Security hygiene and posture management: A 2022 priority

Read Time:29 Second

While cybersecurity is complex and multifaceted, security certifications (i.e., CISSP common body of knowledge 8 domains), regulations (i.e., HIPAA, PCI DSS, etc.), and best practices (i.e., CIS critical security controls) all recommend starting cybersecurity programs at the same place: security hygiene and posture management.  Experts agree that strong cybersecurity starts with the basics, like knowing about all IT assets deployed, establishing secure configurations, monitoring “drift” from these secure configurations, prioritizing remediation actions based on risk scores, and validating that everything is working as it should.

To read this article in full, please click here

Read More

Merck Wins $1.4bn NotPetya Payout from Insurer

Read Time:1 Minute, 57 Second

Merck Wins $1.4bn NotPetya Payout from Insurer

Merck has won a long-running legal battle to force its insurer to cover the costs of damages caused by the NotPetya ‘ransomware’ attacks.

The pharma giant was one of many big-name multinationals hit by the destructive malware, disguised as ransomware by Russian attackers targeting Ukrainian organizations back in 2017, as they are again today.

However, the malware soon spread globally, causing potentially billions of dollars of damage.

Many companies, including Merck and confectionary giant Mondelez, found their insurer refusing to pay because of an exclusion in their policy for “acts of war.”

However, a New Jersey superior court judge has now ruled that the language therein implies armed conflict rather than the cyber kind.

Although Merck was claiming under an “all-risk” property insurance policy, both these and more specific cyber policies often contain such exclusions.

However, the ruling may not be beneficial to other policyholders in the long run, as insurers are in general becoming much more prescriptive about coverage for cyber-incidents.

Lloyds of London last November released a new set of clauses that broadened act of war exclusions to “cyber-operations between states which are not excluded by the definition of war, cyber-war or cyber-operations which have a major detrimental impact on a state.”

Peter Groucutt, co-founder of Databarracks, said the new clauses would favor insurers going forward.

“Attribution is another challenge because it is not always clear who was responsible for an attack. There is understandably a lot of deception in cyber-warfare, with attackers leaving misleading breadcrumbs pointing to different attackers or nations. These clauses allow the insurer to determine attribution if the government does not or ‘takes an unreasonable length of time to.’ That seems to be a dangerous case of checking one’s own homework,” he argued.

“There is another challenge of attribution in that cyber groups are often loosely affiliated with a government. It is not always clear if they are directly controlled by or sponsored by the government. Previously, that distinction would be more important. Again, these new clauses widen the net with ‘those acting on its behalf’ working as a catch-all for these kinds of relationships.”

Ultimately the “parameters for payout” are narrowing, shifting more emphasis onto organizations to improve baseline protections, Groucutt concluded.

Read More

Footprinting

Read Time:3 Minute, 40 Second

The first step in a cyberattack, or a penetration test, is footprinting. The attacker/analyst tries to get information about the targeted infrastructure. Thanks to footprinting techniques, attackers can obtain information such as:

  • personal data, skills, experience and interests of company’s employees;
  • company headquarters;
  • technologies in use (middleware, operating systems);
  • suppliers and consultants who collaborate periodically with the company;
  • blocks and network topology;
  • DNS records.

We can divide footprinting techniques into two macro areas:

  • active: it involves the collection of information with direct interaction with the target. It is a more risky practice than the passive one, as it could leave traces. The systems of the attacked organization could (should) detect the information gathering attempt. Some examples of active footprinting are the use of web spiders, email tracking, traceroute and social engineering techniques.
  • passive: involves the collection of information without direct interaction with the target. Some examples are the usage of search engines, social networks, job posting sites, analysis of data received from providers that monitor website’s traffic, commercial performance or deliver reports about future commercial operations of the target.

Identifying the technologies adopted by the target drastically simplifies attackers’ jobs. The awareness about the usage of certain technologies, the lack of good security practices, or of a bad security posture increases the attacker’s chances of success.

When we perform a penetration test in which the company aims to identify chances of an attacker completely unrelated to the organization, footprinting activities heavily influence the success of the test.

Footprinting with search engines and social networks

Search engines offer a myriad of information to the attacker. The advanced functions available in Google, Bing and other search engines offer information that companies are not even aware to expose to the public.

The technique, combined with the most used search engine, has taken the name of Google Hacking. For more information, you can consult our article about the Google Hacking Database.

Thanks to search engines, an attacker gets to know technologies in use (web servers, firewalls, IDS, WAF, third-party applications), IoT devices, applications for internal use only and many other information about the target.

Like search engines, social networks provide an enormous quantity of information to attackers.

An attacker can dig LinkedIn to understand who the key people of the organization are, their experience and knowledge. You can get to know their interests, their religious and political beliefs, their weaknesses. Afterwards, attacker can exploit gathered information to perform a social engineering attack.

Tools like theHarvester and sublist3r simplify attackers’ job, reducing the manual work.

Footprinting through job posting sites

The following image shows the information revealed on a job advertisement post. The job post is real. I found it on the platform indeed.com.

The company is looking for an IT System Administrator with knowledge of Linux and Solaris. They even mention the Linux distribution names and the Solaris release version. You can bet they have got some LAMP servers, that they probably monitor their infrastructure using Nagios and are using Oracle and DB2 as RDBMS. Their infrastructure may include J2EE Containers like Glassfish and JBoss and servlet containers like Tomcat. Even if they reached the EOL over 5 and 2 years ago, they are still asking for people with experience on Windows XP and 7.

You are getting information not only about the used technologies but you are also outlining the security posture of the company.

Job posts can tell you a lot more. Are they searching for IT security specialists? Besides tools and countermeasures adopted, they may even tell you how big is their security team. Are they even trying to cover important roles like CIO or CISO?

Tools and services:

We suggest looking at the following tools. We wrote a brief description of them: Sublist3r, theHarvester, Shodan, Sherlock, Burp Suite, Metagofofil, Exitftool, DNSRecon, traceroute.

Contermeasures

Your employees/colleagues’ awareness about attackers’ behaviour and techniques is fundamental for your company’s safety. Every company must adopt a security awareness policy to inform its employees about the security risks they are exposed inside and outside the office.

The adoption of security policies (hardening of the systems, analysis and reviews of IDS/IPS and other monitoring tools, etc.), the definition of roles and responsibilities will allow a company to quickly detect and react to attackers’ attempts to gather information or to exploit the knowledge they previously gained through passive footprinting techniques.

Cyberbullying: Words do Hurt When it Comes to Social Media

Read Time:5 Minute, 13 Second

Most parents may find it difficult to relate to today’s form of cyberbullying. That’s because, for many of us, bullying might have come in a series of isolated, fleeting moments such as an overheard rumor, a nasty note passed in class, or a few brief hallway confrontations. 

Fast forward a few dozen decades, and the picture is spectacularly different and a world few adults today would eagerly step into.  

Cyberbullying includes targeting that is non-stop. It’s delivered digitally in an environment that is often anonymous. It’s a far-reaching, esteem-shattering, emotional assault. And the most traumatic component? The perpetual nature of the internet adds the ever-present threat of unlimited accessibility—kids know bullying can happen to anyone, at any time, and spread like wildfire.   

The nature of cyberbullying can make a young victim feel hopeless and powerless. Skipping school doesn’t stop it. Summer vacation doesn’t diminish it. That’s because the internet is ever-present.   

According to a 2020 Ditch the Label Cyberbullying Study, youth today reveal that carrying the emotional weight of being “connected all the time” is anything but fun and games. Here’s a snapshot. 

Bullying has increased by 25% each year since the survey’s inception in 2006.   
46 % of the respondents reported being bullied more than once, and 20% reported bullying others on social networking sites. 
33% of young people surveyed said that they believe the behavior of politicians influences how people treat each other at school. 
25% of those surveyed say they feel “lonely all of the time.” (Executive commentary added that since the onset of the pandemic onset, those numbers have increased).  
50% of those bullied felt targeted because of attitudes towards their physical appearance.  
14% of respondents said they never like themselves; 24% said they do but rarely. 
42% of youth respondents revealed they have battled with anxiety. 
25% said they deal with depression; 21% with suicidal thoughts. 
Leading mental health stressors include school pressures, exams, body image, feelings of loneliness, and grief.  

Who Is Most Vulnerable? 

While all kids are at risk for cyberbullying, studies reveal that some are more vulnerable than others.  

According to the Pew Research Center, females experience more cyberbullying than their male counterparts; 38% of girls compared to 26% of boys. Those most likely to receive a threatening or aggressive text, IM, or email: Girls ages 15-17.  

More data from the CDC and American University reveals that more than 28.1 % of LGBTQ teens were cyberbullied in 2019, compared to 14.1% of their heterosexual peers. In addition, Black LGTBQ youth are more likely to face mental health issues linked to cyberbullying and other forms of bullying as compared to non-Black LGTBQ and heterosexual youth.  

Another community that can experience high cyberbullying is gamers. If your child spends a lot of time playing online games, consider paying close attention to the tone of conversations, the language used, your child’s demeanor during and after gaming, and, as always, stay aware of the risks. In a competitive gaming environment that often includes a variety of age groups, cyberbullying can quickly get out of control.  

Lastly, the reality no parent wants to confront—but one that is critical to the conversation—is that cyberbullying and suicide may be linked in some ways. According to JAMA Pediatrics, approximately 80% of young people who commit suicide have depressive thoughts, and in today’s online environment, cyberbullying often leads to more suicidal thoughts than traditional bullying.  

5 Things Parents Can Do 

Be a Plugged-In Parent. If you haven’t already, make 2022 the year you double up your attention to your kids’ online activities and how they might be impacting them emotionally. Kids connect with new people online all the time through gaming platforms, group chats, and apps. Engage them. Understand what they like to do online and why. Be aware of shifts in behavior, grades, and sleeping patterns. Know the signs that they may be experiencing online bullying.   
Layer Up Your Power. Kids need help with limits in a world of unlimited content and parents get busy. One remedy for that? Consider allowing technology to be your parenting partner—additional eyes and ears if your will—to help reduce the risk your kids face online. Parental controls on family devices can help you pay closer attention to your child’s social media use and assist you in filtering the content that’s rolling across their screens. Having the insight to connect your child’s mood to the time they spend on specific apps may provide a critical shortcut to improving their overall wellbeing.  
Prioritize Community. Feeling supported and part of a solid offline community can make a significant difference in a child’s life. One survey of teens aged 12-17 found that social connectedness played a substantial role in reducing the impact of cyberbullying. 
Don’t prohibit, limit. If you know your child is having a tough time online, it’s important not to overreact and restrict device use. They need peer connection. It’s their culture. Consider helping them balance their time and content online. Please talk about the pros and cons of specific apps, role play, teach them how to handle conflict, and encourage hobbies and meetups that are not technology dependent.  
Provide Mental Health Support. We are living in unique times. The digital, cultural, social, political, and health concerns encircling our kids remain unmatched. Not all signs of emotional distress will be outward; some will be subtle, and some, even non-existent. That’s why it’s essential to consistently take the time to assess how your child is doing. Talk with your kids daily, and when you notice they may need additional help, be prepared to find resources to help 

Conclusion 

Each new year represents 365 new days and 365 new chances to do things a little bit better than we’ve done them in the past. And while it’s impossible to stop our kids from wandering into the crossfire of hurtful words online, we can do everything possible to reduce their vulnerability and protect their self-esteem.  

The post Cyberbullying: Words do Hurt When it Comes to Social Media appeared first on McAfee Blogs.

Read More

Biden Signs Memo to Boost National Cybersecurity

Read Time:1 Minute, 52 Second

Biden Signs Memo to Boost National Cybersecurity

United States President Joe Biden has signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks.

The requirements for federal civilian networks were laid out in Biden’s Executive Order 14028 (EO 14028) issued May 12 2021. The new memo, signed Wednesday, specifies how the provisions of EO 14028 apply to national security systems. 

The NSM establishes timelines and guidance for how cybersecurity requirements, including multi-factor authentication, encryption, cloud technologies and endpoint detection services, will be implemented.

It also requires agencies to identify their national security systems and report cyber incidents that occur on them to the National Security Agency (NSA). 

Commenting on this particular requirement of the NSM, Mark Manglicmot, vice president of security services at Arctic Wolf, said: “To defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.”  

The NSM further authorizes the NSA to create Binding Operational Directives that require agencies to take specific actions against known or suspected cyber-threats and vulnerabilities. In addition, it requires the NSA and the Department of Homeland Security to share BODs and “learn from each other to determine if any of the requirements from one agency’s directive should be adopted by the other.” 

Under the new memo, agencies are required to secure tools known as cross-domain solutions that transfer data between classified and unclassified systems. 

In a statement released Wednesday, the White House said: Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems.”

James McQuiggan, security awareness advocate at KnowBe4, noted that the memo omitted any requirements around cybersecurity education or creating a security culture among users. 

He said: “When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyber-attack.”

Read More

11:11 Systems Acquires iland

Read Time:1 Minute, 49 Second

11:11 Systems Acquires iland

Managed infrastructure solutions company, 11:11 Systems, has acquired Texas-based cloud services provider, iland

The completion of the acquisition was announced on Thursday. The terms of the deal were not disclosed. 

Headquartered in Houston with regional offices in London and Sydney, iland delivers cloud services including Disaster-Recovery-as-a-Service (DRaaS), Infrastructure-as-a-Service (IaaS) and Backup-as-a-Service (BaaS) from its cloud regions throughout North America, Europe, Australia and Asia.

11:11 Systems said it intends to leverage iland’s award-winning Secure Cloud Console, which natively combines deep layered security, predictive analytics and compliance to deliver visibility and easy management for iland’s cloud services.

The deal follows 11:11 Systems’ recent acquisition of Green Cloud Defense, a channel-only, cloud Infrastructure-as-a-Service (IaaS) provider. 

“By adding iland’s steady 25% YOY momentum to 11:11 Systems’ expanding national network of MSPs, VARs and IT consultants, a hyper-growth pathway has been created,” said 11:11 Systems in a statement.

Brett Diamond, CEO of 11:11 Systems, said his company’s recent acquisitions were motivated by making cybersecurity more straightforward for its customers. 

“CIOs and IT leaders are being pushed to address increasing numbers of security threats, application vulnerabilities and network weaknesses that can leave organizations exposed to data breaches; at the same time, they are tasked with laying the right foundation within their infrastructure to embrace hybrid cloud, navigate sophisticated application requirements, artificial intelligence and more while data and devices continue to multiply exponentially,” said Diamond.

He added: “11:11 Systems is focused on significantly simplifying our customers’ approach to cloud, security and connectivity to drive greater security, innovation, and responsiveness and adding iland and Green Cloud as core ingredient platforms substantively advances this mission.”

For iland, the deal brings an opportunity for expansion and innovation, according to the company’s CTO, Justin Giardina. 

“Joining 11:11 Systems, which now includes Green Cloud, will open up the doors of innovation even wider with new opportunities to expand services across the iland platform, which will further enhance our customers’ ability to manage and monitor their hybrid environments,” said Giardina.

Read More

Third Firmware Bootkit Discovered

Read Time:1 Minute, 51 Second

Third Firmware Bootkit Discovered

Cybersecurity researchers at Kaspersky have discovered a third known case of a firmware bootkit in the wild.

The kit, which made its first appearance in the wild in the spring of 2021, has been named MoonBounce. Researchers are confident that the campaign is the work of well-known Chinese-speaking advanced persistent threat (APT) actor APT41.

MoonBounce demonstrates a more complicated attack flow and greater technical sophistication than previously discovered bootkits LoJax and MosaicRegressor.

The malicious implant was found hiding inside the CORE_DXE component of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical because its code is responsible for booting up a device and passing control to the software that loads the operating system (OS). 

Once MoonBounce’s components have made their way into the operating system, they reach out to a command & control server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve.

The code to boot the device is stored in a non-volatile component external to the hard drive called the Serial Peripheral Interface (SPI) flash. 

Researchers said that Bootkits of this kind are extremely hard to detect because the code they target is located outside of the device’s hard drive in an area that most security solutions do not scan as standard. 

Firmware bootkits are also difficult to delete. They can’t be removed simply by reformatting a hard drive or reinstalling an OS because the code is launched before the operating system.

“The infection chain itself does not leave any traces on the hard drive, since its components operate in memory only, thus facilitating a fileless attack with a small footprint,” noted researchers. 

While investigating MoonBounce, researchers appeared to detect a link between the bootkit and Microcin malware used by the SixLittleMonkeys threat actor.

“While we can’t definitely connect the additional malware implants found during our research to MoonBounce specifically, it does appear as if some Chinese-speaking threat actors are sharing tools with one another to aid in their various campaigns; there especially seems to be a low confidence connection between MoonBounce and Microcin,” said Denis Legezo, senior security researcher with GReAT (Kaspersky’s Global Research and Analysis Team).

Read More

Jail for prolific romance fraudster who fleeced besotted lonely hearts

Read Time:19 Second

To his victims he was “Tony Eden”, a middle-aged white man looking for love online, while working overseas for a drilling company.

But in reality he was a school caretaker called Osagie Aigbonohan, originally from Lagos, Nigeria, and part of a criminal gang with links to the notorious Black Axe group.

Read more in my article on the Tripwire State of Security blog.

Read More

San Francisco Police Illegally Spying on Protesters

Read Time:2 Minute, 20 Second

Last summer, the San Francisco police illegally used surveillance cameras at the George Floyd protests. The EFF is suing the police:

This surveillance invaded the privacy of protesters, targeted people of color, and chills and deters participation and organizing for future protests. The SFPD also violated San Francisco’s new Surveillance Technology Ordinance. It prohibits city agencies like the SFPD from acquiring, borrowing, or using surveillance technology, without prior approval from the city’s Board of Supervisors, following an open process that includes public participation. Here, the SFPD went through no such process before spying on protesters with this network of surveillance cameras.

It’s feels like a pretty easy case. There’s a law, and the SF police didn’t follow it.

Tech billionaire Chris Larsen is on the side of the police. He thinks that the surveillance is a good thing, and wrote an op-ed defending it.

I wouldn’t be writing about this at all except that Chris is a board member of EPIC, and used his EPIC affiliation in the op-ed to bolster his own credentials. (Bizarrely, he linked to an EPIC page that directly contradicts his position.) In his op-ed, he mischaracterized the EFF’s actions and the facts of the lawsuit. It’s a mess.

The plaintiffs in the lawsuit wrote a good rebuttal to Larsen’s piece. And this week, EPIC published what is effectively its own rebuttal:

One of the fundamental principles that underlies EPIC’s work (and the work of many other groups) on surveillance oversight is that individuals should have the power to decide whether surveillance tools are used in their communities and to impose limits on their use. We have fought for years to shed light on the development, procurement, and deployment of such technologies and have worked to ensure that they are subject to independent oversight through hearings, legal challenges, petitions, and other public forums. The CCOPS model, which was developed by ACLU affiliates and other coalition partners in California and implemented through the San Francisco ordinance, is a powerful mechanism to enable public oversight of dangerous surveillance tools. The access, retention, and use policies put in place by the neighborhood business associations operating these networks provide necessary, but not sufficient, protections against abuse. Strict oversight is essential to promote both privacy and community safety, which includes freedom from arbitrary police action and the freedom to assemble.

So far, EPIC has not done anything about Larsen still being on its board. (Others have criticized them for keeping him on.) I don’t know if I have an opinion on this. Larsen has done good work on financial privacy regulations, which is a good thing. But he seems to be funding all these surveillance cameras in San Francisco, which is really bad.

Read More