Tuesday, February 28, 2017

Operatively-sourced threat intelligence: Using human awareness

In this podcast recorded at RSA Conference 2017, Mike Kirschner, Senior Vice President of Sales and Marketing, Advanced Threat Intelligence at InfoArmor, talks about the platforms the company has developed and the data sets it holds, everything from network risk to advanced intelligence services. InfoArmor offers service features and service sets that give clients access to dark web sources and extend the reach of their security teams.


Here’s a transcript of the podcast for your convenience.

My name is Mike Kirschner. I’m the Senior Vice President of Sales & Marketing for InfoArmor, for our Advanced Threat Intelligence division.

We’re talking a little bit today about our Accomplice and VigilanteATI portals and the platforms that we have developed for delivering threat intelligence to the market in general.

Fundamentally, the platforms themselves have really been designed to be able to ingest both a wide array of data services or data products, as well as threat intelligence services. So the context associated with that data then becomes a very rich component, rich feature of the product itself.

InfoArmor has been around for the last ten years or so. We started as a threat intelligence provider of identity protection services, and have rapidly moved into an enterprise-based cyber intelligence posture, and have really been able then to aggregate lots of data that would be enabled to the enterprise, which we deliver through these platforms.

With the breadth of breaches that we’ve seen over the last year to two years, and the escalation of breached information that we’ve seen out in the dark web, in the wild, there are a variety of use cases that make it meaningful for organizations to be able to have access to that type of data.

The information that we can deliver really spans from identification of network exposure, vulnerability exposure, through individual credentials that have been exposed, email addresses and passwords that could then unlock the kingdom for anybody to gain access to that corporation’s potential intellectual property, directories, whatever the case may be.

The passwords then, that we are providing, can come in a variety of forms, whether they’re plain text or hashed. The services that InfoArmor enables really allow a client to view that data in its raw form, as well as in a cracked form or in a form that would enable them to understand whether or not there is potential risk to the organization. As a result, then those organizations can take appropriate measures to preempt potential breaches, potential issues that may come up.

What we tend to offer, though, as really a differentiating component to the threat intelligence landscape or platforms that we’re enabling is, really, that context. So, the core differentiator for InfoArmor really is our Advanced Threat Intelligence team. We’ve got an organization of researchers and analysts that are providing operatively sourced intelligence, they are engaging in that threat actor community delivering information that is meaningful for clients from the perspective of really dark web level type sources and engagement. The content that we are enabling in this sort of environment spans both data, as well as human involvement, human intelligence, and that’s the contextual piece that we are providing, which we then wrap into this idea of threat intelligence.


The threat intelligence landscape, though, over the last several years certainly has changed dramatically. What we are really seeing is a divergence in the shape of information that’s being delivered to clients in wide volume, which we will call ‘threat information’ or ‘threat data’ versus true threat intelligence. Threat intelligence, really, is going to be consumable, actionable, information that can be leveraged by the organization in a preemptive way or in a way that’s going to be meaningful for them based on the specific threats that they are facing today.

There are so many providers as you walk the floor today that are providing data feeds ad nauseam, which many organizations simply can’t consume or take advantage of. So the idea behind what InfoArmor is delivering today, and the way that we’re making that truly threat intelligence is by wrapping this contextual human awareness around what those threats are in ways that organizations can then take advantage of that information, and deliver that in a way, again, that’s consumable and actionable by the organization.

The primary advantage that we see in this is that based on the platform that we have, it’s scalable from a very small organization to a very large organization. So we’ve got clients that are in that SMB/SME space that have tens or hundreds of employees all the way up to Fortune 500 clients that have tens of thousands of employees, and large scale operations, and enormous security teams that actually have the ability to take this data in and consume it.

InfoArmor’s primary deliverable not only is data that we will harvest both automated and through our operative team, but then enabling ourselves to really act as an extension of that security team. In the case of a small business, we can actually take on the process or the role of the security team for them, almost operating as an MSP. With a larger organization, we get very much into bespoke investigations on their behalf, assessments of data sets, evaluating different components that would be meaningful for that organization. And in many cases, their teams just don’t either have the bandwidth to be able to do that or the skillset to be able to do that. In those types of cases or instances, that’s really where InfoArmor’s team shines in terms of its ability to deliver true intelligence in a meaningful way rather than just data.

RSA Conference 2017


from Help Net Security http://ift.tt/2lV96P9

With 1.2 million phishing attacks, 2016 was a success for cybercriminals

The Anti-Phishing Working Group (APWG) observed that 2016 ended as the worst year for phishing in history. It counted 1,220,523 phishing attacks in 2016, the highest total ever recorded and a 65 percent increase over 2015.


The end of 2016 was also an opportunity to reflect on how phishing has grown over the years. In the fourth quarter of 2004, the APWG saw 1,609 phishing attacks per month. In the fourth quarter of 2016, the APWG saw an average of 92,564 phishing attacks per month, an increase of 5,753 percent over 12 years. The number of phishing attacks has risen in almost every year of the past decade, a consistent upward trend.

“Phishing is an attack that relies primarily on fooling people, rather than highly sophisticated technical implementations,” said APWG Senior Research Fellow and iThreat VP Greg Aaron. “For that reason, phishing remains both popular and effective. Also, the APWG’s numbers for 2016 just measure broad-based attacks against consumer brands. The numbers don’t attempt to catalog spear-phishing, which is highly targeted phishing that targets only a few specific people within a company. Truly, phishing is more pervasive and harmful than at any point in the past.”

“Criminals are re-inventing themselves all the time,” said Fabio Ramos, CEO of Axur. “We’ve seen a decrease in the numbers of regular phishing attacks – and an increase in other methods of fraud, such as malware fake services advertised through social media platforms.”


RiskIQ examined how phishing victims are fooled by phishers: not by the address in the browser bar, but by hyperlinks (which must be hovered over to even see the destination domain), by URL shorteners, which mask the destination domain, or by brand names inserted elsewhere in the URL than the domain.

“A relatively low percentage of phishing websites targeting a brand attempt to spoof that brand in the domain name—whether at the second-level or in the fully-qualified domain name,” says Jonathan Matkowsky, VP for intellectual property & brand security at RiskIQ. This is evidence that phishers do not need deceptive domain names to fool Internet users into visiting their sites.
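The RiskIQ observation above is easy to turn into a triage check. The script below is an added example and is not code from the APWG or RiskIQ report: it classifies where a target brand string sits in a URL (in the registrable domain, only in a subdomain, only in the path or query, or hidden behind a known shortener) and flags links whose visible text names a different domain than their href, the hover-to-see trick. The two-level suffix list, the shortener list and the sample URLs are constructed for the example; a production version would load the full Public Suffix List.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed for this example: a few two-level public suffixes so that the
# registrable domain of "paypal.example.co.uk" resolves to "example.co.uk".
# A real deployment would load the complete Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "com.br", "co.jp"}

# Constructed for this example: shortener hosts whose domain reveals nothing
# about the final destination.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "ift.tt"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_brand_use(url: str, brand: str) -> str:
    """Say where the brand string sits in the URL.

    'registrable-domain'  brand is in the domain the phisher registered
    'subdomain'           brand appears only in a subdomain label
    'path-or-query'       brand appears only in the path, query or fragment
    'shortener'           host is a known shortener; destination is hidden
    'none'                brand string does not appear at all
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    needle = brand.lower()
    if host in SHORTENER_HOSTS:
        return "shortener"
    reg = registrable_domain(host)
    if needle in reg:
        return "registrable-domain"
    # Everything left of the registrable domain is attacker-chosen subdomain.
    subdomain = host[: -len(reg)] if host.endswith(reg) else host
    if needle in subdomain:
        return "subdomain"
    rest = "/".join((parts.path, parts.query, parts.fragment)).lower()
    if needle in rest:
        return "path-or-query"
    return "none"


def link_text_mismatch(visible_text: str, href: str) -> bool:
    """True when the visible link text looks like a host or URL whose
    registrable domain differs from the href's (the hover-to-see trick)."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})",
                  visible_text.lower())
    if not m:
        return False  # plain text such as "Click here" cannot mismatch
    shown = registrable_domain(m.group(1))
    actual = registrable_domain((urlsplit(href).hostname or "").lower())
    return shown != actual


def tally(urls, brand: str) -> Counter:
    """Count how a set of phishing URLs for one brand uses the brand string."""
    return Counter(classify_brand_use(u, brand) for u in urls)


# Constructed sample URLs (not from the report), one per pattern.
SAMPLE_URLS = [
    "http://paypal.com.secure-login.example.net/signin",    # subdomain
    "https://example.co.uk/paypal/login.php?brand=paypal",  # path-or-query
    "http://bit.ly/3abc12x",                                # shortener
    "https://secure-paypal.com/login",                      # registrable-domain
    "https://www.example.org/update",                       # none
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_brand_use(u, 'paypal'):>19}  {u}")
    print(tally(SAMPLE_URLS, "paypal"))
```

Run over a brand's phishing URL feed, tally() gives the same breakdown the report describes; a high share of "subdomain" and "path-or-query" hits is the signal that domain-name monitoring alone will miss most of the campaign.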


from Help Net Security http://ift.tt/2mc6KhD

Global cloud security market to reach $13.93 billion by 2024

The cloud infrastructure has witnessed a significant growth in recent years and its popularity can be attributed to the on-demand services, scalability and flexibility, and the cost effective solutions it offers to organizations. The global cloud security market is expected to reach $13.93 billion by 2024, according to Grand View Research.

Global cloud security market, by application, 2014-2024 (million)


In addition to the tussle between public and private cloud, the emergence of hybrid cloud has given cloud users numerous different platforms and frameworks to choose from. As the adoption of cloud reaches new levels, the security issues concerning cloud users and vendors have come to the forefront.

“The expected growth in cloud security is a reflection of demand for solutions that protect data as it moves beyond the network perimeter. Regulatory compliance has come to the forefront as a critical component for organizations that want to deploy cloud apps,” said Anurag Kahol, CTO at Bitglass.

Key findings from the report suggest:

  • As an increasing number of organizations adopt the cloud, cyber-attacks and data breaches have increased dramatically, with highly sophisticated attacks targeting confidential data. The last two years have seen many high-profile data breaches, such as those at Ashley Madison, Home Depot and Anthem, and even at security providers such as Kaspersky Lab.
  • Cloud computing has been erasing traditional geographic boundaries with its world wide spread but the changing cloud regulations and government roles may complicate the market. While some countries such as Germany are opting for greater data privacy, other countries are striving for greater visibility in the internet traffic (such as U.S. and France).
  • Cloud security is also affected by industry-specific regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for healthcare and the Payment Card Industry Data Security Standard (PCI DSS) for the financial sector, as well as international frameworks such as the EU-US Safe Harbor arrangement and the European Union Data Protection Directive.
  • CA Technologies Inc., Cisco Systems, Fortinet Inc., IBM Corp., Intel Corp., TrendMicro, VMware and Symantec Corp. are some of the major industry players in this domain. Other key vendors include BMC Software, Bitium Inc., CloudPassage, Netskope, SkyHigh Networks Inc., Snoopwall Inc., Sophos, and Whitehat Virtual Technologies.
  • Key industry players such as CA Technologies, TrendMicro, Symantec Corp., Intel Corp. and IBM Corp. use technological alliances, partnerships and collaborations with other industry players to maintain market competencies.

Reduce cloud complexity

We’ve asked Hari Srinivasan, Director of Product Management for Cloud Platforms, Qualys, to take a look at the report, and below is his opinion.

The new report by Grand View Research emphasizes the growing emergence of enterprises with assets in a ‘hybrid-cloud’ state as they migrate workloads between various different public and private cloud platform options. We find that many of the companies we talk to think that security completely changes in the cloud, but securing those assets isn’t fundamentally much different. You still need the same set of security solutions used to secure on-premises IT, but there are three main cloud-specific concerns for these companies to address in order to reduce the complexity of cloud security.

First, some companies can underestimate the added complexity of maintaining their end of a shared security responsibility model for workloads deployed across different clouds. Infosec teams tasked with assessing priorities to secure data and infrastructure across AWS, Azure, Google and private cloud workloads can get bogged down by comparing scans from different security solutions for each platform.

Second, as companies move to the cloud, they need to be able to provide security visibility to a broader range of stakeholders than ever before. This means deploying security in a way that provides multiple forms of visibility spanning multiple platforms for a range of constituents, from single-pane executive dashboards for the CISO to automated API-based data for DevOps.

Finally, as companies leverage the cloud to embark on further digital transformation, the sheer scale of elastic workloads powering all those services can become cumbersome without scalable tools that can help manage asset discovery and tracking, internal asset scanning and application protection as well as external perimeter scanning across multiple platforms.

We find companies that can reduce these elements of security complexity by choosing cloud-centric security solutions will thrive on their journey to the cloud.


from Help Net Security http://ift.tt/2lo85wZ

Businesses still confused about GDPR

European businesses are still unsure about GDPR: almost 78% of IT decision makers at more than 700 European companies either lacked understanding of the regulation’s impact on their organizations or were completely unaware of it. However, encryption, which the GDPR addresses, is wanted by more than one in three companies in a new IDC survey.


“63% of confirmed data breaches are attributed to stolen or cracked passwords, indicating the critical need for an additional or alternative authentication factor… Anonymization of data is one option, encryption is another; both have pros and cons. Anonymization is good, but can be defeated by correlation from more sources. Encryption resolves that but – at least until recently – was seen as too complex and expensive for most small and medium-sized enterprises,” says IDC Research Manager Mark Child.

“Protecting customers and partners is of course paramount to the continued success and survival of any entity, however companies also increasingly recognize the business value of their data and are aware of the expanding legislative frameworks they must comply with and the penalties levied for failing to do so,” adds Child.


Still, the ground-breaking EU regulation is not completely understood by business. Of those that are aware of the GDPR, 20% say they are already compliant, 59% say they are working on it, and 21% say they are not prepared at all. IDC carried out its survey among IT professionals in more than 700 businesses in the Czech Republic, Germany, Italy, the Netherlands, Slovakia, Spain and the United Kingdom during Q4 of 2016.

Another interesting finding is the approach of European small and medium-sized enterprises towards encryption. “Many organizations recognize that their existing antimalware software is insufficient in the current threat environment, and half of respondents cited this as their top area to add to or upgrade,” says IDC’s Child. Encryption, which is mentioned in the GDPR regulation, is desired by 36% of the respondents.


from Help Net Security http://ift.tt/2lo3rz3

Five Tips for Dealing With Mice In Your Home

Mice are simultaneously cute and some of the most horrendous pests of all time. If you’re dealing with a minor infestation, these tips will help you reclaim your castle from the enemy invaders.

In this video from This Old House’s YouTube channel, contractor Roger Cook shares his top tips for getting a mouse out of the house. Here’s what you need to know:

  1. When using those classic, super-cheap snap traps, go with peanut butter instead of cheese. But don’t put too much on or they’ll lick some of it off without setting off the trap.
  2. Place traps along walls and in corners since those are the paths mice are most likely to take.
  3. Look for how the mice are getting in your home, then block it. You can fill a hole with a little insulation foam, then push in a wire cloth (with mesh smaller than 1/4"), and add more foam to cover the wire cloth. Even if they dig into the foam, they won’t be able to climb through.
  4. Steel wool is also useful for blocking entry points. Find the hole, then fill it with steel wool and push it in with a stick. Mice don’t like it and won’t chew on it to try and get in.
  5. If you do use catch and release traps, make sure you have a plan for the release part. It’s illegal in some states to transport and release animals on other people’s property.

You can also make use of repellents to keep them away once you have them out of your house. Poisons, while effective, aren’t ideal because the mice will die somewhere you can’t reach, and that can leave you with a pretty nasty smell. When all else fails, it’s time to call your local exterminator.

How to Choose a Mouse Trap | YouTube


from Lifehacker http://ift.tt/2mqshDD

News in brief: moon tourists to launch ‘next year’; health provider fined after breach; drone pilot jailed


Your daily round-up of some of the other stories in the news

Fly me to the moon

Space tourism has always been a staple of science fiction, but if all goes according to plan, two unnamed private citizens will be boarding a Dragon 2 spacecraft atop a SpaceX rocket by the end of next year to do a loop around the moon, blasting off from the iconic Cape Canaveral in Florida.

The two, who have paid “a significant deposit” for the privilege, won’t be the first space tourists by any means – seven well-off folk who have paid estimated fees of $20m each have blasted off in a Russian Soyuz to join the ISS. However, they will, if all goes well, be the first to go to and fly around the moon – which humans haven’t visited since December 1972.

SpaceX CEO Elon Musk told reporters that the trip will last about a week – though it’s worth noting that neither the rocket nor the spacecraft have flown yet, although the rocket will get a test flight this summer, with an unmanned trip for the spacecraft scheduled for later this year.

Healthcare provider fined after data exposed online

Back on earth, a healthcare provider based at a London hospital has been fined £200,000 after a patient discovered that details of private consultations between patients and a doctor about fertility treatment could be freely accessed online.

The UK’s Information Commissioner’s Office said that HCA International had been routinely sending unencrypted audio files of consultations at the Lister Hospital in London to a company in India for transcription since 2009, where they were stored on an insecure server.

This isn’t the first time an Indian company has exposed sensitive patient data online: in December, we reported that the records of 43,000 people, including HIV patients, were available on the servers of Health Solutions in Mumbai.

Steve Eckersley, the ICO’s head of enforcement, said that HCA International had “not only broken the law, it has betrayed the trust of its patients”.

Drone pilot jailed for 30 days

A 38-year-old man from Washington State was sentenced to 30 days in jail on Friday after a drone he was flying knocked out a woman at a Gay Pride event in Seattle. Paul Skinner, of Oak Harbor, was the first person to be charged with mishandling a drone in a public space, Seattle prosecutors said at the time of his conviction in December.

As we reported in January, Skinner had turned himself in after the incident in 2015, and plans to appeal the sentence.

The prosecutor, Seattle City attorney Pete Holmes, had sought a sentence of 90 days, saying at the time of the trial that drones are “a serious public safety issue that will only get worse”. Skinner could have faced a maximum sentence of 364 days in prison and a $5,000 fine.




from Naked Security http://ift.tt/2lvKRGc

This Video Explains Why "I Don't Have Time" Is a Poor Excuse

You can read all sorts of tips and articles on how to “save time,” but as Laura Vanderkam points out in her TED talk, “we don’t build the lives we want by saving time. We build the lives we want, and then time saves itself.” In other words, “time is a choice.”

Whether the goal is to clean out the garage, read a book, get to the gym and work out every day, or do those taxes, we’ve all found ourselves using the excuse “we don’t have time” and pushing it aside for later, when we think we’ll magically have more time. This TED talk is a useful reminder that it’s not necessarily because you don’t have enough time; it’s that the thing you want to do is just not important enough for you to want to do.

If you find yourself letting time and things slip away from you daily, you need to know the difference between urgent and important work and ruthlessly prioritize. Watch the full video to feel inspired to take back control of your time.

How to gain control of your free time | TED


from Lifehacker http://ift.tt/2lvjM6c

EU Still Concerned about Windows 10 Privacy Settings

We all should be concerned about the privacy settings in Windows 10. And we should be glad that the EU has the regulatory authority to do something about it.


from Schneier on Security http://ift.tt/2mGmW7a

ESET antivirus opens Macs to remote code execution

Like any other software, security software is sure to have some vulnerabilities that can be exploited by attackers.

The latest in a long list of examples that prove this fact is the recently revealed remote code execution flaw affecting all but the latest version of ESET Endpoint Antivirus 6 for macOS.


Discovered and reported by Jason Geffner and Jan Bee of the Google Security Team, the vulnerability (CVE-2016-9892) is present because the esets_daemon service is statically linked with an outdated version of the POCO XML parser library.

“This version of POCO is based on Expat (http://ift.tt/zzcbYb) version 2.0.1 from 2007-06-05, which has a publicly known XML parsing vulnerability (CVE-2016-0718) that allows for arbitrary code execution via malformed XML content,” the researchers explained.

“When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to http://ift.tt/2lPavqi. The esets_daemon service does not validate the web server’s certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.”

ESET has already fixed the flaw by upgrading the POCO parsing library to the latest build and by making the software verify the ESET licensing web server’s SSL certificate on all supported OS X/macOS versions.

So, if you use the software, make sure you upgrade to the latest version (6.4.168.0): the researchers have also released proof-of-concept code, which fortunately only demonstrates a crash rather than code execution.
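The root cause here is a statically linked copy of an old parser, which no package manager will report. The script below is an added check and is not code from ESET or the Google researchers: Expat's XML_ExpatVersion() returns a literal of the form "expat_2.0.1", and that string survives in any binary that links the library statically, so a byte scan of a daemon image flags a parser older than Expat 2.2.0, the release that fixed CVE-2016-0718. The sample byte strings are constructed for the example; audit_file() runs the same scan on a real binary. The scan says nothing about the separate certificate-validation fix.

```python
import re

# Expat embeds its version as the literal "expat_<major>.<minor>.<micro>".
EXPAT_VERSION_RE = re.compile(rb"expat_(\d+)\.(\d+)\.(\d+)")

# Expat 2.2.0 is the first release that fixes CVE-2016-0718.
CVE_2016_0718_FIXED_IN = (2, 2, 0)


def find_expat_versions(blob: bytes) -> list:
    """Return the distinct Expat versions embedded in blob, in order found."""
    seen = []
    for m in EXPAT_VERSION_RE.finditer(blob):
        version = tuple(int(x) for x in m.groups())
        if version not in seen:
            seen.append(version)
    return seen


def vulnerable_to_cve_2016_0718(version) -> bool:
    """Tuple comparison orders (2, 0, 1) < (2, 2, 0) as expected."""
    return tuple(version) < CVE_2016_0718_FIXED_IN


def audit(blob: bytes) -> dict:
    """Summarise which Expat builds a binary carries and which are affected."""
    versions = find_expat_versions(blob)
    dotted = [".".join(map(str, v)) for v in versions]
    return {
        "versions": dotted,
        "vulnerable": [d for d, v in zip(dotted, versions)
                       if vulnerable_to_cve_2016_0718(v)],
    }


def audit_file(path: str) -> dict:
    with open(path, "rb") as f:
        return audit(f.read())


# Constructed sample bytes standing in for a daemon image: a Mach-O 64-bit
# magic, some unrelated strings, and an old statically linked Expat that
# appears twice (the literal is typically present more than once).
SAMPLE_DAEMON = (
    b"\xcf\xfa\xed\xfe" + b"esets_daemon\x00" + b"expat_2.0.1\x00"
    + b"POCO\x00" + b"expat_2.0.1\x00"
)
# Constructed: the same layout after the library has been updated.
SAMPLE_PATCHED = b"\xcf\xfa\xed\xfe" + b"esets_daemon\x00" + b"expat_2.2.0\x00"

if __name__ == "__main__":
    print("old build:", audit(SAMPLE_DAEMON))
    print("patched:  ", audit(SAMPLE_PATCHED))
```

Treat a hit as a lead rather than proof: a vendor may backport the fix without bumping the version string, and a dynamically linked Expat shows up in the system library rather than the daemon, so the check is only as good as the build practices of the product under review.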

Google researchers have been analyzing security software for vulnerabilities for a few years now. The company’s Project Zero team, which aims to improve the security of any software that has a large user-base, has unearthed serious vulnerabilities in Kaspersky and FireEye products, Trend Micro and Comodo security software, the consumer version of Malwarebytes Anti-Malware, Symantec’s anti-virus engine, and others.


from Help Net Security http://ift.tt/2moSS3Q

Friction matters: Data security lessons from Snapchat and Google


In this podcast recorded at RSA Conference 2017, Grant Shirk and Veliz Perez, Head of Product Marketing and Product Marketing Manager at Vera respectively, talk about how the need to protect confidential data extends past the borders of your business.


Here’s a transcript of the podcast for your convenience.

Grant Shirk: Hey, everyone! This is Grant, over here, at Vera Security. And I’m joined by Veliz Perez, part of my Product Marketing team. And we’re really excited to be on this podcast, and talking to you from the RSA Conference in San Francisco.

Veliz Perez: Yeah, that’s right. We are live at the RSA Conference. And, you know, Grant, there are a lot of things that we could talk today about in the world of cybersecurity. Obviously, we’re going to talk about Snapchat. And specifically, Snapchat’s Spectacles.

For years now, at Vera, we’ve said that security companies can really learn a lot from how consumer products are marketed, adopted and used in the enterprise. And there are hundreds of examples that come to mind, and hundreds of examples that we could draw on, but really, the difference between how Snapchat built Spectacles compared to Google Glass makes a great parable for our industry.

Grant Shirk: I love parables, because essentially, this is a story about a friction in an experience, whether it’s the user experience or the acquisition experience can really alter the path of a product.

Veliz Perez: That’s right. And those of you that remember Google Glass, the one word that summed up the entire Google Glass project was ‘glassholes’. And everything about its implementation, from its launch to its adoption was defined by how clunky, and intrusive, and just kind of plain out weird it was. And it’s not a surprise that the product failed and Google shut down the project.

Grant Shirk: Yeah, essentially. Does that sound like any other security products that you know? I mean, that’s the contrast that we’re talking about. On the surface… Now, if you make the comparison, Snap built essentially a duplicate product coming into this market. It’s a pair of glasses, you wear it to capture images and video of what’s going on around you. But from concept, to launch, to execution, their focus outside of what they were building was really eliminating friction at absolutely every step of the way. The product itself, instead of trying to capture a huge universe of use cases, is defined by its utmost simplicity.

Veliz Perez: In hindsight, it sounds like, ‘Well, of course you’d want to build the most simple product.’ But it’s really hard to replicate that, it’s really hard to build a product that’s super simple. And it’s something that most security companies forget. And I’ve seen that time and time again at RSAC.

So, at Vera, it’s really our mission to remove the friction associated with data and email security, and make it as intuitive and simple as possible. And that really takes us to our most recent product launch, which is Vera for Mail.

Grant Shirk: I think there’s an obvious parallel to the world of security. We start with this big idea that this… At RSA so often the conversation that you have when you go to the booths and you go to these sessions, it’s about features or capabilities, it’s the strength of the security, it’s the machine learning, it’s the encryption, it’s how people are using big data in interesting ways. But in every single conversation I’ve had this week, this challenge of friction is completely ignored, but it’s this thing that’s right in front of us; and particularly when you look at email security. This is a 30-year problem. And not only is it an old problem, it’s a big problem.

Diving into it a little bit more, Cisco just released their 2017 cybersecurity survey. And there were a couple of things that really jumped out in this area, and they really hit close to home. And the headline of this is that email security is one of the least trusted, least effective tools in the organization. But at the same time, for most organizations of any size, somewhere between 75% and 80% of their sensitive content, IP, and even thoughts, hopes and prayers for the organization are transmitted through email. And there’s this weird disconnect in that where in this survey, nine out of ten security pros have zero faith in the effectiveness of their email solution. That’s kind of a problem, especially when data exfiltration is one of the challenges called out as the biggest issue. And I think a big part of it is friction. So much of it is built on these older technologies, PGP, S/MIME. I mean, we collaborate a lot, but we don’t live in a world anymore where we can actually go to a PGP party, check IDs and pass around keys. It just doesn’t work.

Veliz Perez: I have never been to a PGP party, but I think that’s a good thing. I think when you look at all these stats, it kind of boils down to one thing. We’ve destroyed trust in email security. And so, if I send an email, I don’t have any tools to protect it and the enterprise, I don’t know if it’s going to be forwarded. And at Vera, we’re going to change that.

And so, last week we announced our new product, Vera for Mail, which is essentially enterprise grade security for email that your team will love. And so, Vera for Mail seamlessly secures the body of email messages and ensures that your confidential data is viewed only by trusted parties. Vera is going to be a single way to secure your files, emails and any other communication without adding any friction to your organization.


So what does that mean in practice? If I assign Grant an email, then only Grant can access it. And this is beyond encryption or access control. So if he downloads an attachment, I can track and control that document through its entire lifecycle. No PGP party, no proprietary plug-ins, no complicated key exchange, frictionless. And if I no longer work with Grant as a trusted partner, I have a kill switch for my email messages that actually works.

Grant Shirk: You wouldn’t actually do that to me, would you?

Veliz Perez: Maybe.

Grant Shirk: Okay. So, to wrap up, we talked to our customers a lot. We came from this world of file security, thinking about unstructured data and how can we protect it in a world where we can’t control where it’s placed or how it’s stored. And our customers, having kind of tackled that, they’re still frustrated with the complexity of securing communication. It always feels like it’s another system, something else to bolt on, something else to integrate, another place to manage the data. ‘And it’s even still another tool I have to teach people how to use.’ And particularly when it comes to email, any additional friction is a deal-breaker. And so, that is a critical point of entry.

And so, as it turns out, I think we actually paid this off. There is a connection between the story of Snap and Google Glass. If you have a solution that is appealing to people, that accomplishes simple tasks in simple ways, in a way that doesn’t force them to think too hard about what they’re doing, doesn’t introduce weird uncomfortable barriers to adoption, either technological or social, people actually line up to try it. But if you don’t, you kind of wind up the only glasshole in the room.

So we’re really excited to get Vera for Mail into our customers’ hands and also with the broader world. We’ve launched it in private beta. If you’re interested, we would love to share it with you, and have your organization sign up for it. And you can get a sneak peek at that at vera.com. Thanks, Help Net! This has been a really good conversation.

RSA Conference 2017


from Help Net Security http://ift.tt/2ltEkvL

Germans, Czechs served with banking malware through SMS

German and Czech Android users are getting served with a banking Trojan directly through text messages, warns malware researcher Bart Blaze.

The message claims that the user has missed the delivery of a package by the DHL delivery service (or by the Czech Post, or by Czech-based online shop Alza), and should download a mobile app to arrange a new delivery attempt:


A direct link to the app is helpfully provided, but the “DHL Express Mobile”, “Posta Online”, or “Alza” apps that get downloaded are actually the Marcher banking trojan.

The malware asks for device administrator rights, checks for the presence of antivirus and security applications, and targets a variety of mobile apps of German and Czech banks and other financial organizations: ČSOB, Star Finanz, Deutsche Kreditbank (DKB), Commerzbank, Raiffeisenbank, and more:


The Marcher malware has been around since 2013, and its main goal is to steal mobile banking app credentials by overlaying fake forms over the screens of legitimate apps. As the malware is available as a kit for sale on dark web markets, different buyers masquerade it as different types of apps, and choose different targets and distribution methods.

Cleaning an infected device

Users who have fallen for the trick and have installed one of these fake apps will have to work to uninstall it.

“Marcher installs itself as Device Administrator, effectively making the user unable to force the process to stop or uninstall the application normally,” Blaze notes.

If you attempt to force uninstall the application, it will repeatedly pop up the device administrator prompt.

Blaze says that the best way to clean up the device is to back up your files, restore your device to factory settings or wipe it and reinstall the OS.

Afterwards, be sure to change your mobile banking passwords and to notify your bank of the incident.


from Help Net Security http://ift.tt/2mopLO7

Millions of smart devices in Spain are vulnerable to attack

Avast revealed the findings of its research experiment into smart devices, including public and private webcam vulnerabilities in Spain, and, specifically, in Barcelona.


Avast identified more than 22,000 webcams and baby monitors in the city that are vulnerable to attack, which means that cybercriminals could livestream the videos directly to the Internet. The findings identified more than 493,000 smart devices in Barcelona and 5.3 million in Spain overall – including smart kettles, coffee machines, garage doors, fridges, thermostats and other IP-connected devices – that are connected to the internet and vulnerable to attacks.

In the experiment, Avast found:

  • More than 5.3 million vulnerable smart devices in Spain, and more than 493,000 in Barcelona
  • More than 150,000 hackable webcams in Spain and more than 22,000 in Barcelona
  • More than 79,000 vulnerable smart kettles and coffee machines in Spain
  • More than 444,000 devices in Spain exposing Telnet, the protocol whose weak default logins the Mirai botnet abused to recruit the devices it used in its 2016 attack on Dyn, which knocked sites such as Twitter, Amazon and Reddit offline

Conducted in partnership with IoT search engine Shodan.io, the experiment proves just how easy it is for anyone – including cybercriminals – to scan IP addresses and ports over the Internet and classify what device is on each IP address. And, with a little extra effort and know-how, hackers can also find out the type of device (webcam, printer, smart kettle, fridge and so on), brand, model and the version of software it is running.

“With databases of commonly known device vulnerabilities publicly available, it doesn’t take a vast amount of effort and knowledge for cybercriminals to connect the dots and find out which devices are vulnerable,” comments Vince Steckler, CEO at Avast. “And even if the devices are password protected, hackers often gain access by trying out the most common user names and passwords until they crack it.”
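The classification step described above, turning a banner returned by a scanned port into a device type, software name and version, as an added Python example that is not part of the Avast or Shodan research: the scan results, the fingerprint rules and the addresses are all constructed for this example, and a real classifier carries far more rules. It also flags the two conditions the article singles out as the starting point for credential guessing, an exposed Telnet login prompt and HTTP Basic authentication.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed scan results in the (ip, port, banner) shape a port scanner or a
# Shodan-style search returns. Documentation addresses and typical embedded
# banners; none of these are real hosts.
SAMPLE_RESULTS: List[Tuple[str, int, str]] = [
    ("198.51.100.10", 80, 'HTTP/1.1 401 Unauthorized\r\nServer: Boa/0.94.14rc21\r\n'
                          'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n'),
    ("198.51.100.11", 23, "\r\nBusyBox v1.12.1 (2016-03-01 10:22:11 CET) built-in shell (ash)\r\nlogin: "),
    ("198.51.100.12", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.18 (Ubuntu)\r\n\r\n"),
    ("198.51.100.13", 9100, '@PJL INFO ID\r\n"HP LaserJet 400 M401dn"\r\n'),
]

# Fingerprint rules, most specific first: the first regex that matches decides the
# device type. These four are made up for the example.
RULES = [
    ("webcam", re.compile(r'realm="?(IP ?Camera|Webcam|NetCam)|RTSP/1\.0', re.I)),
    ("printer", re.compile(r"@PJL|LaserJet|JetDirect", re.I)),
    ("embedded-shell", re.compile(r"BusyBox v[\d.]+")),
    ("web-server", re.compile(r"^HTTP/1\.[01] \d{3}")),
]
SERVER_RE = re.compile(r"^Server:\s*([^/\r\n]+)/?([\w.\-]*)", re.I | re.M)
BUSYBOX_RE = re.compile(r"BusyBox v([\d.]+)")


@dataclass
class Fingerprint:
    ip: str
    port: int
    device_type: str = "unknown"
    software: Optional[str] = None
    version: Optional[str] = None
    exposures: List[str] = field(default_factory=list)


def fingerprint(ip: str, port: int, banner: str) -> Fingerprint:
    """Classify one banner: device type, software and version, plus the exposures
    that make default-credential guessing possible."""
    fp = Fingerprint(ip, port)
    for device_type, pattern in RULES:
        if pattern.search(banner):
            fp.device_type = device_type
            break
    m = SERVER_RE.search(banner)            # HTTP/RTSP style "Server:" header
    if m:
        fp.software, fp.version = m.group(1).strip(), (m.group(2) or None)
    else:
        m = BUSYBOX_RE.search(banner)       # Telnet shells usually announce BusyBox
        if m:
            fp.software, fp.version = "BusyBox", m.group(1)
    if port == 23 and re.search(r"login:\s*$", banner):
        fp.exposures.append("telnet-login")
    if "WWW-Authenticate: Basic" in banner:
        fp.exposures.append("http-basic-auth")
    return fp


def triage(results) -> List[Fingerprint]:
    return [fingerprint(ip, port, banner) for ip, port, banner in results]


def summarize(fps: List[Fingerprint]) -> dict:
    """Counts of the kind the Avast report presents: devices per type and how many
    expose a Telnet login or HTTP Basic auth."""
    summary = {"by_type": {}, "telnet_exposed": 0, "basic_auth": 0}
    for fp in fps:
        summary["by_type"][fp.device_type] = summary["by_type"].get(fp.device_type, 0) + 1
        summary["telnet_exposed"] += "telnet-login" in fp.exposures
        summary["basic_auth"] += "http-basic-auth" in fp.exposures
    return summary


if __name__ == "__main__":
    fps = triage(SAMPLE_RESULTS)
    for fp in fps:
        print(fp)
    print(summarize(fps))
```

The rule order matters: an IP camera's web interface also answers with an `HTTP/1.1` status line, so the generic web-server rule has to come last or every camera is counted as a web server.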

Invasion of privacy

As webcams and other devices are vulnerable, there are a range of security, legal and privacy concerns to be addressed. Snoopers could easily access and watch Mobile World Congress visitors and Barcelona residents in private and public spaces, and stream the video directly to the internet, or turn the device into a bot.

Smart device manufacturers also collect and store private user data, including behavioral data, contact information, and credit card details, which poses an additional risk if intercepted by cybercriminals. And while the problem is in no way confined to Barcelona, Spain, or indeed to webcams, it is particularly challenging for the city as it is hosting thousands of mobile and technology industry executives at Mobile World Congress 2017 this week.

From infection to attack

With hundreds or thousands of vulnerable devices, cybercriminals can create a botnet to attack and take down servers and websites. When a device is infected, it can also be used to infect other devices, to add them to a botnet, or to take control over them and do harm to their owner. This includes kitchen and other household devices, to which cybercriminals can give remote orders, for example, to heat up water in a kettle.


from Help Net Security http://ift.tt/2l76zo5

Monday, February 27, 2017

Rewriting the rules on how to protect against evolving adversaries

Hackers are getting better at exploiting your organization’s increasingly complex IT environment. Adversaries are using highly customized attack campaigns to infiltrate their targets and evade detection for long periods of time. In this podcast recorded at RSA Conference 2017, Yonatan Striem-Amit, CTO and co-founder of Cybereason, talks about how his company defends complex IT ecosystems.


Here’s a transcript of the podcast for your convenience.

My name is Yonatan Striem-Amit. I’m the CTO and co-founder of Cybereason. I started the company five years ago with two of my dearest friends. Our mission was simple – we want to take and reverse the hacker advantage.

At the time – and it still is true today – hackers were getting the upper hand all the time. And we figured, knowing how hackers operate is key to understanding how to beat them, and the industry was thinking about it wrong. They were trying to just prevent the entry without thinking what the hackers were doing afterwards. So we came and built a technology which started by looking at them, then analyzing data in massive scale to find out what the hackers were doing. And repeatedly, what we’ve done is we’ve reversed the hacker advantage.

The industry theory a few years ago was that the attackers have to win once and the defenders have to win all the time. With Cybereason, when we set out on our mission, we reversed it. Every single loss for a hacker is a humongous strategy loss for him. As you may know, when you try to hack into a network, you don’t just do one thing, you don’t come in and leave immediately with everything done, there’s a huge amount of actions and steps that go with it. That has been the company’s mission from the get-go.

We recently announced an extension of the way we deliver that reversal of the mission. This is our total endpoint protection platform which combines the ability of the engine to do very massive large-scale analysis of what hackers are doing in the environment, and finally rooting them out. With a protection engine that also delivers next generation protection to your endpoint.

With Cybereason, you can have situations where if somebody is trying to get in using malware, we’ll stop him at the malware level, the protection of the endpoint level. If he’s using non-malware-based technology, every action it does can be served to find them, and then drive protection to the environment. Essentially, taking care of the entire protection stack; not for the individual endpoint, but for the enterprise as a whole.

RSA Conference 2017


from Help Net Security http://ift.tt/2mFtVgQ

500,000+ devices have dangerous apps installed

At Mobile World Congress (MWC) 2017, connected cars, the future of smart homes and, of course, the newest handsets are top of the agenda. Intel Security’s latest findings show consumers are being tempted by the efficiency and entertainment of such connected devices, revealing the average British person now spends 35% of their time at home online.


Despite leading increasingly connected lifestyles, half of Brits (50%) have no idea how to check if their connected devices have ever been compromised, and a further 32% said they were unsure how to check if devices had been breached.

People not only need to understand the security risks associated with laptops and tablets, but also with connected devices such as smart TVs, speakers and connected cars, and manufacturers must take responsibility for ensuring security is built in to the foundations of new products.

“Our recent research showed that more than three quarters of parents (79%) are concerned about their children interacting with a social predator or cybercriminal online,” comments Raj Samani, EMEA CTO of Intel Security. “Yet two fifths (40%) of parents do not keep track of their children’s Internet usage, and a third (29%) say that they would monitor their children’s online activity if there was an easier way of doing it.”

Dead apps can be deadly

It’s not just apps that are live in app stores that represent a risk. Telemetry data collected by McAfee Labs shows that more than 500,000 actively used devices still have dead apps (apps that have since been pulled from the store) installed. With more than 2 million apps in each of the major app stores, malicious apps find ways through the store curators’ initial quality-control process.

In the past year, more than 4,000 apps were removed from Google Play, without notification to users. These users and the organisations they work for are still exposed to any vulnerabilities, privacy risks, or malware contained in these dead apps.

One recent example is a password stealer, distributed on Google Play as a variety of utilities and tools to acquire Instagram followers or analyse usage. The malware leads the user to a phishing website with a simple design that makes it difficult to distinguish between the legitimate and the fake, easily capturing users’ credentials.

“To avoid losing personal data to dead apps, consumers need to pay close attention to the apps they’ve downloaded and research the developer and reviews about any app before installing it,” comments Raj Samani. “They should also look for a security tool that can identify apps which are no longer on the store and, even better, can provide some information on why they were removed.”

Protecting your personal data

Intel Security’s top tips for protecting your personal data:

Lock down your devices. Our devices are like an extension of our bodies. It’s imperative that they are locked down with a strong PIN code, as well as complex and unique passwords to prevent unauthorized access. Use a multi-factor authentication (MFA) solution, like True Key by Intel Security, that combines your strong passwords with an extra layer of security – like your fingerprint or facial recognition.

Keep your devices updated. Be sure to update your devices when new versions of the operating system or applications become available. Updates often include critical security fixes designed to patch and protect from attacks.

Take control of your home network. Setting up a guest Wi-Fi network allows visitors to access the internet but keeps your home network private and isolated from their devices. You can also put your IoT devices (smart home devices, wearables, etc.) on that separate network, away from the traditional connected devices (laptops, smartphones, tablets, etc.) where more sensitive information is stored, so that if an IoT device is compromised, the breach is contained to the devices on the guest network.


from Help Net Security http://ift.tt/2m5VLWL

Upgrade Your Audio and Your Desktop With Audioengine's HD3 Speakers

Audioengine products have finished in the top five of our reader votes for best desktop or bookshelf speakers three different times, and their newer HD3s are packing serious sound and style.

Let’s start with the outside. The HD3's housing is a beautiful mix of wood and aluminum, with detachable magnetic grills just to show off. We never complain about front-facing volume control and headphone out either. Inputs include USB, dual analog, and Bluetooth with aptX. You’ll want to use the USB input if these are on your desktop, but the higher-fidelity Bluetooth is definitely a welcome addition anywhere else.

The HD3s sound great, but as with most Audioengine products, they sound really great for their size. It’s no surprise that the low end on a pair of bookshelf speakers isn’t rattling the walls, and the overall sound is clean with great dynamics, especially in the vocal range.

Everything on the HD3s is premium, from the wood to the aptX receiver to the 24-bit DAC, and you already know whether you’ll get your money’s worth based on your own listening habits. If not, Audioengine’s own A2+ system is still a fantastic option, even more compact, and most importantly, also comes in red.



from Lifehacker http://ift.tt/2lov7pk

Three Tips to Help You Avoid Hitchhiking Bed Bugs From a Hotel Room

Bed bugs are crafty little things. Not only will they make even a nice hotel room their home, but they’ll cling to your clothes and climb in your bag to go home with you. These tips can help you avoid such unwanted guests.

This video from the Consumer Reports YouTube channel shares some great advice on checking your hotel room for the nasty little critters (most of which we’ve talked about before.) But the video also offers some additional tips you may or may not know about:

  1. Pack large trash bags in your luggage and keep your stuff in them during your stay.
  2. Toss your clothes in the dryer for 30 minutes when you get home. The heat will help kill any clingy stragglers.
  3. Store your empty luggage in the garage, basement, or a warm attic after your trip. That keeps any bugs from easily making their way to your bedding, furniture, and clothes.

If you take the time to do a proper check and follow this advice, you should be able to travel bed bug free.

How to Check for Bed Bugs in a Hotel Room | YouTube


from Lifehacker http://ift.tt/2mE91OU

Adm. Rogers Talks about Buying Cyberweapons

At a talk last week, the head of US Cyber Command and the NSA, Mike Rogers, talked about the US buying cyberweapons from arms manufacturers.

"In the application of kinetic functionality -- weapons -- we go to the private sector and say, 'Build this thing we call a [joint directed-attack munition], a [Tomahawk land-attack munition].' Fill in the blank," he said.

"On the offensive side, to date, we have done almost all of our weapons development internally. And part of me goes -- five to ten years from now is that a long-term sustainable model? Does that enable you to access fully the capabilities resident in the private sector? I'm still trying to work my way through that, intellectually."

Businesses already flog exploits, security vulnerability details, spyware, and similar stuff to US intelligence agencies, and Rogers is clearly considering stepping that trade up a notch.

Already, Third World countries are buying from cyberweapons arms manufacturers. My guess is that he's right and the US will be doing that in the future, too.


from Schneier on Security http://ift.tt/2mxpyF5

Cloudbleed’s silver lining: the response system worked


Cloudbleed is a serious vulnerability in Cloudflare’s Internet infrastructure that Google Project Zero researcher Tavis Ormandy discovered in mid-February. Much has been made of its severity, and rightly so. But there’s another part of the story.

Though the handling was not perfect, many industry experts believe the incident was handled well by all sides, and is an example other companies can follow if they someday find themselves in Cloudflare’s position.

There have been some points of contention along the way. Some believe Ormandy jumped the gun and announced the vulnerability before the date he had worked out with Cloudflare, throwing the company into an unnecessary scramble.

But industry experts also praise Ormandy for finding this proverbial needle in a haystack, and Cloudflare for patching the vulnerability with lightning speed. Cloudflare is also getting credit for its honest, detailed public response.

Cloudbleed defined

Ormandy contacted Cloudflare to report a vulnerability in its edge servers on Feb. 17. It turned out that a single character in Cloudflare’s code caused the problem. In its blog post, Cloudflare said the issue stemmed from its decision to use a new HTML parser called cf-html.

From the Cloudflare blog:

It turned out that in some unusual circumstances, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines. We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

Ormandy also laid out the details in this advisory. He said:

This situation was unusual, PII was actively being downloaded by crawlers and users during normal usage, they just didn’t understand what they were seeing. Seconds mattered here, emails to support on a Friday evening were not going to cut it. I don’t have any Cloudflare contacts, so reached out for an urgent contact on twitter, and quickly reached the right people. After I explained the situation, Cloudflare quickly reproduced the problem, told me they had convened an incident and had an initial mitigation in place within an hour.
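Cloudflare’s post says its edge servers ran past the end of a buffer, and the article says a single character was responsible; the page does not say which. The Python below is therefore an added illustration rather than Cloudflare’s code: it simulates process memory as one flat byte array in which the request being parsed is followed by another request’s cookie, and scans it with an end-of-buffer test that checks for equality with the end position instead of greater-or-equal. The HTML, the neighbouring data and the simplified tokenizer are all constructed for the example.

```python
from typing import List

# Simulated process memory, constructed for the example: the request body the parser
# is allowed to read, immediately followed by an unrelated allocation (a cookie from
# another request), the way neighbouring heap buffers sit next to each other.
REQUEST_HTML = b"<a href=/x>ok</a><script"        # ends in an unterminated tag
NEIGHBOUR = b"Cookie: session=SECRET-TOKEN-1234; path=/"
MEMORY = bytearray(REQUEST_HTML + NEIGHBOUR)


def extract_text(memory: bytearray, start: int, length: int, strict_bound: bool) -> List[bytes]:
    """Return the text runs found between tags in memory[start:start+length].

    strict_bound=True stops as soon as p >= end. strict_bound=False stops only when
    p == end, the one-character difference that matters once a tag handler has moved
    p past end: the equality test never fires again and the scan continues into
    whatever memory follows the buffer."""
    end = start + length
    p = start
    runs: List[bytes] = []
    current = bytearray()
    while p < len(memory):          # stands in for the page boundary where a real process would crash
        if (p >= end) if strict_bound else (p == end):
            break
        if memory[p] == ord("<"):
            if current:
                runs.append(bytes(current))
                current = bytearray()
            close = memory.find(b">", p, end)
            # A tag with no '>' before the end of the buffer: the tag handler consumes
            # the rest of the buffer plus the '>' it assumed was there, so p = end + 1.
            p = close + 1 if close != -1 else end + 1
        else:
            current.append(memory[p])
            p += 1
    if current:
        runs.append(bytes(current))
    return runs


def demonstrate():
    """Same memory, same buffer, both checks; returns (leaky_runs, fixed_runs)."""
    leaky = extract_text(MEMORY, 0, len(REQUEST_HTML), strict_bound=False)
    fixed = extract_text(MEMORY, 0, len(REQUEST_HTML), strict_bound=True)
    return leaky, fixed


if __name__ == "__main__":
    leaky, fixed = demonstrate()
    print("== check:", leaky)    # second run is the neighbouring request's cookie
    print(">= check:", fixed)
```

The leaked run is exactly what Cloudflare describes: bytes from adjacent memory emitted into the response as if they were page content, which is why cached copies of affected pages contained other customers’ cookies and tokens.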

Despite (or perhaps because) Ormandy started his advisory with “It took every ounce of strength not to call this issue ‘cloudbleed'”, the flaw quickly received the same branding treatment given to such previous blockbuster vulnerabilities as Heartbleed and Shellshock. It got a catchy name and logo.

A rush to go public?

On the surface, this researcher-to-vendor collaboration went well. But in recent days, some in the security industry have suggested that Ormandy announced the bug too soon – specifically, sooner than the window he had originally worked out with Cloudflare.

When a researcher works with a vendor to mitigate a vulnerability, a window between discovery and public announcement is typically worked out so the affected organization has time to properly close the security hole and make sure customers are adequately protected.

Sources close to Cloudflare say that Ormandy went public earlier than promised, sending Cloudflare into a scramble to complete its investigation and communicate with customers.

Ormandy did not return requests for comment.

Misplaced rage

Wim Remes, CEO and principal consultant at NRJ Security, said criticism toward Ormandy is misplaced. In a conversation on Facebook Messenger Friday, he said the social media echo chamber was distorting matters.

“You’re either for or against Tavis Ormandy, you’re ok with Cloudflare’s approach or you aren’t, and so on,” he said. “It doesn’t really matter.”

In a blog post, he described this as misplaced rage. If companies using third-party service providers like Cloudflare took the time to understand what they were paying for and did more on their end to ensure security, the issues described above wouldn’t matter. He wrote:

I think I’ve been repeating the same mantra to companies for at least a decade: You outsource process and function, but never responsibility. If you include third-party services in your product, no matter what they are, you need to go beyond having the supplier fill in a 400-question SIG questionnaire. You have to actually freaking test that component as if it is a pacemaker that your mother will get implanted. Third-party components remain your responsibility!

Since it’s a responsibility companies don’t seem to take seriously, people should simply be thankful to Ormandy and Cloudflare for getting Cloudbleed sorted out, Remes said.

Defensive measures

Though Cloudflare dealt swiftly with Cloudbleed, there’s still concern about any potential damage done. Ryan Lackey, a well-known industry professional and former Cloudflare employee, mapped out the risks in his blog post:

While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months. Some of this data was cached publicly in search engines such as Google, and is being removed. Other data might exist in other caches and services throughout the Internet, and obviously it is impossible to coordinate deletion across all of these locations. There is always the potential someone malicious discovered this vulnerability independently and before Tavis, and may have been actively exploiting it, but there is no evidence to support this theory. Unfortunately, it is also difficult to conclusively disprove.

With that in mind, Lackey suggested site owners and administrators who use Cloudflare take the following steps:

  • Change your passwords. “While this is in all probability not necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues,” he said.
  • Use this incident to improve response plans. The situation presents a prime opportunity for users to put their incident handling process to the test. Lackey suggests companies and individuals discuss the specific impact to their application and what response makes the most sense.
  • Invalidate authentication credentials for mobile applications and other machine-to-machine communications such as IoT devices. This forces users to re-enroll apps and devices if they used Cloudflare as an infrastructure provider. It may not be as effective as having everyone change their passwords, Lackey wrote, but it’s still a useful exercise.
  • Review what this means from a compliance perspective. Lackey said that if an application or website is on Cloudflare and is subject to industry or national regulation, Cloudbleed may count as a reportable incident. “Your security and compliance teams should evaluate. Obviously, full compliance with applicable regulations is an essential part of security,” he said.
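Lackey’s third step, invalidating every outstanding app and device credential at once, is straightforward when tokens carry the epoch they were issued under: bumping the epoch rejects everything issued before it without hunting down individual tokens. The Python below is an added example, not code from Lackey’s post or from Cloudflare; the token format (HMAC-SHA256 over a base64 JSON body), the epoch counter and the secret are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


class TokenService:
    """Issues HMAC-signed bearer tokens that record the epoch they were issued under.
    invalidate_all() bumps the epoch, which rejects every earlier token in one step."""

    def __init__(self, secret: bytes):
        self._secret = secret     # constructed placeholder; a real service loads this from a KMS
        self.epoch = 1

    def _sign(self, body: bytes) -> bytes:
        return base64.urlsafe_b64encode(
            hmac.new(self._secret, body, hashlib.sha256).digest()).rstrip(b"=")

    def issue(self, subject: str, device: str) -> str:
        claims = {"sub": subject, "dev": device, "epoch": self.epoch}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, separators=(",", ":")).encode()).rstrip(b"=")
        return (body + b"." + self._sign(body)).decode()

    def verify(self, token: str) -> Optional[dict]:
        """Return the claims if the signature is valid and the token was issued under
        the current epoch; None otherwise (the client must re-enrol)."""
        try:
            body, sig = token.encode().split(b".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(self._sign(body), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        if claims.get("epoch", 0) < self.epoch:
            return None
        return claims

    def invalidate_all(self) -> int:
        """Incident response step: every token issued so far stops verifying."""
        self.epoch += 1
        return self.epoch


if __name__ == "__main__":
    svc = TokenService(b"constructed-secret-for-the-example")
    token = svc.issue("alice", "phone-1")
    print("before:", svc.verify(token))
    svc.invalidate_all()
    print("after :", svc.verify(token))      # None: the app has to re-enrol
```

The epoch has to be persisted alongside the signing key so that every server instance rejects the same tokens; rotating the signing key itself has the same effect but also breaks tokens you may want to keep honouring, such as those issued after the mitigation.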



from Naked Security http://ift.tt/2lgGGx3

Attackers using cracked builder to duplicate and spread Betabot

Thanks to Tad Heppner of SophosLabs for his help with this article.

Some attackers love Betabot malware but not all of them like paying for it.

Betabot is a malware family used to hijack computers and force them to join botnets. It has been used to steal passwords and banking information, and has most recently been used in ransomware campaigns.

Though attackers have found it easy to use, buying the Betabot builder from its creators isn’t cheap. To get around that, some have been using cracked builders to copy the original design without paying for it.

In a new paper, SophosLabs researcher Tad Heppner focuses on Betabot samples produced from cracked builders to dissect the malware’s capabilities and associated botnet server components. His ultimate goal: explore how to extract and decrypt the configuration data.

Specifically, Heppner explains how to use the cryptographic keys encoded in the malware’s configuration data to decode communications between the bot and the command-and-control server.

Most of the methods described in the paper focus on Betabot 1.7 malware produced using a cracked Betabot builder. It also includes information on alternate methods researchers can use to decode older Betabot versions and a related variant called Neurevt.

Betabot summarized

As malware goes, Betabot is pretty old. New variations have popped up over time as the authors continually revise and update it. The most prevalent revision found in the wild is Betabot 1.7.

The number of Betabot infections found in the wild in recent years has fluctuated. Along the way, larger campaigns have introduced new methods to pack and distribute the bot client in an attempt to circumvent antivirus.

SophosLabs has also discovered samples that attempt to connect to control servers without public domain or IP addresses, suggesting they may reside entirely within a private network.


Rumors of a 1.8 version have circulated on several hacking sites. But the majority of samples investigated have been 1.7 versions of the botnet or versions that have been slightly modified after the fact with no significant changes to the existing Betabot components.

The most significant change in 1.7 from its 1.6 predecessor was the inclusion of an additional layer of HC128 encryption on the individual command and control [CnC] server entries within the malware’s configuration data structure.

Cracked Betabot builders are all the rage

Betabot’s command-and-control (CnC) server interface is easy to use and is favored by cybercriminals who either lack the technical knowledge or desire to author a botnet framework themselves.

The Betabot malware package is advertised on black markets for around $120 USD and is typically purchased by contacting the author directly to arrange payment.

But the existence of cracked builders indicates cybercriminals are not only targeting members of the unsuspecting public, but also other malware authors with the goal of stealing their work.


The crack itself consists of a console-based builder application with the compiled Betabot template code stored as a byte array within the data section of the builder application itself.

Though this isn’t unprecedented, the increased availability due to the use of a software crack often results in an increase in new parties using the malware family.

Betabot creators fight back

Betabot’s creators have taken steps to add some antipiracy measures to their toolkits to ensure they get paid when other cybercriminals use their malware.

Among other things, the authors have added complexity to the process for encoding the configuration data inside the bot payload. The configuration data includes the URLs of the CnC server(s) that the bot will connect to as well as encryption keys that will be used to encrypt and decrypt the information sent to the individual CnC server(s).

This configuration data is encrypted and stored within the bot itself when the payload is generated. The complexity of this packing method not only makes it difficult for antivirus and other security tools to unpack the information statically, but it also deters other criminals from attempting to encode their own configuration data containing altered information.

This way, the authors attempt to maintain control of the process to generate new bot payloads for a given CnC server. Although the method is complex, it is still technically possible to decode this information because the decryption key must somehow be made available to the bot itself when it infects a new target.

Another interesting antipiracy feature called “proactive defense” has been added to Betabot to prevent other competing bots or similar tools such as remote access trojans from installing and potentially hijacking the botnet.

When the cracked builder is run, it allows the user to specify custom configuration information that is then encrypted and inserted into the included template code at the appropriate position. The whole PE file is then repacked in an attempt to further obfuscate the generated bot and avoid detection by antivirus software.

Decrypting the configuration data

After exploring how Betabot and its builders work, SophosLabs’ Heppner reviewed several other custom layers of obfuscation and encoding that are applied to the bot’s configuration data in an attempt to mask and deter reverse engineering.

Some of these methods seem to vary slightly with each significant update of Betabot. The structure of the config data and the use of RC4 in the primary layer seem to have remained fairly constant from version to version. However, the XOR key values, initialization vectors, and other minor variations seem to be introduced or modified with each update.
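As an added illustration of the extraction workflow the article describes, covering both the point that the decryption key has to be present in the sample for the bot to use it and the later use of the recovered communication key to decode bot-to-CnC traffic: a config blob that carries its own RC4 key with a single-byte XOR layer underneath, and a beacon decrypted with the key recovered from that config. This is not code from the SophosLabs paper and not Betabot’s real layout; the blob header, field names, the `k=v;` config syntax and the beacon format are assumptions made for the example.

```python
import struct
from typing import Dict


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for byte in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical blob layout (not Betabot's real one):
#   b"CFG1" | 16-byte RC4 key | 1-byte XOR key | uint16 LE length | ciphertext
# where ciphertext = RC4(key, plaintext XOR xor_key) and plaintext is "k=v;k=v;...".
MAGIC = b"CFG1"
HEADER = struct.Struct("<4s16sBH")


def build_blob(config: Dict[str, str], rc4_key: bytes, xor_key: int) -> bytes:
    """What a builder does: embed the key next to the data it protects."""
    plaintext = ";".join(f"{k}={v}" for k, v in config.items()).encode()
    masked = bytes(b ^ xor_key for b in plaintext)
    ciphertext = rc4(rc4_key, masked)
    return HEADER.pack(MAGIC, rc4_key, xor_key, len(ciphertext)) + ciphertext


def extract_config(blob: bytes) -> Dict[str, str]:
    """What an analyst does: read the key back out of the blob and peel the layers."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than header")
    magic, rc4_key, xor_key, length = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not a config blob")
    ciphertext = blob[HEADER.size:HEADER.size + length]
    if len(ciphertext) != length:
        raise ValueError("truncated config")
    plaintext = bytes(b ^ xor_key for b in rc4(rc4_key, ciphertext))
    return dict(item.split("=", 1) for item in plaintext.decode().split(";") if item)


def decrypt_beacon(config: Dict[str, str], wire: bytes) -> str:
    """Decode a captured bot message with the communication key found in the config."""
    return rc4(config["commkey"].encode(), wire).decode()


# Constructed sample: the config a builder would embed, and one beacon encrypted with
# the communication key it carries. Domains are reserved example names.
SAMPLE_CONFIG = {"cnc": "http://panel.example/gate.php", "commkey": "k3y-from-config", "interval": "300"}
SAMPLE_BLOB = build_blob(SAMPLE_CONFIG, rc4_key=bytes(range(16)), xor_key=0x5A)
SAMPLE_BEACON = rc4(b"k3y-from-config", b"id=bot01;cmd=dl;url=http://drop.example/x")

if __name__ == "__main__":
    cfg = extract_config(SAMPLE_BLOB)
    print("config :", cfg)
    print("beacon :", decrypt_beacon(cfg, SAMPLE_BEACON))
```

The per-version differences the article mentions (XOR values, IVs) change only the peeling order and constants in `extract_config`; the RC4 core stays the same, which is why a decoder written for one revision usually survives the next with small adjustments.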

From there, he outlines various steps to decrypt and decompile Betabot.

In the final analysis, Heppner expects the Betabot family to remain popular, used to spread other malware campaigns and harvest site login credentials.

Despite the best efforts of Betabot’s authors to cut down on piracy, it remains easy pickings for copycats.

The full report is available on Sophos’ technical paper page.



from Naked Security http://ift.tt/2lMr5sL

Google releases details, PoC exploit code for IE, Edge flaw

As we’re impatiently waiting for Microsoft to patch vulnerabilities that were scheduled to be fixed in February, Google has released details about a serious vulnerability in the Internet Explorer and Edge browsers.


What’s more, the report also contains PoC code that, if implemented in web pages, should crash vulnerable browsers. Savvy attackers could perhaps use it as a first step of an attack that could ultimately result in remote code execution.

But Google Project Zero security researcher Ivan Fratric, who reported the flaw, refused to comment more on its exploitability.

“The report has too much info on that as it is (I really didn’t expect this one to miss the deadline),” he noted.

The bug report became automatically visible to the public three days ago, when Google’s customary 90 day disclosure deadline was passed.

The flaw has been assigned the following identifier: CVE-2017-0037. Hopefully Microsoft will plug it in March, along with the other flaws that are awaiting fixes.

Microsoft has postponed the release of the patches scheduled for February 2017 Patch Tuesday because of a last minute issue that could not be resolved in time for the planned updates.

The March 2017 Patch Tuesday is scheduled for March 14. It is still unknown whether Microsoft plans to plug the two other zero-day vulnerabilities for which exploit code has already been published.


from Help Net Security http://ift.tt/2mCqiZ4

Cyber extortionists hold MySQL databases for ransom

Ransomware has become cyber crooks’ favorite attack methodology for hitting businesses, but not all cyber extortion attempts are effected with this particular type of malware.


Since the beginning of the year, we have witnessed attackers compromising databases, exfiltrating data from them, wiping them and then asking for money (0.2 BTC) in order to return the data. They ransacked MongoDB, CouchDB and Hadoop databases, and now they’ve set MySQL databases in their sights.

According to GuardiCore researchers, the first flurry of attacks dates back to February 12. Hundreds of them were detected, and all were tracked to an IP address hosted by Netherlands-based web hosting company WorldStream (109.236.88.20).

“The attack starts with ‘root’ password brute-forcing. Once logged-in, it fetches a list of the existing MySQL databases and their tables and creates a new table called ‘WARNING’ that includes a contact email address, a bitcoin address and a payment demand,” they explained.

“In one variant of the attack the table is added to an existing database; in other cases the table is added to a newly created database called ‘PLEASE_READ’. The attacker will then delete the databases stored on the server and disconnect, sometimes without even dumping them first.”
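The sequence GuardiCore describes leaves a recognisable trail in MySQL’s general query log: a burst of denied root logins from one host, a successful connection from the same host, a CREATE TABLE named WARNING (or a PLEASE_READ database), and DROP DATABASE without any preceding dump. The detection below is an added example, not GuardiCore’s tooling; the log lines are constructed in the general-log format with documentation addresses and placeholder wallet and contact fields. The dump signatures (INTO OUTFILE and the SQL_NO_CACHE hint mysqldump puts in its SELECTs) are this example’s assumption of what exfiltration would look like in the log, which also covers the researchers’ advice to check whether the attackers actually dumped anything before paying.

```python
import re
from collections import Counter, defaultdict
from typing import Dict

# Constructed lines in the shape of MySQL's general query log (time, thread id, command,
# argument). Documentation addresses only; wallet and contact fields are placeholders.
SAMPLE_LOG = """\
2017-02-12T03:14:01.000000Z\t   41 Connect\troot@203.0.113.5 on  using TCP/IP
2017-02-12T03:14:01.000100Z\t   41 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2017-02-12T03:14:01.300000Z\t   42 Connect\troot@203.0.113.5 on  using TCP/IP
2017-02-12T03:14:01.300100Z\t   42 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2017-02-12T03:14:01.600000Z\t   43 Connect\troot@203.0.113.5 on  using TCP/IP
2017-02-12T03:14:01.600100Z\t   43 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2017-02-12T03:14:02.000000Z\t   44 Connect\troot@203.0.113.5 on  using TCP/IP
2017-02-12T03:14:02.100000Z\t   44 Query\tSHOW DATABASES
2017-02-12T03:14:02.200000Z\t   44 Query\tSHOW TABLES FROM shop
2017-02-12T03:14:02.300000Z\t   44 Query\tCREATE TABLE shop.WARNING (id INT, warning TEXT, bitcoin TEXT, email TEXT)
2017-02-12T03:14:02.400000Z\t   44 Query\tINSERT INTO shop.WARNING VALUES (1, 'Send 0.2 BTC to recover your data', 'BTC-ADDRESS-PLACEHOLDER', 'attacker@example.com')
2017-02-12T03:14:02.500000Z\t   44 Query\tDROP DATABASE shop
2017-02-12T03:14:02.600000Z\t   44 Quit\t
2017-02-12T03:20:00.000000Z\t   45 Connect\tapp@10.0.0.7 on shop using TCP/IP
2017-02-12T03:20:00.100000Z\t   45 Query\tSELECT id FROM orders WHERE id = 7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on")
CREATE_RE = re.compile(r"CREATE\s+(?:TABLE|DATABASE)\s+(?:IF\s+NOT\s+EXISTS\s+)?`?([\w.]+)`?", re.I)
DROP_RE = re.compile(r"DROP\s+DATABASE\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)
DUMP_RE = re.compile(r"INTO\s+OUTFILE|SQL_NO_CACHE", re.I)   # assumed dump signatures
RANSOM_NAMES = {"WARNING", "PLEASE_READ"}                     # names seen in the campaign


def analyze(log_text: str, fail_threshold: int = 3) -> Dict[str, object]:
    """Flag hosts brute-forcing root, and sessions that planted a ransom note and
    dropped databases, noting whether any dump-like query preceded the drop."""
    failures: Counter = Counter()
    sessions: Dict[str, dict] = defaultdict(lambda: {
        "user": None, "host": None, "ransom_table": None,
        "dropped": [], "dump_seen": False, "dumped_before_drop": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, cmd, arg = m.group("tid"), m.group("cmd"), m.group("arg")
        if cmd == "Connect":
            d = DENIED_RE.search(arg)
            if d and d.group("user") == "root":
                failures[d.group("host")] += 1
                continue
            c = CONNECT_RE.match(arg)
            if c:
                sessions[tid]["user"], sessions[tid]["host"] = c.group("user"), c.group("host")
        elif cmd == "Query":
            s = sessions[tid]
            if DUMP_RE.search(arg):
                s["dump_seen"] = True
            c = CREATE_RE.search(arg)
            if c and c.group(1).split(".")[-1].upper() in RANSOM_NAMES:
                s["ransom_table"] = c.group(1)
            d = DROP_RE.search(arg)
            if d:
                s["dropped"].append(d.group(1))
                s["dumped_before_drop"] = s["dumped_before_drop"] or s["dump_seen"]
    return {
        "brute_force": {h: n for h, n in failures.items() if n >= fail_threshold},
        "ransom_sessions": [dict(s, tid=tid) for tid, s in sessions.items() if s["ransom_table"]],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("root brute force by host:", report["brute_force"])
    for s in report["ransom_sessions"]:
        print("ransom session", s["tid"], "from", s["host"], "dropped", s["dropped"],
              "dump before drop:", s["dumped_before_drop"])
```

The general log is off by default and costly on a busy server; the denied-login half of this check works just as well against the error log with `log_warnings` raised, and the query half against binary-log events, which is where a production deployment would read it from.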

Protection and remediation

It seems possible – likely even – that similar attacks will occur again. Luckily, protecting your servers against them is straightforward: use strong, unique passwords for the MySQL root account and for every other account that is allowed to connect over the network.

Minimizing internet-facing services is also a good idea (a database server’s listening port, 3306 by default for MySQL, should not be reachable from the internet at all), and setting up a robust and automated backup system is a must, so you don’t have to worry if attackers actually do manage to get through.

For those whose databases have been plundered in these attacks, GuardiCore researchers have the following advice: before even considering paying the ransom, make sure that the attackers actually have your data.

“In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration,” they noted.

It's interesting to note that the two Bitcoin addresses to which the victims are supposed to transfer money have recently received several payments, some seemingly from victims.

But, the researchers warn, the payments could have just as easily come from the attackers themselves, and this could be a simple ploy to convince victims that others have already paid the ransom, and so they should, too.


from Help Net Security http://ift.tt/2lM6Uei

A Survey of Propaganda

This is an excellent survey article on modern propaganda techniques, how they work, and how we might defend ourselves against them.

Cory Doctorow summarizes the techniques on BoingBoing:

...in Russia, it's about flooding the channel with a mix of lies and truth, crowding out other stories; in China, it's about suffocating arguments with happy-talk distractions, and for trolls like Milo Yiannopoulos, it's weaponizing hate, outraging people so they spread your message to the small, diffused minority of broken people who welcome your message and would otherwise be uneconomical to reach.

As to defense: "Debunking doesn't work: provide an alternative narrative."


from Schneier on Security http://ift.tt/2lqyCuz

The failure of EU’s regulation on cyber-surveillance tech exports

When in April 2016 the Italian Ministry of Economic Development revoked Hacking Team's licence to export their Galileo remote control system (RCS) outside of the EU, it seemed, at first glance, like a long overdue reaction to the many revelations that the company provides offensive intrusion and surveillance software to governments that don't have a good track record of respecting human rights.


Alas, it was not so – the decision was mostly a political reaction to the diplomatic problems that arose between Italy and Egypt in the wake of the death of an Italian graduate student. The man, Giulio Regeni, was abducted, tortured and killed in Egypt while he was researching the country’s independent trade unions.

But the news did briefly raise interest in the question of how European companies that develop surveillance software, which counts as dual-use technology (usable for both civilian and military ends), get permission to export it to other countries.

The problem with EU cyber-surveillance technology regulation

Almost a year later, and just as the European Parliament is set to debate a new proposal to strengthen the regulation that forms the basis of EU’s export control regime of dual-use technology, a report by a network of European media outlets shows how the initial regulation has failed to prevent authoritarian regimes from getting their hands on this type of technology.

The reporters requested information from EU member states and Norway about exports of surveillance technology, and received a response from 18 of the 29 countries (incidentally, Italy was not among the 18).

The information provided does not give a full picture of the situation, but it definitely shows that export applications are very rarely denied.

“Almost 30 percent of the issued licenses were for exports to countries that are ranked as ‘not free’ by the think tank Freedom House. One example is The United Arab Emirates – a country known for using surveillance technology against peaceful critics of the regime,” the reporters noted.

“52 percent of the licenses revealed by the investigation were for exports to countries that Freedom House ranks as ‘partially free’. This includes a country like Turkey, where the Erdogan government has cracked down on political opposition following a failed coup last year. Only 17 percent of the licenses were for exports to countries that Freedom House ranks as ‘free’.”

It seems obvious that the regulation, in its current form and in practice, is not strong enough.

Professor Quentin Michel from Université de Liège, an expert on export control regulations, says that the problem with the current EU dual use regulation is that it was originally designed to avoid the proliferation of weapons of mass destruction, and does not focus on protection against human rights violations.

Unfortunately, while the new proposal for strengthening the regulation does expand the list of cyber-surveillance equipment whose export has to be controlled, it still does not require member states to deny export applications if there is risk of human rights violations.


from Help Net Security http://ift.tt/2mvqv0D

Monday review – the hot 30 stories of the week

From experts saying, 'I told you so', about SHA-1 and beer that risked computer security to Google and Bing giving pirated content the push, and much more...
from Naked Security http://ift.tt/2lqk7ag

Sunday, February 26, 2017

Not all threat intelligence is created equal


In this podcast recorded at RSA Conference 2017, John Czupak, CEO at ThreatQuotient, and Jonathan Couch, Senior VP of Strategy at ThreatQuotient, talk about what’s important to know about the difference between threat intel versus threat intelligence platforms, how threat intelligence changed over the past few years, and much more.

Here’s a transcript of the podcast for your convenience.

Let’s get into this conversation. Couch, most people have heard of threat intelligence, but can you give us a quick overview of what’s important to know about the difference between threat intel versus threat intelligence platforms? Where does ThreatQuotient fall into this kind of market that we have here?

Jonathan Couch: Definitely. I think one of the key differences is really the fact that threat intelligence provides you a lot of information and intelligence about what the threats are to your network, and what you need to focus in on from a security perspective. But threat intelligence platforms are, really, that next step in the operational chain. It’s how you actually use, consume and utilize the threat intelligence that’s out there.

It’s not just the creation of threat intelligence, but it’s that consumption, it’s bringing it in, figuring out what the context is around all those threats that are out there, and figuring out the relevance. Does your business, does your organization care about it? And then, how do you utilize that within your network? How do you deploy it out to your sensor grid? How do you communicate with the executives in your company? How do you work with other business units in the company? So, threat intelligence platforms are there to really enable that consumption and use of threat intelligence within your environment.

John, I understand you celebrated one year with ThreatQuotient back in October. What has it been like working with this company since very early on, especially in this emerging market?

John Czupak: It’s been a real whirlwind, and it’s interesting. When I joined the company, we were in an incubator space, here on the East Coast, at America Online. And there’s a thesis that we could build a big relevant business in an emerging marketplace. It would take a lot of work, but it really starts with the people. So I embarked on bringing in a world-class executive team into the company. And yeah, I would stack our team up against anybody. We have folks with experience, deep product experience in the industry, from companies like Sourcefire and Cisco. We’ve augmented that with folks that have deep threat intelligence experience from companies like iSIGHT that was one of the early innovators in this particular space. And our founders, of course, came from deep domain experience, coming out of General Dynamics. So it’s an interesting mix of executives we’ve brought to the table.

And the plan was to build a company around this. ‘Let’s raise great money in this emerging market, let’s build this company out, let’s advance the product in the areas that we think that it is relevant and differentiated, and matters for the marketplace.’ And I couldn’t be more proud of the accomplishments that we’ve made over the past year. As I’ve stated before, we’ve built an executive team, we’ve filled the team out, we’ve created a go-to-market machine that includes folks in Europe and North America. And most significantly, we’ve done a complete recasting and a rebuild of the technology, the product. We architected it from the ground up. And we’re doing some amazing things with the technology today. So, we’re in a great place, and this is going to be a big year for the company.


Great. Couch, you’ve been involved with threat intelligence for longer than most. How has the industry changed over the past few years? And what is still missing in this market?

Jonathan Couch: I would say threat intelligence really started out… Even in the middle/late ‘90s there was, really, threat data. People started moving beyond their networks. So a lot of organizations, from a security standpoint, started just looking at what they could see on their networks, and blocking it – firewalls, IDS, IPS, all the technologies that are out there. And they slowly started to expand beyond the networks, to look over the horizon a little bit. And that’s where a lot of threat data came out. Here are different indicators, different technical information, IP addresses, domain names for command and control servers, and data exfiltration servers, and all these things that weren’t inside of corporate networks, but were the last mile coming in. But there was very little context to it.

And so, over the years, I think what developed was just a lot of noise. There was so much data, it was an overflow of data. And it’s been interesting, because I think the commercial world has started to feel a lot of what the government has seen for years and years and decades, to where you have so much data, but you need to make sense of the data. And so, over the past few years, really, the importance of context and the importance of relevance has really come into the market. The fact that you not just have a ton of data, I can hand you a hundred thousand IP addresses, and tell you they’re bad, and it doesn’t mean anything to you; but if I hand you a hundred thousand IP addresses and I say, ‘But these five are actually targeting your industry, and are going after something that your business cares about that increases shareholder value, that increases revenue generation for your company’, well, that’s something now that you can focus in on. And you can apply your resources against it.

Another key thing that’s popped up over the years has been the discussion at all levels of government, as well as in the commercial industry of sharing, to where I think a lot of threat intelligence groups are focusing in more on sharing than they are necessarily on consumption and use, on the operation side of threat intelligence. And while sharing, I think, is a core component of what needs to occur out there in the market, you need to go about it the right way, you need to make sure you’re sharing the right information in the right way so that it is consumable and usable.

But at the end of the day, it isn’t all just about sharing. I can share with everybody here all day long different tidbits and facts of little interesting things, but it doesn’t do anybody any good unless it’s something that actually applies to them, to their environment, that has the relevance, and that it’s information that they can do something with. So, I think, over the past few years, the market has started to focus in to figure out, ‘All right, we have this whole threat intelligence thing; it’s still being defined.’ I think every day presents new challenges for what people are looking at, but then they’re moving on from that definition of threat intelligence to really, ‘How do I utilize it in an effective and efficient manner?’ Especially within commercial organizations where ROI matters. So that you can’t just buy a ton of data and be overwhelmed by it, you got to do something with it, and then communicate that to your executives to get support.

Something I hear you saying is that not all threat intelligence is created equal. So do you want to talk about that a little more?

Jonathan Couch: Yeah, definitely. And I am somewhat biased. I come from a threat intelligence provider in my background, but we always used to say, ‘Context is king.’ And I think that really is a key point. It’s the fact that you don’t want to just have a ton of data that doesn’t necessarily mean anything to you, you have to have the context around it. And that’s where attribution, and adversaries, and a lot of these concepts around threat intelligence have come into play over the years. But for me to be able to talk to you, rather than just saying, ‘Knives are bad’, to be able to say, ‘Well, there’s this guy, Joe. And he lives in this state, in this city. And he’s utilizing knives to lock pick doors to get into your home. And he focuses in on stealing TVs.’ Having that context around the problem is a lot better. You can’t protect against all the knives in the world, but you can protect against how one specific individual is utilizing a knife. And especially if there are tens of thousands of those people, all utilizing knives in the same way. You can figure out where along that path you can best stop them, where your countermeasures fit, and be able to work with that.

I truly do believe that not all threat intelligence is created equal, that you have to have the context around it. And for those feeds and providers that don’t provide that context, you have to have platforms that can add that context to the data that you’re bringing into your environment. A lot of times, through government feeds, through open source feeds, you’re not going to get a lot of that context. But by integration with other commercial tools that are out there, you can add that context into your knowledge base. And you have to have that library to be able to store it, and then leverage it.


And back to you, John, what else can you say about your team at ThreatQuotient? And where do you see the company going in 2017 and beyond, related to the context that Couch just provided?

John Czupak: Thank you. It’s a really exciting time for our company. I think for the industry, there’s a lot of change going on, but from the viewpoint of my desk, the change is right in the fairway or in the wheelhouse of what we do and what our vision is for this marketplace.

As a company, we’re organized and we have capacity to advance this market this year. So we’re expecting big things out of our business. But from an industry standpoint, one of the things that I’ve noticed, which won’t be controversial, is there’s a tremendous amount of energy and activity in our space. There’s a recent survey that was published by BTIG, a gentleman by the name of Joel Fishbein, who identified that amongst the top three priorities for spending this year and in future years include things that are described as threat intelligence and analytics, and a secondary was this area or notion called security automation and orchestration. And if you think about those two areas, the provision of threat intelligence in a way that’s meaningful and useful to the users or operators is extremely valuable. So, we believe that we’re well positioned for a market that’s in an inflection point and a market that’s going to rapidly increase over the coming years. It’s an exciting time to be here.

Couch, to wrap things up, do you have any advice for companies that are looking to get started with threat intelligence or take better advantage of it?

Jonathan Couch: Definitely. I’ve worked with many organizations over the years, and I’m a firm believer in planning. Organizations, you can’t just jump into threat intelligence. I talked earlier about the overwhelming data that they can face sometimes. And organizations need to go into this knowingly, like they do with any other major program that they may start up at the company.

My advice to organizations is to set up that strategic plan. Know where you want to be in three years. Understand who your internal stakeholders are. If you’re going to have to communicate to your executives and your board of directors, you want to set up an intelligence program that has that goal in mind, and that your outputs and what your team is working on can communicate to them. Board directors don’t necessarily care that you blocked eight million things this month, what they care about is that you stop something that could have decreased shareholder value.

And so, it’s making sure that you set up a program with those definitive goals in mind – tactical, operational, and strategic goals – and that you’re able to communicate the successes that you’ve had in growing your programs, because at the end of the day, security is an overhead function, it’s not generating revenue for the companies for the most part. And so, you need to look at it with that in mind as far as being able to show value to the company through something that the business really cares about.


RSA Conference 2017


from Help Net Security http://ift.tt/2lWtlOp

Addressing pain points in governance, risk and compliance

In this day and age, it seems as though every business has some form of alphabet soup or acronym salad that shapes the decisions they make as it pertains to their information security programs. Between data privacy laws, regulations on the financial industry, calls for a healthcare focused cybersecurity framework, and regular updates to the PCI DSS, the ever-growing need for a well-established information security program is apparent.

As enterprises exercise their appetite for risk, their ability to assure the board of directors (and inherently the shareholders) that the appropriate controls are in place to protect their critical information and assets is crucial. The days of setting, forgetting, and burying our heads in the proverbial sand are long past. Accountable parties are under ever-increasing pressure to validate the effectiveness of the programs they have in place and provide actionable assurances that due care was taken.

Where is this heading?

We understand the motivations, the want, and the need, yet the reality of the situation doesn’t always align with what we would expect. Cybercrime is not just the elephant in the room; it’s the elephant in the room that’s been tagged with a Banksy-esque portrayal of modern gangsters kicking back and laughing. Criminal organizations are swelling like a tidal wave that is crashing down on the corporate landscape, yet many businesses are still operating under a reactive as opposed to proactive methodology when it comes to their Information Technology/Information Security (IT/IS) GRC needs. Perhaps this is because we have yet to see a nation-wide regulation that mandates controls across multiple business verticals rather than industry-specific requirements.

Now we combine that reactive approach to traditional spreadsheet-based GRC with understaffed, over-used personnel. Too often these employees are slammed with audits out of nowhere—from business leaders who trickle down high-level policies such as “We’re gonna be ISO certified”—without truly understanding the workloads they just tossed down the org-chart. The elephant grows. How can one or two people in an enterprise tackle the elephant in the room and drag it outside where it belongs?

Give me some hope

It is likely that the challenges and pain derived from GRC activities will continue to grow, which will further motivate market trends that we are already seeing. In the IT/IS GRC market segment, my clients face a lack of time to dedicate towards keeping up with the rapidly changing onslaught of privacy and data security regulations.

As I hinted above, it is good that governments are impressing a need to protect the private information entrusted to businesses by their customers. However, those businesses will continue to be burdened, either through time sink or fines, by this trend.

In addition to the external changes shaping the internal governance policies that businesses put into place, the IT/IS systems within enterprise architectures are in a state of regular flux. It is rare that a system is in a static state for any significant period, and with every change, the same question must be asked: “Is the current machine state compliant?” Answering this question becomes its own burden, without the correct tools in place, and any manual tracking in a spreadsheet becomes impossible at a certain point.

Still waiting for that hope…

Thankfully, we are living in a time where the options available for GRC tools are growing. The market was traditionally dominated by large scale—and expensive—systems. We are now seeing disruptive companies entering and offering reasonable alternatives to the status quo. However, as with any tool selection, there is a fair amount of vendor fatigue that can come from evaluation.

It is best to have a short list of what you want to get out of this investment. When navigating the path of GRC vendor courtship, I advise checking off as many of the following boxes as possible:

Affordability – Ask yourself, “is this affordable?” Not everyone can afford a high-end global enterprise-class implementation, but most organizations will benefit from a tool.

Mitigation, Remediation, and Delegation – Does the tool support tracking of remediation efforts, risk analysis processes, and an ability to seamlessly delegate accountability to system owners for remediation and mitigation of identified risks?

Streamlined Vendor Risk Management – Can this tool help reduce the probability of a Target-like breach by giving you the ability to semi-automate the evaluation of a third-party vendor’s risk profile?

Policy Libraries – Does the tool support dynamic updates of policies within a library to ease the burden of manually tracking changes to governing regulations, standards, and other best practice publications?

Policy Mapping – Can internal policies be easily mapped or overlaid with regulating policies or standards such as HIPAA, COBIT, ISO, etc.?

Views – Can multiple views be established for critical visibility to information that is reasonably valuable for multiple business organizations within your enterprise?

The end goal with the implementation of any tool is to streamline the general day-to-day processes of GRC activities, support collaborative efforts between departments, and offer a central repository for documentation that validates compliance with both internal policies and external regulatory governance. The key part is the collaborative portion. An effective GRC discipline requires company-wide buy-in. The easier you make it for your colleagues, the easier you make it for yourself. That way, when the time comes to jump into the next audit wave, you can prove once and for all that GRC isn’t just another four-letter word.


from Help Net Security http://ift.tt/2m0VT9Q