U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit
https://www.bleepingcomputer.com/news/security/us-ballistic-missile-defense-systems-fail-cybersecurity-audit/
A U.S. Department of Defense Inspector General report released this week outlines the inadequate cybersecurity practices being used to protect the United States' ballistic missile defense systems (BMDS).
Ballistic missile defense systems are used by the U.S.A. to counter short, medium, intermediate and long range ballistic missiles that target the United States of America. As these systems are controlled by computers and software, they are at risk of being targeted by state-sponsored attacks that attempt to gain control of the systems, damage them, or steal classified information and source code.
On March 14, 2014, the DoD Chief Information Officer stated that the DoD must implement National Institute of Standards and Technology (NIST) security controls to protect their systems, which includes BMDS.
In a heavily redacted report by the DoD, it has been shown that BMDS facilities have failed to utilize required security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encrypting transmitted technical information, physical facility security such as cameras and sensors, and did not perform routine assessments to make sure that these safeguards were in place.
In one facility, users were allowed to use single-factor authentication (only username + password) for up to 14 days during account creation. The report showed that in many cases, users would continue to use just a username and password for well past 14 days. At another facility, the domain administrator never bothered to configure policies that prevent users from logging in if they are not using multifactor authentication. Finally, one facility was using a system that does not even support multifactor authentication.
Vulnerabilities were also not properly patched and secured at numerous facilities. For example, a March 2018 scan of vulnerabilities at one facility showed that vulnerabilities found in a January 2018 scan were never fixed. Other facilities contained vulnerabilities that were discovered in 2013 and had still not been patched when an April 2018 vulnerability assessment was conducted.
The report also states that facilities were not encrypting data that was being stored on removable devices or using systems that kept track of what data was being copied. Some facilities stated that they did not know they even needed to encrypt data on removable devices.
"In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption," stated the DoD report. "Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted]."
In addition to computer and data security issues, there were physical security issues as well. There were instances of server racks not being locked, for four years a door was reporting that it was closed when in fact it was open, people gained unauthorized access simply by pulling open doors, and security cameras were not always installed at required locations.
The recommendations by the DoD Inspector General's office are what you would expect: fix these problems and follow the required federal requirements. Unfortunately, Chief Information Officers from various facilities did not respond to the draft report, and the Inspector General's office has now asked the Director, Commanding General, Commander, and Chief Information Officers to comment on the final report by January 8, 2019.
==================================================================
If Wave VSC 2.0 has proven itself already with a 'significant security requirements' of government (see article below) shouldn't it be used for many other areas of government?!?! BS, SKS, GK, and MW and others could bring the protection of Wave VSC 2.0 to the government as it could be very beneficial to them. This article just shows glaringly what is at stake without a product like Wave VSC 2.0. imo. Wave VSC 2.0 - Better security at less than half the cost.
==================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA -
October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Android Malware Steals from PayPal Accounts
https://www.infosecurity-magazine.com/news/android-malware-steals-from-paypal?utm_source=twitterfeed&utm_medium=twitter
What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from PayPal accounts, even with 2FA on.
The malware reportedly disguises itself as a battery optimization tool, and threat actors distribute it via third-party apps. “After being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts,” researchers wrote.
In a video recording, researchers demonstrated an attempt to steal money from a PayPal account after the user had logged into the app. While the researchers were analyzing the malware, the PayPal app attempted to send €1,000, which failed when the app requested that the user link a new card due to insufficient funds.
The malware also attempted to steal login credentials and used phishing screens in overlay attacks on Google Play, WhatsApp, Skype, Viber and Gmail. “The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions,” researchers wrote.
According to Will LaSala, director of security solutions, security evangelist, OneSpan, the attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and demonstrates how easily an overlay attack can hijack a strong application.
“What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user's mobile device. What’s new for this malware is that it is not focused on phishing for the user's credentials, although it appears to attempt to phish for the user’s credit card information; instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.”
=================================================================
Wave was at one point testing authentication under NSTIC with PayPal using Android devices. Why not use Wave Knowd with Android devices (Samsung) to have a better 2FA than what was done in the article?!?! PayPal could have better security for its customers and Samsung could have better security for its customers (see previous Samsung post)!! Wave must have already done extensive testing with PayPal and Samsung. imo.
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked
https://www.theregister.co.uk/2018/12/11/lenovo_asia_pacific_staff_data_unencrypted_work_laptop_stolen/
That's thousands of employees' names, monthly salaries, bank details
Exclusive A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal.
Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to its employees confessing the security snafu.
"We are writing to notify you that Lenovo has learned that one of our Singapore employees recently had the work laptop stolen on 10 September 2018," the letter from Lenovo HR and IT Security, dated 21 November, stated.
"Unfortunately, this laptop contained payroll information, including employee name, monthly salary amounts and bank account numbers for Asia Pacific employees and was not encrypted."
Lenovo employs more than 54,000 staff worldwide (PDF), the bulk of whom are in China.
The letter stated there is currently "no indication" that the sensitive employee data has been "used or compromised", and Lenovo said it is working with local police to "recover the stolen device".
In a nod to concerns that will have arisen from this lapse in security, Lenovo is "reviewing the work practices and control in this location to ensure similar incidents do not occur".
On hand with more wonderfully practical advice, after the stable doors were left swinging open, Lenovo told staff: "As a precaution, we recommend that all employees monitor bank accounts for any unusual activities. Be especially vigilant for possible phishing attacks and be sure to notify your financial institution right away if you notice any unusual transactions."
The letter concluded on a high note. "Lenovo takes the security of employee information very seriously. And while there is no indication any data has been compromised, please let us know if you have any questions."
The staff likely do. One told us the incident was "extremely concerning" but "somehow not surprising in any way. How on Earth did they let this data exist on a laptop that was not encrypted?"
The Register has asked Lenovo to comment. ®
==================================================================
If Lenovo had this lapse, it seems like there could be large numbers of other companies that find themselves in potentially the same situation. Time for companies to get the SED management product from Wave below and keep this from ever happening. imo.
==================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws
https://www.theregister.co.uk/2018/12/10/samsung_patches_accountstealing_hole/
If Artem Moskowsky owes you money, it's a good time to ask
A recently patched set of flaws in Samsung's mobile site was leaving users open to account theft.
Bug-hunter Artem Moskowsky said the flaws he discovered, a since-patched trio of cross-site request forgery (CSRF) bugs, would have potentially allowed attackers to reset user passwords and take over accounts.
Moskowsky told The Register that the vulnerabilities were due to the way the Samsung.com account page handled security questions. When the user forgets their password, they can answer the security question to reset it.
Normally, the Samsung.com web application would check the "referer" header to make sure data requests only come from sites that are supposed to have access.
In this case, however, those checks are not properly run and any site can get that information. This would let the attacker snoop on user profiles, change information (such as user name), or even disable two-factor authentication and steal accounts by changing passwords.
"Due to the vulnerabilities it was possible to hack any account on account.samsung.com if the user goes to my page," Moskowsky explained.
"The hacker could get access to all the Samsung user services, private user information, to the cloud."
In one proof of concept, the researcher showed how an attack site could use the CSRF flaw to change the target's Samsung.com security question to one of the attacker's choosing. Armed with the new security question and its answer, the attacker would then use the "reset password" function to steal the target's Samsung account.
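The Referer check the article describes, as an added example that is not part of the original article or of Samsung's code: a state-changing handler that trusts only the session cookie (the pattern a CSRF bug exploits) beside one that checks the Origin/Referer header against an allowlist and requires a per-session token. The domain account.example.com, the handler names and the session layout are constructed for this illustration.

```python
"""Origin/Referer allowlist plus per-session token for state-changing requests.

Added illustration; domain names, header values and tokens are constructed
for this example and are not taken from Samsung's site.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: origins permitted to send state-changing requests.
ALLOWED_ORIGINS = frozenset({"https://account.example.com"})


def _origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] of a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_origin_allowed(headers: dict) -> bool:
    """Browser-side origin check.

    Prefer the Origin header (browsers send it on cross-site POSTs and page
    script cannot edit it); fall back to Referer only when Origin is absent.
    If neither is present on a state-changing request, fail closed: the
    weakness in the article was that the check was effectively never run,
    so any site could drive the request.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin is None and "referer" in lower:
        origin = _origin_of(lower["referer"])
    if origin is None:
        return False
    return origin.lower() in ALLOWED_ORIGINS


def issue_csrf_token(session: dict) -> str:
    """Create a per-session secret and store it; the form embeds it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the stored one."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def change_security_question_vulnerable(session: dict, form: dict) -> dict:
    """Pattern the article describes: the handler accepts any request that
    carries the session cookie, so a page on another site can submit it."""
    if "user" not in session:
        return {"ok": False, "reason": "not logged in"}
    session["security_question"] = form["question"]
    session["security_answer"] = form["answer"]
    return {"ok": True}


def change_security_question_hardened(session: dict, headers: dict, form: dict) -> dict:
    """Same operation, but only from an allowlisted origin and with a token
    the attacker's page cannot read."""
    if "user" not in session:
        return {"ok": False, "reason": "not logged in"}
    if not request_origin_allowed(headers):
        return {"ok": False, "reason": "cross-site origin"}
    if not csrf_token_valid(session, form.get("csrf_token")):
        return {"ok": False, "reason": "missing or wrong CSRF token"}
    session["security_question"] = form["question"]
    session["security_answer"] = form["answer"]
    return {"ok": True}
```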
It turned out the situation was even worse than the researcher initially thought. Thinking there were only two CSRF vulnerabilities on the site, Moskowsky went to report the issue directly to Samsung – something that was also done through the Samsung.com website. While reporting the issue, he noticed a third bug, the one that would allow him to forcibly change security questions and answers.
"I first discovered two vulnerabilities. But then when I logged in to security.samsungmobile.com to check my report, I was redirected to the personal information editing page," Moskowsky explained.
"This page didn't look like a similar page on account.samsung.com. There was an additional 'secret question' field on it."
In total, three bugs were found and were rated medium, high, and critical, respectively. Moskowsky earned himself a payout of $13,300 for the find, a nice payout, but well short of the $20,000 he pocketed for spotting a major bug in Steam back in October.
Samsung did not respond to a request for comment on the matter. ®
=================================================================
If Samsung were using Wave software with a mobile TPM in its phones or with a TPM in its computers, flaws like the one that crop up in the article could be severely diminished in their impact. imo.
The TPM or mobile TPM (with the TEE) could be used as second factor of authentication with Wave's software and used by a preferred (or more secure) customer on Samsung's sites.
=================================================================
Wave Systems Signs 15-year License Agreement with Samsung
https://www.wavesys.com/buzz/news/wave-systems-signs-15-year-license-agreement-samsung
Security Week -
Wednesday, May 30, 2012 -
Wave Systems has signed a 15-year software license and distribution agreement with Samsung, enabling Samsung to bundle Wave’s EMBASSY Security Center (ESC) and TCG Software Stack (TSS) technology with devices that include a Trusted Platform Module (TPM), an industry standard security chip embedded in the motherboard of a computer or other electronic device.
In an SEC filing, Wave said it would receive a per-unit royalty based on Samsung’s sales of products that include its technology, but did not provide estimates in terms of expected revenue derived as a result.
Hackers bypassed Gmail & Yahoo’s 2FA to target US officials
https://www.hackread.com/hackers-bypassed-gmail-yahoos-2fa-to-target-us-officials/
The attack was carried out by Iran-backed charming kitten hackers and victims include dozens of US government officials.
Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers. As per the data obtained by Certfa, a cybersecurity firm based in London, the hacking group Charming Kitten is responsible for the break-in, which took place in November 2018, perhaps in response to the re-imposing of strict economic sanctions on Iran by the US president Donald Trump.
Reportedly, Charming Kitten is involved in a targeted security breach against top US officials, and obtained emails of over a dozen US Treasury officials, those involved in the nuclear deal signed between Tehran and Washington, DC think tank employees, Arab atomic scientists, and prominent figures from Iranian civil society.
Interestingly, the hackers made the mistake of leaving one of their servers open to the internet and this is how their hit list was identified by Certfa. According to Certfa’s report, the phishing campaign is a large-scale one as it involves breaching of emails of eminent US government officials, journalists, and activists, etc.
The campaign is particularly noteworthy because of the use of a novel technique that helped the hackers bypass the 2FA authentication protections that Gmail and Yahoo Mail and similar other services offer. Hence, the incident highlights the risks associated with the reliance on one-time passwords or one-tap logins that 2FA supports specifically if the password is sent via SMS message on the mobile phone.
To launch the attack, hackers obtained detailed information about their targets and wrote spear-phishing emails designed precisely to meet the operational security level of their targets. A hidden image was part of every email, the purpose of which was to alert the hackers when the target viewed the email.
As soon as the target entered the password into the fake Yahoo or Gmail login page, the hackers immediately received the credentials in real-time and entered the same on the target’s real login page. If a target’s account was protected through 2FA, the hackers redirected the target to another page that asked for a one-time password.
Certfa researchers discovered a list of 77 Yahoo and Gmail addresses on the exposed server. However, this is merely a fraction of the total targets of Charming Kitten but it still remains unclear if the hacker group breached the email accounts of all their targets successfully.
One of the targets of Charming Kitten includes the American Enterprise Institute scholar Frederick Kagan, who told Associated Press in response to the attack that:
The attack also reinforces the fact that cyberespionage is very deeply embedded into the US-Iran relationship.
=================================================================
After reading this article, there should be a line waiting to beat down the Wave/ESW door for Wave VSC 2.0! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  - Virtual Private Network (VPN)
  - Local logon
  - Remote logon
  - Remote desktop access
  - Intranet/Extranet
  - Cloud applications
A critical bug in Microsoft left 400M accounts exposed
https://www.hackread.com/critical-bug-in-microsoft-left-400m-accounts-exposed/
A bug bounty hunter from India, Sahad Nk, who works for SafetyDetective, a cybersecurity firm, has received a reward from Microsoft for uncovering and reporting a series of critical vulnerabilities in Microsoft accounts.
These vulnerabilities were present on users’ Microsoft accounts, from MS Office files to Outlook emails. This means all kinds of accounts (over 400 million) and all sorts of data were susceptible to hacking. The bugs, if chained together, would become the perfect attack vector for acquiring access to a user’s Microsoft account. All the attacker required was to compel the user to click on a link.
According to Sahad Nk’s blog post, a subdomain of Microsoft namely “success.office.com,” isn’t configured properly, which is why he was able to control it using a CNAME record. It is a canonical record that connects a domain to another domain. Using CNAME record, Sahad was able to locate the misconfigured subdomain and point it to his personal Azure instance to gain control of the subdomain and all the data that it received.
However, this isn’t a big issue for Microsoft; the real problem lies in the fact that Microsoft Office, Sway, and Store apps can be easily tricked into transferring their authenticated login tokens to the domain, which is in control of the attacker now, when a user logs in via Microsoft’s Live. The reason this happens is that a wildcard regex is used by vulnerable apps. This allows all the subdomains to be trusted, explained Aviva Zacks of SafetyDetective.
As soon as the victim clicks on a specially designed link, which the victim receives via email, he or she will log in using Microsoft Live’s login system. When the victim enters the username, password, and the 2FA code (if enabled), an account access token will be generated to keep the user logged in without needing to re-enter the login credentials.
If someone gets hold of this access token, it’s akin to obtaining the authentic user credentials. Hence, an attacker can easily break into the account without alerting the original owner of the account or even alarming Microsoft about unauthorized access.
The malicious link is designed in a way that forces the Microsoft login system to transfer the account token to the controlled subdomain. In this case, the subdomain was controlled by Sahad; however, if a malicious attacker had been controlling it, a massive number of Microsoft accounts could have been put at risk. Most importantly, the malicious link appears authentic because the user is still entering through the legitimate Microsoft login system.
The bug was reported by Nk (who works for SafetyDetective) to Microsoft, and the good news is that it has been fixed; however, the exact bounty amount received by Nk is still unknown.
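The wildcard-trust weakness the article attributes to the affected apps, as an added example that is not from the article or from Microsoft: a suffix-matching regex that accepts any subdomain of the parent domain beside an exact allowlist of registered redirect URIs, plus a simulated post-login token hand-off that only follows a redirect the strict validator accepts. The regex, the example.com hostnames and the token value are constructed assumptions; the article does not give the actual pattern that was in use.

```python
"""Redirect-target validation: wildcard regex versus exact allowlist.

Added illustration; the pattern, hostnames and token below are constructed
for this example and do not come from the article or from Microsoft.
"""
import re
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed: the single redirect URI the application actually registered.
REGISTERED_REDIRECTS = frozenset({"https://app.example.com/auth/callback"})

# Constructed wildcard pattern of the kind the article describes: every host
# under the parent domain is trusted, so a forgotten subdomain whose CNAME
# now points at someone else's hosting passes the check just like the real app.
WILDCARD_PATTERN = re.compile(
    r"^https://[a-z0-9.-]*\.example\.com(/.*)?$", re.IGNORECASE
)


def redirect_allowed_wildcard(uri: str) -> bool:
    """Weak check: any subdomain of example.com is accepted."""
    return WILDCARD_PATTERN.match(uri) is not None


def redirect_allowed_strict(uri: str) -> bool:
    """Exact-match allowlist: scheme, host, port and path must equal a
    registered value. No suffix or substring matching, so a sibling
    subdomain is never trusted by accident. Fragments are rejected because
    a token placed after '#' is never sent to the server that logs it."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    # Host names are case-insensitive; the query string is not part of the
    # registered value, so it is dropped before comparison.
    canonical = f"https://{parts.netloc.lower()}{parts.path}"
    return canonical in REGISTERED_REDIRECTS


def deliver_token(
    redirect_uri: str, token: str, validator: Callable[[str], bool]
) -> Optional[str]:
    """Simulated step after a successful login: the access token is appended
    to the redirect only if the validator accepts the target. Returns the
    final URL the browser would be sent to, or None if the hand-off is refused."""
    if not validator(redirect_uri):
        return None
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return f"{redirect_uri}{separator}access_token={token}"


def compare_validators(uri: str) -> dict:
    """Side-by-side verdict of both checks for one candidate redirect."""
    return {
        "wildcard": redirect_allowed_wildcard(uri),
        "strict": redirect_allowed_strict(uri),
    }
```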
=================================================================
Prior to this bug being reported and for any other bug like it, Wave VSC 2.0 should be the better security the market is looking for since with it there doesn't need to be a 2FA code here, and the TPM present prevents a hacker from getting into the account. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Upcoming Bill Would Lock Down Agencies' Internet-Connected Devices
https://www.nextgov.com/cybersecurity/2018/12/upcoming-bill-would-lock-down-agencies-internet-connected-devices/153304/
But agency chief information officers could make exceptions, according to the legislation.
A House lawmaker wants federal agencies to prioritize cybersecurity when buying internet-connected devices.
The Internet of Things Federal Cybersecurity Improvement Act, which Rep. Robin Kelly, D-Ill., plans to introduce next week, would require all internet-connected devices purchased by the government to meet a set of basic cybersecurity standards. The bill would also pressure agencies to avoid using so-called "lowest price technically acceptable" criteria when choosing vendors for those devices.
Under the legislation, the government could only buy devices that accept security patches and allow users to change passwords. Vendors would also need to notify agencies of any security vulnerabilities they discover and issue software updates as new threats arise.
“Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” Kelly said in an email to Nextgov. “As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
Under the bill, the Office of Management and Budget director would work with the General Services administrator, the secretaries of Defense, Commerce and Homeland Security, and leaders from the intelligence and national security communities to guarantee those standards and any others they deem necessary are included in federal contracts. They’d have 180 days to do so.
The Homeland Security secretary and OMB director would also have 180 days to create a database of non-compliant devices and list others that no longer receive security updates.
The legislation serves as the House counterpart to the Internet of Things Cybersecurity Improvement Act, which Sen. Mark Warner, D-Va., introduced last year.
While the bills share much of the same language, Kelly’s version would give agency chief information officers more authority to waive device requirements in certain circumstances.
Her bill also explicitly requires the OMB director and GSA administrator to guide agencies in limiting the use of lowest price technically acceptable criteria when selecting device vendors. Doing so would give the government more leeway to buy from companies that place a high value on security, which could incentivize others to adopt stricter standards for their own tech.
The idea is that paying more for security upfront would save agencies money in the long run.
The bill "leverages federal purchasing power to create pro-security market pressure and … serves as a model for the implementation of similar standards elsewhere," said Harvard University law and computer science professor Jonathan Zittrain.
Kelly released a draft of the bill in August 2017 and updated the legislation to reflect feedback from OMB, security advocates and the tech industry, she said. The original version, for instance, would have created an advisory board to explore effective standards for the internet of things, but that measure was cut from the final text.
“My goal was to create the best possible legislation to harden government-purchased and used [internet of things] devices,” she said. “We have made significant changes in order to build support and ensure a definition appropriate for the ever-evolving world of [the internet of things].”
=================================================================
Existing TPM-based computers should be required to be activated to protect these devices, and this could provide feedback for the IoT devices that would be 'hardened'. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Australia passes world's first law authorizing encryption backdoors
https://www.cyberscoop.com/australia-encryption-backdoors-law-passes/
Australia’s Parliament on Thursday passed the world’s first law requiring technology companies to give law enforcement officials access to encrypted messages and communications.
The law authorizes police to compel companies to create a security vulnerability, often called a backdoor, that would give investigators access to an individual’s communication without that person’s knowledge. It marks a major milestone in the so-called “crypto wars” over the public’s ability to “go dark” via the powerful encryption available on commercial devices.
Authorities in Australia, the U.S., and the U.K. have for years argued such access is necessary to help police combat encryption in modern technology that protects suspects from traditional interception techniques. Privacy advocates, technologists and businesses including Apple have criticized the Australian bill and similar proposals elsewhere, saying such plans would introduce portals for government abuse and malicious hackers alike.
Companies that fail to obey the law risk being fined.
“This ensures that our national security and law enforcement agencies have the modern tools they need, with appropriate authority and oversight, to access the encrypted conversations of those who seek to do us harm,” said Christian Porter, Australia’s attorney general.
International officials who have pushed for their own measures now will watch the next phase of the “going dark” debate unfold in Australia.
“Once you’ve built the tools, it becomes very hard to argue that you can’t hand them over to the U.S. government, the U.K. – it becomes something they can all use,” Lizzie O’Shea, a human rights lawyer, told the New York Times this week.
O’Shea previously wrote in a Times editorial that other nations in the Five Eyes intelligence sharing alliance — made up of Australia, Britain, Canada, New Zealand and the U.S. — have pushed for Australia to “lead the charge” in finding a way to crack encrypted data. The country does not have a bill of rights, making it “a logical place to test new strategies” for breaching apps like WhatsApp and Signal.
“The truth is that there is simply no way to create tools to undermine encryption without jeopardizing digital security and eroding individual rights and freedoms,” she wrote. “Hackers with bad intentions will do their utmost to take advantage of any such tools that companies are forced to provide the government.”
=================================================================
The TPM is considerably better than software alone at protecting a client's computer. This law should give organizations/users even more reason to activate this amazing piece of hardware in their computers. For without the activation, the user is depending on software to protect his/her computer.
Wave's ERAS is a product that could help the TPM be activated en masse. Because of this new law Scrambls and/or Chadder could be worth a new look. imo.
U.S. Readies Charges Against Chinese Hackers
https://www.wsj.com/articles/u-s-readies-charges-against-chinese-hackers-1544206196
Government-linked hackers allegedly engaged in a multiyear scheme to break into U.S. technology service providers
-see link for article
================================================================
Will the U.S. or China activate their TPMs first en masse or do it simultaneously? It appears that one country could have a distinct defensive advantage over another by activating their TPMs first! See Wave ERAS below for one of those advantages!
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Windows 10 Security Questions Prove Easy for Attackers to Exploit
https://www.darkreading.com/endpoint/windows-10-security-questions-prove-easy-for-attackers-to-exploit/d/d-id/1333404
New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.
Attackers targeting Windows are typically after domain admin privileges. Once they have it, researchers say, the security questions feature built into Windows can help them keep it.
In a presentation at this week's Black Hat Europe, security researchers from Illusive Networks demonstrated a new method for maintaining domain persistence by exploiting Windows 10 security questions. Despite good intentions, the feature, introduced in April, has the potential to turn into a durable, low-profile backdoor for attackers who know how to exploit it.
Windows admins are prompted to set up security questions as part of the Windows 10 account setup process. Tom Sela, head of security research at Illusive Networks, said the addition reflects a broader effort by Microsoft to build security into Windows 10. However, it also shows the delicate balance companies must strike in maintaining usability while improving protection.
"I think Microsoft also wants to introduce new usability features," Sela explained in an interview with Dark Reading. "There is a fine line with advancing security but also adding new usability features that may compromise security."
Magal Baz, security researcher at Illusive Networks, said the questions are more of a usability feature, designed for convenience, than a security mechanism. Today, if you forget your Windows login password, you're locked out of your machine and have to reinstall the operating system to regain access, he said. The questions feature lets users log back into their accounts by providing the name of their first pet, for example, in lieu of their password.
"Now in terms of security ... I don't think that it is well-protected," he explained. Because those questions and answers have the same power as a password, you'd think they would be as secure. However, unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions," Baz pointed out.
In addition to having answers that can be found on social networks, the security questions "are not monitored. There are no policies around it – it's just there," he continued. "It allows you to regain access to the local administrative account." There's a reason why companies including Facebook and Google have stopped using security questions to secure accounts, Baz added.
Unlocking Admins' Answers
Before describing how this approach works, it's important to add context first. In recent years, attackers have not only sought domain access but a means of maintaining a reliable and low profile on the domain. The process of becoming a domain admin has become much easier, Baz added. "A couple of years ago, it was thought this could take months ... it has shrunk into hours," he says.
To turn the questions feature into a backdoor, an attacker must first find a way to enable and edit security questions and answers remotely, without the need to execute code on the target machine. The attacker must also find a way to use preset Q&A to gain access to a machine while leaving as few traces as possible, Baz and Sela explained in their presentation.
Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets. One can change a user's security questions and answers, installing a backdoor to access the same system in the future.
An attacker could remotely use this feature, for any and all of the Windows 10 machines in the domain, to control security questions and answers to be something he chooses, Baz said. The implications for someone abusing this without the account holder's knowledge are huge. Unlike passwords, which eventually expire and can be edited any time, security questions are static. The name of your first pet or mother's maiden name, for example, don't change, Baz pointed out.
Sela and Baz described use cases in which this tactic can be useful for an attacker. Someone could "spray" security questions across all Windows 10 machines and ensure a persistent hold in the network by ensuring everyone's dog is named Fluffy – and Fluffy is the name of everybody's birthplace, place where their parents met, model of their first car, etc.
What's more, security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner."
The security questions also don't come with auditing capabilities, Sela added. "Even [for] IT administrators that would like to be aware of that, out of the box, Windows doesn't give them a way to monitor the status of those security questions."
Best Practices and Deleting Security Questions
Admins should constantly monitor security questions to make sure they are unique, or disable them by periodically changing them to random values, Baz and Sela said.
"Even before the question of security questions, it's a good practice to have as few local admins as possible on the network," Baz said.
Security admins don't feel good about the tool, the researchers said, noting how many people are looking for ways to get rid of it. As part of their presentation, Baz and Sela also shared an open-source tool they developed that can control or disable the security questions feature and mitigate the risk of questions being used as a backdoor into a Windows 10 machine.
=================================================================
Companies with Windows 10 computers may want to use Wave's Helpdesk-assisted PIN reset in Wave VSC 2.0 instead of the unreliable security questions method used by Windows 10. The article presents a very good case for using Wave's Helpdesk-assisted PIN reset. It's another good selling point for Wave VSC 2.0. imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  - Virtual Private Network (VPN)
  - Local logon
  - Remote logon
  - Remote desktop access
  - Intranet/Extranet
  - Cloud applications
This phishing scam group built a list of 50,000 execs to target
https://www.zdnet.com/article/this-phishing-scam-group-built-a-list-of-50000-execs-to-target/
CEO fraud group has a big list of potential victims; just hope you aren't on it.
A group of online scammers has generated a list of 50,000 of executives including CFOs and other finance chiefs to use as targets for their schemes.
The list was discovered by security company Agari after the scammers unwisely targeted the company with one of its scams, prompting the company to investigate further.
The group - which Agari is calling London Blue - seems to specialise in business email compromise (BEC) scams. While there are many variations, the basic aim is to trick someone within an organisation - usually working in finance - to send funds to a bank account controlled by the crooks, thinking that the transfer is a request from someone senior inside their own organisation. Long before the mistake is discovered the funds have been moved or withdrawn.
The phishing emails sent by groups like this typically contain no malware, making it much harder for them to be spotted by standard automated security measures; many major security breaches now start with a phishing email. Also known as CEO fraud, these scams can be extremely lucrative for the crooks, devastating for the company hit, and very hard for police to tackle. The FBI puts the cost of these scams at somewhere around $12bn.
Agari's analysis shows how sophisticated these groups are becoming.
"London Blue operates like a modern corporation. Its members carry out specialized functions including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules)," the company said.
The security company said it came across the list of execs as part of its research. The scammers had generated the list in early 2018 to be used in future BEC phishing campaigns. Of the names on the list, 71 percent were CFOs, two percent were executive assistants, and the remainder were other finance leaders. Several of the world's biggest banks each had dozens of executives listed, the company said. The group also singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments. Over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the US; other countries commonly targeted included Spain, the United Kingdom, Finland, the Netherlands and Mexico.
"In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing--using specific knowledge about a target's relationships to send a fraudulent email--and turned it into massive BEC campaigns," the company said. It said the group was likely based in Nigeria but also had members elsewhere including the US and UK.
=================================================================
As I understand it, Chadder was built partly based on Scrambls. It would make sense for these 50,000 CFOs/CEOs to have Chadder to confirm a bank transfer as a secondary means of confirmation. imo. Then marketing Chadder to the rest of company employees could be an easier marketing proposition.
Quora discloses mega breach impacting 100 million users
https://www.zdnet.com/article/quora-discloses-mega-breach-impacting-100-million-users/
Account info, passwords, emails, private messages, and user votes were exposed
Quora, one of the largest question-and-answer portals on the Internet, said today that hackers gained access to its servers and stole information on approximately 100 million of its users, which represents almost half of the site's total userbase.
The company disclosed the breach today but said it discovered the hack last week, on Friday. Quora is still investigating the incident but said it already determined that hackers accessed the following types of user information:
• Account information (e.g., name, email address, encrypted password, data imported from linked networks when authorized by users)
• Public content and actions (e.g., questions, answers, comments, upvotes)
• Non-public content and actions (e.g., answer requests, downvotes, direct messages)
"The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious," said Adam D'Angelo, Quora CEO.
"Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content," he added.
"It is highly unlikely that this incident will result in identity theft, as we do not collect sensitive personal information like credit card or social security numbers," the company added later today in a help page regarding the incident.
The site has already taken steps to log out all Quora users who may have been affected. Users who used a password to secure their account have already had their password invalidated and will need to choose a new one the next time they log in.
Quora said it's in the process of notifying all users who it believes were impacted by the hack. The company said that not all users were affected and that "some were impacted more than others."
The tech site also said it already took steps to "contain the incident" and prevent future unauthorized access to its servers. The company said it's still looking into the cause of the breach together with a digital forensics firm. Quora also notified law enforcement.
This is the second hack of a major tech firm in the past week after Dell announced a similar breach of its Dell.com online accounts last week.
U.S. Financial Firms to Further Increase Cybersecurity Spending
https://www.bloomberg.com/news/articles/2018-12-03/u-s-financial-firms-to-further-increase-cybersecurity-spending
U.S. banks and other financial firms are projecting higher spending on cybersecurity as they face bigger threats and more attacks.
In a survey of 100 senior security officers, 84 percent said their firms are planning to spend more this year on cybersecurity, up from 78 percent a year ago, data-security provider Thales eSecurity said in a report to be released Tuesday. About 36 percent of companies said they experienced an intrusion in 2018, up from 24 percent in last year’s survey.
Some of the largest U.S. banks already have boosted cybersecurity spending to almost $1 billion a year following high-profile attacks at companies such as Equifax Inc. and Anthem Inc. Financial firms also have increased information-sharing and set up industrywide backup systems for client data to prevent financial-system disruptions during a major hack.
Some of the spending might not be on target. The vast majority of financial firms are still spending too much on defending personal computers despite awareness that’s the least effective strategy, the Thales survey found. More attention should be paid to network security, said Andy Kicklighter, director of product marketing at the firm.
“The emphasis needs to shift to protecting data,” he said in a phone interview. “Companies are afraid that data protection will disrupt their business, but that’s a concern of yesterday. There are a multitude of solutions today that won’t disrupt or slow down regular business while protecting the data.”
=================================================================
If Wave can sign up a Fortune Global 500 financial services company for its VSC 2.0 then certainly it could sign up a lot of financial firms to use VSC 2.0. This article shows that 84% are planning on spending more money on cybersecurity this year. Given the better security of VSC 2.0 and the weaknesses of its competitors the sales process should be rather quick for many. imo. Also, 36 percent of those companies that experienced an intrusion could change and only allow known and approved devices on their network via Wave's ERAS.
================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Lee, MA - December 17, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
MITRE Changes the Game in Security Product Testing
https://www.darkreading.com/endpoint/mitre-changes-the-game-in-security-product-testing/d/d-id/1333374
Nonprofit has published its first-ever evaluation of popular endpoint security tools - measured against its ATT&CK model.
There were no grades, scores, or rankings, but today's official release by MITRE of the results from its tests of several major endpoint security products could signal a major shift in the testing arena.
MITRE, a nonprofit funded by the US federal government, in its inaugural commercial tests pitted each product against the well-documented attack methods and techniques used by the Chinese nation-state hacking group APT3, aka Gothic Panda, drawn from MITRE's widely touted - and open - ATT&CK model.
Endpoint detection and response (EDR) vendors Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA, and SentinelOne played blue team with their products against a red team of experts from MITRE. Unlike traditional third-party product testing in security, the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) approach uses open standards, methods, and the vendors perform live defenses with their products.
The testing operates in a collaborative manner. "They invited the vendors in to help them drive the tool and show how they find [attacks]," says Mark Dufresne, vice president of research for Endgame. "MITRE was sitting right there, and the product wasn't just chucked over the wall" and tested like in many other third-party tests.
"It was a collaborative and conversational, versus transactional, model," he says.
MITRE tracks and documents how the tools are tuned and configured, and how they do or don't detect an offensive move by its "APT3" red team, for example. The results get published on MITRE's website for anyone to see and study.
"We really want this to be a collaborative process with the vendors; we want them to be part of the process," says Frank Duff, MITRE's lead engineer for the evaluations program. The goal is both to improve the products as well as share the evaluations publicly so organizations running those tools or shopping for them can get an in-depth look at their capabilities, according to Duff.
MITRE chose APT3's methods of attack, which include credential-harvesting and employing legitimate tools used by enterprises to mask their activity. Each step of the attack is documented, such as how the tool reacted to the attacker using PowerShell to mask privilege-escalation. ATT&CK is based on a repository of adversary tactics and techniques and is aimed at helping organizations find holes in their defenses. For security vendors, ATT&CK testing helps spot holes or weaknesses in their products against known attack methods.
The collaborative and open testing setup represents a departure from traditional third-party testing. Vendors and labs traditionally have had an uneasy and sometimes contentious relationship over control of the testing process and parameters. Longtime friction in the security product test space erupted into an ugly legal spat in September, when testing firm NSS Labs filed an antitrust lawsuit against cybersecurity vendors CrowdStrike, ESET, and Symantec, as well as the nonprofit Anti-Malware Testing Standards Organization (AMTSO), over a vendor-backed testing protocol.
The suit claims the three security vendors and AMTSO, of which they and other endpoint security vendors are members, unfairly allow their products to be tested only by organizations that comply with AMTSO's testing protocol standard.
"The whole testing landscape is a real mess," Endgame's Dufresne says. "[But] as a vendor, it's important to be there."
NSS Labs, which is a member of AMTSO, was one of a minority of members that voted against the standard earlier this year; the majority of members support it and plan to adopt it. "Our fundamental focus is if a product is good enough to sell, it's good enough to test. We shouldn't have to comply to a standard on what and how we can test," said Jason Brvenik, chief technology officer at NSS Labs, in an interview with Dark Reading after the suit was filed.
Traditional third-party tests, such as those conducted by NSS Labs, AV-Test, and AV-Comparatives, focus mainly on file-based malware, Endgame's Dufresne explains, looking at whether the security product blocks specific malware. "We do participate in those ... but they truly miss a huge swath of overall attacker activity."
MITRE's Duff says there are different security product tests for different purposes. ATT&CK is all about openness and providing context to the evaluation, he says. "All different testing services have their own purpose, value, and approaches. This is our approach, and we are hoping it resonates to the public."
Even so, malware-based testing isn't likely to go away. "I think some buyers like to see a number" like those tests provide, Endgame's Dufresne says.
Greg Sim, CEO of Glasswall Solutions, says third-party testing was overdue for a change. Even when they garner high scores from the antimalware testing labs, some products continue to fail in real-world attacks, he says. "I think there's going to be a different model," he says, noting that his firm has run tests with MITRE, which it considers an example of a reputable third party for testing.
Another security vendor executive who requested anonymity says MITRE's entry into the testing arena came just at the right time. "Emulating tradecraft of a known adversary, nation/state - for us on the vendor side, we’re saying, 'Hallelujah, they are doing it the right way,'" he says.
MITRE's new testing service represents new territory for the nonprofit, but that doesn't mean its federal government work will subside. Vendors pay a fee, which MITRE would not disclose. "MITRE historically has focused on doing testing of solutions for US government customers or sponsors. That role is not going anywhere," Duff notes.
MITRE hasn't yet set a timeframe for its next series of tests, he adds, but the team will pick another APT group to emulate.
"We are just trying to get at the ground truth on these tools," Duff says.
=================================================================
It seems that Wave was a first mover with the Wave Endpoint Monitor, and it could get better results than its competitors in MITRE testing!
=================================================================
Wave Integrating MITRE’s Attestation Technique into its Endpoint Monitor for Remediating Advanced Malware
https://www.wavesys.com/buzz/pr/wave-integrating-mitre%E2%80%99s-attestation-technique-its-endpoint-monitor-remediating-advanced-mal
MITRE Details Technique at Black Hat 2013
Lee, MA - July 31, 2013 -
Wave Systems Corp. (NASDAQ:WAVX), the Trusted Computing Company, announced plans to integrate The MITRE Corporation’s new timing-based attestation technique into Wave Endpoint Monitor (WEM), the industry’s first solution to leverage industry standard hardware to detect and remediate malware that can surreptitiously mount attacks before the operating system loads. MITRE is a not-for-profit organization that provides systems engineering, research and development, and information technology support to the government.
With this enhancement, Wave will integrate MITRE’s technique that doubly verifies that the core BIOS hasn’t been corrupted. The BIOS is the first software run by the PC when powered-on and is responsible for initializing hardware and getting the operating system running. It also contains the “core root of trust measurement” (CRTM) software, the first software in the boot trust chain that ends in the assurance that the computer booted safely.
“MITRE has made a significant contribution to the body of research by identifying a scenario in which malicious code could be introduced to the BIOS that would cause it to provide a false reading and allow the malicious BIOS to indicate the system had not been corrupted,” said Dr. Robert Thibadeau, Wave’s Chief Scientist. “MITRE’s technique offers a second control for determining the CRTM does not lie about itself and any of the rest of the trust chain.”
Dr. Thibadeau added, “While BIOS attacks are still fairly rare today—less than one percent by many accounts—they represent a new and dangerous attack vector, and we’re bound to see more in future years as the more popular preboot targets are secured by our existing WEM technology.”
The management of CRTM detection will be incorporated in a module for WEM, which Wave expects will be production-ready in early 2014 to meet the expected increase of these attacks. Wave Endpoint Monitor captures verifiable PC health and security by utilizing information stored within the TPM. If anomalies are detected, the attack is controlled, and IT is alerted immediately with real-time analytics.
MITRE research presented at Black Hat 2013
MITRE researchers John Butterworth, Corey Kallenberg, and Xeno Kovah presented their research on this vulnerability and technique, “BIOS Chronomancy: Fixing the Core Root of Trust for Measurement,” at Black Hat 2013.
The team’s research highlights a vulnerability in which a firmware rootkit tricks an endpoint’s Trusted Platform Module (TPM) chip into reporting a clean BIOS firmware, when in fact it has been compromised. MITRE’s research shows the importance of using timing-based attestation systems, which can defend against attackers who obtain the same privilege levels as the defender. John Butterworth, a Senior Infosec Engineer at MITRE, adds, “additional complexities are imposed on an attacker who tries to conceal a rootkit in the presence of timing-based attestation; even concealing the modification of a single byte will trigger a measurable change.”
The team’s findings come as vendors work to implement BIOS protection specifications as outlined by the National Institute of Standards and Technology (NIST) special publication 800-155, published in 2011.
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
White House Identifies Financial Industry as Key Cybersecurity Focus Area
https://biztechmagazine.com/article/2018/11/white-house-identifies-financial-industry-key-cybersecurity-focus-area
On the heels of fresh scrutiny for banks, the Trump administration affirmed financial services companies as a top target for cyberattacks.
The Trump administration recently published a revised National Cyber Strategy, which identifies banking and finance as one of seven key areas where the White House will strive to reduce cybersecurity risks. The administration’s work with the financial industry will build upon months of recommendations from private and public organizations on how to protect America’s most attractive sector for cyberattacks.
“The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas,” including banking and finance, the strategy states.
Earlier this year, the Council of Economic Advisers estimated that malicious cyberactivity cost the U.S. economy between $57 billion and $109 billion in 2016. The financial services industry proved a particularly attractive target for hackers that year. “It was attacked 65 percent more than the average organization across all industries, and according to IBM, 200 million financial services records were breached in 2016, a 900 percent increase from 2015,” reports Security magazine.
For financial services firms, public and private entities have instituted requirements to mitigate the damage from cyberattacks. The federal government also requires cyber disclosures from the banking industry. Banks and certain financial institutions must undergo reviews of “their safeguards for protecting the security, confidentiality, and integrity of consumer information, which include disclosure requirements in the event of a breach,” states the Council of Economic Advisors.
Meanwhile, a financial services consortium — composed of Bank of America, JPMorgan Chase, Wells Fargo and American Express — set up TruSight, a company that provides risk assessments of third-party suppliers and partners, including cybersecurity vendors.
Cyberattacks Pose Extra Dangers for Financial Institutions
Cyberdefenses for financial services firms have been top of mind for the industry since the Equifax breach in 2017. In that breach, “more than 147 million people in the U.S. had personal and financial data stolen ranging from Social Security and driver’s license numbers to credit card information and birth dates,” notes SecurityInfoWatch.com.
Experts warn that banks not only suffer direct financial losses due to successful cyberattacks, but also suffer indirect losses. In an interview with The Wall Street Journal at the end of last year, CrowdStrike CEO George Kurtz warned of the danger to banks of shutting down during a cyberattack.
“When you can’t trade, when you are under attack, there is a loss of confidence in that particular institution. Some of these institutions, if they’re out of business or they’re not operational, it’s a massive ripple,” Kurtz said.
In the same interview, Barclays Group Security Division CIO Elena Kvochko prescribed a holistic approach to cybersecurity for banks.
“No matter how you structure your technology teams, what’s important is to be able to have a holistic perspective across your business lines and product lines, to be able to see there is an anomaly or an incident happening in one part of the organization, you’re able to connect it to potentially other related events that are happening,” Kvochko said.
Implementing a new process could require three months to a year before it becomes a habit — and thus part of the security culture — within an institution, Kvochko added.
-rest is at the link.
=================================================================
If someone in Trump's office was aware of the two factor authentication that exists in the financial services industry, they'd be happy to see the 2FA displaced with Wave VSC 2.0. imo.
=================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Wins competitive evaluation against market leader in two-factor authentication tokens
Lee, MA -
December 17, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
US Senate computers will use disk encryption
https://www.zdnet.com/article/us-senate-computers-will-use-disk-encryption/
New security measure is meant to protect sensitive Senate data on stolen Senate laptops and computers
The US Senate will enable disk encryption on all Senate computers as a basic security measure that will make it harder for spies or criminals to extract sensitive data from stolen Senate staff PCs or hard drives.
The decision was taken last month by the Senate Committee on Rules and Administration, which instructed the Senate Sergeant at Arms (SAA) to begin the data encryption process.
"I applaud these efforts as this new common-sense cybersecurity policy will better protect sensitive Senate data from those who might wish to compromise it," said Oregon Democrat Senator Ron Wyden, the one who initially pushed the Committee to implement this measure over the summer.
"This new policy will make it much harder for any would-be spy or criminal who steals a Senate computer to access Senate data," Sen. Wyden added. "This is particularly important for laptops, which are more vulnerable to foreign government surveillance when Senate staff take them home or on work-related travel."
Details about the exact timeline or progress of the disk encryption process have not been made available, but Senators and their staff should hope this doesn't go as badly as the adoption of multi-factor authentication. A government report published in September revealed that only 11 percent of the Department of State's devices used multi-factor authentication.
It is also no surprise that Sen. Wyden was behind the push to have the Senate deploy disk encryption. Previously, the same Senator had also asked the government to stop using Adobe Flash on its computers and sites, urged the DOD to move all of its sites to HTTPS by the end of the year, asked the White House Cybersecurity Coordinator to deploy a solution that blocks ads on US government networks and computers to ward off malvertising, and has pressed the DHS to deploy an emerging technology called Encrypted Server Name Identification (ESNI).
He also called out the FBI director's 'ill-informed' views on encryption backdoors, pushed Verizon, Sprint, AT&T, and T-Mobile to stop sharing real-time cell phone location data with third-party companies, revealed that US border officials haven't properly verified visitor passports for more than a decade, and asked the FCC to find out if police stingrays disrupt 911 calls.
=================================================================
Wave's MFA (multi factor authentication) should be benefiting those employees in the U.S. government as it has been tested and used there (see PR below). And Wave's other main product SED management should also be used in the U.S. government. imo. (see link below) Two amazing products under one company that could protect the government in a big way! At least with this announcement, the Senate is leading what could be a fresh movement in the market for Wave's encryption management!
================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA -
October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
=================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Excerpt:
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
2014 Marriott Data Breach Exposed, 500M Guests Impacted
https://threatpost.com/2014-marriott-data-breach-exposed-500m-guests-impacted/139507/
The hackers had access to the impacted database since 2014.
Marriott said that a massive data breach of its guest reservation system has left up to 500 million guests’ data exposed and available for the taking. Worse, the attackers may have had access to the systems for at least four years before being discovered.
The hotel company said in a statement on its website that hackers gained access to the Starwood reservation database. Starwood, which includes hotels like St. Regis and Sheraton, was bought by Marriott in 2016.
The hackers gained unauthorized access to Starwood’s network back in 2014. Marriott said it discovered the breach on Sept. 8.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” the company said in its statement.
Marriott did not respond to a request for comment about how the database was accessed.
Marriott said that hackers stole data like name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for 327 million of these guests.
For others, information stolen also includes payment card numbers and payment card expiration dates. The payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), stressed the company.
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the company said. “For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Security experts, such as Daniel Cuthbert, global head of cyber security research at Banco Santander, were astounded that the hack has been ongoing for four years without discovery.
Marriott has also had minor security issues in the past. Kevin Beaumont pointed back to past security incidents with Marriott wherein a remote access trojan located inside the company’s network had access to their Cyber Incident Response Team mailbox in 2017.
Backlash
The incident has left infosec community members and hotel guests scratching their heads about how the hackers could have stayed undetected for four years.
“Four years of unauthorized access is an eternity for hackers, so members of the Starwood rewards program need to keep a close eye on their balances, as attackers will often try to steal and monetize rewards points,” said Ben Johnson, co-founder and CTO of Obsidian Security. “While the recognition of the breach and an apology are important steps forward, Marriott must upgrade its ability to detect compromises like this much faster, and should move swiftly to protect the rewards accounts and personal information of its loyal members.”
Brian Vecci, technical evangelist at Varonis, pointed to the breach as a “textbook” example of how hackers are becoming smarter about building persistence when they breach critical systems.
“Threat actors are smart and getting smarter so it’s hard to catch them in the act, but not only did Marriott fail to protect customer records, they failed to detect the leakage of this data since 2014,” he said. “This breach is a textbook example of attacker dwell time, and how once an attacker compromises an organization their goal is not typically to smash and grab, but to build persistence mechanisms and backdoors to stay in a network and continue to steal critical information year after year.”
Meanwhile, the New York Attorney General’s office declared it was opening an investigation into the Marriott data breach. “New Yorkers deserve to know that their personal information will be protected,” NY Attorney General Barbara Underwood said in a Tweet.
Marriott said it will begin sending emails on a rolling basis starting today, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
misc. twitter posts in article are at the link-
=================================================================
Remote Access Trojan (or RAT) above could have been prevented by Wave Endpoint Monitor. Also, Wave VSC 2.0 and Wave ERAS could have kept the bad guys (unknown devices) from ever entering the network in the first place. The Wave VSC 2.0 White Paper introduction makes reference to some of the old mega breaches, and Wave VSC 2.0 if used was meant to prevent or stop those mega breaches like those from ever happening. Organizations (Marriott) continue to have mega breaches in part because they haven't found a two factor authentication (2FA) solution like Wave VSC 2.0 and Wave Endpoint Monitor as well. imo.
=================================================================
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Cyber-threats are everywhere, but with Wave Virtual Smart Card 2.0 (Wave VSC 2.0) enterprises have a hardware-based, tokenless, two-factor authentication security solution with the security of a hardware token solution and the convenience and cost savings of a software token solution.
Wave VSC 2.0 delivers strong two-factor authentication using the Trusted Platform Module (TPM), the embedded security chip built into enterprise PCs. Wave empowers IT with management of the TPM and VSC 2.0. Companies successfully use Wave VSC 2.0 to secure VPN access, web applications and other certificate-based applications, like Wi-Fi with 802.1x, remote desktop, or Windows-user login. Use the security that’s already been deployed and save money with Wave VSC 2.0.
Every month we see headlines highlighting mammoth breaches (i.e. EBay, JP Morgan Chase, Sony, Target, etc…). In each case, millions of records were stolen, corporate images were tarnished, and enormous costs were incurred as a result. And equally disturbing, more often than not the attacks go undetected and as a result important information is stolen.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Dell announces security breach
https://www.zdnet.com/article/dell-announces-security-breach/
Company says it detected an intrusion at the start of the month, but financial data was not exposed.
US-based hardware giant Dell announced today a security breach that took place earlier this month, on November 9.
Dell says it detected an unauthorized intruder (or intruders) "attempting to extract Dell.com customer information" from its systems, such as customer names, email addresses, and hashed passwords. The company didn't go into details about the complexity of the password hashing algorithm, but some of these --such as MD5-- can be broken within seconds to reveal the plaintext password.
"Though it is possible some of this information was removed from Dell's network, our investigations found no conclusive evidence that any was extracted," Dell said today in a press release.
In a statement sent to ZDNet, Dell said it's still investigating the incident, but said the breach wasn't extensive, with the company's engineers detecting the intrusion on the same day it happened. A Dell spokesperson declined to give out a number of affected accounts, saying "it would be imprudent to publish potential numbers when there may be none."
The company also said hackers didn't target payment card or any other sensitive customer information, and that the incident didn't cause a disruption of its normal services at the time of the breach or after.
Dell initiated a password reset for all Dell.com customer accounts after it detected the intrusion earlier this month.
The company said it notified law enforcement, and also hired a digital forensics firm to perform an independent investigation.
Based on currently revealed details, Dell appears to have exposed very little information associated with its official website, where most users come to shop official products or have discussions on its official support forums.
While Dell has downplayed the incident's impact, it is worth mentioning that many breached companies amend these initial revelations as their investigations advance.
Besides resetting passwords, Dell.com users should manually review what information they've stored in their respective accounts. In case they've saved financial information, they should keep an eye on card statements, to be on the safe side.
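The article notes that a fast, unsalted hash such as MD5 can be reversed within seconds, but that Dell did not say which algorithm it used. The following added example (not from the article or from Dell) shows what a defender does with a store that still holds such hashes: recognise the legacy records, spot the tell-tale sign of a missing salt (two users with the same password share the same hash), verify logins against both formats, and silently upgrade each legacy record to salted PBKDF2-HMAC-SHA256 at the user's next successful login. The user names, passwords, record format and iteration count are constructed for the example.

```python
"""Audit and migrate a password store that mixes unsalted MD5 with salted PBKDF2.
Constructed example; the 'pbkdf2_sha256$iters$salt$dk' record format is assumed."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000          # assumed work factor for new records
PBKDF2_PREFIX = "pbkdf2_sha256$"


def legacy_md5(password: str) -> str:
    """The weak scheme the article warns about: no salt, no work factor."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash: the same password gives a different record per user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Accept either record format so legacy users can still log in."""
    if stored.startswith(PBKDF2_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    # Anything else is treated as a legacy unsalted MD5 hex digest.
    return hmac.compare_digest(legacy_md5(password), stored)


def upgrade_on_login(user_db: dict, username: str, password: str) -> bool:
    """Verify the login and, if the record is legacy, rewrite it as PBKDF2.
    The plaintext is only available at login time, which is why migration happens here."""
    stored = user_db[username]
    if not verify_password(password, stored):
        return False
    if not stored.startswith(PBKDF2_PREFIX):
        user_db[username] = hash_password(password)
    return True


def audit_store(user_db: dict) -> dict:
    """Report legacy records and groups of users sharing one hash (a missing salt)."""
    legacy = sorted(u for u, h in user_db.items() if not h.startswith(PBKDF2_PREFIX))
    by_hash = {}
    for user, stored in user_db.items():
        by_hash.setdefault(stored, []).append(user)
    shared = [users for users in by_hash.values() if len(users) > 1]
    return {"legacy_users": legacy, "shared_hash_groups": shared}


def make_sample_db() -> dict:
    """Constructed store: alice and bob reuse a password under MD5, carol is already migrated."""
    return {
        "alice": legacy_md5("Winter2018!"),
        "bob": legacy_md5("Winter2018!"),
        "carol": hash_password("Winter2018!"),
    }


if __name__ == "__main__":
    db = make_sample_db()
    print("before:", audit_store(db))
    upgrade_on_login(db, "alice", "Winter2018!")
    print("after alice logs in:", audit_store(db))
```

Running the audit before and after alice's login shows the two MD5 users flagged as sharing a hash, and then only bob left in the legacy set, because alice's record has been rewritten with its own salt.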
=================================================================
Wave VSC 2.0 and Wave ERAS could have prevented the intruder (unknown device) from accessing the Dell network. Dell owns RSA Securid and was probably using that two factor authentication to try to limit exposure to their network. RSA Securid doesn't have the feature of keeping unknown devices off the network (as revealed in the article) in a more effective way than Wave does. imo. see below.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Microsoft's multi-factor authentication service goes down for second week in a row
https://www.zdnet.com/article/microsofts-multi-factor-authentication-service-goes-down-for-second-week-in-a-row/
Another Microsoft Azure Active Directory multi-factor authentication service outage is causing problems for a number of Office 365 users.
Just over a week after a global problem with its multi-factor authentication (MFA) service plagued a number of users, another Microsoft MFA outage is impacting a number of customers. Many, but not all, of the customers reporting problems today seem to be U.S.-based.
Starting around 9:15 a.m. ET, a number of Office 365 customers began reporting on Twitter that they were unable to sign into that service because of an MFA issue. Office 365 is one of a number of Microsoft services that uses Azure Active Directory MFA to authenticate.
Around 10:15 a.m. ET, Microsoft's Azure status dashboard was updated to reflect the possibility of a cross-region potential outage impacting MFA.
"Impacted customers may experience failures when attempting to authenticate into Azure resources where MFA is required by policy. Engineers are investigating the issue and the next update will be provided in 60 minutes or as events warrant," the dashboard status said.
The Microsoft 365 Status account on Twitter noted around 10:38 a.m. ET:
"We're investigating an issue where users may be unable to sign in using Multi-Factor Authorization (MFA). All details can be found under Service Incident (SI) #MO165847."
For 14 hours on November 19, Microsoft's MFA services went down for many Microsoft customers.
Microsoft's Azure team recently went public with the root cause it discovered when investigating the outage. Microsoft unearthed three independent root causes, along with monitoring gaps that resulted in Azure, Office 365, Dynamics and other Microsoft users not being able to authenticate for much of that day. Microsoft officials described a multi-pronged plan to try to keep this kind of outage from happening, but said some of the required steps might not be completed until January 2019.
Update (11:40 a.m. ET): The mitigation has begun. From the Azure status page:
"CURRENT MITIGATION: Engineers are currently in the process of cycling backend services responsible for processing MFA requests. This mitigation step is being rolled out region by region with a number of regions already completed. Engineers are reassessing impact after each region completes."
Update (12:25 pm ET): As the mitigation continues, Microsoft engineers say they've identified the cause of today's issue. From the Azure status page:
"Engineers have also determined a Domain Name System (DNS) issue caused sign-in requests to fail, but this issue is mitigated and engineers are restarting the authentication infrastructure."
On the Azure status page, Microsoft officials say a full root-cause analysis of today's outage will be posted within 72 hours.
==================================================================
Given Microsoft's experience with 2FA and what has been going on with Windows 10, 1809 upgrades, it seems that Wave VSC 2.0 could be the better way to go for a lot of organizations' 2FA.
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
White paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
Multifactor Authentication Market to be worth US$20444.9 Million by 2025; Strict Rules by Government to Guard and Preserve National Secrets Bolsters Market Growth - TMR
https://globenewswire.com/news-release/2018/11/26/1656656/0/en/Multifactor-Authentication-Market-to-be-worth-US-20444-9-Million-by-2025-Strict-Rules-by-Government-to-Guard-and-Preserve-National-Secrets-Bolsters-Market-Growth-TMR.html
Global Multifactor Authentication Market: Governments to Boost Uptake as Need for Better Security Measures Grows, observes TMR
Albany, New York, Nov. 26, 2018 (GLOBE NEWSWIRE) -- According to the recent study by Transparency Market Research, the global multifactor authentication market is likely to expand at a robust CAGR of 17.7% during the forecast period. The market, which was valued at US$4829.2 mn by the end of 2016, is foreseen to reach a valuation of US$20444.9 Mn by the end of the assessed period. On the basis of models, the market is segmented into three-factor authentication, four-factor authentication, and two-factor authentication. Of these, the two-factor authentication market is predicted to witness stellar demand as consumers have started preferring two-step verification processes. On the basis of region, the multifactor authentication market is likely to be dominated by North America, as the region experiences a surge in adoption of multifactor authentication models due to increasing security concerns.
The global multifactor authentication market is predicted to witness strong growth during the forecast period 2017 – 2025, owing to rising demand for better security solutions. Transparency Market Research notes that the market is highly fragmented owing to the presence of several players. Senior analysts expect that strategic partnerships such as mergers and acquisitions taken up by key players are likely to give them a strong foothold in untapped markets. Players are spending hefty amounts on research and development to innovate and introduce more efficient and enhanced products for consumers. This is likely to drive the multifactor authentication market forward. It is anticipated that as the number of players increases, the competition will become more intense. Some of the major players in the multifactor authentication market are Vasco, EMC, Entrust, and Gemalto.
rest is at the link -
=================================================================
'Better security at less than half the cost' should make Wave a major player in the multifactor authentication market with Wave VSC 2.0!! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
=================================================================
White paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Attackers Are Landing Email Inboxes Without the Need to Phish
https://www.securityweek.com/attackers-are-landing-email-inboxes-without-need-phish
We’ve all heard the proverb: Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime. Well now, threat actors don’t even have to exert the effort to phish to land business email accounts.
According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows:
1. Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a colleague or supplier.
2. Account takeover: Here, attackers use information-stealing malware and key loggers to gain access to and hijack a corporate email account, which they then use to make fraudulent requests to colleagues, accounting departments and suppliers. They can also alter mailbox rules so that the victim’s email messages are forwarded to the attacker, or emails sent by the attacker are deleted from the list of sent emails.
These techniques have served threat actors well for quite some time. But now we are seeing new, more expeditious methods emerge to gain access to business email accounts. Compromised credentials being offered on criminal forums, exposed through third-party compromises, or vulnerable through misconfigured backups and file sharing services, make the opportunity to profit from BEC easier than ever. Email inboxes are also being used not just to request wire transfers, but to steal financially-sensitive information stored within these accounts or to request information from other employees. With declining barriers to entry for BEC, and more ways to monetize this type of fraud, we can expect the losses to continue to rise and perhaps even accelerate in the near term.
Here’s how these alternative methods work:
1. Paying for access. It’s common for accounts to be shared and sold across criminal forums, and the emails of finance departments and CEO/CFOs are no exception. It’s even possible to outsource this work to online actors who will acquire company credentials for a percentage of earnings or a set fee beginning as low as $150.
2. Getting lucky with previously compromised credentials. As I’ve discussed before, individuals will often reuse passwords across multiple accounts. In our research we’ve detected more than 33,000 finance department email addresses exposed within our own third-party data breach repository, 83 percent of which had passwords associated. With many email and password combinations of finance department email accounts already compromised, cybercriminals can get lucky.
3. Searching across misconfigured archives and file stores. Inboxes, particularly those of finance departments and CEO/CFOs, are replete with financially-sensitive information such as contract scans, purchase orders, and payroll and tax documents. This information can be used for fraud or re-sold on forums and marketplaces. The sad reality is that there’s no need to go to a dark web market when sensitive data is available for free on the open web. Employees and contractors sometimes turn to easy, rather than secure, ways of archiving their emails. We identified that more than 12.5 million email archive files and 50,000 emails that contained “invoice”, “payment” or “purchase order” have been exposed due to unauthenticated or misconfigured file stores.
Regardless of the method attackers use to perform a BEC scam, these seven security measures can help to mitigate the risks.
1. Update your security awareness training content to include the BEC scenario. This should be a part of new hire training, but you should conduct ad-hoc training for this scenario now.
2. Build BEC into your contingency plans, just as you have built ransomware and destructive malware into your incident response/business continuity planning.
3. Work with your wire transfer application vendors to build in manual controls as well as multiple person authorizations to approve significant wire transfers.
4. Monitor for exposed credentials. This is crucial for your finance department email, but it’s important for all user accounts. Multifactor authentication will also increase the difficulty for attackers to perform account takeovers.
5. Conduct ongoing assessments of your executives’ digital footprints. You can start with using Google Alerts to track new web content related to them.
6. Prevent email archives from being publicly exposed. For services like Server Message Block (SMB), rsync and the File Transfer Protocol (FTP), use a strong, unique password and disable guest or anonymous access and firewall the port off from the Internet. If it needs to be on the Internet or without a password, then make sure you whitelist the IPs which are expressly permitted to access the resource.
7. Be aware of the risks of contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default. Ideally, organizations should provide training on the risks of using home NAS drives, as well as offer backup solutions so that contractors and employees don’t feel the need to back up their devices at home.
BEC is becoming increasingly profitable for threat actors as organizations are making it easy for adversaries to gain access to the valuable information that sits within these inboxes. However, with the right combination of people, processes and technology, organizations can mitigate the risk.
=================================================================
A great feature of Wave VSC 2.0 imo is that it isn't susceptible to keyloggers since the user is automatically logged into the site without entering a password. Wave VSC 2.0 could be a big help here!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
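The account-takeover pattern in the SecurityWeek article above (attacker creates a mailbox rule that forwards the victim's mail out and deletes the evidence) leaves a trace in the mailbox audit trail. The following is an added example, not code from the article, from Wave, or from the poster: it scans constructed records shaped like Office 365 Unified Audit Log entries for New-InboxRule/Set-InboxRule and flags external forwarding, forward-and-delete, and deletion of finance-related mail. The internal domain, keyword list, and sample records are assumptions made for the example.

```python
"""Flag mailbox rules that forward or hide mail (added example; not the article's code).

Records are constructed below in the shape of Office 365 Unified Audit Log entries
for New-InboxRule / Set-InboxRule, whose "Parameters" field is a list of
Name/Value pairs. Rules that forward or redirect to an external domain, that
forward and delete, or that delete messages matching finance keywords are the
BEC staging pattern the article describes. Domains, keywords and sample records
are assumptions for illustration.
"""
import json
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}                       # assumed tenant domain
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "purchase order"}

# Constructed sample log: one JSON record per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2018-11-20T14:02:11", "Operation": "New-InboxRule",
     "UserId": "ap-clerk@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "sync"},
                    {"Name": "ForwardTo", "Value": "ap.clerk.backup@mail.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2018-11-20T15:10:00", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "10.1.2.3",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2018-11-20T15:44:09", "Operation": "Set-InboxRule",
     "UserId": "controller@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [{"Name": "Identity", "Value": "cleanup"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;wire"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2018-11-20T16:01:30", "Operation": "New-InboxRule",
     "UserId": "hr@example.com", "ClientIP": "10.1.2.9",
     "Parameters": [{"Name": "Name", "Value": "manager copy"},
                    {"Name": "ForwardTo", "Value": "manager@example.com"}]},
])


def params_of(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the tenant's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def analyze_rule(record: dict) -> List[str]:
    """Return the reasons a rule change looks like BEC staging; empty if benign."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    params = params_of(record)
    reasons = []
    for name in sorted(FORWARDING_PARAMS & params.keys()):
        targets = [t.strip() for t in params[name].split(";") if t.strip()]
        external = [t for t in targets if is_external(t)]
        if external:
            reasons.append(f"{name} to external {', '.join(external)}")
    if params.get("DeleteMessage") == "True":
        # Conditions live in *ContainsWords parameters; check them for finance terms.
        conditions = " ".join(v for k, v in params.items() if "ContainsWords" in k).lower()
        hits = sorted(k for k in FINANCE_KEYWORDS if k in conditions)
        if hits:
            reasons.append(f"deletes mail matching {', '.join(hits)}")
        if FORWARDING_PARAMS & params.keys():
            reasons.append("forwards and deletes (hides the forward from the mailbox owner)")
    return reasons


def scan(log_text: str) -> List[dict]:
    """Run analyze_rule over newline-delimited JSON records and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        reasons = analyze_rule(record)
        if reasons:
            findings.append({"user": record["UserId"], "ip": record.get("ClientIP"),
                             "time": record["CreationTime"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

The rule that moves newsletters to a folder and the one that forwards to an internal manager are left alone; the two that forward externally with deletion, or delete finance mail, are reported with the client IP so they can be correlated with a login from an unexpected location.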
Manufacturers Remain Slow to Recognize Cybersecurity Risk
https://www.nytimes.com/2018/11/21/business/manufacturers-remain-slow-to-recognize-cybersecurity-risk.html
Excerpt near the end of article -
Another approach is to adopt something called whitelisting. For years, Mr. Patel said, most companies had software that excluded known viruses, essentially blacklisting potential problems. But that was too reactive and sometimes exposed systems to unknown attackers. Now, he said, the better approach is to whitelist — that is specify approved software applications that are permitted to be active on a computer system. “It’s increasingly become one of the most important types of defenses.”
=================================================================
Wave Endpoint Monitor uses whitelisting to protect computer systems and is one of the advantages over traditional antivirus.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpt:
By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
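The "comparison against previous boot values" in the excerpt is measured boot: each boot component is folded into a TPM Platform Configuration Register (PCR), the platform quotes the PCR values, and a monitor compares them with the values recorded for known-good boots. The following is an added example, not Wave's code or the article's, that simulates the SHA-256 PCR extend operation and the baseline comparison; the boot components, their contents and the PCR assignments are constructed for illustration.

```python
"""Simulated measured-boot baseline check (added example; not Wave's code).

A PCR cannot be written directly: each boot event is folded in with
PCR_new = SHA-256(PCR_old || SHA-256(event)), starting from all zeros, so the
final value depends on every component and on their order. The monitor records
the PCR values of a trusted boot and alerts on any later boot whose quoted
values differ. Component names and PCR assignments below are constructed.
"""
import hashlib
from typing import Dict, List, Sequence

PCR_INITIAL = bytes(32)   # SHA-256 bank PCRs start as 32 zero bytes


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend for the SHA-256 bank: H(old || digest(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def simulate_boot(events: Dict[int, Sequence[bytes]]) -> Dict[int, str]:
    """Replay a boot event log (PCR index -> ordered events) into final PCR values (hex)."""
    pcrs = {}
    for index, measurements in events.items():
        value = PCR_INITIAL
        for m in measurements:
            value = extend(value, m)
        pcrs[index] = value.hex()
    return pcrs


def compare_to_baseline(baseline: Dict[int, str], quoted: Dict[int, str]) -> List[str]:
    """Return one alert per PCR that is missing or deviates from the recorded baseline."""
    alerts = []
    for index in sorted(set(baseline) | set(quoted)):
        if index not in quoted:
            alerts.append(f"PCR[{index}] missing from quote")
        elif index not in baseline:
            alerts.append(f"PCR[{index}] has no baseline value")
        elif baseline[index] != quoted[index]:
            alerts.append(f"PCR[{index}] changed: {baseline[index][:16]}... -> {quoted[index][:16]}...")
    return alerts


# Constructed event log of a trusted boot. PCR 0: firmware, PCR 4: boot manager,
# PCR 7: Secure Boot policy (the usual UEFI assignments, simplified).
GOOD_BOOT = {
    0: [b"UEFI firmware 1.4.2", b"CRTM"],
    4: [b"bootmgfw.efi build 17763"],
    7: [b"SecureBoot=1", b"PK", b"KEK", b"db"],
}
# Same machine after something replaced the boot manager below the OS.
TAMPERED_BOOT = {
    0: GOOD_BOOT[0],
    4: [b"bootmgfw.efi patched"],
    7: GOOD_BOOT[7],
}


def baseline_alerts() -> List[str]:
    """Record the trusted boot as baseline, then check the tampered boot against it."""
    baseline = simulate_boot(GOOD_BOOT)
    return compare_to_baseline(baseline, simulate_boot(TAMPERED_BOOT))


if __name__ == "__main__":
    for alert in baseline_alerts():
        print(alert)
```

Only PCR 4 fires, which tells the responder which stage of boot changed; a firmware update would instead move PCR 0, and disabling Secure Boot would move PCR 7. The test below also checks that extending the same events in a different order yields a different value, which is why a bootkit cannot reorder components to hide.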
PI System Software Maker, OSIsoft, Announced Breach
https://www.infosecurity-magazine.com/news/pi-system-software-maker-osisoft?utm_source=twitterfeed&utm_medium=twitter
A self-proclaimed leader in enabling operational intelligence, OSIsoft, maker of PI system software, announced an ongoing investigation into a data breach that likely compromised all domain accounts.
On 16 November, the company reported that it was experiencing a security incident that potentially affected everyone from employees and interns to consultants and contractors. Attackers reportedly stole credentials and used them to access the OSIsoft computers, which resulted in alerts of unauthorized activity from the intrusion detection systems.
“Our security service provider has recovered direct evidence of credential theft activity involving 29 computers and 135 accounts. We have concluded, however, that all OSI domain accounts are affected,” the data breach notification warned.
Additionally, the company advised, “You should assume your OSI domain logon account name, as well as email address and password have been compromised.”
The incident remains under investigation with the company’s security service providers, and OSIsoft reported that it “has developed a comprehensive remediation strategy that includes a contingency plan, in case there is an escalation of unauthorized activity as the investigation continues.”
The company also advised that users reset external accounts to use different passwords.
“While most organizations factor vendors, suppliers and contractors into their third-party risk management programs, the reality is that our digital ecosystems are a lot bigger than that. Any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data,” said Fred Kneip, CEO, CyberGRX.
“In this case, OSIsoft’s security controls weren’t able to stop a case of credential theft, affecting a confirmed 135 accounts and possibly more. With over 65% of Fortune 500 industrial companies using their product, OSIsoft is a major gateway to valuable data and they should be seen as such. Large companies like these often interact with tens of thousands of third parties, and it’s critical for them to gain a better understanding of which of those third parties pose the biggest risk to their data.”
=================================================================
In this case and in many cases 'security controls' and/or intrusion detection systems would be less effective than ERAS, Wave VSC 2.0. When using ERAS, VSC 2.0 the unauthorized party or activity would not have been allowed on the network. (see ERAS below) This use case shows how beneficial ERAS, Wave VSC 2.0 could be for a lot of companies. imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
In a post-EMV world, fraud is shifting from in-person to ecommerce channels
https://www.helpnetsecurity.com/2018/11/19/fraud-concern-merchants/
Three years after the switch to new chip-based credit and debit cards, a study by the National Retail Federation and Forrester says payment card fraud is still a top concern for large U.S. retailers as criminals move their activities online.
“The implementation of EMV chip cards and chip card readers was supposed to dramatically reduce credit and debit card fraud,” the State of Retail Payments report said. “So why is fraud still the top concern for merchants?”
The report found that fraud was the top payment-related challenge faced by retailers, cited by 55 percent of those surveyed. The reason is largely that Europay-MasterCard-Visa chip cards have moved payment card fraud away from stores and toward online transactions, the report said, citing a Forter study showing a 13 percent increase in online fraud last year. A Federal Reserve study said online fraud rose from $3.4 billion in 2015 – the first year retailers were required to accept chip cards or face an increase in fraud liability – to $4.6 billion in 2016 and was an “increasing concern.”
“In a post-EMV world, fraud is shifting from in-person to ecommerce channels, so retailers have been busy bolstering their defenses to mitigate the increasing costs and risks of ecommerce fraud,” the report said.
To help fight fraud, the report found that retailers want better authentication of purchases no matter where they take place and that 33 percent have implemented 3-D Secure, a system marketed as Verified by Visa or MasterCard SecureCode that is intended to help authenticate online purchases.
For in-person purchases, 51 percent of merchants said biometrics would be the best way to verify transactions, and 53 percent expressed interest in implementing forms such as the fingerprint and facial recognition available on smartphones. But with that technology limited to phones rather than cards, 46 percent said personal identification numbers would be the best currently available way to approve card transactions.
For purchases made with cards, 95 percent of retailers said requiring PINs would improve security and 92 percent would implement it if it were available. While EMV cards in other countries are chip-and-PIN, virtually all EMV credit cards issued by U.S. banks have been chip-and-signature with PIN available only on debit cards. And the major credit card companies stopped requiring a signature last year.
“The chip in an EMV card makes it very difficult to counterfeit the card, but it does nothing to show whether the person trying to use the card is the legitimate cardholder,” NRF Senior Vice President and General Counsel Stephanie Martz said. “If we want to stop card fraud, we need a better way of authenticating users and it should be one that’s affordable, easy and safe. Someday the answer might be biometrics or technology that has yet to be invented but, in the meantime, we know PIN can stop criminals dead in their tracks. With no signatures, no PIN and no biometrics, what we have right now is no authentication at all.”
NRF has long argued that PIN is important because the chip in EMV cards only prevents the use of counterfeit cards while not stopping lost or stolen cards, and a PIN can also provide a backup for cases where the chip malfunctions or is tampered with.
In addition to the focus on cards, retailers have also been installing technology to fight data breaches and thereby keep criminals from stealing card data that can then be used to commit fraud. The report found 89 percent expect to have tokenization in place by the end of next year, and that 80 percent plan to do the same with point-to-point encryption.
The second-biggest concern was the cost of accepting payment cards, including the swipe fees banks charge to process transactions, cited by 45 percent. While the survey found 49 percent of retailers have taken advantage of routing options required as part of a cap on debit card swipe fees passed by Congress in 2010, rising swipe fees for credit cards remain the subject of litigation between retailers and the card industry. Chargebacks of disputed purchases, which increased after implementation of EMV for some retailers, were the third-biggest concern, cited by 35 percent.
“Eliminating fraud and improving authentication are clearly top priorities for retailers,” Brendan Miller, principal analyst at Forrester, said. “As the answers to these challenges are found, the key will be finding ways to implement the solutions in a way that provides a frictionless experience for consumers.”
=================================================================
Wave and Bell ID Partner to Combat Online Payment Fraud
Card-present transactions enabled for e-commerce by integrating TPM technology
https://www.wavesys.com/buzz/pr/wave-and-bell-id-partner-combat-online-payment-fraud
Lee, MA -
July 31, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) announced it is partnering with chip lifecycle management solutions company, Bell ID, to offer a joint solution aimed at reducing online payment fraud. The solution will be marketed primarily to card issuing banks, as well as online merchants, governments, and enterprises worldwide.
Using Bell ID’s Trusted Service Manager and Secure Element in The Cloud (SEiTC) server, alongside Wave’s ERAS for TPM management and Wave’s endpoint identity and monitoring expertise, the combined offering provides robust protection for transactions and stored payments. The companies have executed a letter of intent and anticipate the signing of a definitive agreement in August.
The incident rate of card-not-present (CNP) fraud has been growing steadily over the past several years. According to a recent FICO Banking Analytics Blog, CNP fraud now accounts for close to half of all credit card fraud. Countries that have already adopted the EMV® card specification have seen CNP fraud rates increase. In the United States, CNP fraud is expected to rise significantly over the next eighteen months, as the EMV standard is put into effect. The EMV directive, which implements a global standard for a secure chip-based payment application, will make merchants liable for any fraud resulting from transactions on systems that are not EMV-capable.
“Wave’s robust product portfolio is very complementary to Bell ID’s strongly positioned solution set in the financial services market,” said Bill Solms, CEO, Wave Systems. “We see the EMV transition creating high demand for more secure transaction capabilities, and are confident that together we can provide financial institutions with a comprehensive solution for payment authorization and storage.”
“Bell ID has been a pioneer in developing and delivering cloud-based payment platforms,” adds Pat Curran, Executive Chairman at Bell ID. “We also have extensive experience in delivering EMV solutions globally and have witnessed fraud transition online as point-of-sale terminals in face-to-face transactions become more secure. We are therefore delighted to extend our offering with Wave to provide a secure online transaction and storage payment solution, which will mitigate against an expected rise in online fraud and provide a trusted link between device identity and internet services.”
Phishers Up Their Game to Combat User Awareness
https://www.infosecurity-magazine.com/news/phishers-up-game-to-combat-user?utm_source=twitterfeed&utm_medium=twitter
In an attempt to undermine the security industry’s effort to educate end users about phishing campaigns, malicious actors are evolving in their tactics, according to Zscaler.
In a recent blog published by Zscaler Threat LabZ, Deepen Desai and Rohit Hegde detailed findings of new research into phishing activities. According to the findings, Microsoft, Facebook and PayPal are the top brands that are being targeted by phishing campaigns.
The top five sector categories that are most commonly targeted are communications (41.4%), social media (18.3%), finance (16.7%), travel (12.4%) and dating (3.4%).
“In addition to the known brands, it was interesting to see phishing campaigns targeting Travel Visa portals (Canadian Visa and Australian Visa, for example) included in our top five most targeted brands. The attackers in this case were most likely interested in phishing for sensitive immigration information, such as passport details, date of birth and national identification numbers,” Desai and Hegde wrote.
Notably one of the best tools in a hacker’s toolbox, phishing is a successful tactic long used by attackers who are looking to steal personally identifiable information, such as Social Security numbers, credit card details, date of birth, and other sensitive data.
Wrote the authors, “About 65% of all phishing content we’ve seen in the past three months was over HTTP and the remaining 35% was over HTTPS. This represents a 300% increase in phishing content being delivered over HTTPS since 2016.”
Because the security industry has been diligent in its efforts to raise awareness, putting great effort into educating users how to identify phishing sites, cybercriminals have reportedly had to up their game. The attackers have had to get creative in order to trick better-informed users, and they are reportedly now carefully designing sites to look identical to the popular brands they are imitating.
"As the end users become more vigilant against clicking suspicious links, attackers have also upped the ante by evolving the way in which the phishing content is being delivered as well as tactics being leveraged to make the phishing pages stay undetected for longer period," they wrote.
=================================================================
Given this new information, educating users on phishing could be even less effective than using Wave VSC 2.0 (2FA). The phished password would not have an effect on the login since the login is a PIN, and even if the PIN was somehow phished the hacker would need the user's computer (TPM). The newer phishing site designs and the reduced effectiveness of user education create another great selling point for Wave VSC 2.0!!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
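The two factors the Wave excerpts describe (a credential kept in the TPM as "something you have", unlocked by a PIN as "something you know") resist phishing because the server never receives a reusable secret: it sends a fresh nonce and the device answers with a proof computed by the hardware-held key. The following is an added example, not Wave's code or the article's, that simulates that exchange and walks through a phished PIN, a replayed response, and PIN guessing against the TPM's lockout. A real virtual smart card uses an asymmetric key and the TPM checks the PIN as the key's authorization value; here HMAC stands in for the key so the example runs on the standard library alone, and the PIN, lockout threshold and device name are assumptions.

```python
"""Simulated TPM-resident credential with PIN authorization (added example).

The key is generated inside SimulatedTPM and never leaves it; the only
operation exposed is sign(nonce, pin). The TPM checks the PIN itself and
locks after MAX_PIN_FAILURES wrong attempts. The server authenticates a device
by issuing a single-use nonce and verifying the response, so a phished PIN
alone, or a recorded response, is useless without the hardware. HMAC over a
key shared at enrollment stands in for the asymmetric key a real TPM would use.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_PIN_FAILURES = 5   # assumed dictionary-attack lockout threshold


class TPMLockedOut(Exception):
    pass


class AuthFailed(Exception):
    pass


@dataclass
class SimulatedTPM:
    """Holds a non-exportable key; the PIN gates every use of it."""
    pin: str
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    failures: int = 0

    def enrollment_material(self) -> bytes:
        # With an asymmetric key the server would receive only the public half.
        # In this HMAC model the shared key is handed over once, at enrollment.
        return self._key

    def sign(self, nonce: bytes, pin: str) -> bytes:
        if self.failures >= MAX_PIN_FAILURES:
            raise TPMLockedOut("dictionary-attack lockout engaged")
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.failures += 1
            raise AuthFailed("wrong PIN")
        self.failures = 0
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Server:
    """Relying party: enrolls devices, issues nonces, verifies responses."""
    def __init__(self):
        self.enrolled = {}      # device_id -> key material from enrollment
        self.outstanding = {}   # device_id -> nonce issued for the current login

    def enroll(self, device_id: str, tpm: SimulatedTPM) -> None:
        self.enrolled[device_id] = tpm.enrollment_material()

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(device_id, None)   # each nonce is single use
        if nonce is None:
            return False
        expected = hmac.new(self.enrolled[device_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, device_id: str, tpm: SimulatedTPM, pin: str) -> bool:
    """Full exchange: server nonce -> PIN-gated TPM signature -> server check."""
    nonce = server.challenge(device_id)
    try:
        return server.verify(device_id, tpm.sign(nonce, pin))
    except (AuthFailed, TPMLockedOut):
        return False


def scenario() -> dict:
    """Legitimate login, phished PIN without the TPM, replay, and PIN guessing."""
    server = Server()
    laptop = SimulatedTPM(pin="4821")                  # assumed user PIN
    server.enroll("laptop-01", laptop)
    results = {"legit": login(server, "laptop-01", laptop, "4821")}

    # Attacker phished the PIN but has no TPM: the best they can do is guess a response.
    nonce = server.challenge("laptop-01")
    forged = hmac.new(b"4821", nonce, hashlib.sha256).digest()
    results["phished_pin_only"] = server.verify("laptop-01", forged)

    # Attacker records a genuine response and replays it against a later challenge.
    nonce = server.challenge("laptop-01")
    captured = laptop.sign(nonce, "4821")
    server.verify("laptop-01", captured)               # the real login consumes the nonce
    server.challenge("laptop-01")
    results["replay"] = server.verify("laptop-01", captured)

    # Attacker with the stolen laptop guesses PINs until the TPM locks the key.
    for guess in ("0000", "1234", "1111", "2222", "3333"):
        login(server, "laptop-01", laptop, guess)
    results["locked_out_even_with_correct_pin"] = not login(server, "laptop-01", laptop, "4821")
    return results
```

The phished-PIN case is the one the poster's comment is about: the PIN is only ever checked locally by the TPM, so learning it from a fake login page gives the attacker nothing to present to the server. The lockout case is the caveat worth remembering: a short PIN is acceptable only because the hardware rate-limits guesses, so a deployment must actually configure that lockout.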
Cybersecurity Is a Top Concern for Healthcare Executives
https://futurism.com/the-byte/cybersecurity-healthcare-executives
Priority Numero Uno
Cybersecurity isn’t just a top technology concern of today’s healthcare executives — it’s the top concern.
That’s according to “Top of Mind for Top Health Systems 2019,” a new report co-authored by the Center for Connected Medicine (CCM), a think tank focused on the use of technology in healthcare, and the Health Management Academy, a network of healthcare executives.
Weak Link
To produce this report, the CCM and the Academy surveyed and interviewed 44 executives from 38 health systems representing 459 hospitals across the U.S.
According to those executives, the most common types of cyberattacks their institutions had faced in the previous 12 months were phishing and spear-phishing. Both of those involve gaining access to a network by essentially tricking a person into handing over valuable information, such as passwords and usernames, and they can enable a hacker to access sensitive information about patients.
It’s not entirely surprising, then, that 62 percent of those who contributed their insights to the report believe staff members are the primary point of weakness in their institutions’ cybersecurity. “Employee education” was also cited as the most common cybersecurity challenge, implying it’s a weak spot that hasn’t been easy to address.
Shoring Up
Thankfully, hospitals appear prepared to meet the challenge of cybersecurity head on. Not one of the respondents claimed their health system planned to decrease spending on cybersecurity efforts in 2019. In fact, 87 percent said they planned to spend more than they did in 2018.
“The people that are up to no good have far better tools than we do on our platforms,” one CEO told the report’s creators. “If they really target you, they will likely find a way in…We are not trying to make it impenetrable, but we are trying to make it more difficult to break into our system than others in our market.”
=================================================================
Rather than focusing on phishing education to prevent cyber attacks, the focus should be on using 2FA like Wave VSC 2.0 as a more foolproof way to protect healthcare companies (and other companies as well) from cyber attacks. imo. Taking the human factor (education of employees) out of the cybersecurity equation is a great selling point for Wave VSC 2.0!!
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
Low TCO
• Reduce operating expenses by eliminating password reset and shortening deployment times
• Minimize capital expenses by using hardware you already have
• Integrate with Microsoft Active Directory for IT familiarity
Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
Flexibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• Create custom management policies to suit your organization’s needs
• User and device authentication from a common console
Seamless Device Authentication
• Access control over wireless (i.e. 802.1x)
• Single sign-on
• VPN authentication (i.e. Microsoft DirectAccess)
LastPass? More like lost pass. Or where the fsck has it gone pass. Five-hour outage drives netizens bonkers
https://www.theregister.co.uk/2018/11/20/fivehour_outage_frustrates_lastpass_punters/
LastPass's cloud service suffered a five-hour outage today that left some people unable to use the password manager to log into their internet accounts.
Its makers said offline mode wasn't affected – and that only its cloud-based password storage fell offline – although some Twitter folks disagreed. One claimed to be unable to log into any accounts whether in “local or remote” mode of the password manager, while another couldn't access their local vault.
The solution, apparently, was to disconnect from the network. That forced LastPass to use account passwords cached on the local machine, rather than pull down credentials from its cloud-hosted password vaults. Folks store login details remotely using LastPass so they can be used and synchronized across multiple devices, backed up in the cloud, shared securely with colleagues, and so on.
The problems first emerged at 1408 UTC on November 20, with netizens reporting an “intermittent connectivity issue” when trying to use LastPass to fill in their passwords to log into their internet accounts. Unlucky punters were, therefore, unable to get into their accounts because LastPass couldn't cough up the necessary passwords from its cloud.
The software's net admins worked fast, according to the organisation's status page. Within seven minutes of trouble, the outfit posted: “The Network Operations Center have identified the issue and are working to resolve the issue.”
The biz also reassured users that there was no security vulnerability, exploit, nor hack attack involved:
Connectivity is a recurrent theme in LastPass outages: in May, LogMeIn, the developers behind LastPass, suffered a DNS error in the UK that locked Blighty out of the service.
The service returned at nearly 2000 UTC today, when the status team posted: “We have confirmed that internal tests are working fine and LastPass is operational. We are continuing to monitor the situation to ensure there are no further issues.”
=================================================================
The use of Wave VSC 2.0 imo could prevent situations like the one faced by LastPass customers in the article above. Wave VSC 2.0 is similar in certain ways (in its aim) to LastPass but with better security. Wave VSC 2.0 not being susceptible to a situation like this is a great selling point for Wave. imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpts:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Decrease expenses with virtual smart cards
You know what else happens when you take passwords out of the equation? A lot fewer calls to IT. Imagine if you took password resets out of the picture – that frees up a chunk of IT time, lowering your operating expenses significantly.
If your organization currently uses traditional tokens or smart cards, switching to virtual smart cards takes an even bigger burden off of IT – we use the hardware-protected credentials in the TPM to create a virtual smart card, which performs the same functionality as traditional smart cards. That means no need to purchase, deploy, replace or maintain external tokens, smart cards or smart card readers. Because virtual smart cards are already on your machines and can’t be forgotten, lost or stolen, you have lower capital expenses and lower operating expenses.
Wave's is the only management to support virtual smart cards on Windows 7, as well as Windows 8 and 8.1.
Microsoft confirms: We fixed Azure by turning it off and on again. PS: Office 362 is still borked
https://www.theregister.co.uk/2018/11/19/microsoft_azure_office_outage_latest/
Redmond battles TITSUP multi-factor auth logins (yes, that's Total Inability To Support Users' Passcodes)
Microsoft is recovering somewhat from a bad case of the Mondays that left some of its subscribers unable to use multi-factor authentication to log into their cloud services.
The Redmond giant said that around 2130 UTC today it had managed to get its Azure Cloud back up and running as per normal. Meanwhile, Office 364 is still being knocked into shape by the Windows giant's techies.
Azure and the cloud-based Office suite started playing up at 0439 UTC, meaning multi-factor authentication has been knackered for about 17 hours, preventing unlucky users from logging in.
Cycle-pathic
In the case of Azure, the fix seemed relatively straightforward, if not cliche. Microsoft turned their computers off and on again, according to the cloud platform's status page at time of writing:
Engineers cycling of impacted servers is complete and initial telemetry and customer reports indicates issue is majority mitigated. telemetry will continue until mitigation confirmed. Engineers will continue to monitor any updates or changes made from the work-streams currently being explored.
Just as we were publishing this story, we noticed Microsoft had quietly revised its explanation of the Azure cock-up: it now blames an overloaded Redis database in Europe that ultimately took out other systems when it tried to fail over to equipment in North America. A hotfix was applied, and machines were rebooted, to revive the platform's multi-factor authentication systems, as the status page now explains:
Preliminary root cause: Requests from MFA servers to Redis Cache in Europe reached operational threshold causing latency and timeouts. After attempting to fail over traffic to North America this caused a secondary issue where servers became unhealthy and traffic was throttled to handle increased demand.
Mitigation: Engineers deployed a hotfix which eliminated the connection between Azure Identity Multi-Factor Authentication Service and a backend service. Secondly engineers cycled impacted servers which allowed authentication requests to succeed.
In a way, Microsoft is saying its cloud couldn't handle the weight of multi-factor login requests. Given the multi-factor tokens are only valid for a short time – there's typically a 60-second window to enter the correct code – high latency becomes a real problem.
As for Office 363-and-a-half, the fix does not appear to be so straightforward. Redmond said that it is still working on the problem, and as of right now engineers aren't even sure just what went wrong.
"Due to the complex nature of this problem, our investigation into the root cause of this issue may take an extended period of time," Microsoft told customers. "This incident is and will remain our highest priority until the underlying source of the problem has been identified."
This is after many, but not all, punters have spent most of the day unable to log in to their Microsoft-hosted services via multi-factor authentication. The outages were felt worldwide, beginning in the afternoon of Monday in Asia, and carrying on into Europe's start-of-the-week, and into the Americas as unlucky users found themselves unable to use their two-factor gizmos to log in.
For security reasons, multi-factor authentication is highly recommended in order to prevent password-stealing hackers from hijacking accounts.
Now, with Asia nearly ready to get up and start its Tuesday workday, Microsoft has yet to fully resolve its Office 359 login headaches. Passwords also cannot be reset by users.
If there is one saving grace for Redmond, it is that thanks to the impending Thanksgiving holiday combined with severe weather on the US East Coast and wildfire-induced pollution in California, a good number of Americans are working from home on Monday, potentially limiting frustrations stemming from the outages: it's quite easy to go back to bed if you can't even log in.
=================================================================
Since Wave VSC 2.0 doesn't use SMS for multi-factor authentication, it is highly conceivable that this problem in the article wouldn't have happened if the user had Wave VSC 2.0! A great selling point for Wave VSC 2.0! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
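The short validity window the Register article mentions comes from how time-based one-time passwords (RFC 6238) are cut into 30-second steps; the added Python example below (not from the article, Microsoft or Wave) verifies a code with the usual one-step tolerance on either side and shows how a delay past that window turns a correct code into a failed login. The seed and timestamps are constructed demo values; the RFC 4226/6238 test vectors check the implementation.

```python
import hashlib
import hmac
import struct

# Constructed demo seed for illustration only; a real deployment uses a random
# per-user secret shared with the authenticator at enrolment.
DEMO_SECRET = b"constructed-demo-seed-not-real!"
STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_unix: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since epoch."""
    return hotp(secret, int(at_unix // step))


def verify_totp(secret: bytes, code: str, at_unix: float,
                step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and skew_steps neighbours on each side.
    With step=30 and skew_steps=1 a code stays valid for 60 to 90 seconds in total,
    which is the window the article is talking about."""
    current = int(at_unix // step)
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-skew_steps, skew_steps + 1)
    )


def latency_outcomes(secret: bytes, issued_at: float, delays_seconds,
                     step: int = STEP_SECONDS, skew_steps: int = 1) -> dict:
    """For a code generated at issued_at, report whether it still verifies after
    each submission delay. Long backend latency (as in the Azure incident) shows
    up here as a correct code that is rejected because its window has passed."""
    code = totp(secret, issued_at, step)
    return {
        delay: verify_totp(secret, code, issued_at + delay, step, skew_steps)
        for delay in delays_seconds
    }


if __name__ == "__main__":
    issued = 1_000_000  # constructed timestamp, 10 s into a 30 s step
    for delay, ok in latency_outcomes(DEMO_SECRET, issued, [0, 20, 120]).items():
        print(f"submitted {delay:>3} s after issue: {'accepted' if ok else 'rejected'}")
```

The tolerance parameter is the only lever a verifier has: widening it buys latency headroom at the cost of a longer replay window for a code leaked in transit.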
2FA Login Failure in Office 365 and Azure
https://www.infosecurity-magazine.com/news/2fa-login-failure-in-office-365?utm_source=twitterfeed&utm_medium=twitter
According to tweets from Microsoft, the company is investigating reports that Azure and Office 365 are again suffering issues that are leaving users unable to log in using multifactor authentication (MFA). When users enter their login credentials and are sent an SMS with a two-factor authentication (2FA) code, the screen does not advance for the user to enter the code, according to a Reddit discussion.
Azure Support also tweeted, “Engineers are actively investigating an ongoing issue affecting Azure Active Directory, when Multi-Factor Authentication is required by policy.”
News of the issue comes less than a month after a reported login problem that left many admins and users unable to access their accounts for several hours. This latest issue is affecting global users, including people from Norway, Australia and the United States expressing frustrations via social media sites.
The most recent status update from Azure as of publication time stated: “Starting at 04:39 UTC on 19 Nov 2018 customers in Europe and Asia-Pacific regions may experience difficulties signing into Azure resources, such as Azure Active Directory, when Multi-Factor Authentication is required by policy.
“Engineers have deployed the hotfix which eliminated a connection between Azure Identity Multi-Factor Authentication Service and a backend service. The deployment of this Hotfix took some time to take effect across the impacted regions. We are seeing a reduction in errors, and customers may be seeing signs of recovery and authentications are succeeding.”
Since the hotfix has been deployed, engineers are continuing to monitor the ongoing performance and will provide updates as necessary.
“Another day, another Office 365 disruption, and another nuisance for admins and employees alike. With less than a month between disruptions, incidents like today’s Azure multifactor authentication issue pose serious productivity risks for those sticking to a software-as-a-service monoculture,” said Pete Banham, cyber resilience expert at Mimecast.
“With huge operational dependency on the Microsoft environment, no organisation should trust a single cloud supplier without an independent cyber resilience-and-continuity plan to keep connected and productive during unplanned, and planned, email outages. Every minute of an email outage could cost businesses hundreds and thousands of pounds. Without the ability to securely log in, knowledge worker employees are unable to do their jobs. The question is if your work email and productivity are dependent on Office 365, how much have these hours of disruption cost you so far?”
=================================================================
Office 365, Azure Users are Locked Out After A Global Multi-Factor Authentication Outage
https://techcrunch.com/2018/11/19/office-365-azure-users-are-locked-out-after-a-global-multi-factor-authentication-outage/
=================================================================
These articles are more selling points for Wave VSC 2.0 imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  • Virtual Private Network (VPN)
  • Local logon
  • Remote logon
  • Remote desktop access
  • Intranet/Extranet
  • Cloud applications
Biometrics and AI firm team up for first U.S. biometric database amidst criticism
https://www.scmagazine.com/home/security-news/biometrics-and-ai-firm-team-up-for-first-u-s-biometric-database-admist-criticism/
Biometrics firm SureID and AI-startup firm Robbie.AI are teaming up to launch the first U.S. biometric database.
SureID has a nationwide network of fingerprint enrollment kiosks while Robbie.AI uses technology to authenticate using AI-based facial recognition and behavioral prediction that could be combined to create a nationwide biometric database for consumer-focused initiatives, according to a press release.
The technology could be used in retail authentication, employment verification, IDs for keyless automated vehicles and other multiple biometric authentication levels and the companies say they are using the highest security measures to protect their data.
“SureID plans to continue to lead with advanced security threat responses and military-grade security mechanisms designed to thwart bad actors and protect personal and corporate security,” SureID General Manager Ned Hayes told SC Media. “SureID R&D is currently researching technology that could allow individuals to have full control over their biometric data information without concerning themselves with the required backup strategies.”
Furthermore, Hayes said his firm is one of a handful of selected FBI fingerprint channeling partners and that its system provides end-to-end encryption, physical and electronic security measures in a secure cloud infrastructure validated and approved by the FBI and other government agencies.
Karen Marquez, CEO of Robbie.AI, told SC Media that her firm never stores frames from video or photo and only saves biometric cues through coordinates and other custom indicators from the original face in the form of numbers that are stored as a ciphered binary.
“There is no way to link this binary data to personal data or a person identity from our backend because we do not keep the original person link,” Marquez said. “Moreover, even in the event of any attempt of compromising the database, deciphering the binaries into raw descriptors provides hundreds of thousands of floating point numbers.”
Marquez added that there is no way to reverse engineer the numbers into pixels, know who the numbers belong to, or even understand them as they are separated and stored into a different provider and data center.
In addition, Hayes said SureID today only collects data that has been submitted to their system via full consumer knowledge and full consumer participation, for authorized purposes only, and that it collects data and deletes data in full compliance with all government regulations regarding data preservation and deletion.
Despite the assurance, the technology has privacy and cybersecurity experts concerned about the companies’ abilities to protect the data, how the data will be used, and the potential for misuse.
“On one hand, I appreciate the need for rapid identification of people who intend to cause harm and the ability to detect these people quickly in public places,” Chris Morales, head of security analytics at automated threat management solutions firm Vectra, told SC Media. “On the other, it sounds like a huge privacy nightmare as I am very concerned about the misuse or manipulation of a database of biometric authentication at this scale.”
Morales said a national biometric database is almost inevitable since society and governments have been heading towards some form of rapid real time person identification for decades. This started with video security monitoring cameras in most public places around the world, and the addition of machine learning has even made it possible to recognize the way a person walks as a unique identifier.
“I think as a security industry, our best course of action is to work with the national governments to ensure any biometric system is highly secure and has auditing and oversight to ensure the proper use of the biometric data,” Morales added. “This type of data would mean anyone could be found instantly at any time. It could be very scary.”
The technology also causes worry to some considering the backdrop of recent elections where many states’ voter identification procedures are woefully lacking.
“It is a little concerning that some loose affiliation of private companies will have the ability to identify me in public and track me without my consent,” Rick Moy, chief marketing officer at Acalvio, said. “And do who knows what with the data to sustain their business models.”
Other researchers emphasized that despite the protections in place, the data could still potentially be misused even by law enforcement.
“AI and ML algorithms often mirror and amplify the biases of the data collected,” Abhishek Iyer, technical marketing manager at Demisto, said. “If criminal investigations will be based on biometric recognition whose accuracy is already compromised by bias, it can lead to wrongful arrests, distress for US travelers, and lost government resources.”
Not everyone was against the technology, and some even supported it. Frances Zelazny, BioCatch chief strategy officer, said there is a dire need for a better system in the U.S. to more accurately identify, and verify that people are who they say they are.
“Because there is no central ID system and personal information is widely available on the Internet thanks to the data breaches, the classic KYC process no longer works in the U.S. and in essence,” Zelazny said. “The Internet of Things will only continue to make our world more interconnected, and where we present our identity on one application may mean that several other modes are affected.”
Zelazny added that action is needed from government, private sector and consumer advocate stakeholders who must collaborate on an identity framework that can support trusted online interactions.
=================================================================
These AI-generated fake fingerprints can fool smartphone security
https://www.zdnet.com/article/these-ai-generated-fake-fingerprints-can-fool-smartphone-security/
Attackers no longer need your actual fingerprint to unlock your phone
Researchers have refined a technique to generate fake fingerprints that match multiple people, potentially undermining fingerprint-based access-control systems.
The technique opens up the possibility of fingerprint-based 'dictionary attacks', or the biometric equivalent of throwing a large set of possible passwords at a login page on the chance that one of them is correct.
The researchers from New York University detail in a new paper how they used a neural network to create 'DeepMasterPrints', or realistic synthetic fingerprints that have the same ridges visible when rolling an ink-covered fingertip on paper.
The attack is designed to exploit systems that match only a portion of the fingerprint, like the readers used to control access to many smartphones.
The aim is to generate fingerprint-like images that match multiple identities to spoof one identity in a single attempt.
DeepMasterPrints are an improvement on the MasterPrints the researchers developed last year, which relied on modifying details from already captured fingerprint images used by a fingerprint scanner for matching purposes.
The previous method was able to mimic the images stored in the file, but couldn't create a realistic fingerprint image from scratch.
The researchers tested DeepMasterPrints against the NIST's ink-captured fingerprint dataset and another dataset captured from sensors.
"This work directly shows how to execute this exploit and is able to spoof 23 percent of the subjects in the dataset at a 0.1 percent false match rate. At a one percent false match rate, the generated DeepMasterPrints can spoof 77 percent of the subjects in the dataset," the researchers write.
=================================================================
A-Ha, the better security of a PIN number and the TPM of Wave VSC 2.0 at less than half the cost!! These articles show the potential limitations of biometrics and why imo Wave VSC 2.0 should be at the top of many companies' shopping lists.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
OPM is Still Far Behind on Data Protection Three Years After Devastating Breach
https://www.nextgov.com/cybersecurity/2018/11/opm-still-far-behind-data-protection-three-years-after-devastating-breach/152804/
The agency hasn’t implemented one-third of an auditor’s cybersecurity recommendations.
More than three years after suffering the most devastating cyber breach to date against civilian government networks, the Office of Personnel Management still hasn’t implemented about one-third of the recommendations from the government’s in-house auditor, a Tuesday report found.
Un-implemented recommendations include regularly updating software to the latest version, encrypting passwords and ensuring administrators aren’t sharing account logins, according to the Government Accountability Office report.
In some cases, OPM still hasn’t reset passwords that were used before the breach, the report found.
The OPM breach compromised sensitive security clearance information about more than 20 million current and former federal employees and their families plus a smaller amount of fingerprint data.
Overall, OPM has implemented 51 of the Accountability Office’s 80 recommendations, or about 64 percent. Some of those implemented recommendations include strengthening firewalls, enforcing password policies and updating contingency plans for the especially vital system, the report states.
Of the 29 remaining recommendations, OPM plans to implement 25 before the end of 2018 plus three more before October 2019, the agency’s chief information officer told the Accountability Office.
OPM does not plan to implement a final recommendation focused on putting security controls on contractors’ workstations, the report states. The office believes it has other security controls that compensate for that one, GAO said.
The GAO report comes just days after OPM’s own inspector general found “material weakness” in the agency’s information security program, citing a lack of information technology resources and “the agency’s culture of minimizing the role of the chief information officer.”
The inspector general also noted a “significant deficiency” in OPM’s IT security controls, noting that all the agency’s IT systems had valid security assessments and authorizations but some of those assessments and authorizations included low-quality work and questionable supporting documentation.
A federal appeals court is currently considering whether to reinstate a lawsuit brought by two federal employee unions over OPM’s data breach. That suit was scrapped at the federal district court level when a judge ruled the plaintiffs didn’t have standing to sue because they hadn’t suffered any clear harm.
Chinese government-linked hackers are widely believed responsible for the 2015 OPM breach but U.S. officials have never formally accused the Chinese government of being responsible for the breach. There’s no clear evidence that data stolen in the breach has ever been released on the dark web or used to conduct identity theft.
=================================================================
OPM could be a very happy customer for using Wave VSC 2.0. The product is better security at less than half the cost!! Other agencies within the government could be very happy customers too!
Someone like Bill Solms would need to present the product once again to the government because it seems to be sorely missing from a protection standpoint. imo. The reason I mention Bill Solms or someone like him is due to his government expertise and the article at the end of this post.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
==================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA - October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
=================================================================
26M Texts Exposed in Poorly Secured Vovox Database
https://www.darkreading.com/cloud/26m-texts-exposed-in-poorly-secured-vovox-database/d/d-id/1333292?_mc=KJH-Twitter-2018-11
The server, which lacked password protection, contained tens of millions of SMS messages, two-factor codes, shipping alerts, and other user data.
A poorly secured database exposed at least 26 million text messages, password reset links and codes, two-factor verification codes, temporary passwords, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.
The leaky database, owned by communications firm Vovox, was found on Shodan by Sébastien Kaul, a security researcher based in Berlin. Kaul discovered the database lacked password protection and left names, phone numbers, and text messages easily searchable. Vovox took down the database after it was contacted with an inquiry from TechCrunch.
However, while the server was still running, anyone could have obtained two-factor codes sent by people attempting account logins. This level of accessibility could have let someone easily take over an account protected with two-factor authentication and an SMS verification code.
While the codes and links exposed are only useful for a finite period of time, there is a risk that attackers were able to compromise users. Security experts have long been wary of SMS verification, saying it's insufficient to properly protect users' data – a lesson learned in the August Reddit breach, which engineers said was rooted in SMS-based two-factor authentication.
=================================================================
Better security by using Wave VSC 2.0 rather than SMS-based 2FA.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
White paper has section on SMS:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
How the U.S. might respond if China launched a full-scale cyberattack
https://www.cyberscoop.com/u-s-respond-china-launched-full-scale-cyber-attack/
The U.S. financial and energy sectors are no strangers to foreign government hackers, from Iranian denial-of-service attacks on American banks to Russian reconnaissance of industrial control systems. Less-familiar territory, however, is how companies would work with the U.S. government to respond to a cross-sector cyberattack during a geopolitical crisis.
About 20 private-sector executives and former government officials gathered last month in Washington, D.C., to take a stab at that question.
A tabletop exercise hosted by the Foundation for Defense of Democracies (FDD), a think tank, hashed out what companies and federal agencies might ask of each other in the 72 hours after a disruptive series of computer intrusions.
The fictional scenario involved a confrontation between the United States and China in the Taiwan Strait, which was followed by a cascading cyberattack on multiple U.S. critical infrastructure sectors. The former defense and law enforcement officials in the room discussed with their private-sector counterparts — executives from the banking, electricity, and retail sectors — how a U.S. government and industry response to the cyberattack might play out.
Participants debated everything from the government’s use of private data to attribute cyberattacks to the potential blowback of offensive U.S. operations.
“The private sector is on the front lines of this new battle space,” the FDD’s Samantha Ravich said, describing the impetus for the exercise. “It’s not [private companies’] business to do national security. Unfortunately, national security is being done to them now with cyber-enabled economic warfare.”
U.S. officials have acknowledged that cyberspace is intrinsic to geopolitical conflict. The FDD drill was a recognition that, in order to succeed in such a conflict, the government and private sector need to be in lockstep.
Companies need to be “a lot more involved [and] informed to protect their interests, and know what the government can do for them and what it can’t,” Ravich, a former national security adviser to Vice President Dick Cheney, told CyberScoop.
Participants in the exercise considered how U.S. government attribution of cyberattacks can help companies defend their networks. There was “a good, robust discussion” on the value of spending limited company resources on helping the government trace the origin of an attack, Ravich said. Knowing which foreign government is behind an intrusion can help a company prepare for future activity, she added.
“There were certain categories of authorities that the folks [formerly] in U.S. government brought up that the private sector really wasn’t aware of,” Ravich added. “Why should they? They’re running businesses; they can’t cite chapter and verse of some authority.”
Dire Straits
The FDD drill explored what might happen if China’s actions in cyberspace escalated, said retired Gen. Michael Hayden, who attended the exercise. Over the course of the exercise, executives feared the private sector would bear the brunt of escalation and cautioned against retaliatory U.S. government measures against China, Hayden told CyberScoop.
“I’m the one who did the intervention and [said], ‘Look, you got the Chinese kicking ass in the digital domain … and you are telling me you want us not to respond?’” recalled Hayden, a former director of the National Security Agency. “I said, ‘There is nobody in the NSC [National Security Council] meeting who is not going to vote to respond to the Chinese.’”
For Hayden, a principal at The Chertoff Group consultancy, the drill showed that “there really is daylight” between the government and private-sector perspective on retaliating in cyberspace.
For others in the room, too, real-world events echoed what they saw in the tabletop exercise.
The same month as the exercise, cybersecurity company ESET published research showing how hackers have targeted energy companies in Poland and Ukraine, a campaign that aligns with Russian geopolitical interests.
News of that hacking campaign resonated with Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, who also attended the FDD exercise.
“That tells me that we are doing the right thing exercising and actually going through the motions to [rehearse] this because it could happen and it is happening,” Nelson told CyberScoop.
The FDD exercise comes as U.S. officials continue to blame the Chinese government for using cyber and traditional espionage to steal U.S. trade secrets. Earlier this month, Department of Justice officials announced a strategy to combat “rapidly increasing” Chinese economic espionage.
=================================================================
China and the U.S. are currently 2 countries missing from the Paris Call in the previous post. After reading this article it sounds like more defensive preparation is needed and/or a new way of looking at it is needed. Wave's ERAS and Wave VSC 2.0 could offer the U.S. government and companies a way of being able to effectively defend against a full-scale cyberattack from China. Wave Endpoint Monitor could also help in the defense as well. imo.
==================================================================
https://www.wavesys.com/
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
U.S. tech giants back French call for global cooperation in cyberspace
https://www.cyberscoop.com/paris-call-for-trust-cybersecurity-framework/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=79751257&utm_medium=social&utm_source=twitter
Excerpt:
The Paris Call also focuses on private-sector responsibilities in cyberdefense, highlighting the power vested in tech companies and their responsibility to build strong security into their products.
================================================================
French president Macron insists new regulations needed to protect us from Facebook
https://www.theregister.co.uk/2018/11/12/macron_internet_regulation/
Excerpt:
He also pushed a new set of principles that the French government has led termed the "Paris Call for Trust and Security in Cyberspace" which describes itself as a "high-level declaration on developing common principles for securing cyberspace."
================================================================
More than 50 nations, but not U.S., sign onto cybersecurity pact
https://www.axios.com/cybersecurity-paris-call-for-trust-france-21e434df-8a59-48bc-8cde-cd1c1f43dfd0.html
But the signatories include two notable tech sector security agreements: the Microsoft-led Cybersecurity Tech Accord and the Siemens-led Charter of Trust.
•Major tech firms like Microsoft, Facebook, Google, IBM and HP are all signed on — either through those private sector pacts or to the agreement outright.
================================================================
-highlighted TCG members
At USAA, cybersecurity is a ‘24/7 problem’
https://www.expressnews.com/business/technology/article/At-USAA-cybersecurity-is-a-24-7-problem-13376369.php
Amid a raging cyber war, USAA’s cybersecurity experts must be on the defense at all times.
At the Cyber Threat Operations Center, located inside the bank’s headquarters in San Antonio, they are always monitoring attempts by cybercriminals to gain access. Teams focus on detecting threats, analyzing them, looking for vulnerabilities and reverse engineering malicious software. There’s someone on shift around the clock.
An electronic map on a wall in the center lights up with yellow arcs showing the millions of attacks against the firm on a daily basis. They come in from all over the world.
On a recent weekday, there were more than 12 million in a 24-hour period. Gary McAlum, chief security officer at USAA, said he’s seen that figure get up to 20 million.
“We look at security as a 24/7 problem,” he said. “The problem of cybersecurity never gets solved. It just changes and morphs continuously.”
Financial institutions have always been appealing targets for thieves, but the frequency and sophistication of cyberattacks has contributed to a sense of urgency. Hackers have unlimited time and resources, McAlum said. At USAA, “we live in a state of what I call healthy paranoia,” he added.
Along with financial implications, breaches can tarnish a company’s brand.
The average cost of cybercrime in the financial services sector was $18.28 million last year, according to a study by Accenture and Ponemon Institute. It was the highest figure among the 15 industries the groups looked at.
In a 2017 report, the U.S. Department of the Treasury listed cyberattacks as one of the main threats to the industry. “Financial firms are connected through complex, interconnected networks,” the authors wrote. “Disruptions to the operations of a key institution in the financial system could be transmitted through these networks and lead to a systemic crisis.”
Financial firms are getting better at preventing attacks, another report by Accenture found. They surveyed more than 800 security professionals from the financial services sector and found that companies stopped 81 percent of breaches between Feb. 1, 2017, and Jan. 31, 2018, compared with 66 percent for the 12 months prior to that time period.
However, more than 40 percent of breaches on average went unnoticed for over a week, they found.
“Financial services firms are converging to a level of mastery when it comes to the security status quo, including their cyber resilience and response readiness,” Chris Thompson, global security and resilience lead for financial services at Accenture Security, said in a news release. “But as business technology evolves, so too must cybersecurity. The new technologies that banks and insurers are embracing — including cloud, microservices, application programming interfaces, edge computing and blockchain — will create new security risks, especially as cyberattacks evolve in sophistication.”
USAA had a net worth of $30.6 billion and more than 12 million members last year, according to its annual Report to Members. The firm has the dual responsibility of protecting its enterprise, which includes employees, servers, mobile devices, computers, data and the supply chain, as well as its members and their digital interactions, McAlum said.
“You have to respect the threat because they have unlimited resources and every advantage,” he said. “If you ever think you're better than the threat, you get complacent and careless.”
The organization and other financial institutions see an assortment of attacks, from large-scale bot attacks to phishing sites to different kinds of malware, said Joe Arthur, USAA’s executive director of information security engineering and cyber operations. The firm does penetration testing, both standard tests and unannounced ones to see how employees respond to simulated attacks, and provides training for employees.
One of the six teams he leads focuses on threats that didn’t manage to get in, looking at who might be targeting the organization and how they can detect them.
“How do we understand the latest tactics and techniques that are out there that are used by attackers, and then how well-positioned are we to defend against that sort of attack?” Arthur said.
The biggest challenge on the consumer end is authentication, McAlum said.
The main way to verify someone’s identity currently is through knowledge-based authentication: People have to enter a user ID and a password and possibly answer a few security questions.
==================================================================
When I see articles like this and the immensely positive impact Wave could have on USAA and others, and USAA is only an hour and a half away, one conversation with the right person could have Win-Win benefits to USAA and Wave! And USAA isn't the only financial services company running its cybersecurity this way.
==================================================================
Some important links for those interested in Wave:
https://www.wavesys.com/products/wave-virtual-smart-card
The white paper:
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Enterprises Sinking Under 100+ Critical Flaws Per Day
https://www.infosecurity-magazine.com/news/enterprise-sinking-100-critical
Enterprises are forced to deal with an estimated 100+ critical vulnerabilities each day, with Flash and Microsoft Office accounting for the majority of top app flaws, according to new research from Tenable.
The security vendor analyzed anonymized data from 900,000 vulnerability assessments across 2100 enterprises to compile its latest Vulnerability Intelligence Report.
It predicted that the industry is set to disclose 19,000 new vulnerabilities this year, up 27% from last year — although other estimates put the 2017 figure at nearly 20,000.
Other stats from the Tenable report highlighted the increasing challenge facing system administrators tasked with prioritizing patches.
It claimed that, on average, an enterprise finds 870 vulnerabilities per day across 960 assets, with 61% listed as high severity. Yet just 7% have public exploits available, making it difficult to know which of the remaining 93% to fix first, the firm argued.
That’s especially true when one considers that many hackers deliberately target older vulnerabilities that may have been forgotten about.
Out of the 20 application vulnerabilities affecting the largest number of enterprises, several came from 2015.
Half of that top 20 related to Adobe Flash bugs, followed by Microsoft Office at 20%, with the eight top web browser CVEs from Google and Microsoft impacting 20-30% of enterprises on a single day.
“When everything is urgent, triage fails. As an industry, we need to realize that effective reduction in cyber risk starts with effective prioritization of issues,” said Tom Parsons, senior director of product management, Tenable.
“To keep up with the current volume and velocity of new vulnerabilities, organizations need actionable insight into where their greatest exposures lie; otherwise, remediation is no more than a guessing game. This means organizations need to focus on vulnerabilities that are being actively exploited by threat actors rather than those that could only theoretically be used.”
=================================================================
It seems that Wave Endpoint Monitor could play an important role in protecting the device while these vulnerabilities are being fixed. It should be a great product for organizations to have in their cybersecurity arsenal. imo.
=================================================================
https://www.wavesys.com/malware-protection
Excerpt:
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpts:
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
Key Features:
Easy security compliance
• Comports with NIST guidelines for BIOS integrity
Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 Malware protection now—WEM covers previous versions of Windows
Simplicity
• Uses standards-based security that’s in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring
No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead
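The Wave Endpoint Monitor excerpt above describes the mechanism only in outline: firmware measures each boot component into the TPM, and the product compares the resulting values against those of earlier boots and alerts on any deviation. The following is an added example, not Wave's code or anything from the page, that shows the core of that check in Python using only the standard library: TPM-style PCR extension (PCR_new = SHA-256(PCR_old || digest)), replay of a boot event log into PCR values, comparison against an enrolled baseline, and use of the log to name the first component that changed. The boot log, component contents and PCR assignments are constructed and heavily simplified; real TCG event logs carry many more events.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

PCR_LEN = 32  # one PCR in the SHA-256 bank of a TPM 2.0 is 32 bytes

# An event log entry: (PCR index, description, digest of the measured component).
Event = Tuple[int, str, bytes]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = SHA-256(PCR_old || digest).

    A PCR can only be extended, never written, so a component cannot be
    removed, replaced or reordered in the chain without changing the result.
    """
    if len(pcr) != PCR_LEN or len(digest) != PCR_LEN:
        raise ValueError("PCR and digest must both be 32 bytes")
    return hashlib.sha256(pcr + digest).digest()


def replay(events: List[Event]) -> Dict[int, bytes]:
    """Replay an event log into final PCR values, starting each PCR at zero.

    A verifier replays the log the same way and checks the result against the
    PCR values the TPM signed in its quote; here the replay stands in for the quote.
    """
    pcrs: Dict[int, bytes] = {}
    for index, _description, digest in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_LEN)), digest)
    return pcrs


def measure(component: bytes) -> bytes:
    """What firmware does before handing control to a component: hash it."""
    return hashlib.sha256(component).digest()


def boot_log(firmware: bytes, bootloader: bytes, kernel: bytes) -> List[Event]:
    """Constructed, simplified boot log following the TCG PC Client PCR usage:
    PCR 0 holds platform firmware code, PCR 4 the boot-services applications."""
    return [
        (0, "EV_POST_CODE: platform firmware", measure(firmware)),
        (4, "EV_EFI_BOOT_SERVICES_APPLICATION: boot loader", measure(bootloader)),
        (4, "EV_EFI_BOOT_SERVICES_APPLICATION: OS loader", measure(kernel)),
    ]


def changed_pcrs(baseline: Dict[int, bytes], current: Dict[int, bytes]) -> List[int]:
    """PCR indices whose value no longer matches the recorded baseline."""
    return sorted(i for i in set(baseline) | set(current)
                  if baseline.get(i) != current.get(i))


def first_divergence(baseline_log: List[Event], current_log: List[Event]) -> Optional[str]:
    """Description of the first log entry that differs from the baseline log.

    The PCR only says *that* something changed; the event log says *what*.
    """
    for old, new in zip(baseline_log, current_log):
        if old != new:
            return new[1]
    if len(current_log) != len(baseline_log):
        longer = current_log if len(current_log) > len(baseline_log) else baseline_log
        return longer[min(len(baseline_log), len(current_log))][1]
    return None


# Constructed sample components standing in for real binaries.
GOOD_FIRMWARE = b"vendor UEFI build 1.12"
GOOD_BOOTLOADER = b"shim + grub 2.02, signed"
GOOD_KERNEL = b"linux 4.19.0 image"

# Baseline recorded from a known-good boot at enrollment time.
BASELINE_LOG = boot_log(GOOD_FIRMWARE, GOOD_BOOTLOADER, GOOD_KERNEL)
BASELINE_PCRS = replay(BASELINE_LOG)


def check_boot(current_log: List[Event]) -> Tuple[List[int], Optional[str]]:
    """Compare a fresh boot's log against the baseline; report any deviation."""
    diffs = changed_pcrs(BASELINE_PCRS, replay(current_log))
    culprit = first_divergence(BASELINE_LOG, current_log) if diffs else None
    return diffs, culprit


if __name__ == "__main__":
    # Same components as at enrollment: nothing to report.
    print(check_boot(boot_log(GOOD_FIRMWARE, GOOD_BOOTLOADER, GOOD_KERNEL)))
    # Firmware modified below the OS, where antivirus does not look: PCR 0 moves.
    print(check_boot(boot_log(GOOD_FIRMWARE + b" + implant", GOOD_BOOTLOADER, GOOD_KERNEL)))
    # A legitimate kernel update also moves PCR 4: re-baseline after approved changes.
    print(check_boot(boot_log(GOOD_FIRMWARE, GOOD_BOOTLOADER, b"linux 4.19.1 image")))
```

Two practical points the excerpt glosses over: the comparison is only as trustworthy as the quote, so in a real deployment the PCR values must come from a TPM quote signed by an attestation key, not from the host's own report; and a legitimate firmware or OS update changes the measurements just as an implant does, so the baseline has to be re-recorded after every approved change or the monitor drowns in false alerts.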
Guess who's back, back again? China's back, hacking your friends: Beijing targets American biz amid tech tariff tiff
https://www.theregister.co.uk/2018/11/09/china_hacking_usa/
Every little thing Xi does is magic, everything Xi do just turns me intrusion alarms on
Three years after the governments of America and China agreed not to hack corporations in each other's countries, experts say Beijing is now back to its old ways.
And if that's the case, we can well imagine Uncle Sam having a pop back.
Speaking at the Aspen Cyber Summit in San Francisco on Thursday, a panel including top NSA adviser Rob Joyce and Symantec CEO Greg Clark said the 2015 truce the Obama administration struck with Beijing has been all but wiped out over the past year. The Middle Kingdom has now returned to spying on American businesses, stealing secrets and gathering intelligence with a new zeal.
"It had a marked impact on the way that the Chinese were behaving," former White House security czar Joyce said of the Obama-Xi agreement. "We have certainly seen the behavior erode in the last year, and we are very concerned with those troubling trends."
The rise in activity comes amid the escalating trade war between the US and China, with each side raising tariffs on imports.
Post hoc ergo propter hoc
However, correlation does not necessarily mean causation. Dmitri Alperovitch, cofounder and CTO of CrowdStrike, noted that events within China, most notably a series of government reforms and anti-corruption campaigns, played a significant part in limiting activity against the US in past years as Beijing-backed hackers focused their activities within the country, spying on undesirables, rather than against foreign targets.
"We were tracking those Chinese threat actors," Alperovitch said. "They didn't cease to exist, but they were just hacking Chinese companies."
Regardless of the cause, the panelists agreed that China is now back with a vengeance.
Clark said that things have got so bad that one of his clients has given up entirely on its latest generation of products, believing the blueprints to have been completely and comprehensively snatched by Chinese hackers.
"I had a very large corporate manufacturer come into our office and say 'we have stopped trying to protect it, it has all been stolen, we want to innovate faster'," the Symantec boss said.
Where the panelists differ is on what to do about the renewed hacking efforts from the world's most populous nation. For Joyce, the US government and the information security community at large can help by making life more difficult for President Xi's hackers themselves.
"Overall, it is about making it harder for them to succeed, and some of that will be taking away the infrastructure they're using, some of that will be exposing their tools," Joyce said. "There are a number of strategies you can come up with that make it less effective, less efficient, and less likely to be successful."
The solution: more war
Alperovitch argued that further economic sanctions will go a long way toward sending a message to Beijing.
"It is not a cyber problem, it is an economic warfare problem," he said. "Responding with economic actions of our own and putting pressure on China is the right strategy,"
There is also hope that China's own internal development will alleviate the problem. Panelist Elsa Kania, adjunct fellow at the Center for a New American Security, believes that as Chinese companies further move into the international market, coming up with their own innovative ideas and concepts will take precedence over stealing intellectual property from rivals.
"There is clearly an ambition to graduate beyond IP theft and become more of a leader," Kania said. "There may be a broader transformation going forward." ®
=================================================================
Companies could start anew by using cybersecurity products that work effectively!! These products could be a game changer for companies in stopping the Chinese. Wave's products are mostly different from a lot of cybersecurity companies' products, and different because they work effectively! The links for these important products are provided below:
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
The link for Wave's site is: https://www.wavesys.com/
Apple Modernizes Its Hardware Security with T2
https://threatpost.com/apple-modernizes-its-hardware-security-with-t2/138904/
Apple has widened the range of Macs running its T2 security chip. Is macOS finally catching up with other platforms when it comes to secure computing?
When Apple launched its latest MacBook Air last month, one of its more unusual features was that the built-in microphone automatically turns off when the lid is closed.
Apple introduced the feature to eliminate any possibility of malware – or other unwanted applications – using the laptop’s microphone to eavesdrop on users.
The mic shut-off function is written into Mac systems via the security-focused T2 chip, and it’s just the latest use for the T2, which is a powerful piece of security technology that acts as the hardware root of trust for the Mac ecosystem.
The feature made headlines, even though the risk of anyone using a MacBook Air to bug conversations might seem low. But the bigger story is that with the expansion to the Air and other devices in its portfolio, Apple seems to be taking hardware security seriously. And researchers say Macs may finally be catching up to other computing platforms on that score.
Inside the T2
Apple first introduced the T2 with the iMac Pro in late 2017, then added it to MacBook Pro computers earlier this year – and most recently, it’s been implemented into the new MacBook Air and Mac Mini.
Apple’s first-generation security chip, the 32-bit T1, was introduced with the 2016 MacBook Pro line, again to drive the Touch ID system. Apple upgraded the T2 to a 64-bit chip, based on a single-core version of its A10 iPhone processor, to handle a much wider range of tasks.
The T2’s functions are indeed wide-ranging: It acts as an audio and mic controller, and controls the computers’ FaceTime cameras and even cooling systems. Vitally, it also governs storage security, and on top of that, it acts as a system-management chip. For instance, on the MacBook Pro, T2 controls the Touch ID on the TouchBar, and stores the biometric data in an on-board Secure Enclave co-processor.
With this more powerful chip, Apple appears to be setting out to add some heavyweight security features to the Mac. For instance, on T2-equipped Macs, the chip controls the boot process, and checks that the operating system is correctly signed. If it is, the machine moves on to the next part of the boot cycle. The T2 will validate current versions of MacOS and also Windows 10 – although at present, the chip will not allow a Mac to boot Linux.
The T2’s secure-boot facility is built to ensure that Mac owners don’t fall victim to modified system software or malicious updates. And, because T2 controls the Mac’s identity, it will work with mobile device management (MDM) technology to make it easier to administer secure boot for large numbers of MacBooks. This is a potential big benefit to enterprises – and to education in particular, where issuing laptops to students is increasingly common.
Unlike on the iPhone and iPad, Mac users do have a degree of control over their machine’s security settings. To that end, Apple provides an application called the Startup Security Utility, to control some of the T2’s behavior. Users can, for example, opt for “medium” security in order to use older versions of MacOS, or they can turn the OS verification off altogether. This lets newer Macs boot in the same way as older models, without the T2’s intervention, although this is apparently not enough to fix the Linux issue.
Apple’s Storage Security
Aside from secure boot, the T2 has another core security function, one which could be even more important to data protection-minded computer users.
“The new T2 chip also provides a built-in hardware encryption engine that encrypts all of the data stored on the solid-state drive (SSD) with a unique security key on each Mac,” explained James Plouffe, strategic technologist at MobileIron, a mobile security specialist. “This means that all of the data on a Mac can only be read by that Mac, even if the SSD is removed. This adds another layer of security for enterprise data.”
Data encryption is not new to the Mac platform, it should be said: Apple has offered various flavors of its FileVault technology for several years. The advantage of the T2 chip comes from its dual function as a storage controller as well as an identity and encryption manager.
The T2 chip encrypts and decrypts data on the fly with, Apple says, no loss in performance. The encryption uses the AES-256 standard, which is the same used on iOS devices. The T2 sits between Apple’s NVMe storage chips and the Intel processor, and makes use of the native encryption functions in the Apple File System (APFS). This combination makes permanent, entire disk encryption realistic, according to Derrick Donnelly, chief scientist at BlackBag Technologies, an IT forensics firm.
“Encryption is on by default even if the user has not turned on FileVault; Apple is using encryption at rest,” said Donnelly. “Apple is using a new raw memory drive, with a new interface and no PCIe controller, and it talks directly to the T2 chip.”
The T2 also has one more trick to play. Apple’s technology combines a unique identifier from the T2 chip with the Mac owner’s password, and uses this as the basis for the storage encryption keys.
In simple terms, this prevents anyone from accessing the content of the NVMe storage chips, unless they have the user’s credentials and access to the Mac’s original T2 chip.
As long as users turn FileVault on, this makes it extremely unlikely that anyone could access the data in storage files by attempting to hack into the physical storage components according to researchers at Duo, a security vendor now owned by Cisco.
Apple Security in the Wider World
Apple of course is not alone in bringing hardware security to its devices, and in some ways, it’s playing catch up both with the Windows PC market, and with its own iOS devices. Trusted Platform Modules (TPMs), support for two-factor authentication and Intel’s vPro chipset – offered widely in business-oriented laptops – already do much of what Apple is setting out to do with T2.
So is Apple up to snuff now? While the T2 may also introduce potential downsides (BlackBag Technologies’ Donnelly cautions that upgrade options, data recovery and even law enforcement access to data could become more difficult as Apple moves its systems to T2), Apple’s hardware-based encryption is scoring high marks with researchers.
“By taking their proven success and leadership on the iOS platform with respect to security and privacy, Apple has been able to fast-track catching up with competing platforms that already implement modern hardware security features,” says Pepijn Bruienne at Duo.
In all, T2 technology could be a significant step forward for anyone who needs a secure computing platform. Just remember to keep that lid closed.
=================================================================
Apple's T2 seems like a real endorsement for the TPM! There are already 150+ companies supporting the standard (TCG). With at least a billion TPMs in computers, not using the technology would be almost ludicrous when there is daily news of hacks and breaches!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
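The Threatpost article above says the T2 derives its storage keys from a unique chip identifier combined with the owner's password, so the SSD contents are unreadable without both the credentials and the original chip. The following is an added example, not Apple's scheme or code from the page, that shows why such a binding has that property, using only the Python standard library. The construction is illustrative: the password is stretched with PBKDF2 and mixed with the chip identifier through HMAC to produce a key-encryption key, under which a random per-volume key is wrapped. The chip identifiers, the iteration count and the toy wrap (XOR with a hash-derived keystream plus an HMAC tag, standing in for a real AES key wrap) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 32
NONCE_LEN = 16
PBKDF2_ITERATIONS = 200_000  # assumed for the example; not Apple's parameter


def derive_kek(chip_uid: bytes, password: str, salt: bytes) -> bytes:
    """Key-encryption key depending on BOTH the chip's unique ID and the password.

    Illustrative construction (not Apple's): stretch the password with PBKDF2,
    then mix the result with the chip UID via HMAC. The password alone (SSD moved
    to another machine) or the chip alone (no credentials) yields a different key.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    PBKDF2_ITERATIONS, KEY_LEN)
    return hmac.new(chip_uid, stretched, hashlib.sha256).digest()


def wrap_volume_key(volume_key: bytes, kek: bytes) -> bytes:
    """Toy authenticated wrap of the random per-volume key under the KEK.

    Stands in for AES key wrap: XOR with a one-shot keystream derived from
    (KEK, nonce), then an HMAC tag so a wrong KEK is detected, not silently
    turned into garbage plaintext.
    """
    nonce = os.urandom(NONCE_LEN)
    stream = hashlib.sha256(kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_volume_key(blob: bytes, kek: bytes) -> Optional[bytes]:
    """Recover the volume key, or None if the KEK (chip or password) is wrong."""
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def enroll(chip_uid: bytes, password: str) -> Tuple[bytes, bytes, bytes]:
    """Create a volume: random data key, wrapped under the chip+password KEK.

    Returns (volume_key, salt, wrapped_blob); only salt and blob are stored on disk.
    """
    volume_key = os.urandom(KEY_LEN)
    salt = os.urandom(16)
    blob = wrap_volume_key(volume_key, derive_kek(chip_uid, password, salt))
    return volume_key, salt, blob


def unlock(chip_uid: bytes, password: str, salt: bytes, blob: bytes) -> Optional[bytes]:
    """What the controller does at boot: rebuild the KEK and try to unwrap."""
    return unwrap_volume_key(blob, derive_kek(chip_uid, password, salt))


# Constructed chip identifiers for two different machines.
MAC_A_UID = hashlib.sha256(b"constructed UID of Mac A's security chip").digest()
MAC_B_UID = hashlib.sha256(b"constructed UID of Mac B's security chip").digest()


if __name__ == "__main__":
    key, salt, blob = enroll(MAC_A_UID, "correct horse battery staple")
    print("same chip, right password :", unlock(MAC_A_UID, "correct horse battery staple", salt, blob) == key)
    print("SSD moved to another Mac  :", unlock(MAC_B_UID, "correct horse battery staple", salt, blob))
    print("same chip, wrong password :", unlock(MAC_A_UID, "hunter2", salt, blob))
```

The point a practitioner should take from the article's caveats is the flip side of this binding: because the chip identifier is an input to the key, a dead logic board with an intact SSD leaves the data unrecoverable unless a separate escrow of the volume key (or a recovery key) exists, which is exactly the data-recovery downside Donnelly raises.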
Microsoft President: Governments Must Cooperate on Cybersecurity
https://www.darkreading.com/vulnerabilities---threats/microsoft-president-governments-must-cooperate-on-cybersecurity/d/d-id/1333231?_mc=sm_iwfs_editor_kellysheridan
Microsoft's Brad Smith calls on nations and businesses to work toward "digital peace" and acknowledge the effects of cybercrime.
It's an exciting time to be in technology, according to Microsoft president Brad Smith. It's also a dangerous time.
Smith took the stage at this year's Web Summit, a tech conference held in Lisbon, Portugal, to emphasize the need for global cooperation on cybersecurity as technology continues to evolve. The benefits that technology has created are as dangerous as they are awe-inspiring, he said.
"It's an exciting time to be at a place like this," he said. "But that's not the only thing that's happening. We also live in a time when new threats are emerging … new threats that involve technology itself" and culminate in attacks on electrical grids and elections alike.
Addressing an audience of tech professionals, Smith explained: "The tools that we've created — the tools, oftentimes, that you've created — have been turned by others into weapons." It's something Microsoft sees in 6.5 trillion signals and data points it receives daily, he added.
Smith said often when he speaks to people in government about these attacks, they sometimes say "we don't really need to worry" because cyberattacks involve machines targeting machines, not machines targeting people. He disagrees.
"That is a problem. Because people are being victimized by these attacks," he explained. He called 2017 "a wake-up call" in terms of the way people in nation-states and governments are using technological tools as weapons. WannaCry and NotPetya were the prime examples.
We can't expect people to recognize the problems of cybercrime if we don't recognize how people are suffering. Hospitals were paralyzed when WannaCry hit the UK. At England's National Health Service, 19,000 appointments were canceled. Surgeries didn't happen. Shortly after WannaCry hit 300,000 machines in 150 countries, he added, NotPetya struck.
"What NotPetya represents is not just the evolution of the attack in terms of methodologies involved, but also the evolution of intent," said Smith. Last year, almost 1 billion people were victims of a cyberattack. "These issues and these threats are going to continue to grow … because everything is connected," he warned. It's time to have a conversation around security.
"In a world where everything is connected, everything can be disrupted," he continued.
Governments around the world must play a role in protecting civilians and civilian infrastructure, he said, and protect people while they're using devices on which their lives exist. However, governments can't do this alone, and so he also called on businesses to step up.
"Businesses need to do better as well, and there is no part of the business community, across Europe or in the US or around the world, that has a higher responsibility than one part of the business community — and that is the tech sector," Smith noted. IT has the greatest responsibility to be "first responders" in keeping people safe when there are cyberattacks.
The same week he gave this talk at Web Summit, Smith explained in an interview with CNBC how Microsoft wants to connect with Congress and work together to create cybersecurity guidelines for civilians. Key issues range from threats on democracy to artificial intelligence in the workplace.
We have reached a point at which people are enthusiastic about the evolution of technology; however, their eagerness is matched with growing worry about what this technology can do.
"The big shift has been [that] the era where everyone was just excited about technology has become an era where people are excited and concerned at the same time — and that's not unreasonable," he explained in a conversation with CNBC.
Smith says Microsoft wants to work with President Trump, as it worked with President Obama, to address the risk of technology. The concern isn't only for America, but for all countries.
==================================================================
How has cybersecurity really improved under the Obama and Trump administrations? Maybe Microsoft's message will include the missing ingredient to better cybersecurity - an activated TPM and services with it. The tech industry has spent billions to develop this state of the art technology for cybersecurity. It seems like it would be wise to use it on a global scale before there are more serious cyber attacks. imo.
==================================================================
https://www.wavesys.com/
US Cyber Command starts uploading foreign APT malware to VirusTotal
https://www.zdnet.com/article/us-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal/
USCYBERCOM said it plans to regularly upload "unclassified malware samples" to VirusTotal
On Monday, the Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM), set in motion a new initiative through which the DOD would share malware samples it discovered on its networks with the broader cybersecurity community.
The CNMF kicked off this new project by creating an account on VirusTotal, an online file scanning service that also doubles as an online malware repository, and by uploading two malware samples.
In addition, USCYBERCOM also created a new Twitter account where it would tweet a link to all new VirusTotal malware uploads.
USCYBERCOM's decision was met with universal praise by leading voices from the cybersecurity private sector.
"This is a great initiative and we believe that if more governments would do the same, the world would be safer. We salute their initiative and are of course paying close attention to what they upload," said Costin Raiu, Director of Global Research & Analysis Team at Kaspersky Lab.
"We believe that having more files in VirusTotal increases the value to the entire community," said Mike Wiacek, CSO, and co-founder of Chronicle, Alphabet's cyber-security division and the company behind VirusTotal.
"In fact, the first submission, for LoJack malware, included files that weren't previously in VirusTotal," Wiacek told ZDNet today via email.
That new file was rpcnetp.dll, a file that, together with the second, rpcnetp.exe, has been utilized to infect victims with the Computrace/LoJack/LoJax malware.
Raiu told ZDNet that Kaspersky has been tracking this malware for years; malware which came back to life this year in new campaigns, as detected by Netscout and ESET.
LoJax is currently the first documented case of a UEFI rootkit used in the wild, and the malware has been tied to APT28, a codename used to identify a nation-state cyber-espionage group that has been associated by several Western countries to Russia's military intelligence agency GRU.
USCYBERCOM's decision to make these two particular malware samples its first two uploads didn't go unnoticed by the infosec community. Some sharp-eyed pundits immediately categorized it as a new name-and-shame effort on the part of Western governments, which have been very active this year in exposing and indicting Chinese, Russian, Iranian, and North Korean hackers.
"It remains to be seen exactly how this new initiative will unfold," John Hultquist, director of intelligence analysis at FireEye told ZDNet in an email today.
"But what is striking about this initiative is it lacks many of the contextual elements of the name and shame strategy. Whereas that strategy involves a tremendous amount of context which has to be scrutinized throughout the government, this initiative could be less encumbered by those considerations," Hultquist said.
"There will undoubtedly still be a strategy behind these disclosures, since disclosures always have consequences for intelligence operations, but their simplicity may allow for simpler, faster action, something the government has historically struggled with."
On the other hand, there are those security researchers who purposely stay away from politically-charged attributions when dealing with APT malware.
For example, in an interview with ZDNet, Alexis Dorais-Joncas, Security Intelligence Team Lead at ESET, was far more interested in how USCYBERCOM's VirusTotal uploads might influence an APT group's upcoming operations, rather than the political downfall that follows.
"As far as exposing hacking toolsets, it does not necessarily automatically render the tools totally useless, but it is likely to at least cause the attacker to adapt," Dorais-Joncas told us. "For example, ESET has been exposing [APT28]'s toolset evolution for years, and yet the group is still using a lot of the same tools, albeit with additional improvements added over time."
"I would say exposing full [tactics, techniques, and procedures] on top of actual samples would be more harmful to attackers, as they would need to change their entire attack workflow (think spreading and infection mechanisms, persistence, communication protocols, etc)," Dorais-Joncas said. "It does not look like USCYBERCOM is providing such context together with the samples they are sharing, so that might limit the upside of their initiative."
"Only time will tell if samples shared by USCYBERCOM will turn up to be interesting for researchers or not - it really depends on what they choose to share," the ESET researcher added. "I'm inclined to give them the benefit of the doubt for now."
But the infosec community also had another gripe with USCYBERCOM's new sharing practice, and that's with what the DOD considers "unclassified malware samples."
Both ESET's Dorais-Joncas and FireEye's Hultquist shared the same opinion on this topic, that even if the agency used the term "unclassified malware samples," this doesn't necessarily mean we'll get your run-of-the-mill malware such as adware and basic downloaders.
"This effort may very well expose us to new threats, which require serious analysis," Hultquist said.
"I would also not presume that unclassified malware will automatically already be known to researchers," Dorais-Joncas also added.
"In general, I would say more sample sharing can only lead to equal or better protection because any new sample security vendors can obtain helps them improve their detection databases and thus better protect their respective customers."
As for Wiacek, the Chronicle CSO would more than love to see other intelligence and law enforcement agencies follow in the DOD's footsteps.
"We invite other U.S. and international agencies to participate in a similar manner," Wiacek said. "We are happy to see new members in the VirusTotal community."
=================================================================
The government, if it were privy to all the anti-malware solutions in the marketplace, would see that a white listing product like Wave Endpoint Monitor is so much more effective than loading foreign APT malware in Virus Total. imo.
==================================================================
https://www.wavesys.com/malware-protection
Excerpt:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
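An added example (not Wave's code, nor from any of the articles above) of the mechanism the excerpt describes: a simulated TPM PCR bank is extended with boot-component measurements, a known-good boot is stored as the baseline, and later boots are compared against it so that a changed boot loader shows up as a deviation. The PCR indexes, component names and blobs are constructed for illustration; a real TPM also signs the PCR values in a quote so a compromised OS cannot forge them.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; a fresh PCR starts as all zeros


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA256(PCR_old || SHA256(measurement)).
    Order matters and a PCR cannot be reset or rolled back by software,
    which is why a tampered component cannot hide its measurement."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components):
    """Replay a boot sequence: each (pcr_index, blob) pair extends that PCR.
    Returns {pcr_index: hex_value}, i.e. what a monitor would record."""
    pcrs = {}
    for idx, blob in components:
        pcrs[idx] = extend(pcrs.get(idx, b"\x00" * PCR_SIZE), blob)
    return {idx: value.hex() for idx, value in pcrs.items()}


def compare_boot(baseline, current):
    """Return the PCR indexes whose value deviates from the stored baseline.
    A non-empty list is what a boot-integrity monitor would alert on."""
    return [idx for idx in sorted(set(baseline) | set(current))
            if baseline.get(idx) != current.get(idx)]


# Constructed "known good" boot (assumed layout: PCR0 firmware,
# PCR4 boot loader, PCR7 secure-boot policy). Values are made up.
GOOD_BOOT = [
    (0, b"firmware-v1.2"),
    (0, b"firmware-config"),
    (4, b"bootmgr-legit"),
    (7, b"secureboot-on"),
]

# Same machine, but the boot loader image has been altered. If the firmware
# itself were rewritten (as a UEFI implant does), PCR0 would change instead.
TAMPERED_BOOT = [
    (0, b"firmware-v1.2"),
    (0, b"firmware-config"),
    (4, b"bootmgr-patched"),
    (7, b"secureboot-on"),
]


def demo():
    """Baseline from a clean boot, then check a clean and a tampered boot."""
    baseline = measured_boot(GOOD_BOOT)
    return (compare_boot(baseline, measured_boot(GOOD_BOOT)),
            compare_boot(baseline, measured_boot(TAMPERED_BOOT)))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean boot deviations:", clean)        # []
    print("tampered boot deviations:", tampered)  # [4]
```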