotely whether the charging station firmware remains in perfect condition.
The Fraunhofer solution was developed as part of the DELTA project (data security and integrity in electric mobility) that looks at charging and billing in compliance with legal metrology (Eichrecht).
=================================================================
If the TPM is used in checking firmware integrity, shouldn't this application be phenomenally impacting TPMs across the globe?! Shouldn't all TPMs be enabled by now?! Wave could help with turning on TPMs by using ERAS and Wave ESC could manage the TPM.
=================================================================
ERAS can turn on TPMs in large numbers.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Excerpt:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
First-Ever UEFI Rootkit Tied to Sednit APT
https://threatpost.com/uefi-rootkit-sednit/140420/
Researcher at ESET outlines research on the first successful UEFI rootkit used in the wild.
LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.
The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system’s UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.
“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level,” he said.
The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software’s LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.
Each time the system restarts, the code executes on boot, before the OS loads and before the system’s antivirus software is launched. That means that even if the device’s hard drive is replaced, the LoJack software will still operate.
According to Vachon, the bad guys are making good use of this with LoJax. This weaponized, customized version of Absolute Software’s wares dates back to a vulnerable 2009 version, which had several key bugs, chief among them a configuration module that was poorly secured with weak encryption.
“This vulnerability allowed Sednit to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software,” he said. In the case of LoJax, the single byte contained Sednit command-and-control domains that ultimately delivered the rootkit payload.
The infection chain is typical: An attack begins with a phishing email or equivalent, successfully tricking a victim into downloading and executing a small rpcnetp.exe dropper agent. The rpcnetp.exe installs and reaches out to the system’s Internet Explorer browser, which is used to communicate with the configured domains.
“Once I have a foothold on the machine I can use this tool to deploy the UEFI rootkit,” Vachon explained, adding that the hacker tool takes advantage of firmware vendors allowing remote flashing. “UEFI rootkit is located in the BIOS region of the serial peripheral interface (SPI) flash memory,” he said.
Once the UEFI rootkit is installed, there’s not much a user can do to remove it besides re-flashing the SPI memory or throwing out the motherboard, Vachon said.
In May, Arbor Networks spotted LoJack being reused by Sednit agents to develop LoJax. But it wasn’t until September that Sednit began to use it in live campaigns, observed by ESET. These are targeting mostly government entities located in the Balkans, as well as Central and Eastern Europe.
ESET said it identified a customer who had been infected by the rogue version of the LoJax. And last month, the Pentagon made a good-faith gesture to be more open and started uploading malware samples from APTs and other nation-state sources to the website VirusTotal. The first two samples were rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for the UEFI rootkit.
By enabling Windows Secure Boot, and making sure their UEFI firmware is up to date, end users can protect themselves against attack, Vachon said.
==================================================================
It would make sense that, after Secure Boot and the TPM are enabled in Windows 8.1, Windows 7 machines should have their TPMs activated as well. With Windows 10 TPMs being enabled as well, Wave ERAS could have helped in activating a full fleet (Windows 7, 8, 8.1 and 10) of computer TPMs in a company, such that they are able to keep unknown devices off the company's/organization's network. In short, organizations only having TPMs activated on Windows 8.1 (rather than the full range of OSes: 7, 8, 8.1, and 10) could be missing out on better cybersecurity. Organizations having Wave VSC 2.0 and Wave Endpoint Monitor would also enhance their cybersecurity posture. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-endpoint-monitor
How to Use Multi-Factor Authentication When You Don't Have Cell Phone Access
https://www.business2community.com/cybersecurity/how-to-use-multi-factor-authentication-when-you-dont-have-cell-phone-access-02153446
4 benefits that Wave VSC 2.0 has over what is in this article:
1. No phone needed for SMS, and Wave VSC 2.0 doesn't present a problem when the cell phone has no access.
2. Simpler to set up and use. imo.
3. No token needed (or to lose) because the TPM provides the second factor of authentication.
4. 'Sometimes you will have to go through the full recovery process for each account you've secured using a third party provider.' Wave VSC 2.0 recovery process is simpler and more effective. imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
*Actual number may vary. Contact us today to receive more details and a free quote.
Key Features:
Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  - Virtual Private Network (VPN)
  - Local logon
  - Remote logon
  - Remote desktop access
  - Intranet/Extranet
  - Cloud applications