Brian Krebs
Tue, 30 Apr 2024 13:34:32 +0000
A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.
https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/
The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers -- including AT&T, Sprint, T-Mobile and Verizon -- for illegally sharing access to customers' location information without consent.
https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/
The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump's Dumps.
https://krebsonsecurity.com/2024/04/russian-fsb-counterintelligence-chief-gets-9-years-in-cybercrime-bribery-scheme/
For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the state's revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole millions of payment card records from big box retailers like Home Depot and Target in the years that followed.
https://krebsonsecurity.com/2024/04/who-stole-3-6m-tax-records-from-south-carolina/
The U.S. government is warning that smart locks securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock's maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp's parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.
https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.
https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/
On April 9, Twitter/X began automatically modifying links that mention "twitter.com" to redirect to "x.com" instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links -- such as fedetwitter[.]com, which is currently rendered as fedex.com in tweets.
https://krebsonsecurity.com/2024/04/twitters-clumsy-pivot-to-x-com-is-a-gift-to-phishers/
If only Patch Tuesdays came around infrequently -- like total solar eclipse rare -- instead of just creeping up on us each month like The Man in the Moon. Although to be fair, it would be tough for Microsoft to eclipse the number of vulnerabilities fixed in this month's patch batch -- a record 147 flaws in Windows and related software.
https://krebsonsecurity.com/2024/04/aprils-patch-tuesday-brings-record-number-of-fixes/
A cybercrook who has been setting up websites that mimic the self-destructing message service Privnote.com accidentally exposed the breadth of their operations recently when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that behave and look like the real Privnote, except that any messages containing cryptocurrency addresses will be automatically altered to include a different payment address controlled by the scammers.
https://krebsonsecurity.com/2024/04/fake-lawsuit-threat-exposes-privnote-phishing-sites/
Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called "The Manipulaters," a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.
https://krebsonsecurity.com/2024/04/the-manipulaters-improve-phishing-still-fail-at-opsec/
Troy Hunt
Fri, 03 May 2024 00:57:10 GMT
Presently sponsored by: Kolide believes that maintaining endpoint security shouldn’t mean compromising employee privacy. Check out our manifesto: Honest Security.
How many different angles can you have on one data breach? Facial recognition (which probably isn't actual biometrics), gambling, offshore developers, unpaid bills, extortion, sloppy password practices and now, an arrest. On pondering it more after today's livestream, it's the unfathomable stupidity of publishing
https://www.troyhunt.com/weekly-update-398/
Banks. They screw us on interest rates, they screw us on fees and they screw us on passwords. Remember the old "bank grade security" adage? I took this saying to task almost a decade ago now but it seems that at least as far as password advice goes,
https://www.troyhunt.com/weekly-update-397/
"More Data Breaches Than You Can Shake a Stick At". That seems like a reasonable summary and I suggest there are two main reasons for this observation. Firstly, there are simply loads of breaches happening and you know this already because, well, you read my stuff! Secondly, there
https://www.troyhunt.com/weekly-update-396/
Data breach verification: that seems like a good place to start given the discussion in this week's video about Accor. Watch the vid for the whole thing but in summary, data allegedly taken from Accor was published to a popular hacking forum and the headlines inevitably followed. However,
https://www.troyhunt.com/weekly-update-395/
I suggest, based on my experiences with data breaches over the years, that AT&T is about to have a very bad time of it. Class actions following data breaches have become all too common and I've written before about how much I despise them. The trouble
https://www.troyhunt.com/weekly-update-394/
A serious but not sombre intro this week: I mentioned at the start of the vid that I had the classic visor hat on as I'd had a mole removed from my forehead during the week, along with another on the back of my hand. Here in Australia,
https://www.troyhunt.com/weekly-update-393/
Let's get straight to the controversial bit: email address validation. A penny-drop moment during this week's video was that the native browser address validator rejects many otherwise RFC compliant forms. As an example, I asked ChatGPT about the validity of the pipe symbol during the live
https://www.troyhunt.com/weekly-update-392/
I hate having to use that word - "alleged" - because it's so inconclusive and I know it will leave people with many unanswered questions. (Edit: 12 days after publishing this blog post, it looks like the "alleged" caveat can be dropped, see the
https://www.troyhunt.com/inside-the-massive-alleged-att-data-breach/
I'm in Japan! Without tripod, without mic and having almost completely forgotten to do this vid, simply because I'm enjoying being on holidays too much 😊 It was literally just last night at dinner the penny dropped - "don't I normally do something
https://www.troyhunt.com/weekly-update-391/
Over the last 6 years, we've been very happy to welcome dozens of national governments to have unhindered access to their domains in Have I Been Pwned, free from cost and manual verification barriers. Today, we're happy to welcome Liechtenstein's National Cyber Security Unit
https://www.troyhunt.com/welcoming-the-liechtenstein-government-to-have-i-been-pwned/
Let me begin by quoting Stefan during the livestream: "Turns out having tons of data integrity is expensive". Yeah, and working with tons of data in a fashion that's both fast and cost effective is bloody painful. I'm reminded of the old
https://www.troyhunt.com/weekly-update-390/
Back in 2018, we started making Have I Been Pwned domain searches freely available to national government cybersecurity agencies responsible for protecting their nations' online infrastructure. Today, we're very happy to welcome Germany as the 35th country to use this service, courtesy of their CERTBund department. This
https://www.troyhunt.com/welcoming-the-german-government-to-have-i-been-pwned/
How on earth are we still here? You know, that place where breached companies stand up and go all Iraqi information minister on the incident as if somehow, flatly denying the blatantly obvious will make it all go away. It's the ease of debunking the "no breach
https://www.troyhunt.com/weekly-update-389/
It's just been a joy to watch the material produced by the NCA and friends following the LockBit takedown this week. So much good stuff from the agencies themselves, not just content but high quality trolling too. Then there's the whole ecosystem of memes that have
https://www.troyhunt.com/weekly-update-388/
I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. Just as a brief reminder, they look like this: These get through all the
https://www.troyhunt.com/thanks-fedex-this-is-why-we-keep-getting-phished/
AT&T Blogs
2024-05-01

Executive Summary

The “Security Alert” scam is a prevalent tech-support fraud that threatens both Windows and Apple users. It exploits the trust of users by masquerading as an official support site, using fake pop-up warnings to lure users into dialing scam phone numbers by conveying a sense of urgency. The ultimate goal is gaining remote access to the user’s system and pilfering personal data to extort money.

Combating a “Security Alert” scam is difficult on many fronts because most of the time attackers leverage newly registered domains, which means there is a lack of malicious OSINT (open-source intelligence), and they are able to bypass traditional detection methods. To gain remote access, attackers need the end user to call into a fraudulent support team to install a Remote Desktop Protocol (RDP) tool. An endpoint detection and response (EDR) tool might not catch the initial intrusion as such tools are also used for legitimate business reasons. The most successful way to combat phishing/scams is by end-user education and communication with the IT department.

In a recent incident, a fake “Microsoft Security Alert” domain targeted one of our Managed Endpoint Security with SentinelOne customers, causing alarm for the end users and IT staff, but fortunately, the end user did not fall into the trap of calling the fraudulent number. The customer immediately contacted their assigned Threat Hunter for support and guidance, and the Threat Hunter was able to quickly utilize the security measures in place, locate multiple domains, and report them to the Alien Labs threat intelligence team. AT&T Cybersecurity was one of the first cybersecurity companies to alert on the domains and share the information via the Open Threat Exchange (OTX) threat intelligence sharing community, helping other organizations protect against it.

Investigation

Initial Alarm Review

The initial security layers failed to raise alarms for several reasons. First, the firewalls did not block the domain because it was newly registered and therefore not yet on any known block lists. Second, the platform did not create any alarms because the domain’s SSL certificates were properly configured. Finally, the EDR tool did not alert because no downloads were initiated from the website.

The first indication of an issue came from an end user who feared a hack and reported it to the internal IT team. Utilizing the information provided by the end user, the Threat Hunter was able to locate the user's asset. Sniffing the URL data revealed a deceptive “Microsoft Security Alert” domain and a counterfeit McAfee website. These were detected largely because of improvements recommended during the customer's monthly meetings with the Threat Hunter, including a recommendation to activate the SentinelOne Deep Visibility browser extension, which is the tool that was instrumental in capturing URL information with greater accuracy after all the redirects.

Figure 1 – Fake Microsoft Support page
Figure 2 – Fake McAfee page

Indicators of Compromise (IOCs)

Artifact (Indicator of Compromise)   IOC
Fake McAfee Page                     bavareafastrak[.]org
Website Hosting Scam Pages           Galaxytracke[.]com
Zip file hash                        Tizer.zip - 43fb8fb69d5cbb8d8651af075059a8d96735a0d5

Figure 3 – Indicators of compromise

Expanded Investigation

Events Search

With the understanding that the endpoint must have accessed a website featuring the fraudulent support page, the search for the event was streamlined to focus on URL requests within a specific time frame. To filter out unnecessary noise, it was necessary to temporarily exclude authentic domains that are associated with commonly used tools within the organization. Once the threat hunter fine-tuned their search parameters, it took a keen eye and leveraging a sandbox environment to find the domain related to the fraudulent support page that the end user had encountered. This threat hunt uncovered a second domain that was posing as a fake McAfee page within the same time frame.

Event Deep-Dive

While OSINT searches yielded limited information, the Threat Hunter could manually explore the website to gain a better understanding of its operations. However, before doing this, it was critical to understand how the user had arrived at the website. Using SentinelOne Storyline technology, the Threat Hunter could correlate the sequence of events leading up to the website visit. They deduced that the user likely visited the site through a link shared on the Microsoft Teams web app, which redirected the user to the fraudulent support page via a clickable ad.

Figure 4 – SentinelOne Deep Visibility findings

Fortunately, SentinelOne was able to capture the main domain before the user was redirected to the landing page. Utilizing virtual machines as a safety precaution, the Threat Hunter was able to visit the domain where they discovered it was hosting multiple directories, some of which contained HTML code that was used to construct the fraudulent support page. Interestingly, some directories contained .zip files that held HTML files for other types of fraudulent support pages, such as Apple, complete with all the images and sounds necessary to create the pages.

Figure 5 – Website hosting fake “Security Alert” sites

Reviewing for Additional Indicators

If we review the Pyramid of Pain, which is a conceptual model that categorizes IOCs and attacker tactics, techniques, and procedures (TTPs) according to how difficult they are for attackers to change, we see that domain names are the third-lowest layer. But how does the attacker move up the Pyramid? By giving end users a fraudulent support page to call! Domains will change daily, but one TTP that attackers will always need is gaining access to the machine. In this case, it was by having the Threat Hunter download the UltraViewer RDP tool.

Figure 6 – Pyramid of Pain

Thanks to SentinelOne’s app inventory capabilities, by correlating a successful URL event match with the installation of this tool, we can gauge the extent to which the end user may have fallen prey to the scam. We also reviewed our fleet of managed customers and found no installations of the UltraViewer tool that would indicate a user had been successfully compromised.

Figure 7 – Download of UltraViewer assisted by scammer

Combating Adversaries

Our Alien Labs threat intelligence team promptly added the two domains we identified to an OTX pulse, which enables us to alert on any assets that visit these websites. We recommend that our customers conduct ongoing training with end users to help prevent them from falling victim to the latest scams. Additionally, the malicious domains detected should be blocked at the firewall. Although the threat actors behind these websites have changed their display, the domains remain active. They will continue to be monitored on OTX because of their past activity and potential future use.

Blocking IOCs is only one component of a cybersecurity strategy. And this is why, during monthly calls with our Managed Endpoint Security with SentinelOne customers, we not only discuss the results of our latest threat hunts but also review applications installed in their environments. We provide guidance on how to enhance visibility in their environments, and one way to do this is by activating the SentinelOne Deep Visibility extension, which can significantly improve the tracking of URL events, such as those that occurred in this incident.
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-combating-security-alert-scams
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

In the domain of digital forensics, volatile data assumes a paramount role, characterized by its ephemeral nature. Analogous to fleeting whispers in a bustling city, volatile data in Linux systems resides transiently within the Random Access Memory (RAM), encapsulating critical system configurations, active network connections, running processes, and traces of user activities. Once a Linux machine powers down, this ephemeral reservoir of information dissipates swiftly, rendering it irretrievable. Recognizing the significance of timely incident response and the imperative of constructing a detailed timeline of events, this blog embarks on an exhaustive journey, delineating a systematic approach fortified with best practices and indispensable tools tailored for the acquisition of volatile data within the Linux ecosystem.

Conceptually, volatile data serves as a mirror reflecting the real-time operational landscape of a system. It embodies a dynamic tapestry of insights, ranging from system settings and network connectivity to program execution and user interactions. However, the transient nature of this data necessitates proactive measures to capture and analyse it before it evaporates into the digital void. In pursuit of elucidating this intricate process, we delve into a meticulous exploration, elucidating each facet with precision and clarity. Through a curated synthesis of established methodologies and cutting-edge tools, we equip forensic practitioners with the requisite knowledge and skills to navigate the complexities of volatile data acquisition in live Linux environments.

Join us as we unravel the intricacies of digital forensics, embark on a journey of discovery, and empower ourselves with the tools and techniques necessary to unlock the secrets concealed within live Linux systems.

Before proceeding, it's vital to grasp what volatile data encompasses and why it's so important in investigations:

System Essentials:
· Hostname: Identifies the system
· Date and Time: Contextualizes events
· Timezone: Helps correlate activities across regions
· Uptime: Reveals system state duration

Network Footprint:
· Network Interfaces: Active connections and configurations
· Open Ports: Potential entry points and services exposed
· Active Connections: Shows live communication channels

Process Ecosystem:
· Running Processes: Active programs and their dependencies
· Process Memory: May uncover hidden execution or sensitive data

Open Files:
· Accessed Files: Sheds light on user actions
· Deleted Files: Potential evidence recovery point

Kernel Insights:
· Loaded Modules: Core extensions and potential rootkits
· Kernel Ring Buffers (dmesg): Reveals driver or hardware events

User Traces:
· Login History: User activity tracking
· Command History: Executed commands provide insights

Before diving into the acquisition process, it's essential to equip yourself with the necessary tools and commands for gathering volatile data effectively. For the purpose of demonstration I will be using Linux Mint.

Hostname, Date, and Time:
· hostname: Retrieves the system's hostname.
· date: Displays the current date and time.
· cat /etc/timezone: Shows the system's timezone configuration.

System Uptime:
· uptime: Provides information on system uptime since the last restart.

Network Footprint:
· ip addr show: Lists active network interfaces and their configurations.
· netstat -rn: Displays routing tables, aiding in understanding network connections.

Open Ports and Active Connections:
· netstat -tulpn: Lists open TCP and UDP ports along with associated processes.
· lsof -i -P -n | grep LISTEN: Identifies processes listening on open ports.

Running Processes and Memory:
· ps aux: Lists all running processes, including their details.
· /proc/<pid>/maps: Accesses memory mappings for a specific process, revealing potentially sensitive information.

Open Files:
· lsof: Lists all open files and their associated processes.
· /proc/<pid>/fd/: Provides information about file descriptors for a specific process. To utilise this, we can take PIDs from the ps aux output above. In the below snapshot I used cd /proc/27/fd && ls -l

Kernel Insights:
· lsmod: Lists loaded kernel modules, including potential rootkits.
· dmesg: Displays kernel ring buffer messages, uncovering hardware or driver events.

User Activity:
· /var/log/auth.log: Contains user login history.
· ~/.bash_history: Stores command history for each user, offering insights into executed commands.

It is advisable to try and test the given commands and correlate the findings to understand Linux volatile memory in depth. Armed with this understanding and equipped with the necessary commands and tools, forensic investigators can proceed with the acquisition of volatile data from live Linux systems. In the next blog post, we will explore how to perform acquisition using the Volatility framework and other tools on Linux machines, further enhancing our forensic capabilities. Stay tuned for more insights into the fascinating world of digital forensics!
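The commands above, wrapped into a single acquisition run as an added example (not from the original post or its author): each command runs only if installed, its output goes to its own file, and a manifest records the UTC time, exit status and SHA-256 of every artifact so the capture can later be shown to be unaltered. The output directory, the `ss`/`ip route` substitutes for the post's `netstat` forms, and the unfiltered `lsof -i -P -n` (the post pipes it through `grep LISTEN`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the commands listed
# above into one acquisition run. Each command runs only if installed,
# its output goes to its own file, and manifest.tsv records the UTC
# time, exit status and SHA-256 of every artifact so the capture can
# later be shown to be unaltered. OUTDIR is the caller's choice
# (assumption: removable media, never the disk under investigation).

# run_step NAME COMMAND [ARGS...]: run one command, file its output,
# and append a manifest line. Never aborts: a failure is evidence too.
run_step() {
    name=$1; shift
    out="$OUTDIR/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 && status=0 || status=$?
    else
        printf 'command not available: %s\n' "$1" >"$out"
        status=127
    fi
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$out" | cut -d' ' -f1)
    else
        sum=unavailable
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$status" "$sum" "$*" \
        >>"$OUTDIR/manifest.tsv"
}

# collect_volatile OUTDIR: acquire in order of volatility, the state
# that changes fastest (connections, processes) before the stable bits.
collect_volatile() {
    OUTDIR=$1
    mkdir -p "$OUTDIR" || return 1
    : >"$OUTDIR/manifest.tsv"

    # Open ports, active connections, routes (ss/ip replace netstat on
    # current distributions; the post's netstat forms are the fallback).
    if command -v ss >/dev/null 2>&1; then
        run_step connections ss -tulpn
    else
        run_step connections netstat -tulpn
    fi
    run_step listeners lsof -i -P -n   # post filters with grep LISTEN
    if command -v ip >/dev/null 2>&1; then
        run_step routes ip route show
    else
        run_step routes netstat -rn
    fi
    run_step interfaces ip addr show
    # Process ecosystem and open files
    run_step processes ps aux
    run_step open_files lsof
    # Kernel insights
    run_step modules lsmod
    run_step dmesg dmesg
    # System essentials
    run_step hostname hostname
    run_step date date
    run_step timezone cat /etc/timezone
    run_step uptime uptime
    # User traces (paths as on the post's Debian-based Linux Mint)
    run_step auth_log cat /var/log/auth.log
    run_step bash_history cat "$HOME/.bash_history"

    # Seal the manifest itself so the record of records is covered too.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$OUTDIR/manifest.tsv" >"$OUTDIR/manifest.sha256"
    fi
}

# manifest_entries OUTDIR: number of artifacts recorded (14 per run).
manifest_entries() {
    wc -l <"$1/manifest.tsv" | tr -d ' '
}

# Usage: sh acquire.sh collect /mnt/usb/case-001
case "${1:-}" in
    collect) collect_volatile "$2" ;;
esac
```

Missing tools and permission errors (dmesg with kernel.dmesg_restrict, an unreadable auth.log) are recorded with their exit status rather than stopping the run, which is what you want when the host may be rebooted at any moment.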
https://cybersecurity.att.com/blogs/security-essentials/volatile-data-acquisition-from-live-linux-systems-part-i
The evolution of tech necessitates stronger cybersecurity. Financial information is appealing to hackers trying to steal identities and commit fraud. These bad actors are evolving with tech to figure out ways to bypass the increasingly robust cybersecurity measures. Organizations commonly use physical biometric applications, like fingerprinting and facial recognition, when they’re conducting transactions, when people are entering buildings, and when they’re logging into sites with sensitive information. However, you need a stronger layer of security to keep your information safe. This is where behavioral biometrics comes in.

Possible Financial Security Issues

Consumers lose millions of dollars due to fraud every year, according to the FTC. Online shopping is the number one avenue where this money is lost, with bad investments and illegitimate businesses falling close behind. There is an increasing number of ways that scammers can gain access to your information or social engineer you into spending money. Some examples include phishing emails, password attacks, and malware. Often, hackers will also target people whom they profile as gullible. Charity scams are unfortunately rampant, including scammers pretending to be charitable organizations like the Red Cross. These crop up when disaster strikes, and they masquerade as legitimate ways to donate. Other scammers will pretend to be individuals in need, family members, or even government organizations. Either way, the money goes to the scammers. To avoid this, you should always double-check links and, more importantly, log in to a reputable site when entering any credit card or banking information.

Financial institutions are surprisingly not the most targeted, but they are still rife with sensitive info that can be vulnerable to hackers if not guarded correctly. Cybersecurity in online banking is extremely important. There can be data breaches, customer phishing scams, and even offshore banking transparency issues. Enhanced security must be in place to prevent these scams, including encryption, multi-factor authentication, threat detection, and biometrics.

Why Stronger Biometrics Are Necessary

Physical biometrics are the most common form of biometrics employed for financial security currently. However, bad actors have learned how to bypass these physical barriers. Printed-out photos can work for face identification, and fingerprints and palm prints can be stolen and imprinted onto soft surfaces and then used for sign-ins. Evolving threats demand cybersecurity measures that are as far advanced as possible.

Behavioral biometrics takes things a step further by analyzing the behavior patterns of device users. Then, these patterns can be developed over time and set to be recognized by the device. These behaviors can be digital or in-person and include factors like:
· Gait
· Posture
· Signatures
· Keystroke patterns
· Cursor movement
· Cognitive patterns
· Vocal patterns

These patterns are unique to each person and can identify them more reliably than their external biological features. While physical biometrics are hard to replicate, it is not impossible. Sophisticated hackers can use synthetic identity fraud in which they fraudulently use someone’s information. Fraudsters forge biometrics like fingerprints through sophisticated copying methods. It’s best to operate under the assumption that all traffic can be malicious. This means incorporating the highest level of cybersecurity possible, including behavioral biometrics.

Integrating Behavioral Biometrics Into the Finance Industry

The finance industry and any institution that deals with sensitive financial information needs to integrate behavioral biometrics into their cybersecurity tactics. The adoption of physical biometrics was gradual, with fingerprint scanners showing up sporadically on card readers in banks and retail establishments. For behavioral biometrics to be integrated into society, businesses and organizations need to understand the importance of their application. These institutions need to educate their teams about this new tech, explaining the need for the extra layer of identity verification and what can happen if it isn’t employed. They should be able to visualize the process of the customer journey in a simplified way, allowing them to identify areas for cybersecurity improvement.

Unlike traditional methods, behavioral biometrics can deliver continuous verification. Instead of limiting verification to sign-in or entrance to banking institutions, sensors and algorithms must be integrated so fully that they continue to monitor a user’s entire interaction. This can mean tracking keystroke patterns the entire time a banking customer is on a website and performing online banking activities. It can also mean installing cameras with sensors to continuously monitor the posture and gait of people in in-person scenarios with sensitive information, like ATMs, retail transactions, and brick-and-mortar banking activities.

The Future of Financial Security

Prioritizing financial security means finding a way to integrate behavioral biometrics into everyday life. Banks, retail establishments, e-commerce sites, and any business that deals with sensitive information will have to change their verification process. The future requires a seamless integration, adding behavioral biometrics without disrupting the user experience.

For behavioral biometrics to reach their full potential in financial security, consumers must also remain vigilant. If they feel their privacy is being invaded or their experience is hindered, they may not choose to engage in these enhanced security measures. Instead, the future of financial security will depend on the industry’s ability to educate, monitor, and cater to citizens through their cybersecurity design. With behavioral biometrics in place, cybersecurity attacks are likely to decrease, and financial security will be more accessible for all.
https://cybersecurity.att.com/blogs/security-essentials/enhancing-financial-security-through-behavioral-biometrics
Understanding the factors influencing cybercriminal behavior is essential for developing effective cybercrime prevention strategies. Rationality plays a significant role in shaping criminal decisions, particularly through the lens of the rational actor model and deterrence theory. This blog explores how rationality influences cybercriminal behavior, focusing on the rational actor model, the concepts of deterrence theory, their implications for understanding and preventing cybercrime activities, and how Bayesian theory can support risk management despite the indeterministic nature of human criminal behavior.
Brief History of Deterrence Theory:
Deterrence theory has its roots in classical criminology and the works of philosophers such as Cesare Beccaria and Jeremy Bentham, who introduced the concept of deterrence as a means of preventing crime through the application of punishment. The idea was developed further during the mid-20th century, when the theory of nuclear deterrence emerged as a prominent concept in international relations. The understanding of deterrence broadened to be applied not only in preventing nuclear conflict but also in the context of criminal justice. John Nash, through his work in game theory, contributed significantly to the understanding of strategic decision-making and the potential for deterrence in various competitive situations. His insights were crucial in shaping the modern understanding of deterrence theory, particularly when applied to criminal decision-making and cybersecurity.[1]
Explanation of Deterministic, Non-Deterministic, and Indeterministic:
Deterministic: In the context of decision-making, determinism refers to the philosophical concept that all events, including human actions, are the inevitable result of preceding causes. This perspective suggests that given the same initial conditions and knowledge, an individual's choices can be predicted with certainty. In other words, under deterministic assumptions, human behavior can be seen as fully predictable.[2]
Non-Deterministic: Non-deterministic views reject the idea that every event, including human actions, can be precisely determined or predicted based on preceding causes. Instead, non-deterministic perspectives acknowledge the role of uncertainty, chance, and randomness in decision-making. From this standpoint, human behavior is seen as influenced by a combination of factors, including personal choice, external circumstances, and unpredictable elements.[3]
Indeterministic: Indeterminism represents a specific form of non-determinism. In the context of decision-making, indeterministic views emphasize the idea that certain events or actions, particularly human choices, are not entirely determined by preceding causes or predictable factors. Instead, they are seen as influenced by random or unpredictable elements, such as personal spontaneity, free will, or external factors that defy precise prediction.[4]
The Indeterministic Nature of Cybercriminal Behavior:
The indeterministic nature of cybercriminal behavior suggests that not all cybercrimes are the result of rational choices. Some individuals may engage in cybercriminal behavior due to impulsive actions, vulnerabilities in systems, or external pressures that override rational decision-making processes. These factors highlight the limitations of relying solely on rationality as an explanatory framework for cybercriminal behavior.
Rationality and the Rational Actor Model in Cybercrime:
The rational actor model suggests that cybercriminals are rational decision-makers who engage in a cost-benefit analysis before committing a cybercrime.[5] According to this model, cybercriminals weigh the potential benefits and costs of engaging in cybercriminal behavior and make a rational choice based on their assessment.
The rational actor model assumes that cybercriminals have the capability to accurately assess the potential outcomes of their cyber actions and aim to maximize their self-interest.[6] It suggests that cybercriminal behavior is a result of rational decision-making processes where the benefits of the cyber act outweigh the costs. As discussed in the AT&T Cybersecurity Blog titled “Attacker Motivations”, there are 7 basic motivations that drive cybercrime. These include:
· Financial (extrinsic) – Theft of personally identifiable information (PII) that is then monetized is a classic example of the financial motivation of cyberattacks. Primarily perpetrated by organized criminal groups, this motivation represents a large percentage of cyberattacks against retailers and health care providers.
· Social/Political “Hacktivism” (primarily intrinsic) – Social or ideological issues create a motivation for some to attack organizations to make a statement. The hacking and defacement of a U.S. Government system in which the attackers post disparaging remarks about capitalism or democracy would be a solid example of hacktivism.
· Espionage (extrinsic) – Generally, we think of cyber espionage in terms of theft of intellectual property, but it could also be focused upon the theft of confidential information related to acquisitions, marketing plans and other types of data. Nation state actors are considered the largest group of cyber espionage attackers, but there have been examples of companies engaging in cyber espionage against competitors.
· Revenge (intrinsic) – Disgruntled employees or former employees are those that typically commit the lion’s share of revenge-based cyberattacks. The news is replete with stories of disgruntled former employees attacking their former employers.
· Nuisance/Destruction (intrinsic) – There are some that are intrinsically motivated to simply attack an organization or person for no other reason than to create chaos and destruction. It is unfortunate but true. A great example is that of the notorious bank robber “Slick” Willie Sutton. There is an apocryphal story about why he robbed banks: when asked, he was reported to have said that he robbed banks because “that is where the money is”. In reality he stated he “simply loved to rob banks”. Money was not a motivating factor.
· War/Defense (extrinsic) – In the 21st century it would be irresponsible to ignore the role that nation states and even ‘patriot hackers’ play in either initiating or defending against adversaries. Disrupting supply chains, destroying centrifuges and other attacks can be classified as War/Defense driven. The Stuxnet worm, identified in 2010 and used to destroy Iranian centrifuges, is but one relevant example of such a motivation.
· Facilitation (extrinsic) – Cyber attackers frequently use proxies and other systems to attack their final target. For this reason, it is important to note that some organizations and systems may simply be convenient targets which enable and facilitate attackers’ actions. Consider botnets: systems are compromised to enable them to then attack other systems. The compromise of a system within the botnet is simply used to facilitate another attack.
Deterrence Theory in the Context of Cybercrime:
Deterrence theory is a key framework for understanding the influence of rationality on cybercriminal decision-making. It posits that cybercriminals are deterred from engaging in cybercrimes when the perceived costs outweigh the benefits. The theory operates on the assumption that cybercriminals are rational actors who can assess the potential consequences of their cyber actions and make decisions based on the expected utility.[7] Deterrence theory emphasizes three key elements in the context of cybercrime: severity, certainty, and swiftness of punishment. Severity refers to the harshness of the punishment imposed for cybercrimes.
Certainty refers to the likelihood of being caught and punished for the offense, while swiftness refers to the promptness with which the punishment is administered. According to deterrence theory, an increase in the severity, certainty, or swiftness of punishment should deter cybercriminals from engaging in cybercrimes.
The Impact of Deterrence on Cybercriminal Decision-Making:
The concepts of deterrence theory have significant implications for cybercriminal decision-making. Efforts to enhance cybersecurity and the presence of effective law enforcement in the cyber realm can serve as deterrents, influencing cybercriminals to refrain from engaging in cybercriminal activities. The perceived certainty of being identified and caught acts as a deterrent, as cybercriminals are more likely to consider the potential costs and consequences of their cyber actions when they believe they will be caught.[8] Similarly, the severity of punishment plays a crucial role in deterring cybercrimes. Harsh legal penalties, significant fines, or other severe consequences increase the perceived costs of engaging in cybercriminal behavior, making it less likely that cybercriminals will choose such actions. Additionally, the swiftness of punishment is important, as delayed consequences may weaken the deterrent effect. Swift action in identifying and punishing cybercriminals ensures that they experience the connection between their cyber behavior and its consequences, reinforcing the deterrent effect.
However, it is essential to recognize the limitations of deterrence theory and the rational actor model when explaining cybercriminal behavior. Human behavior, including cybercriminal behavior, is often influenced by factors beyond rational calculation. Emotions, psychological factors, social influences, and situational contexts can all impact decision-making, leading individuals to engage in cybercriminal behavior despite the rational assessment of costs and benefits.[9]
The Role of Bayesian Theory in Overcoming Indeterministic Behavior for Risk Management:
Bayesian theory offers a powerful tool for managing risk in the face of indeterministic human criminal behavior. By providing a framework for updating beliefs and probabilities in light of new evidence, Bayesian theory allows for a nuanced and dynamic understanding of risk. In the context of cybercrime, Bayesian methods can be employed to continuously assess and update the probability and impact of potential threats, enhancing the capacity to anticipate and mitigate criminal activities that may not conform to simple deterministic or rational models.[10] AT&T’s blog titled “Quantifying CyberRisks to Solve the Riddle” provides an overview of how conditional probability theory can be used to more accurately gauge cyber risks.
Conclusion:
Rationality significantly influences cybercriminal behavior, particularly through the rational actor model and deterrence theory. The rational actor model posits that cybercriminals engage in cyber activities after considering the potential benefits and costs. Deterrence theory emphasizes the importance of perceived costs in deterring cybercrime, highlighting the significance of severity, certainty, and swiftness of punishment. However, it is crucial to acknowledge the inherent indeterministic aspects of cybercriminal behavior. Emotions, psychological factors, and situational contexts can impact cybercriminal decision-making, leading individuals to engage in cybercrime despite the rational assessment of costs and benefits.
Acknowledging these complexities and leveraging flexible risk management models such as Bayesian theory is essential for a comprehensive understanding of cybercriminal behavior and the development of effective cybercrime prevention strategies. In overcoming indeterministic human criminal behavior, Bayesian theory provides an invaluable asset for risk management by allowing for the formulation of more flexible and adaptive strategies for cybercrime prevention. It offers a means to continuously update and refine risk assessments, particularly in scenarios where traditional rational and deterministic models may fall short in providing effective countermeasures.
AT&T’s Risk Advisory Services can help clients understand and quantify or qualify risks, as appropriate, so that risks can be prioritized and addressed in an efficient and cost-effective manner. From enterprise risk management solutions to compliance-based consulting and management, AT&T provides comprehensive risk management for organizations of all sizes.
References:
[1] Nash, J. (1950). Equilibrium points in n-person games. Proceedings of the National Academy of Sciences, 36(1), 48-49.
[2] Tsementzis, D. (2011). Deterministic and stochastic models of AIDS epidemiology. Springer Science & Business Media.
[3] Cartwright, N. (2010). The Dappled World: A Study of the Boundaries of Science. Cambridge University Press.
[4] Broad, C. D. (2011). Determinism, indeterminism and libertarianism. Routledge.
[5] Cornish, D. B., & Clarke, R. V. (Eds.). (2014). The reasoning criminal: Rational choice perspectives on offending. Routledge.
[6] Nagin, D. S., & Pogarsky, G. (2003). An experimental investigation of deterrence: Cheating, self-serving bias, and impulsivity. Criminology, 41(1), 167-194.
[7] Cressey, D. R. (1960). Deterrence, rationality, and corruption. In J. Menell & P. Thompson (Eds.), White-Collar Crime: Theory and Research (pp. 25-36). Free Press.
[8] Hollis, M. (2015). The philosophy of social science: An introduction. Cambridge University Press.
[9] Becker, G. S. (1968). Crime and punishment: An economic approach. Journal of Political Economy, 76(2), 169-217.
[10] Lindley, D. V. (2006). Understanding uncertainty. John Wiley & Sons.
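The Bayesian updating the post describes, as an added example that is not part of the post or of any AT&T material: a prior probability that an account is under attack is revised as detection indicators fire or stay silent, and the posterior is turned into an expected loss for prioritization. All indicator names and probabilities are constructed for illustration.

```python
"""Sequential Bayesian updating of a threat probability, the kind of
risk-management calculation used when attacker behaviour cannot be
predicted deterministically.

Added example; indicator names and every number below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One piece of evidence with its likelihood under each hypothesis."""
    name: str
    p_given_threat: float   # P(indicator fires | account is under attack)
    p_given_benign: float   # P(indicator fires | no attack), i.e. false-positive rate


def bayes_update(prior: float, p_given_threat: float, p_given_benign: float,
                 observed: bool = True) -> float:
    """Return P(threat | evidence) from P(threat) and the two likelihoods.

    When the indicator did NOT fire, its absence is itself evidence, so the
    complementary likelihoods (1 - p) are used instead.
    """
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    if observed:
        lt, lb = p_given_threat, p_given_benign
    else:
        lt, lb = 1.0 - p_given_threat, 1.0 - p_given_benign
    joint_threat = prior * lt
    joint_benign = (1.0 - prior) * lb
    return joint_threat / (joint_threat + joint_benign)


def update_sequence(prior: float, observations) -> list[tuple[str, float]]:
    """Apply indicators one at a time; return the (name, posterior) trail.

    observations: iterable of (Indicator, fired: bool). Indicators are
    treated as conditionally independent given the hypothesis (the usual
    naive-Bayes assumption; correlated indicators would over-count).
    """
    trail = []
    p = prior
    for ind, fired in observations:
        p = bayes_update(p, ind.p_given_threat, ind.p_given_benign, fired)
        trail.append((ind.name, p))
    return trail


def expected_loss(posterior: float, impact: float) -> float:
    """Risk as probability-weighted impact, the quantity used to rank threats."""
    return posterior * impact


# Constructed indicators for a credential-stuffing scenario (values illustrative).
PASSWORD_SPRAY_FAILURES = Indicator("burst of failed logins across accounts", 0.80, 0.10)
NEW_DEVICE = Indicator("login from never-seen device", 0.70, 0.30)
IMPOSSIBLE_TRAVEL = Indicator("impossible travel between logins", 0.60, 0.02)

if __name__ == "__main__":
    base_rate = 0.02  # prior: 2% of accounts under attack in the current window
    trail = update_sequence(base_rate, [
        (PASSWORD_SPRAY_FAILURES, True),
        (NEW_DEVICE, True),
        (IMPOSSIBLE_TRAVEL, False),   # silent indicator pulls the estimate back down
    ])
    for name, p in trail:
        print(f"{name:45s} -> P(threat) = {p:.3f}")
    print("expected loss at $50k impact:",
          round(expected_loss(trail[-1][1], 50_000), 2))
```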
https://cybersecurity.att.com/blogs/security-essentials/understanding-how-rationality-deterrence-theory-and-indeterminism-influence-cybercrime
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In an era where technology and transportation converge, the fusion of vehicles with IoT technologies heralds a new dawn of mobility. This leap forward promises enhanced connectivity and autonomous capabilities, yet casts a shadow of cyber vulnerabilities that could jeopardize not just the integrity of the vehicles but the safety of their passengers. Recognizing the urgency of this issue, the UNECE stepped forward with the R155 regulation, a vanguard initiative to fortify the digital fortresses of our vehicles against potential cyber onslaughts.
The Genesis of UNECE R155: Forging the Shields of Cybersecurity
The essence of the UNECE R155 regulation unfolds as a carefully crafted framework designed to preemptively address the burgeoning threat landscape in the automotive sector. Rooted in the principle of proactive defense, R155 isn't just about compliance; it represents a paradigm shift in how vehicle cybersecurity is perceived and integrated. At its core, the regulation mandates the establishment of a Cybersecurity Management System (CSMS), compelling manufacturers to weave a tapestry of cyber resilience that spans the entire lifecycle of a vehicle. The ambition of R155 is pretty clear at this point: to transform the automotive industry's approach to cybersecurity from reactive patchwork to a strategic, foundational pillar. This involves not only the adoption of 'security by design' principles but also a commitment to continual vigilance and adaptation in the face of evolving cyber threats. The regulation, thus, sets the stage for a future where vehicles are not merely transport mechanisms but fortified nodes within an expansive network of connected mobility.
The Journey to CSMS Certification
The path to CSMS certification under R155 is a clear yet challenging journey that demands attention to detail and a commitment to security from vehicle manufacturers. This process starts with a thorough risk assessment, where manufacturers must identify any potential cybersecurity risks within their vehicles. This step is crucial for understanding where vulnerabilities might exist and how they can be addressed to ensure vehicles are secure. Following this, the principle of 'security by design' becomes central to the certification process. This means that from the very beginning of designing a vehicle, cybersecurity needs to be a key consideration. It's about making sure that security measures are built into the vehicle from the start, rather than being added on later. This approach challenges manufacturers to think about cybersecurity as an integral part of the vehicle, just like its engine or wheels. Achieving certification is a team effort that involves not only the manufacturers but also suppliers and regulatory bodies. It's about working together to make sure that every part of the vehicle, from its software to its hardware, meets the high security standards set out by R155.
Addressing R155 Implementation Challenges
As manufacturers and suppliers gear up to align with the R155 regulation, however, they encounter a set of practical challenges that test their adaptability and foresight. One of the most significant hurdles is the pressing need for new skills. The detailed cybersecurity requirements of R155 demand a workforce that is not only proficient in traditional automotive engineering but also versed in the nuances of cybersecurity. This dual expertise is not commonplace, prompting organizations to invest in extensive training or scout for new talent, adding layers of complexity to their operational dynamics. Another considerable challenge lies in the adjustments required in the design processes. The 'security by design' principle advocated by R155 necessitates a paradigm shift in how vehicles are conceived. Manufacturers are tasked with integrating cybersecurity measures right from the conceptual stages, ensuring these considerations are as fundamental as the vehicle's performance or aesthetics. This shift often means reevaluating established workflows and possibly extending development timelines to accommodate the additional focus on cybersecurity. The early integration of cybersecurity considerations presents its own set of complexities. It demands a proactive approach where potential risks are identified and mitigated well before they can manifest into vulnerabilities. This proactive stance requires a deep understanding of cyber threats and an ability to anticipate future challenges, pushing manufacturers to remain vigilant and responsive to the rapidly evolving cyber landscape. Together, these challenges underscore the demanding nature of R155 compliance. They reflect the regulation's comprehensive approach to enhancing automotive cybersecurity but also highlight the significant effort required from manufacturers and suppliers to meet these standards.
R155's Transformative Impact on the Automotive Industry
The introduction of the UNECE R155 regulation marks a pivotal moment for the automotive industry, heralding a new era of digital resilience and consumer trust. One of the most significant outcomes of this regulation is the bolstering of cybersecurity across the board, creating vehicles that are not just smarter but safer. This heightened security is a boon for consumer confidence, as buyers increasingly prioritize digital safety in their connected vehicles alongside traditional safety measures. However, the journey to compliance is not without its challenges. The implementation of R155 entails considerable investment from manufacturers and suppliers, not just financially but also in terms of time and resources. Developing and integrating advanced cybersecurity measures, training staff, and adapting to new design processes contribute to rising operational costs. Moreover, the dynamic nature of cyber threats necessitates an ongoing commitment to vigilance and adaptation, adding a layer of continuous effort in monitoring and updating cybersecurity measures. Despite these challenges, the regulation's comprehensive approach to cybersecurity is a testament to the industry's commitment to safeguarding the digital integrity of vehicles. It represents a significant step forward in protecting not only the vehicles and the networks they connect to but, most importantly, the people they serve.
Steering Into a Secure Future
As we reflect on the journey through the intricacies of the UNECE R155 regulation, it's clear that its impact extends far beyond the immediate challenges of implementation. R155 is not just a set of requirements; it's a catalyst for change, driving the automotive industry toward a future where digital safety is ingrained in every vehicle that rolls off the production line. The road ahead is undoubtedly challenging, with hurdles like the need for new skills, rising costs, and the demand for ongoing vigilance. Yet, the destination—a world where vehicles are as secure in the digital realm as they are on the road—is worth every effort. Embracing R155 is about more than compliance; it's about committing to a vision of automotive innovation that places security at its heart. As manufacturers, suppliers, and regulatory bodies come together to navigate these changes, they pave the way for an industry that prioritizes the safety and trust of its consumers above all. In this digital age, where connectivity and cybersecurity are intertwined, the automotive industry's journey toward enhanced digital resilience under R155 is a beacon of progress, illuminating the path toward a safer, more secure automotive future.
https://cybersecurity.att.com/blogs/security-essentials/the-impact-of-unece-r155-on-automotive-cybersecurity
With the rise of remote and flexible work arrangements, Bring Your Own Device (BYOD) programs that allow employees to use their personal devices for work are becoming increasingly mainstream. In addition to slashing hardware costs, BYOD improves employee satisfaction by 56% and productivity by 55%, a survey by Crowd Research Partners finds. Yet cybersecurity remains a concern for businesses: 72% are worried about data leakage or loss, while 52% fear the potential for malware on personal devices. But by implementing a strong BYOD policy and educating your employees on cybersecurity best practices, you can reap the benefits of BYOD without putting your company assets and data at risk.
Put a Formal BYOD Policy in Place
Just as your business has acceptable use policies in place for corporate devices, similar policies for personal devices are just as important. Your company’s BYOD policy should provide your employees with clear rules and guidelines on how they can use their devices safely at work without compromising cybersecurity. This policy should cover:
- Devices, software, and operating systems that can be used to access digital business resources
- Devices, software, and operating systems that can’t be used to access digital business resources
- Policies that outline the acceptable use of personal devices for corporate activities
- Essential security measures employees must follow on personal devices (such as complex passwords and regular security updates)
- Steps employees must follow if their device is stolen or lost (like immediately reporting it to their manager or IT department)
- A statement that your business will remotely erase company-related data from lost or stolen devices
- What happens if an employee violates your BYOD policy (are you going to revoke certain access privileges? If you give employees an allowance to cover BYOD costs, will you freeze the funds? Provide additional corrective training?)
Don’t forget to also include a signature field the employee must sign to indicate their agreement with your BYOD policies. The best time to introduce employees to the policy is during onboarding or, for existing employees, during the network registration process for the BYOD device. Setting expectations and educating your employees is essential to protect both company data and employee privacy.
Basic Cybersecurity Training
When putting together your BYOD employee training program, don’t make the mistake of thinking basic device security is too…basic. It’s not. Since personal devices are usually less secure than corporate devices, they’re generally at a greater risk of data breaches, viruses, and loss or theft. Comprehensive user education that includes the basics is therefore all the more important to mitigate these risks. So as a basic rule, your employees should know not to allow their devices to auto-connect to public networks. If, on rare occasions, employees really do need to access company data on an open network, they should use a virtual private network (VPN). VPNs encrypt data and hide web activity, which adds an extra layer of security when accessing Wi-Fi networks. Shockingly, 22% of businesses say their employees have connected to malicious Wi-Fi networks on their personal devices in the past 12 months. Although it’s second nature for most of us to connect to public Wi-Fi networks, they’re often unsecured and vulnerable to attack, malware, and data breaches. Employees therefore need to understand and know how to mitigate these risks.
Regular Software Updates
You should also educate your employees on the need to regularly update their operating system in order to bridge any security gaps. A whopping 95% of all cyberattacks target unpatched vulnerabilities.
Software updates should therefore be downloaded and installed as soon as they’re released by the manufacturer. The same goes for apps. They also need to be updated regularly so as to fix any weaknesses that can let in malware or be exploited by cybercriminals. Also, emphasize that employees can only use expressly authorized apps for work tasks as unauthorized apps carry a greater risk of data breaches and privacy violations. User education is central to any successful BYOD policy. By communicating a comprehensive BYOD policy to your employees and educating them on cybersecurity best practices, you can reap the advantages of your BYOD policy without risk to your company data or cybersecurity.
https://cybersecurity.att.com/blogs/security-essentials/bring-your-own-device-how-to-educate-your-employees-on-cybersecurity-best-practices
Software code is constantly growing and becoming more complex, and there is a worrying trend: an increasing number of open-source components are vulnerable to attacks. A notable instance was the Apache Log4j library vulnerability, which posed serious security risks. And this is not an isolated incident. Using open-source software necessitates thorough Software Composition Analysis (SCA) to identify these security threats. Organizations must integrate SCA tools into their development workflows while also being mindful of their limitations.
Why SCA Is Important
Open-source components have become crucial to software development across various industries. They are fundamental to the construction of modern applications, with estimates suggesting that up to 96% of all code bases contain open-source elements. Assembling applications from diverse open-source blocks presents a challenge, necessitating robust protection strategies to manage and mitigate risks effectively. Software Composition Analysis is the process of identifying and verifying the security of components within software, especially open-source ones. It enables development teams to efficiently track, analyze, and manage any open-source element integrated into their projects. SCA tools identify all related components, including libraries and their direct and indirect dependencies. They also detect software licenses, outdated dependencies, vulnerabilities, and potential exploits. Through scanning, SCA creates a comprehensive inventory of a project's software assets, offering a full view of the software composition for better security and compliance management. Although SCA tools have been available for quite some time, the recent surge in open-source usage has cemented their importance in application security.
Modern software development methodologies, such as DevSecOps, emphasize the need for SCA solutions for developers. The role of security officers is to guide and assist developers in maintaining security across the Software Development Life Cycle (SDLC), ensuring that SCA becomes an integral part of creating secure software.
Objectives and Tasks of SCA Tools
Software Composition Analysis broadly refers to security methodologies and tools designed to scan applications, typically during development, to identify vulnerabilities and software license issues. For effective management of open-source components and associated risks, SCA solutions help with several tasks:
1) Increasing Transparency
A developer might incorporate various open-source packages into their code, which in turn may depend on additional open-source packages unknown to the developer. These indirect dependencies can extend several levels deep, complicating the understanding of exactly which open-source code the application uses. Reports indicate that 86% of vulnerabilities in Node.js projects stem from transitive (indirect) dependencies, with similar statistics in the Java and Python ecosystems. This suggests that most security vulnerabilities in applications often originate from open-source code that developers might not even be aware of. For cloud applications, open-source components in container images can also pose transparency challenges, requiring identification and vulnerability scanning. While the abstraction containers offer to programmers is beneficial for development, it simultaneously poses a security risk, as it can obscure the details of the underlying components.
2) Grasping the Logic of Dependencies
Accurately identifying dependencies - and the vulnerabilities they introduce - demands a comprehensive understanding of each ecosystem's unique handling of them. It is crucial for an SCA solution to recognize these nuances and avoid generating false positives.
3) Prioritizing Vulnerabilities
Due to the limited resources at the disposal of developers and security professionals, prioritizing vulnerabilities becomes a significant challenge without the required data and knowledge. While the Common Vulnerability Scoring System (CVSS) offers a method for assessing vulnerabilities, its shortcomings make it somewhat challenging to apply effectively. The main issues with CVSS stem from the variance in environments, including how they are operated, designed, and put together. Additionally, CVSS scores do not consider the age of a vulnerability or its involvement in exploit chains, further complicating their usage.
4) Building an Updated, Unified Vulnerability Database
A vast array of analytical data on vulnerabilities is spread out over numerous sources, including national databases, online forums, and specialized security publications. However, there is often a delay in updating these sources with the latest vulnerability information. This delay in reporting can be critically detrimental. SCA tools help address this issue by aggregating and centralizing vulnerability data from a wide range of sources.
5) Speeding Up Secure Software Development
Before the code progresses in the release process, it must undergo a security review. If the services tasked with checking for vulnerabilities do not do so swiftly, this can slow down the entire process. The use of AI test automation tools offers a solution to this issue. They enable the synchronization of development and vulnerability scanning processes, preventing unforeseen delays.
The challenges mentioned above have spurred the development of the DevSecOps concept and the "Shift Left" approach, which places the responsibility for security directly on development teams. Guided by this principle, SCA solutions enable the verification of the security of open-source components early in the development process, ensuring that security considerations are integrated from the outset.
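Tasks 1 and 2 above (transparency into transitive dependencies, and following the dependency logic correctly), as an added example that is not part of the post or of any SCA product: a constructed lockfile is resolved into every path from a declared dependency down to each transitive package, matched against constructed advisories, and the findings are grouped by the direct dependency the developer can actually update. Package names, versions and advisory ids are invented.

```python
"""Transitive dependency resolution and vulnerable-path reporting, the
'transparency' task an SCA tool performs before anything can be prioritized.

Added example with a constructed lockfile and constructed advisories; the
package names, versions and advisory ids are invented, not real software.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed lockfile: package -> (resolved version, declared dependencies).
LOCK: dict[str, tuple[str, list[str]]] = {
    "webframework": ("4.2.0", ["bodyparser", "qsparse"]),
    "bodyparser":   ("1.9.0", ["qsparse", "rawbody"]),
    "qsparse":      ("6.0.1", []),
    "rawbody":      ("2.0.0", []),
    "loghelper":    ("1.1.0", ["ansicolor"]),
    "ansicolor":    ("3.0.0", []),
}
# Direct dependencies the developer actually declared in the manifest.
DIRECT = ["webframework", "loghelper"]

# Constructed advisories: the package is affected on versions below `fixed_in`.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "qsparse",   "fixed_in": "6.0.3", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-0002", "package": "ansicolor", "fixed_in": "3.0.1", "cvss": 5.3},
    {"id": "ADV-EXAMPLE-0003", "package": "rawbody",   "fixed_in": "1.5.0", "cvss": 9.8},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric version to a comparable tuple: '6.0.10' > '6.0.9'."""
    return tuple(int(part) for part in v.split("."))


def dependency_paths(direct, lock) -> dict[str, list[list[str]]]:
    """Every path from a direct dependency down to each reachable package.

    Depth-first walk with an on-path guard so dependency cycles terminate.
    A package pulled in by two routes gets two paths; that is exactly the
    information missing when only the manifest is consulted.
    """
    paths: dict[str, list[list[str]]] = {}

    def walk(pkg: str, trail: list[str]) -> None:
        if pkg in trail:              # cycle: already on the current path
            return
        trail = trail + [pkg]
        paths.setdefault(pkg, []).append(trail)
        for child in lock[pkg][1]:
            walk(child, trail)

    for root in direct:
        walk(root, [])
    return paths


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    version: str
    cvss: float
    path: tuple[str, ...]             # direct dependency ... vulnerable package

    @property
    def direct_root(self) -> str:
        return self.path[0]

    @property
    def is_transitive(self) -> bool:
        return len(self.path) > 1


def vulnerable_findings(direct, lock, advisories) -> list[Finding]:
    """Match every reachable package's resolved version against the advisories."""
    findings = []
    paths = dependency_paths(direct, lock)
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in paths:
            continue                  # not in this application at all
        version = lock[pkg][0]
        if parse_version(version) >= parse_version(adv["fixed_in"]):
            continue                  # resolved version already carries the fix
        for path in paths[pkg]:
            findings.append(Finding(adv["id"], pkg, version, adv["cvss"], tuple(path)))
    return findings


def remediation_plan(findings) -> dict[str, set[str]]:
    """Group vulnerable packages by the direct dependency that pulls them in,
    so the fix is expressed in terms the developer controls (the manifest)."""
    plan: dict[str, set[str]] = {}
    for f in findings:
        plan.setdefault(f.direct_root, set()).add(f.package)
    return plan


if __name__ == "__main__":
    found = vulnerable_findings(DIRECT, LOCK, ADVISORIES)
    for f in sorted(found, key=lambda f: -f.cvss):
        kind = "transitive" if f.is_transitive else "direct"
        print(f"{f.advisory_id} {f.package}@{f.version} CVSS {f.cvss} ({kind}) "
              f"via {' -> '.join(f.path)}")
    print("direct dependencies to update:", remediation_plan(found))
```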
Important Aspects of Choosing and Using SCA Tools
Software Composition Analysis systems have been in existence for over a decade. However, the increasing reliance on open-source code and the evolving nature of application assembly, which now involves numerous components, have led to the introduction of various types of solutions. SCA solutions range from open-source scanners to specialized commercial tools, as well as comprehensive application security platforms. Additionally, some software development and maintenance solutions now include basic SCA features. When selecting an SCA system, it is helpful to evaluate the following capabilities and parameters:
● Developer-Centric Convenience
Gone are the days when security teams would simply pass a list of vulnerabilities to developers to address. DevSecOps mandates a greater level of security responsibility on developers, but this shift will not be effective if the tools at their disposal are counterproductive. An SCA tool that is challenging to use or integrate will hardly be beneficial. Therefore, when selecting an SCA tool, make sure it can:
- Be intuitive and straightforward to set up and use
- Easily integrate with existing workflows
- Automatically offer practical recommendations for addressing issues
● Harmonizing Integration in the Ecosystem
An SCA tool's effectiveness is diminished if it cannot accommodate the programming languages used to develop your applications or fit seamlessly into your development environment. While some SCA solutions might offer comprehensive language support, they might lack, for example, a plugin for Jenkins, which would allow application security testing to be included directly in the build process, or modules for the Integrated Development Environment (IDE).
● Examining Dependencies

Since many vulnerabilities are tied to dependencies, whose exploitability can often only be speculated about, it is important when assessing an SCA tool to verify that it can accurately understand all the application's dependencies. This ensures those in charge have a comprehensive view of the security landscape. It would be good if your SCA tool could also provide a visualization of dependencies to understand the structure and risks better.

● Identifying Vulnerabilities

An SCA tool's ability to identify vulnerabilities in open-source packages crucially depends on the quality of the security data it uses. This is the main area where SCA tools differ significantly. Some tools may rely exclusively on publicly available databases, while others aggregate data from multiple proprietary sources into a continuously updated and enriched database, employing advanced analytical processes. Even then, nuances in the database's quality and the accuracy and comprehensiveness of its intelligence can vary, impacting the tool's effectiveness.

● Prioritizing Vulnerabilities

SCA tools find hundreds or thousands of vulnerabilities, a volume that can swiftly become unmanageable for a team. Given that it is practically unfeasible to fix every single vulnerability, it is vital to strategize which fixes will yield the most significant benefit. A poor prioritization mechanism, particularly one that leads to an SCA tool frequently triggering false positives, can create unnecessary friction and diminish developers' trust in the process.

● Fixing Vulnerabilities

Some SCA tools not only detect vulnerabilities but also proceed to the logical next step of patching them. The range of these patching capabilities can differ significantly from one tool to another, and this variability extends to the recommendations provided.
It is one matter to suggest upgrading to a version that resolves a specific vulnerability; it is quite another to determine the minimal update path to prevent disruptions. For example, some tools might automatically generate a patch request when a new vulnerability with a recommended fix is identified, showcasing the advanced and proactive features that differentiate these tools in their approach to securing applications.

● Executing Oversight and Direction

It is essential to choose an SCA tool that offers the controls necessary for managing the use of open-source code within your applications effectively. The ideal SCA tool should come equipped with policies that allow for detailed fine-tuning, enabling you to granularly define and automatically apply your organization's specific security and compliance standards.

● Reports

Tracking various open-source packages over time, including their licenses, serves important purposes for different stakeholders. Security teams, for example, may want to evaluate the effectiveness of SCA processes by monitoring the number and remediation of identified vulnerabilities. Meanwhile, legal departments might focus on compiling an inventory of all dependencies and licenses to ensure the organization's adherence to compliance and regulatory requirements. Your selected SCA tool should be capable of providing flexible and detailed reporting to cater to the diverse needs of stakeholders.

● Automation and Scalability

Manual tasks associated with SCA processes often become increasingly challenging in larger development environments. Automating tasks like adding new projects and users for testing or scanning new builds within CI/CD pipelines not only enhances efficiency but also helps avoid conflicts with existing workflows. Modern SCA tools should use machine learning for improved accuracy and data quality. Another critical factor to consider is the availability of a robust API, which enables deeper integration.
Moreover, the potential for interaction with related systems, such as Security Orchestration, Automation, and Response (SOAR) and Security Information and Event Management (SIEM), in accessing information on security incidents, is also noteworthy.

● Application Component Management

Modern applications consist of numerous components, each requiring scanning and protection. A modern SCA tool should be able to scan container images for vulnerabilities and seamlessly integrate into the workflows, tools, and systems used for building, testing, and running these images. Advanced solutions may also offer remedies for identified flaws in containers.

Conclusion

Every organization has unique requirements influenced by factors like technology stack, use case, budget, and security priorities. There is no one-size-fits-all solution for Software Composition Analysis. However, by carefully evaluating the features, capabilities, and integration options of various SCA tools, organizations can select a solution that best aligns with their specific needs and enhances their overall security posture. The chosen SCA tool should accurately identify all open-source components, along with their associated vulnerabilities and licenses.
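The article makes three points that are easier to see in code than in prose: advisory feeds disagree and lag, so an SCA tool has to merge them; a CVSS score alone ignores age and active exploitation; and "fix" advice should be the minimal update path, not just "any newer version". The following is an added illustration written for this page, not the article's or any SCA vendor's code. Every package name, version, advisory id ("VULN-EX-…"), date and scoring weight in it is constructed for the example; the version parser assumes plain numeric dotted versions.

```python
"""Toy software-composition pass: match a dependency manifest against
advisories aggregated from several feeds, then rank the findings by more
than the raw CVSS score.  Added illustration, not the article's or any
SCA vendor's code; every package, version, advisory id and date below is
constructed for the example."""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10).  Assumes plain numeric dotted versions."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    depth: int   # 0 = declared directly, >0 = pulled in transitively
    via: str     # parent that introduced it ("" for a direct dependency)


@dataclass(frozen=True)
class Advisory:
    vuln_id: str         # constructed placeholder ids, not real CVE numbers
    package: str
    introduced: str      # first affected version (inclusive)
    fixed: str           # first safe version (exclusive upper bound)
    cvss: float
    published: date
    known_exploited: bool
    source: str


ASSESSMENT_DATE = date(2024, 5, 1)   # constructed "today" for the example

# Constructed manifest, flattened the way a lock file presents it.
MANIFEST = [
    Dependency("webframework", "2.3.1", 0, ""),
    Dependency("yamlparse", "5.1.0", 1, "webframework"),
    Dependency("imgcodec", "1.4.2", 0, ""),
    Dependency("loggerx", "0.9.7", 2, "webframework"),
]

# Two constructed feeds that describe the same flaw differently; a real
# tool merges many such sources, as the article notes.
FEED_NATIONAL_DB = [
    Advisory("VULN-EX-0001", "yamlparse", "5.0.0", "5.2.0", 9.8,
             date(2023, 11, 2), False, "national-db"),
    Advisory("VULN-EX-0002", "imgcodec", "1.0.0", "1.4.3", 7.5,
             date(2024, 3, 20), False, "national-db"),
]
FEED_VENDOR = [
    # Same id as above, but newer: narrower fix version and an
    # exploitation flag the older record lacked.
    Advisory("VULN-EX-0001", "yamlparse", "5.0.0", "5.1.4", 9.8,
             date(2024, 1, 15), True, "vendor"),
    Advisory("VULN-EX-0003", "loggerx", "0.9.0", "1.0.0", 5.3,
             date(2021, 6, 1), False, "vendor"),
]


def aggregate(*feeds):
    """Merge feeds by advisory id, keeping the most recently published record."""
    merged = {}
    for feed in feeds:
        for adv in feed:
            current = merged.get(adv.vuln_id)
            if current is None or adv.published > current.published:
                merged[adv.vuln_id] = adv
    return list(merged.values())


def affected(dep: Dependency, adv: Advisory) -> bool:
    v = parse_version(dep.version)
    return (dep.name == adv.package
            and parse_version(adv.introduced) <= v < parse_version(adv.fixed))


def priority(dep: Dependency, adv: Advisory, today: date) -> float:
    """CVSS is the base; exploitation, age and transitive depth adjust it.
    The weights are illustrative assumptions, not a published scheme."""
    score = adv.cvss
    if adv.known_exploited:
        score += 3.0                 # exploitation in the wild outranks theory
    if (today - adv.published).days > 365:
        score += 1.0                 # long-public flaws are well understood
    score -= 0.5 * dep.depth         # deep transitive code is often less reachable
    return round(score, 1)


def findings(manifest, advisories, today: date):
    """Return affected (dependency, advisory) pairs, highest priority first."""
    out = []
    for dep in manifest:
        for adv in advisories:
            if affected(dep, adv):
                out.append({
                    "package": dep.name, "version": dep.version, "via": dep.via,
                    "id": adv.vuln_id, "cvss": adv.cvss,
                    "fix": adv.fixed,   # minimal update path: first fixed release
                    "priority": priority(dep, adv, today),
                })
    return sorted(out, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    merged = aggregate(FEED_NATIONAL_DB, FEED_VENDOR)
    for f in findings(MANIFEST, merged, ASSESSMENT_DATE):
        print(f)
```

Merging by "most recent record wins" is what turns the national-database entry for VULN-EX-0001 (fix at 5.2.0, no exploitation flag) into the vendor's narrower fix at 5.1.4 with the exploitation flag set, which is exactly why the same 9.8 CVSS flaw ends up ranked well above the other 9.8-class scores a static list would give it.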
https://cybersecurity.att.com/blogs/security-essentials/introduction-to-software-composition-analysis-and-how-to-select-an-sca-tool
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

In a digital era marked by rapidly evolving threats, the complexity of cybersecurity challenges has surged, pressing organizations to evolve beyond traditional, tech-only defense strategies. As the cyber landscape grows more intricate, there's a pivotal shift towards embracing methods that are not just robust from a technical standpoint but are also deeply human-centric. This also means that a significant percentage of employees, driven by the high demands of operational pressures, may engage in risky cybersecurity behaviors. Such statistics illuminate the urgent need for a more nuanced approach to cybersecurity—one that not only fortifies defenses but also resonates with and supports the people behind the screens. Integrating human-centric design with continuous threat management emerges as a forward-thinking strategy, promising a balanced blend of technical excellence and user empathy to navigate the complex cybersecurity challenges of today and tomorrow.

Embracing the Human Element in Cybersecurity

Diving into the realm of human-centric security design and culture, it's clear that the future of cybersecurity isn't just about the latest technology—it's equally about the human touch. This approach puts the spotlight firmly on enhancing the employee experience, ensuring that cybersecurity measures don't become an unbearable burden that drives people to take shortcuts. By designing systems that people can use easily and effectively, the friction often caused by stringent security protocols can be significantly reduced. Gartner's insights throw a compelling light on this shift, predicting that by 2027, half of all Chief Information Security Officers (CISOs) will have formally embraced human-centric security practices.
This isn't just a hopeful guess but a recognition of the tangible benefits these practices bring to the table—reducing operational friction and bolstering the adoption of essential controls. This strategic pivot also acknowledges a fundamental truth. When security becomes a seamless part of the workflow, its effectiveness skyrockets. It's a win-win, improving both the user experience and the overall security posture.

CTEM: Your Cybersecurity Compass in Stormy Seas

Imagine that your organization's cybersecurity landscape isn't just a static battleground. Instead, it's more like the open sea, with waves of threats coming and going, each with the potential to breach your defenses. That's where Continuous Threat Exposure Management (CTEM) sails in, serving as your trusted compass, guiding you through these treacherous waters. CTEM isn't your average, run-of-the-mill security tactic. It's about being proactive, scanning the horizon with a spyglass, looking for potential vulnerabilities before they even become a blip on a hacker's radar. Think of it as your cybersecurity early-warning system, constantly on the lookout for trouble, ensuring you're not just reacting to threats but actively preventing them.

Again, Gartner's insights into the future of cybersecurity reveal that by 2026, those organizations that strategically direct their security budgets towards CTEM will likely see a downturn in the number of breaches they suffer. This prediction stems from the efficiency CTEM brings into the security strategy, allowing organizations to prioritize and address the most critical vulnerabilities with precision. Rather than spreading their efforts thinly across all possible threats, firms can concentrate on fortifying their defenses where it counts the most. This focused approach transforms cybersecurity measures from a broad, somewhat random guard into a finely tuned, strategic defense system.
So, one could claim that embracing CTEM isn't just about adopting new technology at this point. It's a mindset shift. It's accepting and recognizing the fact that in the vast ocean of the internet, being proactive isn't just smart—it's essential. With CTEM, you're not just charting a safer course for your organization; you're setting sail toward a future where cybersecurity is woven into the very fabric of your operations, a testament to your commitment to safeguarding your digital realm.

Fortifying Defenses with Identity Fabric Immunity

As we navigate further into the realm of sophisticated cybersecurity strategies, the concept of Identity Fabric Immunity stands out as a monumental innovation. This approach is designed to weave a comprehensive net of identity verification and management across an organization's entire digital landscape. By 2027, the ambition is clear: drastically minimize the potential for attacks and significantly reduce the financial fallout from any breaches that do occur.

Integrating Identity Fabric Immunity with human-centric design principles presents a unique opportunity to bolster our cybersecurity defenses. This blend ensures that our security measures are not only technologically advanced but also intuitively aligned with the natural behaviors and needs of our users. It's about creating a security infrastructure that is both invisible and effective, reducing friction for legitimate users while seamlessly guarding against unauthorized access. This strategic fusion aims to prevent rather than just react to threats, marking a shift towards a more proactive and user-friendly cybersecurity stance. By prioritizing the user experience in the context of robust security measures, we can create an environment where safety and usability coexist harmoniously, setting a new standard for what it means to be secure in the digital age.
Imagining Tomorrow's Success Stories

Exploring how organizations might integrate human-centric security design, Continuous Threat Exposure Management (CTEM), and Identity Fabric Immunity reveals promising futures. This visionary blend not only aims to strengthen defenses against cyber threats but also to smooth out the user experience by mixing advanced security protocols with a deep understanding of human behavior. Focusing on designs that marry security with user-friendliness, a hypothetical healthcare provider such as HealthSecure could position itself as a patient care leader. This approach underscores the power of merging technology with an understanding of human needs. Delving into resources like SaaS Security would undeniably offer rich insights for establishing such cybersecurity benchmarks, ensuring digital environments are both secure and accessible.

HealthSecure, facing the critical job of protecting patient data while keeping healthcare access fluid, could redefine patient care standards. The combination of Identity Fabric Immunity and CTEM within HealthSecure's framework highlights the immense value of this integrated strategy. It promises to bolster the company's defenses and diminish the financial and reputational damage from potential breaches. This strategy doesn't just protect patient information; it improves user experiences, setting the stage for a cybersecurity model that's strong, intuitive, and deeply resonant with human elements.

A New Era Begins Soon?

The future beckons with the promise of more resilient digital defenses, yet the journey there is fraught with hurdles. The need for organizations to continually adapt to new threats and technologies can be daunting. Resistance to change, a natural human tendency, poses another significant barrier, especially in established organizations with deep-rooted processes. However, the fact remains that the cybersecurity landscape is evolving, and with it, our approaches must also transform.
The integration of human-centric design alongside advanced frameworks like CTEM and Identity Fabric Immunity isn't just beneficial; it's becoming essential. These strategies promise a more adaptable, resilient cybersecurity posture, finely tuned to the complexities of human behavior and the cunning of cyber threats. Organizations are encouraged to embrace these forward-thinking strategies, laying the groundwork for a secure digital future that values both technological robustness and the human experience.
https://cybersecurity.att.com/blogs/security-essentials/cybersecuritys-human-factor-merging-tech-with-people-centric-strategies
In the digital world, every document, image, video, or program we create leaves a trail. Understanding the lifecycle of a file, from its creation to deletion, is crucial for various purposes, including data security, data recovery, and digital forensics. This article delves into the journey a file takes within a storage device, explaining its creation, storage, access, and potential deletion phases.

File Lifecycle

1. Creation: Birth of a Digital Entity

A file's life begins with its creation. This can happen in various ways:
- Software Applications: When you create a new document in a word processor, edit an image in photo editing software, or record a video, the application allocates space on the storage device and writes the data associated with the file.
- Downloads: Downloading a file from the internet involves copying data from the remote server to your storage device.
- Data Transfers: Copying a file from one location to another on the same device or transferring it to a different device creates a new instance of the file.
- System Processes: Operating systems and applications sometimes create temporary files during various processes. These files may be automatically deleted upon task completion.

During creation, the operating system assigns a unique identifier (often a filename) to the file and stores it in a directory (folder) along with additional information about the file, known as metadata. This metadata typically includes:
- File size: The total amount of storage space occupied by the file.
- Creation date and time: The timestamp of when the file was first created.
- Modification date and time: The timestamp of the last time the file content was modified.
- File access permissions: Restrictions on who can read, write, or execute the file.
- File type: Information about the type of file (e.g., .docx, .jpg, .exe).

2. Storage: Finding a Home

Storage devices like hard disk drives (HDDs), solid-state drives (SSDs), and flash drives hold the data associated with files. However, the data isn't stored as a continuous stream of information. Instead, it's broken down into smaller chunks called sectors. When a file is created, the operating system allocates a specific number of sectors on the storage device to hold the file content. This allocation process can happen in various ways depending on the file system used. Here are some key points to remember about file storage:
- Fragmentation: Over time, as files are created, deleted, and resized, the available sectors become fragmented across the storage device. This fragmentation can impact file access speed.
- File Allocation Table (FAT) or Similar Structures: Some file systems rely on a separate table (FAT) or index that keeps track of which sectors belong to specific files.
- Deleted Files: When a file is deleted, the operating system typically only removes the reference to the file from the directory structure. The actual data may still reside on the storage device until overwritten by new data.

3. Access: Reading and Writing

We interact with files by accessing them for various purposes, such as reading a document, editing an image, or running a program. This involves the following steps:
- File System Request: When an application attempts to access a file, it sends a request to the operating system.
- Directory Lookup: The operating system first locates the file's entry in the directory structure.
- Allocation Table or Index Lookup: Depending on the file system, the operating system might consult the FAT or similar structure to determine the physical location of the file data on the storage device.
- Data Retrieval: The operating system retrieves the data from the allocated sectors and presents it to the application.
- File Modification: If the application attempts to modify the file content, the operating system needs to find new sectors to store the updated data. This process can involve overwriting existing data or allocating new sectors depending on the available space.

4. Deletion: Erasing the Footprint (or Not Quite)

When a file is deleted using the operating system's delete function, the process primarily involves removing the file's entry from the directory structure. As mentioned earlier, the actual data may still reside on the storage device until overwritten. Here's why deleted files aren't truly gone:
- Overwriting: Until new data is written over the sectors holding the deleted file's content, it remains recoverable using data recovery software. This depends on factors like the type of storage device and how actively it's used.
- Unallocated Space: The deleted file's sectors are simply marked as "unallocated," indicating the operating system can utilize them for new data storage.

Different File Systems

File systems provide the fundamental structure for storing and organizing files on a storage device. They dictate how files are created, stored, and accessed. From a digital forensics perspective, understanding different file systems is crucial for effective evidence recovery and analysis. Here's a breakdown of the most common file systems and the considerations for investigators:

1. FAT (File Allocation Table) Systems
- Legacy Systems: Found on older storage devices like floppy disks, USB drives, and some early hard drives.
- FAT Table: Relies on a master table (FAT) that tracks the allocation of data within clusters (groups of sectors) on the storage device.
- Forensics Advantages: Relatively simple structure, easier to analyze.
- Challenges: Limited file size support in older versions, prone to fragmentation, potential for data overwriting after deletion.

2. NTFS (New Technology File System)
- Modern Windows Systems: The default file system of modern Windows operating systems.
- Master File Table (MFT): A comprehensive database tracking all files and folders on the volume, including detailed metadata.
- Forensics Advantages: Journaling for data integrity, better file security, support for larger files and volumes, potential for deleted file recovery.
- Challenges: Increased complexity compared to FAT, potential for recovery hindrance due to overwriting.

3. Ext (Extended File System) Family
- Linux Systems: Popular file system for Linux distributions. Includes several versions (Ext2, Ext3, Ext4).
- Inodes: Uses a data structure called "inodes" that store detailed metadata and track file allocation on the storage device.
- Forensics Advantages: Journaling (in later versions) for data integrity, support for large files and volumes.
- Challenges: Increased complexity compared to FAT or older NTFS versions; recovery tools may need to be Linux-compatible.

4. HFS+ (Hierarchical File System Plus)
- Mac Systems: Used in older macOS systems.
- B-trees: Employs B-trees (data structures for organizing information) for file organization.
- Forensics Advantages: Journaling (optional), support for large files and volumes.
- Challenges: Primarily used in macOS systems, potentially requiring specialized forensics tools for analysis.

5. APFS (Apple File System)
- Modern Mac Systems: The default option on modern macOS, iOS, watchOS, and tvOS systems.
- Copy-on-Write: Employs a copy-on-write mechanism for data modifications, preserving original file versions.
- Forensics Advantages: Optimized for SSDs, encryption features.
- Challenges: Increased complexity, nascent forensics tools due to the relative novelty of the file system.

Post-deletion, the fate of files varies across file systems:
- In FAT, deleted files are marked as available for reuse, with their data potentially recoverable until overwritten.
- NTFS may overwrite deleted files' clusters, hindering recovery, but some residual data may remain.
- Ext file systems may retain deleted file data until overwritten, facilitating recovery from unallocated space.
- HFS+ and APFS utilize journaling, potentially overwriting deleted file data rapidly but still leaving chances for recovery until overwritten.

Conclusion

Having a deep understanding of file lifecycles, file systems, and the storage of deleted files is indispensable in digital forensics. Mastery of these concepts equips forensic investigators to reconstruct events, extract evidence, and unravel complex data structures crucial for legal proceedings and incident response in the digital realm. By leveraging specialized tools and techniques, forensic analysts can navigate diverse file systems, recover deleted artifacts, and elucidate the digital footprint left behind in storage devices.
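The lifecycle above (create, read, delete, overwrite) and the FAT description (a directory, an allocation table, clusters that are merely marked free on deletion) can be modelled in a few dozen lines, which makes the forensic point concrete: after a delete the bytes are still on the medium, an undelete that trusts the leftover directory entry works until the clusters are reused, and file carving finds the content by its header in unallocated space. This is an added example written for this page, not the article's code; the volume layout is a deliberate simplification (8-byte clusters, two reserved clusters, an "erased entries" map standing in for FAT's 0xE5-flagged directory entries) and the file names and contents are constructed.

```python
"""In-memory model of a FAT-style volume: a directory, an allocation table
and a row of clusters.  Added illustration, not the article's code; the
file names and contents are constructed.  It shows why deleting a file
leaves its bytes recoverable until the clusters are reused."""
import math

CLUSTER = 8                          # bytes per cluster (tiny so the example is readable)
RESERVED, FREE, END = -2, None, -1   # allocation-table markers


class ToyVolume:
    def __init__(self, n_clusters: int = 16):
        # Clusters 0 and 1 are reserved, as on a real FAT volume.
        self.fat = [RESERVED, RESERVED] + [FREE] * (n_clusters - 2)
        self.data = [bytes(CLUSTER)] * n_clusters
        self.directory = {}       # live entries: name -> (first_cluster, size)
        self.erased_entries = {}  # entries only flagged as deleted (FAT's 0xE5 mark)

    def _chain(self, first: int):
        cluster = first
        while cluster != END:
            yield cluster
            cluster = self.fat[cluster]

    def create(self, name: str, payload: bytes) -> list:
        """Allocate first-fit free clusters, link them, write the data."""
        need = max(1, math.ceil(len(payload) / CLUSTER))
        free = [i for i, v in enumerate(self.fat) if v is FREE][:need]
        if len(free) < need:
            raise OSError("volume full")
        for idx, cluster in enumerate(free):
            chunk = payload[idx * CLUSTER:(idx + 1) * CLUSTER]
            self.data[cluster] = chunk.ljust(CLUSTER, b"\0")
            self.fat[cluster] = free[idx + 1] if idx + 1 < need else END
        self.directory[name] = (free[0], len(payload))
        return free

    def read(self, name: str) -> bytes:
        first, size = self.directory[name]
        return b"".join(self.data[c] for c in self._chain(first))[:size]

    def delete(self, name: str) -> None:
        """What 'delete' really does: drop the directory entry and free the
        chain.  The cluster contents are left exactly as they were."""
        first, size = self.directory.pop(name)
        for cluster in list(self._chain(first)):
            self.fat[cluster] = FREE
        self.erased_entries[name] = (first, size)

    def undelete(self, name: str):
        """Recovery-tool view: the flagged entry still gives the first cluster
        and the size; the chain is gone, so assume contiguous clusters.
        Returns (bytes, intact); intact turns False once any of those
        clusters has been handed to another file."""
        first, size = self.erased_entries[name]
        clusters = range(first, first + max(1, math.ceil(size / CLUSTER)))
        intact = all(self.fat[c] is FREE for c in clusters)
        return b"".join(self.data[c] for c in clusters)[:size], intact

    def carve(self, magic: bytes) -> list:
        """File carving: scan unallocated clusters for a known header."""
        return [i for i, v in enumerate(self.fat)
                if v is FREE and self.data[i].startswith(magic)]


def demo() -> dict:
    """Walk the lifecycle from the article: create, delete, recover, overwrite."""
    vol = ToyVolume()
    vol.create("notes.txt", b"MAGIC:therapy notes")   # constructed content
    vol.create("other.bin", b"BIN second file")
    vol.delete("notes.txt")
    recovered, intact = vol.undelete("notes.txt")     # still readable after delete
    carved = vol.carve(b"MAGIC:")                     # header found in unallocated space
    vol.create("new.log", b"new data overwrote")      # first-fit reuses the freed clusters
    after, intact_after = vol.undelete("notes.txt")   # now yields the new file's bytes
    return {"recovered": recovered, "intact": intact, "carved": carved,
            "after": after, "intact_after": intact_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `intact` flag is the check a practitioner wants before trusting an undelete: it is the model's equivalent of verifying that the clusters a recovery tool reassembled are still unallocated, since once they have been reused the "recovered" file is silently another file's content.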
https://cybersecurity.att.com/blogs/security-essentials/the-lifecycle-of-a-digital-file
AI has long been an intriguing topic for every tech-savvy person, and the concept of AI chatbots is not entirely new. In 2023, AI chatbots are all the world can talk about, especially after the release of ChatGPT by OpenAI. Still, there was a past when AI chatbots, specifically Bing's AI chatbot, Sydney, managed to wreak havoc over the internet and had to be forcefully shut down. Now, in 2023, with the world relatively more technologically advanced, AI chatbots have appeared with more gist and fervor. Almost every tech giant is on its way to producing large language model chatbots like ChatGPT, with Google successfully releasing its Bard and Microsoft returning to Sydney. However, despite the technological advancements, it seems that a significant share of the risks has been ignored by these tech giants, specifically Microsoft, when releasing their chatbots.

What is Microsoft Bing AI Chat Used for?

Microsoft has released the Bing AI chat in collaboration with OpenAI after the release of ChatGPT. This AI chatbot is a relatively advanced version of ChatGPT 3, known as ChatGPT 4, promising more creativity and accuracy. Therefore, unlike ChatGPT 3, the Bing AI chatbot has several uses, including the ability to generate new content such as images, code, and texts. Apart from that, the chatbot also serves as a conversational web search engine and answers questions about current events, history, random facts, and almost every other topic in a concise and conversational manner. Moreover, it also allows image inputs, such that users can upload images in the chatbot and ask questions related to them. Since the chatbot has several impressive features, its use quickly spread in various industries, specifically within the creative industry.
It is a handy tool for generating ideas, research, content, and graphics. However, one major problem with its adoption is the various cybersecurity issues and risks that the chatbot poses. The problem with these cybersecurity issues is that it is not possible to mitigate them through traditional security tools like VPN, antivirus, etc., which is a significant reason why chatbots are still not as popular as they should be.

Is Microsoft Bing AI Chat Safe?

Like ChatGPT, Microsoft Bing Chat is fairly new, and although many users claim that it is far better in terms of responses and research, its security is something to remain skeptical about. The modern version of the Microsoft AI chatbot is formed in partnership with OpenAI and is a better version of ChatGPT. However, despite that, the chatbot has several privacy and security issues, such as:
- The chatbot may spy on Microsoft employees through their webcams.
- Microsoft is bringing ads to Bing, which marketers often use to track users and gather personal information for targeted advertisements.
- The chatbot stores users' information, and certain employees can access it, which breaches users' privacy.
- Microsoft's staff can read chatbot conversations; therefore, sharing sensitive information with it is risky.
- The chatbot can be used to aid in several cybersecurity attacks, such as aiding in spear phishing attacks and creating ransomware code.
- Bing AI chat has a feature that lets the chatbot "see" what web pages are open on the users' other tabs.
- The chatbot has been known to be vulnerable to prompt injection attacks that leave users vulnerable to data theft and scams.
- Vulnerabilities in the chatbot have led to data leak issues.

Even though the Microsoft Bing AI chatbot is relatively new, it is subject to such vulnerabilities. However, privacy and security are not the only concerns its users must look out for.
Since it is still predominantly within the developmental stage, the chatbot has also been known to have several programming issues. Despite being significantly better in research and creativity than ChatGPT 3, the Bing AI chatbot is also said to provide faulty and misleading information and give snide remarks in response to prompts.

Can I Safely Use Microsoft Bing AI Chat?

Although the chatbot has several privacy and security concerns, it is helpful in several ways. With generative AI chatbots automating tasks, work within an organization is now occurring more smoothly and faster. Therefore, it is hard to abandon the use of generative AI altogether. Instead, the best way out is to implement secure practices for generative AI, such as:
- Make sure never to share personal information with the chatbot.
- Implement safe AI use policies in the organization.
- Establish a strong zero-trust policy in the organization.
- Ensure that the use of this chatbot is monitored.

While these are not completely foolproof ways of ensuring the safe use of Microsoft Bing AI chat, these precautionary methods can help you remain secure while using the chatbot.

Final Words

The Microsoft Bing AI chatbot undeniably offers creative potential. The chatbot is applicable in various industries. However, beneath its promising facade lies a series of security concerns that should not be taken lightly. From privacy breaches to potential vulnerabilities in the chatbot's architecture, the risks associated with its use are more substantial than they may initially appear. While Bing AI chat undoubtedly presents opportunities for innovation and efficiency within organizations, users must exercise caution and diligence. Implementing stringent security practices, safeguarding personal information, and closely monitoring its usage are essential steps to mitigate the potential risks of this powerful tool.
As technology continues to evolve, striking the delicate balance between harnessing the benefits of AI and safeguarding against its inherent risks becomes increasingly vital. In the case of Microsoft's Bing AI chat, vigilance and proactive security measures are paramount to ensure that its advantages do not come at the expense of privacy and data integrity.
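Two of the practices the article recommends, never sharing personal information with the chatbot and monitoring its use, are usually enforced at an outbound gateway rather than left to each user. The following is an added example written for this page, not Microsoft's or the article's code, of what such a gateway's screening step looks like: it redacts e-mail addresses and phone numbers, blocks prompts that carry a Luhn-valid payment card number or a pasted credential, and writes a pseudonymised audit record per request. The patterns, the block/allow policy and the sample prompts are constructed assumptions; a production deployment would tune them to the organisation's own data classes.

```python
"""Outbound prompt screen for a chatbot gateway: redact personal data and
secrets before a prompt leaves the organisation, and keep a pseudonymised
audit record of every request.  Added illustration, not Microsoft's or the
article's code; the patterns, policy and sample prompts are constructed."""
import hashlib
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")    # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b(?:\+?\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b")
SECRET_RE = re.compile(r"\b(?:password|passwd|api[_-]?key|token)\s*[:=]\s*\S+", re.I)


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment card numbers; cuts false positives on digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def screen_prompt(user_id: str, prompt: str, audit_log: list):
    """Return (decision, redacted_prompt).  Policy (an assumption for the
    example): secrets and card numbers block the request; e-mail addresses
    and phone numbers are redacted and the request is allowed."""
    findings = []

    def card_sub(match):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            findings.append("card")
            return "[CARD]"
        return match.group(0)          # digit run that is not a card: leave it

    text = CARD_RE.sub(card_sub, prompt)
    text, n = SECRET_RE.subn("[SECRET]", text)
    findings += ["secret"] * n
    text, n = EMAIL_RE.subn("[EMAIL]", text)
    findings += ["email"] * n
    text, n = PHONE_RE.subn("[PHONE]", text)
    findings += ["phone"] * n

    decision = "block" if {"card", "secret"} & set(findings) else "allow"
    audit_log.append({
        # Pseudonymous user reference: enough to follow up, no plaintext identity.
        "user": hashlib.sha256(user_id.encode()).hexdigest()[:16],
        "findings": findings,
        "decision": decision,
        "prompt_chars": len(prompt),
    })
    return decision, text


if __name__ == "__main__":
    log = []
    samples = [  # constructed prompts
        "Summarize this: contact jane.doe@example.com or 555-123-4567, card 4111 1111 1111 1111",
        "Draft a polite reply to a customer asking about delivery times",
        "my password=hunter2 is not working, why?",
    ]
    for s in samples:
        print(screen_prompt("alice", s, log))
    print(log)
```

The audit record deliberately stores the finding types and a hashed user reference rather than the prompt itself, so the monitoring the article asks for does not itself become a second copy of the sensitive data.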
https://cybersecurity.att.com/blogs/security-essentials/microsoft-bing-ai-chat-is-a-bigger-security-issue-than-it-seems
Heimdal blog
Wed, 24 Apr 2024 14:41:45 +0000
CrushFTP urges customers to patch servers with new versions due to discovering a zero-day. The CrushFTP zero-day vulnerability is tracked as CVE-2024-4040 and enables hackers to escape the VFS and download system files. Its CVSS is 9.8, which is critical. CrushFTP zero-day explained CrushFTP is vulnerable to a server-side template injection issue that affects versions before 10.7.1 […] The post Patch Now! CrushFTP Zero-day Lets Attackers Download System Files appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/crushftp-zero-day/
MITRE Corporation announced that state-backed hackers used Ivanti zero-day vulnerabilities to breach their system. The attack happened in January 2024 and impacted MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE). NERVE is an unclassified collaborative network that researchers use. The two Ivanti vulnerabilities were: authentication bypass CVE-2023-46805 command injection CVE-2024-21887 None of them had an […] The post MITRE Breached – Hackers Chained 2 Ivanti Zero-days to Compromise VPN appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/mitre-breached-ivanti-zero-days/
Patching is the second most challenging and resource-consuming task of a System Administrator. That’s what Alex Panait told me when I wanted to know his opinion on the benefits and hurdles of patching. Alex has been a System Administrator in Internal IT at Heimdal for the last 8 years. He’s seen the company developing and […] The post A System Administrator’s Challenges in Patch Management appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/system-administrator-patch-management-challenges/
Managing user accounts and ensuring the security of data and information systems are crucial for any business. To assist organizations in this task, we offer a comprehensive Account Management Policy Template designed to streamline the process of account creation, maintenance, and termination. This template is adaptable and available in three formats—PDF, Word, and Google Docs—to […] The post Free and Downloadable Account Management Policy Template appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/free-and-downloadable-account-management-policy-template/
Choosing a cybersecurity solution is no easy task. Some solutions specialize in one thing, while others take a broader, unified approach. Finding the right balance for your company depends on many factors such as size, price, support, or complexity. Atera and ConnectWise are some of the most common solutions, and in this article, we’ll compare […] The post Atera vs. ConnectWise: Head-to-Head Comparison (And Alternative) appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/atera-vs-connectwise/
If you run an MSP business, choosing a remote monitoring and management (RMM) platform will be a critical business decision. A quality RMM allows you to oversee your customers’ IT environments, remediate issues, and manage everything from patches to software updates. There are many RMM tools out there, so deciding which one is right for […] The post NinjaOne vs. Atera: A Deep Comparison Between the Solutions appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/ninjaone-vs-atera/
Cybersecurity researchers unveiled a new malvertising campaign that uses malicious Google ads to deliver a backdoor dubbed ‘MadMxShell’. The ads leverage a set of domains to push the backdoor and mimic legitimate IP scanner software. The 45 domains, registered between November 2023 and March 2024 pose as IP scanner software such as: Angry IP Scanner […] The post Deceptive Google Ads Mimic IP Scanner Software to Push Backdoor appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/deceptive-google-ads-mimic-ip-scanner-software-to-push-backdoor/
When it comes to endpoint detection tools, the cybersecurity market is a pretty crowded place. Finding the right one for your business can be a minefield. Some are designed to do one thing very well; others offer a broader, more unified solution. One product might be perfect for enterprises, but far too expensive and unwieldy […] The post CrowdStrike vs. SentinelOne: Which One Is Better For Endpoint Security? appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/crowdstrike-vs-sentinelone/
Researchers observed a rise in daily infection attempts leveraging an old TP-Link Archer command injection vulnerability. Since March 2024, six botnet malware operations have been scanning TP-Link Archer AX21 (AX1800) routers for CVE-2023-1389. The daily number of attempts ranged between 40,000 and 50,000 during the month. Source: Bleeping Computer. The vendor released a patch […] The post Surge in Botnets Exploiting CVE-2023-1389 to Infect TP-Link Archer Routers appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/tp-link-archer-command-injection-vulnerability/
Researchers discovered an overlooked vulnerability in the Lighttpd web server, which is used in Baseboard Management Controllers (BMCs). The flaw impacts hardware vendors that use AMI MegaRAC BMCs, such as Intel, Lenovo and Supermicro. Although Lighttpd’s developers discovered and fixed the flaw back in 2018, the vulnerability never received a CVE. Further on, Lighttpd users, like AMI […] The post Years-Old Vulnerability in AMI MegaRAC BMCs Impacts Intel and Lenovo Hardware appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/years-old-vulnerability-in-ami-megarac-bmcs-impacts-intel-and-lenovo-hardware/
Patch management is one of the most effective, yet overlooked cybersecurity practices to keep your operations safe. And it’s not just me saying it, statistics do too. For example, were you aware that 80% of cyberattacks happen due to unpatched vulnerabilities? With 84% of companies and online businesses reporting suffering at least one cyberattack in […] The post Your All-In Guide to MSP Patch Management Software in 2024 [Template Included] appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/msp-patch-management-software/
Email serves as a fundamental communication tool in business operations, necessitating stringent security measures to protect sensitive information and maintain corporate integrity. Our email security policy template serves as a comprehensive guide for companies looking to implement robust email security practices. It’s written in three different formats (PDF, Word, Google Docs) to suit all business […] The post Free and Downloadable Email Security Policy Template appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/email-security-policy-template/
Researchers have found two methods that might allow attackers to bypass audit logging, or to generate less severe log entries, when they download data from SharePoint. Because SharePoint data is sensitive, many businesses audit sensitive events, such as data downloads, to trigger alerts in security information and event management (SIEM) platforms, […] The post SharePoint Flaws Could Help Threat Actors Evade Detection Easier When Stealing Files appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/sharepoint-flaws-could-help-threat-actors-evade-detection-easier/
A new emergency directive from CISA requires U.S. federal agencies to address the risks associated with the Russian hacking group APT29’s compromise of several Microsoft business email accounts. On April 2, Federal Civilian Executive Branch (FCEB) agencies received Emergency Directive 24-02. They must look into potentially impacted emails, reset any compromised passwords, and take precautions […] The post CISA Issues Emergency Directive and Orders Agencies to Mitigate the Risks of the Microsoft Hack appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/cisa-emergency-directive-microsoft-hack/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Thursday about a data breach at Sisense, a US business intelligence software company. The agency strongly recommended that all Sisense users promptly change their passwords and any other potentially compromised credentials used to access the company’s services. The agency also advised users to be […] The post CISA Urges Sisense Customers to Reset Credentials and Report Suspicious Activity appeared first on Heimdal Security Blog.
https://heimdalsecurity.com/blog/cisa-urges-sisense-customers-to-reset-credentials/
Teri Radichel
Sat, 27 Apr 2024 18:54:43 GMT
Please stop this nonsense. Continue reading on Bugs That Bite »
https://medium.com/bugs-that-bite/censys-is-out-of-control-9f3ea4e9598c?source=rss-863161906cc5------2
Too many rules and logs (?) makes them randomly fail. Continue reading on Cloud Security »
https://medium.com/cloud-security/are-your-pfsense-filters-really-working-d8716601a0f8?source=rss-863161906cc5------2
What caused it? Not sure… session started, can’t log in. Continue reading on Bugs That Bite »
https://medium.com/bugs-that-bite/xrdp-issues-on-ubuntu-71faf3b94633?source=rss-863161906cc5------2
Why do I not remember this? Continue reading on Bugs That Bite »
https://medium.com/bugs-that-bite/the-s3-recursive-flag-d485bca636d8?source=rss-863161906cc5------2
Why you (and I) need a Universal Power Supply. Continue reading on Cloud Security »
https://medium.com/cloud-security/availability-for-cybersecurity-2eced75509f3?source=rss-863161906cc5------2
ACM.480 I calculated the cost of an AWS architecture. How did I do? Continue reading on Cloud Security »
https://medium.com/cloud-security/comparing-estimated-cost-of-aws-vpn-with-pfsense-transit-gateway-and-nat-to-actual-a75727cec02a?source=rss-863161906cc5------2
And people wonder why I segregate the Internet of Things. Continue reading on Cloud Security »
https://medium.com/cloud-security/example-something-on-wifi-trying-to-find-an-something-on-the-internal-network-786d4d6155c5?source=rss-863161906cc5------2
What are all those STS calls to Australia, Europe, Asia, and South Africa? Continue reading on Cloud Security »
https://medium.com/cloud-security/create-pfsense-aliases-to-block-api-calls-and-data-leaks-to-unwanted-regions-a930dfcbf175?source=rss-863161906cc5------2
Summarizing steps in other posts and trying out Ubuntu Pro. Continue reading on Cloud Security »
https://medium.com/cloud-security/summary-of-steps-to-set-up-ubuntu-vm-on-aws-ec2-06049ffd3be1?source=rss-863161906cc5------2
Can log into Ubuntu OS on AWS but not Ubuntu Pro with same key and configuration. Continue reading on Bugs That Bite »
https://medium.com/bugs-that-bite/ubuntu-on-aws-works-but-ubuntu-pro-does-not-same-configuration-key-etc-4268bd8b4539?source=rss-863161906cc5------2
Byron V. Acohido
Fri, 03 May 2024 19:36:29 +0000
SAN FRANCISCO — On the eve of what promises to be a news-packed RSA Conference 2024, opening here on Monday, Microsoft is putting its money where its mouth is. Related: Shedding light on LLM vulnerabilities. More precisely, the software … (more…)
https://www.lastwatchdog.com/my-take-is-satya-nadellas-secure-future-initiative-a-deja-vu-of-trustworthy-computing/
At the start, Distributed Denial of Service (DDoS) attacks were often motivated by bragging rights or mischief. Related: The role of ‘dynamic baselining’. DDoS attack methodology and defensive measures have advanced steadily since then. Today, DDoS campaigns are launched by … (more…)
https://www.lastwatchdog.com/rsac-fireside-chat-the-necessary-care-and-feeding-of-ddos-detection-and-protection-systems/
Businesses today need protection from increasingly frequent and sophisticated DDoS attacks. Service providers, data center operators, and enterprises delivering critical infrastructure all face risks from attacks. Related: The care and feeding of DDoS defenses. But to protect their networks, … (more…)
https://www.lastwatchdog.com/guest-essay-a-primer-on-how-why-dynamic-baselining-fosters-accurate-ddos-protection/
Tel Aviv, Israel, May 2, 2024, CyberNewsWire — LayerX, pioneer of the LayerX Browser Security platform, today announced $26 million in Series A funding led by Glilot+, the early-growth fund of Glilot Capital Partners, with participation from Dell Technologies … (more…)
https://www.lastwatchdog.com/news-alert-layerx-security-raises-24m-series-a-funding-for-its-enterprise-browser-security-platform/
SAN FRANCISCO — It took some five years to get to 100 million users of the World Wide Web and it took just one year to get to 100 million Facebook users. Related: LLM risk mitigation strategies. Then along came … (more…)
https://www.lastwatchdog.com/rsac-fireside-chat-how-the-open-source-community-instantly-derived-owasp-top-ten-for-llm/
SAN FRANCISCO — At the close of 2019, API security was a concern, though not necessarily a top priority for many CISOs. Related: GenAI ignites 100x innovation. Then Covid-19 hit, and API growth skyrocketed, a trajectory that only steepened … (more…)
https://www.lastwatchdog.com/rsac-fireside-chat-apis-are-wondrous-connectors-and-the-wellspring-of-multiplying-exposures/
Tel Aviv, Israel – April 30, 2024 – Cybersixgill, the global cyber threat intelligence data provider, broke new ground today by introducing its Third-Party Intelligence module. The new module delivers vendor-specific cybersecurity and threat intelligence to organizations’ security teams, enabling … (more…)
https://www.lastwatchdog.com/news-alert-cybersixgill-unveils-third-party-intelligence-to-deliver-vendor-specific-threat-intel/
For all the discussion around the sophisticated technology, strategies, and tactics hackers use to infiltrate networks, sometimes the simplest attack method can do the most damage. The recent Unitronics hack, in which attackers took control over a Pennsylvania water … (more…)
https://www.lastwatchdog.com/guest-essay-recalibrating-critical-infrastructure-security-in-the-wake-of-evolving-threats/
SAN FRANCISCO — At the end of 2000, I was hired by USA Today to cover Microsoft, which at the time was being prosecuted by the U.S. Department of Justice. Related: Why proxies aren’t enough. Microsoft had used illegal monopolistic … (more…)
https://www.lastwatchdog.com/rsac-fireside-chat-secure-flexible-web-browsers-finally-available-thanks-to-open-source-code/
Critical infrastructure like electrical, emergency, water, transportation and security systems are vital for public safety but can be taken out with a single cyberattack. How can cybersecurity professionals protect their cities? In 2021, a lone hacker infiltrated a water treatment … (more…)
https://www.lastwatchdog.com/guest-essay-heres-why-securing-smart-cities-critical-infrastructure-has-become-a-top-priority/